Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerability Addressed in Popular Code Libraries

A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more.

A critical and widespread arbitrary file overwrite vulnerability has been addressed in popular libraries of projects from HP, Amazon, Apache, Pivotal, and more.

Dubbed Zip Slip and discovered by the Snyk Security, the vulnerability exists when the code that extracts files from an archive doesn’t validate the file paths in the archive.

The security flaw was responsibly disclosed to the impacted parties starting in mid-April and is said to impact thousands of projects. The issue has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go.

According to Snyk Security, Java has been impacted the most, as it lacks a central library for the high level processing of archive files. Because of that, vulnerable code snippets “were being hand crafted and shared among developer communities such as StackOverflow,” the security researchers explain.

Exploitation is possible via a specially crafted archive containing directory traversal filenames. Numerous archive formats are affected by the bug, including tar, jar, war, cpio, apk, rar and 7z.

“Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive,” Snyk Security explains.

The directory traversal vulnerability allows an attacker to access parts of the file system residing outside of their target folder. The attacker can then overwrite executable files and achieve remote command execution on the victim’s machine when these files are executed. The flaw can also be abused to overwrite configuration files or other sensitive resources.

“The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking,” the researchers explain.

Advertisement. Scroll to continue reading.

First, the archive should contain one or more files designed to break out of the target directory when extracted. The contents of the archive need to be hand crafted, as archive creation tools “don’t typically allow users to add files with these paths,” Snyk Security notes. Armed with the right tools, however, an attacker can easily create files with these paths.

Second, the attacker needs to extract the archive, either using a library or own code.

“You are vulnerable if
you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation,” the researchers say.

In a GitHub repository, Snyk published a list of impacted libraries, which includes npm (language JavaScript), Java (language Java), .NET (languages: .NET and Go), Ruby gem (language Ruby), Go (language Go), Oracle (language Java), and Apache (language Java).

“Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarCube, OpenTable, Arduino, ElasticSearch, Selenium, Gradle, JetBrains and Google,” the researchers note.

Snyk also notes that some projects were patched despite being confirmed not vulnerable, while others that continue to use the vulnerable code implementation are said to be not exploitable. Specifically, “it is believed that it would not be possible to attack these projects in such a way that could lead to a malicious outcome,” the researchers say.

Related: Microsoft Patches Critical Flaw in Open Source Container Library

Related: GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.