Over 350,000 unique open-source repositories are believed to be at risk of potential supply chain cyberattacks due to an unpatched 15-year-old vulnerability in Python’s tarfile module, which is a default module in any project using Python.
Currently, the Python tarfile module is found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as across several industries such as software development, artificial intelligence/machine learning, and code development, but also other sectors as diverse as web development, security, IT management, and media.
The vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), was discovered 15 years ago. This flaw can be exploited by uploading a malicious file generated with two or three lines of simple code and allows attackers arbitrary code execution, or control of a target device.
Earlier this year, CVE-2007-4559 was rediscovered again by a Trellix vulnerability researcher Kasimir Schulz while investigating another security issue.
“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially, we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559,” reads the post published by security firm Trellix.
”The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.”
While the vulnerability was originally only marked as a 6.8, however, in most cases an attacker can gain code execution from the file write. In the video below, Trellix shows how they were able to get code execution by exploiting Universal Radio Hacker:
An attacker can exploit the flaw by uploading a malicious tarfile in a manner that makes it possible to escape the directory intended to be extracted and achieve code execution, allowing the adversary to potentially seize control of a target device.
“For an attacker to take advantage of this vulnerability they need to add “..” with the separator for the operating system (“/” or “\”) into the file name to escape the directory the file is supposed to be extracted to. Python’s tarfile module lets us do exactly this:” continues the post.
“The tarfile module lets users add a filter that can be used to parse and modify a file’s metadata before it is added to the tar archive. This enables attackers to create their exploits with as little as the 6 lines of code above.”
“Never extract archives from untrusted sources without prior inspection,” the Python documentation for tarfile reads. “It is possible that files are created outside of path, e.g. members that have absolute filenames starting with ‘/’ or filenames with two dots ‘..’.”
Further, Trellix has released a free tool called Creosote to scan for projects vulnerable to CVE-2007-4559, using it to uncover the vulnerability lurking in applications like Spyder Python IDE and Polemarch.
“Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface,” Trellix’s Principal Engineer and Director of vulnerability research, Doug McKee noted.