Lucene search

K
thnThe Hacker NewsTHN:2DA6F98EC7A48A092478A6E6EB267C1C
HistorySep 22, 2022 - 9:17 a.m.

15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

2022-09-2209:17:00
The Hacker News
thehackernews.com
164

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

Python Vulnerability

As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years.

The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, and IT management.

The shortcoming, tracked as CVE-2007-4559 (CVSS score: 6.8), is rooted in the tarfile module, successful exploitation of which could lead to code execution from an arbitrary file write.

β€œThe vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the β€˜β€¦β€™ sequence to filenames in a TAR archive,” Trellix security researcher Kasimir Schulz said in a writeup.

Originally disclosed in August 2007, the bug has to do with how a specially crafted tar archive can be leveraged to overwrite arbitrary files on a target machine simply upon opening the file.

Put simply, a threat actor can exploit the weakness by uploading a malicious tarfile in a manner that makes it possible to escape the directory that a file is intended to be extracted to and achieve code execution, allowing the adversary to potentially seize control of a target device.

β€œNever extract archives from untrusted sources without prior inspection,” the Python documentation for tarfile reads. β€œIt is possible that files are created outside of path, e.g. members that have absolute filenames starting with β€˜/’ or filenames with two dots β€˜β€¦β€™.”

The vulnerability is also reminiscent of a recently disclosed security flaw in RARlab’s UnRAR utility (CVE-2022-30333) that could lead to remote code execution.

Trellix has further released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, using it to uncover the vulnerability in the Spyder Python IDE as well as Polemarch.

β€œLeft unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface,” Douglas McKee noted.

Found this article interesting? Follow THN on Facebook, Twitter ο‚™ and LinkedIn to read more exclusive content we post.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P