Open-source software supply chain vulns have doubled in 12 months

Hackers 'mainlining' vulns into projects – report

Use of vulnerable open source components has doubled over the last year despite their role in the high-profile Equifax mega-breach.

Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components over the last 12 months.

Hackers injecting malicious code into the software supply chain [source: Sonatype]

Miscreants have even started to inject (or mainline) vulnerabilities directly into open source projects, according to Sonatype, which cited 11 recent examples of this type of malfeasance in its study.

El Reg has reported on several such incidents including a code hack on open-source utility eslint-scope back in July.

Several of the problems listed by Sonatype involved messing around with NPM, a utility used by JavaScript projects to install dependencies.

The software tools firm estimated that 1.3 million vulnerabilities in open source software components were not logged in the publicly maintained NVD database, meaning that no related CVE advisory exists. This, in turn, makes such bugs harder to triage.

Sonatype estimated the average enterprise downloads 170,000 open source components a year of which as many as one in eight are vulnerable in some way or another. This is becoming even more of a problem because the average time before a software vulnerability gets exploited is also dropping to as little as three days, according to Sonatype.

Vuln to exploit time is decreasing fast [Sonatype]

The time lag between vulnerability disclosure and exploitation is shrinking fast

The Equifax breach last year was blamed on a long-missed Apache Struts update. The oversight had monumental consequences, and the incident spawned a debate on the security of software supply-chain dependencies.

Apache Struts download rate before and after Equifax [source: Sonatype]

Vulnerable Apache Struts download rate barely affected by Equifax megabreach, reports Sonatype

These discussions are yet to shift things in the real world where organisations are still downloading vulnerable versions of the Apache Struts framework at much the same rate as before the Equifax data breach, at around 80,000 downloads per month.

Downloads of buggy versions of another popular web application framework called Spring were also little changed since a September 2017 vulnerability, Sonatype added. The 85,000 average in September 2017 has declined only 15 per cent to 72,000 over the last 12 months.

Sonatype's report was based on the analysis of a broad mix of open source (public) data and proprietary information collected by the software automation vendor. The firm unsurprisingly argued that applying automation across the software development lifecycle and introducing DevOps best practices can reduce breach exposure by helping to weed out vulnerable software components before they are put into production systems.
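One concrete form of the automated check described above, as an added example that is not Sonatype's code or anything from the report: a small build gate that compares a project's resolved dependency list against an advisory feed and fails the build when a component falls inside a known-vulnerable version range. The dependency list, component names, version ranges and advisory identifiers below are constructed placeholders, not real advisories.

```python
"""Build gate: fail when a resolved dependency matches a known-vulnerable range.

Added example, not Sonatype's code. Dependency coordinates, versions and
advisory identifiers are constructed placeholders, not real advisory data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str        # placeholder identifier, not a real CVE
    component: str    # dependency coordinate the advisory applies to
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet


def parse_version(version):
    """Turn '2.3.31' or '2.3.31-rc1' into a comparable 3-tuple of ints.

    Pre-release suffixes are dropped, which is a deliberate simplification:
    a real gate would need full semver/Maven ordering so that e.g. a release
    candidate of the fixed version is not treated as already fixed.
    """
    match = re.match(r"^\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) < 3:          # pad so '2.3' compares as '2.3.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version, adv):
    """True when version lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def audit(dependencies, advisories):
    """Return (component, version, advisory id, fixed-in) for every match."""
    findings = []
    for comp, ver in dependencies:
        for adv in advisories:
            if adv.component == comp and is_affected(ver, adv):
                findings.append((comp, ver, adv.ident, adv.fixed or "no fix"))
    return findings


def gate(dependencies, advisories):
    """True if the build may proceed, i.e. no known-vulnerable component."""
    return not audit(dependencies, advisories)


# Constructed sample inputs (illustrative only).
SAMPLE_DEPENDENCIES = [
    ("org.example:web-framework", "2.3.31"),
    ("org.example:web-framework-plugin", "1.0.0"),
    ("org.example:json-lib", "3.1.0"),
    ("org.example:logger", "1.2.17"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "org.example:web-framework", "2.3.5", "2.3.32"),
    Advisory("ADV-PLACEHOLDER-2", "org.example:json-lib", "3.0.0", "3.0.4"),
    Advisory("ADV-PLACEHOLDER-3", "org.example:logger", "1.2.0", ""),
]

if __name__ == "__main__":
    for comp, ver, ident, fixed in audit(SAMPLE_DEPENDENCIES, SAMPLE_ADVISORIES):
        print(f"{comp}@{ver}: {ident} (fixed in: {fixed})")
    # Non-zero exit makes a CI pipeline stop before the artefact is promoted.
    raise SystemExit(0 if gate(SAMPLE_DEPENDENCIES, SAMPLE_ADVISORIES) else 1)
```

Run as a pipeline step, the non-zero exit blocks promotion of the build; on the constructed input it reports the web framework (within a fixed range, so the remediation is an upgrade) and the logger (no fix yet, so the finding needs a risk decision rather than a version bump). The check is only as good as its advisory feed, which is the report's point about the 1.3 million vulnerabilities missing from the NVD: a gate driven solely by CVE data will pass components whose flaws were never assigned an identifier.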

Derek Weeks, VP at Sonatype, said it was "discouraging" to see the percentage of vulnerable component downloads increasing whilst expressing sympathy for developers.

"Today, it is difficult for developers to know if they are downloading open source components with known vulnerabilities like Struts," Weeks told El Reg. "Free downloads of components take milliseconds and no information is actively passed to the developer during that effort about known vulnerabilities. It is the equivalent of shopping in a huge supermarket full of tasty products that have no food labels or expiration dates. Without data about component quality and security surfaced quickly to developers, they are effectively shopping blindfolded.

"In this day and age, manual research and reviews could not keep pace with the volume of open source component consumption," he added. ®


Biting the hand that feeds IT © 1998–2022