Trellix claims that in the last four months it has assisted in fixing around 62,000 vulnerable projects, after presenting striking figures on the prevalence of a 15-year-old Python vulnerability.
In total, 61,895 open source projects found to be at risk from a 15-year-old path traversal vulnerability in Python’s tarfile module have been repaired by Trellix and GitHub. In September 2022, the company’s Advanced Research Center team drew attention to CVE-2007-4559 after determining that, 15 years after its first discovery, it was still present in an estimated 350,000 open source projects and an undetermined number of closed source ones.
The team discovered the vulnerability while looking into another problem and initially believed it to be a brand-new zero-day. After following the thread, they realised they were actually looking at a long-standing bug in the “extract” and “extractall” functions of Python’s tarfile module.
CVE-2007-4559 allows a user-assisted remote attacker to execute arbitrary code or take complete control of the target device by using a certain filename sequence in a TAR archive to overwrite arbitrary files. The problem, which was rated as being of low importance back in October 2007, is still pervasive in many frameworks, including those made by Amazon Web Services, Google, Intel, and Netflix, as well as numerous additional programmes used for machine learning, automation, and Docker containerization.
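The defensive counterpart to the bug described above, as an added example that is not from the article, Trellix, or the Python project: every member's resolved destination is checked against the extraction directory before `extract()` is called, and link members get the same test on their targets. The archive is constructed in memory with one harmless member and one whose name climbs out of the directory; `build_sample_tar`, `escapes_dest`, `safe_extract` and `demo` are names chosen here. Where the interpreter ships `tarfile.data_filter` (Python 3.12 and the 3.8 to 3.11 security backports), the built-in `"data"` filter is passed as well.

```python
import io
import os
import tarfile
import tempfile


def build_sample_tar() -> bytes:
    """Constructed sample archive (not from the article): one harmless member
    and one whose name climbs out of the extraction directory, which is the
    filename pattern behind CVE-2007-4559."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("good.txt", b"hello\n"),
                              ("../escaped.txt", b"should never be written\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def escapes_dest(member: tarfile.TarInfo, dest: str) -> bool:
    """True if extracting `member` into `dest` could touch a path outside it.
    realpath() collapses '..' segments and absolute names; commonpath() avoids
    the classic prefix mistake where '/tmp/x' would accept '/tmp/xy/file'."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return True
    if member.issym() or member.islnk():
        # Symlink targets are relative to the member's own directory, hard-link
        # targets to the archive root; resolve each and apply the same test.
        base = os.path.dirname(target) if member.issym() else dest_real
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        return os.path.commonpath([dest_real, link_target]) != dest_real
    return False


def safe_extract(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only the members that stay inside `dest`.
    Returns (extracted_names, skipped_names)."""
    extracted, skipped = [], []
    # Second line of defence on interpreters that have the PEP 706 filters.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if escapes_dest(member, dest):
                skipped.append(member.name)
                continue
            tar.extract(member, path=dest, **extra)
            extracted.append(member.name)
    return extracted, skipped


def demo() -> dict:
    """Run safe_extract on the constructed archive inside a scratch directory
    and report what landed where."""
    with tempfile.TemporaryDirectory() as d:
        extracted, skipped = safe_extract(build_sample_tar(), d)
        parent = os.path.dirname(os.path.realpath(d))
        return {
            "extracted": extracted,
            "skipped": skipped,
            "good_written": os.path.isfile(os.path.join(d, "good.txt")),
            "escaped_written": os.path.exists(os.path.join(parent, "escaped.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

The member-name check is what older interpreters lack; on a current interpreter the `"data"` filter alone would already refuse the `../escaped.txt` member, but the explicit check keeps the behaviour identical across versions and lets the caller decide whether to skip or abort.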
The Trellix team assembled a distinct list of repositories to scan after obtaining from GitHub a list of repositories and files containing the keyword “import tarfile”. The team then cloned and scanned each repository using Creosote, a vulnerability checking tool it developed for the purpose. Whenever Creosote found a vulnerable repository, the team patched the file and produced a local patch diff so that the patched file, the original file, and the repository metadata could be compared.
After completing this, the team went through the list of local patch diffs, forked each vulnerable repository, cloned it, and replaced the original file with the patched file if the original had not changed in the meantime. If it had, they took care not to overwrite any other modifications.
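A minimal version of the scanning step, added here as an illustration and not Creosote's own code or logic: a module is considered only if it imports `tarfile` (the same keyword prefilter the article describes), and every `.extract()` or `.extractall()` call without a `filter=` keyword is reported with its line number. `SAMPLE_SOURCE` is a constructed input, and `find_unfiltered_extracts` and `imports_tarfile` are names chosen here.

```python
import ast

# Constructed sample module (not from any real repository): two unguarded
# extraction calls and one that passes the PEP 706 "data" filter.
SAMPLE_SOURCE = '''\
import tarfile

def unpack(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest)

def unpack_each(path, dest):
    with tarfile.open(path) as tar:
        for member in tar.getmembers():
            tar.extract(member, dest)

def unpack_filtered(path, dest):
    with tarfile.open(path) as tar:
        tar.extractall(dest, filter="data")
'''


def imports_tarfile(tree: ast.AST) -> bool:
    """Mirror the 'import tarfile' keyword prefilter at the AST level, so that
    zipfile.extractall() and similar names in other modules are not reported."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name == "tarfile" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and node.module == "tarfile":
            return True
    return False


def find_unfiltered_extracts(source: str) -> list[tuple[int, str]]:
    """Return (line, method) for each extract/extractall call that carries no
    filter= keyword, sorted by line number."""
    tree = ast.parse(source)
    if not imports_tarfile(tree):
        return []
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("extract", "extractall"):
            continue
        if any(kw.arg == "filter" for kw in node.keywords):
            continue
        hits.append((node.lineno, node.func.attr))
    return sorted(hits)


if __name__ == "__main__":
    for line, method in find_unfiltered_extracts(SAMPLE_SOURCE):
        print(f"line {line}: .{method}() called without filter=")
```

The result is a triage list rather than proof of exploitability: the AST walk cannot see whether a manual path check like the one in the previous example runs before the call, so each hit still needs a human look, which matches the article's description of patching only the files Creosote flagged.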