OWASP Québec, 19 November 2019: "Securing open source libraries in open source code packages" (Coveo)
Learn how to find and fix vulnerabilities in open source libraries, where to integrate testing to prevent adding new vulnerable libraries to your code, and how to respond to newly disclosed vulnerabilities in libraries you already use.
By:
Jean-Alexandre Beaumont
Louis-Philippe Déry
Coveo
2. AGENDA
1. Understanding Acronyms
▶ CVE's
▶ CWE's
▶ CVSS
2. Land & Conquer: Tips & Tricks For Remediations
▶ Updating
▶ Patching
▶ Removing
▶ Ignoring Issues
3. Knowledge Application: Case Stories
▶ Easy Cases
▶ Harder Cases
▶ A Glimmer Of Hope
3. CVE Anger Management Journey™ (cognitive framework)
Denial: overwhelming emotion, a defense mechanism that buffers the shock.
Anger: grief replaced with pain; you search for blame, feel intense guilt, and lash out.
Bargaining: "What if..." A temporary escape; you plead for removing the requirement.
Acceptance: the reality of the loss of productivity settles in, and you start working.
4. CVE Relevance Mitigation Journey™ (mitigation framework)
Updating: recommendations, changing library version numbers and automagically fixing CVE's.
Patching: using context, i.e. a forked repo with a fix.
Removing: dropping features to fix it...
Ignoring: siloed and questionable decisions.
9. Known Vulnerability Database World
CVE (Common Vulnerability and Exposure)
● US Gov sponsored
● Maintained by MITRE
● Specific incremental numbering
CWE (Common Weakness Enumeration)
● Taxonomy of CVE
● Categorises security by weaknesses
● Lower numbers (15k-ish)
10. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Summary (MITRE entry fields): weakness prevalence, consequences (code execution), remediation cost, ease of detection, attack frequency, attacker awareness.
Prevention and mitigations, by phase: architecture and design, implementation, operation.
11. Known Vulnerability Database World
What about me, Common Platform Enumeration, don't I also qualify? Well.. yes, but no one cares about you for now…
CVSS (Common Vulnerability Scoring System), alongside CVE and CWE:
● Third iteration: CVSSv3
● Simple scoring methodology
● Divided into severity
13. Common Vulnerability Scoring System (CVSS)
Base Score: immutable base score
Temporal Score: time-sensitive information
Environmental Score: contextual information
19. Upgrading Vulnerable Packages
… I just updated one tiny package, now everything is broken…
Upgrading
● Indirect dependency upgrade
● Conflicts
● Major upgrades
20. Not a valid response: "We're so out of date we're not affected"
29. App Context, Case #1
● Java application backend
○ Website, internet facing
● Login functionality
○ Offers security training for employees
30. Case #1 - JAVA-COMGOOGLEGUAVA-32236
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
Technical Data
Vulnerable package: com.google.guava [11.0, 24.1.1)
CVE: CVE-2018-10237
CWE: CWE-119
CVSS Score: 5.9 (Medium)
CVSS Code: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type: Deserialization of Untrusted Data (DoS)
Disclosed: 25 Apr, 2018
Published: 02 May, 2018
31. Understanding the issue
Case #1 - JAVA-COMGOOGLEGUAVA-32236
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
● Affects deserialization of the AtomicDoubleArray and CompoundOrdering classes
● Relies on attacker-provided data
● Eager memory allocation leads to resource consumption and crash
32. Case #1 - JAVA-COMGOOGLEGUAVA-32236
Are we affected?
We don't deserialize any user-provided data in our code.
One thing to keep in mind: code change.
33. Case #1 - JAVA-COMGOOGLEGUAVA-32236
Our Options
Upgrade
● We cannot
Patching
● Hard to do
● Not future-proof
Removing: where do we use Guava?
● Only for some isNullOrEmpty on strings?
● Let's get rid of Guava and fix everything
Ignoring
● We would rather not
35. App Context, Case #2
● Small animation rendering application on Linux
● User can play back animations
36. Case #2 - Direct3D Buffer Overflow
https://nvd.nist.gov/vuln/detail/CVE-2017-7845
Technical Data
Vulnerable package: Direct3D [, 11.1)
CVE: CVE-2017-7845
CVSS: 8.8 (High)
CVSS Code: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type: Buffer Overflow
Published Date: Nov 06, 2018
37. Understanding the issue
Case #2 - Direct3D Buffer Overflow
Buffer overflows are very serious issues.
Affects a graphics library that is mostly used on Windows (and in emulators like Wine).
A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected.
This CVE: only affects Windows operating systems.
38. Case #2 - Direct3D Buffer Overflow
Are we affected?
Using Direct3D in Wine on Linux ....
42. Understanding the issue
Case #3 - PYTHON-PYYAML-42159
● yaml.load() is a dangerous function by design
● The CVE states that load() should be safe by default
● Project maintainer disagreed with the community on the fix
● Method safe_load() exists and is safe for untrusted data
● For trusted data (loading your config, for example) there is no issue
Affected versions of this package are vulnerable to Arbitrary Code Execution due to using the insecure yaml.load() function.
43. Case #3 - PYTHON-PYYAML-42159
Are we affected?
We use PyYAML to load our configuration. It is trusted data.
44. Fixed in 4.1?
Case #3 - PYTHON-PYYAML-42159
Snyk claims that it is fixed in v4.1
Let's update! …… wait.
Version 4.1 was pulled from PyPI
How can I fix it if no fix is available?
45. Case #3 - PYTHON-PYYAML-42159
Our Options
Upgrade: if only…
● No patch available
Patching: great option
● Change load() to safe_load()
● Beware: usual caveat
● Not future-proof
Removing: might require work
● Change library
● Do without?
Ignoring: valid option
● No untrusted data
● Beware: usual caveat
48. Case #4 - PYTHON-REQUESTS-72435
https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-72435
Technical Data
Vulnerable package: requests [,2.20)
CVE: CVE-2018-18074
CWE: CWE-200
CVSS: 9.8 (High)
CVSS Code: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type: Information Exposure
Disclosed: 09 Oct, 2018
Published: 10 Oct, 2018
49. Understanding the issue
Case #4 - PYTHON-REQUESTS-72435
● Redirecting from HTTPS -> HTTP
● Sends the Authorization header
○ Basic Auth == base64 credentials
● Requests considers only the host, not the port/scheme
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Authorization: Basic Y292ZW9fdXNlcjpFbGV2YXRlMjAxOSE=
Authorization: Basic coveo_user:0WA$P_QC!
50. Are we affected?
Case #4 - PYTHON-REQUESTS-72435
● We do use requests
● We do downgrade to HTTP on authenticated pages (!!)
● How fast must we fix it?
51. CVSS v3 - Temporal score
Case #4 - PYTHON-REQUESTS-72435
● (E) Exploit Code Maturity: High
○ None is needed, just have to listen to the traffic
● (RL) Remediation Level: Official Fix
○ Just bump to v2.20
● (RC) Report Confidence: Confirmed
○ The code is open source
○ Easy to verify
○ Has an official CVE (vetted)
52. CVSS v3 - Environmental Score
Case #4 - PYTHON-REQUESTS-72435
● (CR) Confidentiality Requirement: Medium
○ This system doesn't contain highly confidential data but does contain some sensitive information
● (IR) Integrity Requirement: High
○ The asset integrity must not be compromised as it is a critical system.
● (AR) Availability Requirement: High
○ Critical system for production, must stay up (e.g. the system is under SLA from clients)
● (MAV) Modified Attack Vector: Adjacent Network
○ The system is not directly accessible on the internet, but must be routed internally.
53. CVSS v3 - Environmental Score
Case #4 - PYTHON-REQUESTS-72435
● (MAC) Modified Attack Complexity: Not Defined
○ Nothing changes the complexity of the attack.
● (MPR) Modified Privileges Required: High
○ In order to intercept the HTTP communication, an attacker must be listening from inside the VPC network or share a local network with the victim (be on site)
● (MUI) Modified User Interaction: None
○ No engagement from the user is required
● (MS) Modified Scope: Unchanged
○ Compromising this asset doesn't give access to another one.
54. CVSS v3 - Environmental Score
Case #4 - PYTHON-REQUESTS-72435
● (MC) Modified Confidentiality: Low
○ Getting unauthorized access doesn't grant access to sensitive information in this system but does give insight into the infrastructure
● (MI) Modified Integrity: None
○ User access to the system is read only, cannot change the data included inside
● (MA) Modified Availability: None
○ Getting access will not let a user affect the system's availability
55. CVSS v3 - Environmental Score
Case #4 - PYTHON-REQUESTS-72435
We managed to get it down to 2.3 (Low)
The issue must still be addressed within 3 months
Preferably, fixing it is best
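The arithmetic behind the CVSS slides (13, 30, 48 and 51 to 55), as an added example that is not code from the talk: a CVSS v3.0 calculator that reproduces the base scores quoted for cases #1 and #4 from their vector strings, then applies the temporal and environmental metrics chosen above for case #4 and lands on the same 2.3 (Low). The weights are the CVSS v3.0 specification's; the helper names and the `env` dictionary layout are this example's own.

```python
import math

W = {  # metric weights from the CVSS v3.0 specification
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
    "PRC": {"N": 0.85, "L": 0.68, "H": 0.5},   # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},
}

def roundup(x):
    """CVSS round-up to one decimal, done on integers to avoid float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def score(vector, env=None):
    """Base score of a CVSS:3.0 vector; with `env`, the environmental score.
    env holds temporal metrics (E, RL, RC), requirements (CR, IR, AR) and
    modified base metrics (MAV, MAC, ...); 'X' or absent = not defined."""
    m, env = dict(p.split(":") for p in vector.split("/")[1:]), env or {}
    def get(k):  # modified value when defined, otherwise the base value
        v = env.get("M" + k, "X")
        return m[k] if v == "X" else v
    def req(k):  # CR / IR / AR multiplier (1.0 when not defined)
        return W["REQ"][env.get(k + "R", "X")]
    s = get("S")
    iss = min(1 - (1 - req("C") * W["CIA"][get("C")]) * (1 - req("I") * W["CIA"][get("I")])
              * (1 - req("A") * W["CIA"][get("A")]), 0.915)
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = (8.22 * W["AV"][get("AV")] * W["AC"][get("AC")]
            * W["PR" if s == "U" else "PRC"][get("PR")] * W["UI"][get("UI")])
    if impact <= 0:
        return 0.0
    total = impact + expl if s == "U" else 1.08 * (impact + expl)
    temporal = W["E"][env.get("E", "X")] * W["RL"][env.get("RL", "X")] * W["RC"][env.get("RC", "X")]
    return roundup(roundup(min(total, 10)) * temporal)

GUAVA = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"      # case #1 vector
REQUESTS = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # case #4 vector
# Temporal and environmental choices the slides make for case #4.
CASE4_ENV = {"E": "H", "RL": "O", "RC": "C", "CR": "M", "IR": "H", "AR": "H",
             "MAV": "A", "MAC": "X", "MPR": "H", "MUI": "N", "MS": "U",
             "MC": "L", "MI": "N", "MA": "N"}
if __name__ == "__main__":
    print(score(GUAVA), score(REQUESTS), score(REQUESTS, CASE4_ENV))  # 5.9 9.8 2.3
```

Changing MAV back to Network or MPR to None in `CASE4_ENV` shows how much of the reduction rests on the network-placement assumptions the slides make.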
56. Case #4 - PYTHON-REQUESTS-72435
Our Options
Upgrade
● Could be a good idea, if the fix is available
Patching
● We should get rid of the redirection to HTTP
Removing
● Not really possible...
Ignoring
● We would rather not
57. Fixing the issue
Case #4 - PYTHON-REQUESTS-72435
Get rid of the HTTP redirection: a long-lasting mitigation.
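The redirect behaviour from slide 49 and the fix on slide 57, as an added example that is not code from the talk or from the Requests project: a simulated client follows a constructed same-host HTTPS-to-HTTP redirect chain under two rules, the hostname-only rule the CVE describes and a hardened rule that also compares scheme and port, and reports which URLs received the Authorization header. The URLs, the credential placeholder and the function names are constructed for this example.

```python
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

def _port(u):
    return u.port or DEFAULT_PORTS.get(u.scheme)

def strip_auth_hostname_only(old_url, new_url):
    """Vulnerable rule (the behaviour CVE-2018-18074 describes): keep the
    Authorization header as long as the hostname matches."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname

def strip_auth_hardened(old_url, new_url):
    """Hardened rule: drop the header on any host, scheme or port change,
    except a plain http->https upgrade on the default ports."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme, _port(old), new.scheme, _port(new)) == ("http", 80, "https", 443):
        return False
    return old.scheme != new.scheme or _port(old) != _port(new)

def follow_redirects(start_url, redirects, strip_rule):
    """Walk a redirect chain (dict: URL -> Location) the way a client would
    and return the URLs that were requested with the Authorization header."""
    headers = {"Authorization": "Basic <constructed-credential>"}
    url, sent_with_auth = start_url, []
    while True:
        if "Authorization" in headers:
            sent_with_auth.append(url)
        nxt = redirects.get(url)
        if nxt is None:
            return sent_with_auth
        if strip_rule(url, nxt):
            headers.pop("Authorization", None)  # credentials do not cross the hop
        url = nxt

# Constructed chain: an authenticated HTTPS page redirecting to plain HTTP on
# the same host, the downgrade the talk says its own application performed.
CHAIN = {
    "https://app.example.test/login": "http://app.example.test/home",
    "http://app.example.test/home": "http://app.example.test/dashboard",
}

if __name__ == "__main__":
    for rule in (strip_auth_hostname_only, strip_auth_hardened):
        print(rule.__name__, "sent credentials to:",
              follow_redirects("https://app.example.test/login", CHAIN, rule))
```

The lasting mitigation the slides choose is server-side: stop redirecting authenticated pages to HTTP, so the downgrade hop never happens regardless of which client version talks to the site.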