
Securing open sources libraries in open source code package

133 views

Published on

OWASP Québec, 19 November 2019: "Securing open sources libraries in open source code package" (Coveo)

Learn how to find and fix vulnerabilities in open source libraries, where to integrate testing to prevent adding new vulnerable libraries to your code and how to respond to newly disclosed vulnerabilities in libraries you already use.
By:
Jean-Alexandre Beaumont
Louis-Philippe Déry
Coveo

Published in: Technology


  1. Louis-Philippe, Local Security Crawler; Jean-Alexandre, Resident Chaos Monkey. Common Vulnerabilities & Exposures: Addressing Open Source Vulnerabilities
  2. AGENDA
     1 Understanding Acronyms ▶ CVE's ▶ CWE's ▶ CVSS
     2 Land & Conquer: Tips & Tricks For Remediations ▶ Updating ▶ Patching ▶ Removing ▶ Ignoring Issues
     3 Knowledge Application: Case Stories ▶ Easy Cases ▶ Harder Cases ▶ A Glimmer Of Hope
  3. CVE Anger Management Journey™ (cognitive framework)
     Denial: overwhelming emotion, a defense mechanism that buffers the shock
     Anger: grief replaced with pain; you search for blame, feel intense guilt, and lash out
     Bargaining: "What if..." - a temporary escape; you plead to remove the requirement
     Acceptance: the reality of the loss of productivity settles in, and you start working
  4. CVE Relevance Mitigation Journey™ (mitigation framework)
     Updating: recommendations, changing library version numbers and automagically fixing CVE's
     Patching: using context, i.e. a forked repo with a fix
     Removing: dropping features to fix it...
     Ignoring: siloed decisions and questionable decisions
  5. What are known vulnerabilities?
  6. Weaponizing Information: Fingerprinting. Identifying: ▶ Architecture ▶ Web presence ▶ Infrastructure
  7. Exploit Tooling: Automated Attacks ▶ Script kiddies ▶ Low/No interaction required
  8. Known Vulnerability Database World. CVE, Common Vulnerability And Exposure: ● US Gov sponsored ● Maintained by MITRE ● Specific incremental numbering
  9. Known Vulnerability Database World (continued). CWE, Common Weakness Enumeration: ● Taxonomy of CVE ● Categorises security issues by weakness ● Lower numbers, 15k-ish
  10. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. Summary: Weakness Prevalence, Consequences (code execution), Remediation Cost, Ease of Detection, Attack Frequency, Attacker Awareness. Prevention and Mitigations: Architecture and Design, Implementation, Operation.
  11. Known Vulnerability Database World (continued). CVSS, Common Vulnerability Scoring System: ● Third iteration, CVSSv3 ● Simple scoring methodology ● Divided into severity levels. What about me? Common Platform Enumeration, don't I also qualify? Well.. yes, but no one cares about you for now…
  12. CVE's… Everywhere…
  13. Common Vulnerability Scoring System (CVSS): Base Score (immutable), Temporal Score (time-sensitive information), Environmental Score (contextual information)
  14. Base Score: MITRE managed - Immutable - Big picture of the CVE - How bad is it, doc?
  15. Temporal Score: Time-sensitive - Exploit code maturity - Can I try it out?! - Trustworthiness - Remediation availability
  16. Environmental Score: Contextual information, the environmental context for the vulnerable system. Confidentiality: information leaked. Integrity: information tampered with. Availability: loss of availability.
  17. RELEVANT CVE Mitigation: SCOPE, CONTEXT
  18. CVE Relevance Mitigation Journey. 1: Fixing the Vulnerable Package. Upgrading: Indirect Dependency Upgrade, Conflicts
  19. Upgrading Vulnerable Packages: … I just updated one tiny package, now everything is broken… Upgrading ● Indirect Dependency Upgrade ● Conflicts ● Major Upgrades
  20. Not a valid response: "We're so out of date we're not affected"
  21. Patching Vulnerable Packages. 2: Patching: Snyk/Simple patching, Monkey Patching
  22. Patching Vulnerable Packages. Upgrading ● Indirect Dependency Upgrade ● Major Upgrades ● Conflicts. Patching ● Simple patches ● Snyk patches ● Monkey patching
  23. Removing Vulnerable Packages. 3: Removing: Drop/Disable, Refactor Code
  24. Removing Vulnerable Packages. Upgrading ● Indirect Dependency Upgrade ● Major Upgrades ● Conflicts. Patching ● Simple patches ● Snyk patches ● Monkey patching. Removal ● Drop the feature ● Refactor the code ● Disable the feature
  25. Ignoring Vulnerable Packages. Upgrading ● Indirect Dependency Upgrade ● Major Upgrades ● Conflicts. Patching ● Simple patches ● Snyk patches ● Monkey patching. Removal ● Drop the feature ● Refactor the code ● Disable the feature. Ignoring the Issue ● Mute until fix ● Properly tag ● False positive
  26. A million CVE's, a million fixes
  27. Invest in making fixes easy
  28. Time to get your hands dirty
  29. App Context, Case #1: ● Java application backend ○ Website, internet facing ● Login functionality ○ Offers security training for employees
  30. Case #1 - JAVA-COMGOOGLEGUAVA-32236, https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236. Technical Data: Vulnerable package: com.google.guava [11.0, 24.1.1). CVE: CVE-2018-10237. CWE: CWE-119. CVSS Score: 5.9 (Medium). CVSS Code: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Vulnerability Type: Deserialization of Untrusted Data (DoS). Disclosed: 25 Apr, 2018. Published: 02 May, 2018.
  31. Understanding the issue, Case #1 - JAVA-COMGOOGLEGUAVA-32236. "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable." Affects deserialization of the AtomicDoubleArray and CompoundOrdering classes. Relies on attacker-provided data. Eager memory allocation leads to resource consumption and a crash.
  32. Case #1 - JAVA-COMGOOGLEGUAVA-32236. Are we affected? We don't deserialize any user-provided data in our code. One thing to keep in mind: code change.
  33. Case #1 - JAVA-COMGOOGLEGUAVA-32236. Our Options. Upgrade ● We cannot. Patching ● Hard to do ● Not future-proof. Removing: where do we use Guava? ● Only for some isNullOrEmpty on strings? ● Let's get rid of Guava and fix everything. Ignoring ● We would rather not.
  34. Questions on this case?
  35. App Context, Case #2: ● Small animation rendering application on Linux ● Users can play back animations
  36. Case #2 - Direct3D Buffer Overflow, https://nvd.nist.gov/vuln/detail/CVE-2017-7845. Technical Data: Vulnerable package: ● Direct3D [, 11.1). CVE: CVE-2017-7845. CVSS: 8.8 (High). CVSS Code: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Vulnerability Type: Buffer Overflow. Published Date: Nov 06, 2018.
  37. Understanding the issue, Case #2 - Direct3D Buffer Overflow. Buffer overflows are very serious issues. Affects a graphics library that is mostly used on Windows (and in emulators like Wine). "A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected." This CVE: only affects Windows operating systems.
  38. Case #2 - Direct3D Buffer Overflow. Are we affected? Using Direct3D in Wine on Linux....
  39. Easy, right?
  40. App Context, Case #3: ● Serverless: Lambda granting employee access ○ Built on Python 3.6
  41. Case #3 - PYTHON-PYYAML-42159, https://snyk.io/vuln/SNYK-PYTHON-PYYAML-42159. Technical Data: Vulnerable package: pyYaml [,4.1). CVE: CVE-2017-18342. CWE: CWE-94. CVSS: 9.8. CVSS Code: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Vulnerability Type: Arbitrary Code Execution. Disclosed: 26 Aug, 2017. Published: 28 Jun, 2018. Fix: 13 Mar, 2019*.
  42. Understanding the issue, Case #3 - PYTHON-PYYAML-42159. "Affected versions of this package are vulnerable to Arbitrary Code Execution due to using the insecure yaml.load() function." ● yaml.load() is a dangerous function by design ● The CVE states that load() should be safe by default ● The project maintainer disagreed with the community on the fix ● The method safe_load() exists and is safe for untrusted data ● For trusted data (loading your config, for example) there is no issue
  43. Case #3 - PYTHON-PYYAML-42159. Are we affected? We use pyYAML to load our configuration. It is trusted data.
  44. Fixed in 4.1? Case #3 - PYTHON-PYYAML-42159. Snyk claims that it is fixed in v4.1. Let's update! …… wait. Version 4.1 was pulled from PyPI. How can I fix it, if no fix is available?
  45. Case #3 - PYTHON-PYYAML-42159. Our Options. Upgrade: if only… ● No patch available. Patching: great option ● Change load() to safe_load() ● Beware: usual caveat ● Not future-proof. Removing: might require work ● Change library ● Do without? Ignoring: valid option ● No untrusted data ● Beware: usual caveat
  46. Questions on this case?
  47. App Context, Case #4: ● Authenticated service providing read-only configuration for production ○ Python 3.7
  48. Case #4 - PYTHON-REQUESTS-72435, https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-72435. Technical Data: Vulnerable package: requests [,2.20). CVE: CVE-2018-18074. CWE: CWE-200. CVSS: 9.8 (High). CVSS Code: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Vulnerability Type: Information Exposure. Disclosed: 09 Oct, 2018. Published: 10 Oct, 2018.
  49. Understanding the issue, Case #4 - PYTHON-REQUESTS-72435. "The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network." ● Redirecting from HTTPS -> HTTP ● Sends the Authorization header ○ Basic Auth == base64 credentials ● Requests considers only the host, not port/scheme
     Authorization: Basic Y292ZW9fdXNlcjpFbGV2YXRlMjAxOSE=
     Authorization: Basic coveo_user:0WA$P_QC!
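The host-only comparison described on slide 49, written out next to a hardened version, as an added example (not code from the deck or from the requests project; the function names, sample host names and credentials are made up for illustration, and the logic follows the slide's description rather than the library's source):

```python
import base64
from urllib.parse import urlparse

def vulnerable_should_strip_auth(old_url, new_url):
    """Pre-2.20 behaviour as described on the slide: only the hostname is compared,
    so a same-host https -> http redirect keeps forwarding the Authorization header."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname

def fixed_should_strip_auth(old_url, new_url):
    """Hardened check: credentials survive a redirect only when host, scheme and port
    all match, with one exception, upgrading http:80 to https:443 on the same host."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    default = {"http": 80, "https": 443}
    old_port = old.port or default.get(old.scheme)
    new_port = new.port or default.get(new.scheme)
    if old.scheme == "http" and new.scheme == "https" and (old_port, new_port) == (80, 443):
        return False                     # TLS upgrade on default ports: safe to keep
    return old.scheme != new.scheme or old_port != new_port   # includes https -> http

def follow_redirect(headers, old_url, new_url, should_strip=fixed_should_strip_auth):
    """Return the headers that would be sent to new_url after the redirect."""
    forwarded = dict(headers)
    if should_strip(old_url, new_url):
        forwarded.pop("Authorization", None)
    return forwarded

# Constructed sample: Basic auth with made-up credentials, then the same-host
# https -> http redirect from the slide. The host name is a placeholder.
HEADERS = {"Authorization": "Basic " + base64.b64encode(b"example:not-a-real-secret").decode(),
           "Accept": "application/json"}
ORIGIN = "https://config.example.internal/api/settings"
REDIRECT = "http://config.example.internal/api/settings"

if __name__ == "__main__":
    print("vulnerable:", follow_redirect(HEADERS, ORIGIN, REDIRECT, vulnerable_should_strip_auth))
    print("fixed:     ", follow_redirect(HEADERS, ORIGIN, REDIRECT))
```

The hardened check is the library-side fix; the application-side fix the deck recommends (not redirecting authenticated pages to HTTP at all) removes the downgrade entirely.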
  50. Are we affected? Case #4 - PYTHON-REQUESTS-72435 ● We do use requests ● We do downgrade to HTTP on authenticated pages (!!) ● How fast must we fix it?
  51. CVSS v3 - Temporal Score, Case #4 - PYTHON-REQUESTS-72435 ● (E) Exploit Code Maturity: High ○ None is needed, you just have to listen to the traffic ● (RL) Remediation Level: Official Fix ○ Just bump to v2.20 ● (RC) Report Confidence: Confirmed ○ The code is open source ○ Easy to verify ○ Has an official CVE (vetted)
  52. CVSS v3 - Environmental Score, Case #4 - PYTHON-REQUESTS-72435 ● (CR) Confidentiality Requirement: Medium ○ This system doesn't contain highly confidential data but does contain some sensitive information ● (IR) Integrity Requirement: High ○ The asset's integrity must not be compromised as it is a critical system ● (AR) Availability Requirement: High ○ Critical system for production, must stay up (ex: the system is under SLA from clients) ● (MAV) Modified Attack Vector: Adjacent Network ○ The system is not directly accessible on the internet, but must be routed internally
  53. CVSS v3 - Environmental Score, Case #4 - PYTHON-REQUESTS-72435 ● (MAC) Modified Attack Complexity: Not Defined ○ Nothing changes the complexity of the attack ● (MPR) Modified Privileges Required: High ○ In order to intercept the HTTP communication, an attacker must be listening from inside the VPC network or share a local network with the victim (be on site) ● (MUI) Modified User Interaction: None ○ No engagement from the user is required ● (MS) Modified Scope: Unchanged ○ Compromising this asset doesn't give access to another one
  54. CVSS v3 - Environmental Score, Case #4 - PYTHON-REQUESTS-72435 ● (MC) Modified Confidentiality: Low ○ Getting unauthorized access doesn't grant access to sensitive information in this system but does give insight into the infrastructure ● (MI) Modified Integrity: None ○ User access to the system is read-only, the data inside cannot be changed ● (MA) Modified Availability: None ○ Getting access will not let a user affect the system's availability
  55. CVSS v3 - Environmental Score, Case #4 - PYTHON-REQUESTS-72435. We managed to get it down to 2.3 (Low). The issue must still be addressed within 3 months. Preferably, fixing is best.
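To make the temporal and environmental arithmetic on slides 51 to 55 reproducible, here is an added CVSS v3.0 calculator (example code, not from the deck). It implements the v3.0 formulas and standard weights for scope:unchanged vectors only; CASE4 is an assumed vector encoding of the choices argued on the slides, and the Snyk base vectors for cases #1 and #4 are taken from the slides.

```python
import math

# CVSS v3.0 metric weights (scope: unchanged), from the v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}          # values for scope:unchanged only
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
RL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
RC = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}
REQ = {"X": 1.0, "L": 0.5, "M": 1.0, "H": 1.5}   # CR / IR / AR

def roundup(x):
    """v3.0 Roundup: smallest one-decimal value >= x (pre-rounded to avoid float noise)."""
    return math.ceil(round(x * 10, 6)) / 10

def parse(vector):
    head, *parts = vector.split("/")
    assert head == "CVSS:3.0", "only v3.0 vectors are handled here"
    return dict(p.split(":") for p in parts)

def score(vector):
    """Return (base, temporal, environmental) for a scope:unchanged CVSS v3.0 vector."""
    m = parse(vector)
    assert m["S"] == "U" and m.get("MS", "X") in ("X", "U"), "scope:changed not implemented"
    def mod(k):                      # modified metric, falling back to the base metric
        v = m.get("M" + k, "X")
        return m[k] if v == "X" else v
    def iss(c, i, a, cr=1.0, ir=1.0, ar=1.0):
        return 1 - (1 - cr * CIA[c]) * (1 - ir * CIA[i]) * (1 - ar * CIA[a])
    impact = 6.42 * iss(m["C"], m["I"], m["A"])
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    base = 0.0 if impact <= 0 else roundup(min(impact + expl, 10))
    t_factor = E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]
    temporal = roundup(base * t_factor)
    # Environmental: CR/IR/AR weight the (modified) impact, capped at 0.915 per the spec
    m_impact = 6.42 * min(iss(mod("C"), mod("I"), mod("A"), REQ[m.get("CR", "X")],
                              REQ[m.get("IR", "X")], REQ[m.get("AR", "X")]), 0.915)
    m_expl = 8.22 * AV[mod("AV")] * AC[mod("AC")] * PR[mod("PR")] * UI[mod("UI")]
    env = 0.0 if m_impact <= 0 else roundup(roundup(min(m_impact + m_expl, 10)) * t_factor)
    return base, temporal, env

# Case #4 as argued on the slides: the advisory's base vector plus the temporal and
# environmental choices from slides 51-54 (assumed encoding of those slides).
CASE4 = ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
         "/E:H/RL:O/RC:C/CR:M/IR:H/AR:H/MAV:A/MAC:X/MPR:H/MUI:N/MS:U/MC:L/MI:N/MA:N")

if __name__ == "__main__":
    print("case #1 (guava):", score("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"))
    print("case #4 (requests):", score(CASE4))
```

With these inputs the calculator returns 9.8 base, 9.4 temporal and 2.3 environmental for case #4, matching the 2.3 (Low) on slide 55; a different MPR or MAV choice is the quickest way to see how much of that reduction rests on the network-placement argument.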
  56. Case #4 - PYTHON-REQUESTS-72435. Our Options. Upgrade ● Could be a good idea, if the fix is available. Patching ● We should get rid of the redirection to HTTP. Removing ● Not really possible... Ignoring ● We would rather not.
  57. Fixing the issue, Case #4 - PYTHON-REQUESTS-72435: get rid of the HTTP redirection. A long-lasting mitigation.
  58. Questions on this case?
  59. Any general questions? Any fun stories to share?
