Over 350,000 unique open-source repositories are believed to be at risk of supply chain cyberattacks due to an unpatched 15-year-old vulnerability in Python's tarfile module, a module shipped in the standard library and therefore available to any project using Python.
Currently, the Python tarfile module is found extensively in frameworks created by AWS, Facebook, Google, Intel, and Netflix, as well as across several industries such as software development, artificial intelligence/machine learning, and code development, but also other sectors as diverse as web development, security, IT management, and media.
The vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), was discovered 15 years ago. It can be exploited by uploading a malicious archive generated with two or three lines of simple code, and it gives attackers arbitrary code execution or control of a target device.
Earlier this year, CVE-2007-4559 was rediscovered by Trellix vulnerability researcher Kasimir Schulz while he was investigating another security issue.
"While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python's tarfile module. Initially, we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559," reads the post published by security firm Trellix.
"The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the '..' sequence to filenames in a TAR archive."
Although the vulnerability was originally scored only 6.8, in most cases an attacker can turn the arbitrary file write into code execution. In the video below, Trellix shows how they were able to get code execution by exploiting Universal Radio Hacker:
An attacker can exploit the flaw by uploading a malicious tarfile in a manner that makes it possible to escape the directory intended to be extracted and achieve code execution, allowing the adversary to potentially seize control of a target device.
"For an attacker to take advantage of this vulnerability they need to add '..' with the separator for the operating system ('/' or '\') into the file name to escape the directory the file is supposed to be extracted to. Python's tarfile module lets us do exactly this:" continues the post.
"The tarfile module lets users add a filter that can be used to parse and modify a file's metadata before it is added to the tar archive. This enables attackers to create their exploits with as little as the 6 lines of code above."
"Never extract archives from untrusted sources without prior inspection," the Python documentation for tarfile reads. "It is possible that files are created outside of path, e.g. members that have absolute filenames starting with '/' or filenames with two dots '..'."
Further, Trellix has released a free tool called Creosote to scan for projects vulnerable to CVE-2007-4559, using it to uncover the vulnerability lurking in applications like Spyder Python IDE and Polemarch.
"Left unchecked, this vulnerability has been unintentionally added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface," noted Doug McKee, Trellix's Principal Engineer and Director of vulnerability research.