Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Flaws Found in Some Open Source Projects Exploited More Often

A study of major open source projects finds that 3.3% of vulnerabilities are exploited, but the rate of exploitation varies significantly.

 Vulnerabilities in major open source projects are not commonly turned into attacks — only 3.3% are "weaponized" — but at least one in 10 software flaws found in the most-targeted projects has had those weaknesses turned into exploit code, according to an analysis of 54 major open source projects published by security firm RiskSense on Monday.

The research used data on 2,694 vulnerabilities in the 54 open source projects, analyzing which issues had published exploitation code. Of the 89 weaponized vulnerabilities, or 3.3% of the total, only 18 allowed remote-code execution. Six are currently being used in active attack campaigns, RiskSense stated in the report.

"Our data shows that OSS vulnerabilities are a growing and increasingly critical part of an organization's attack surface," says Srinivas Mukkamala, CEO of RiskSense. "Managing vulnerabilities in those projects may require some added attention from both developers as well as security and IT staff."

The research suggests that companies should first concern themselves with the riskiest vulnerabilities — those that have already have published exploit code. In addition, some open source libraries — such as Vagrant, Artifactory, Chef, and JBOSS — should be given priority in patching because vulnerabilities in those projects tend to be exploited more often.

Vagrant, for example, is the project with the highest rate of weaponization for its vulnerabilities — out of nine issues discovered in the past five years, six have been exploited, for a rate of weaponization of 67%, RiskSense said. Ten of the 54 projects — Vagrant, Alfresco, Artifactory, Chef, Kaltura, SVN, Ansible, Redis, LifeRay Portal, and Odoo — had weaponization rates of 10% or higher.

Weaponization rates are "worth noting and monitoring going forward, as organizations should be aware of their software that is the most likely to be weaponized," RiskSense stated in its report.

The RiskSense report is not the first to underscore the risks that developers have accepted — perhaps unknowingly — when they use open source components to build software. In May, for example, application-security firm Veracode revealed that old or unpatched open source components left 71% of customers' software open to attack.

The variability in terminology and naming schemes also makes the organizations that use open source projects more likely to miss vulnerable components, according to a study by the Linux Foundation and the Laboratory for Innovation Science at Harvard University, which also confirmed the link between older software and greater vulnerability.

The open source projects themselves are often targeted by attackers. In May, GitHub revealed that more than two dozen open source projects were serving up malicious code after an attack compromised the developers' systems and replaced code objects created with the NetBeans IDE with Trojanized versions.

"In an OSS [open source software] context, it gives the malware an effective means of transmission since the affected projects will presumably get cloned, forked, and used on potentially many different systems," Alvaro Muñoz, a security researcher with the GitHub Security Lab, said in a blog post. "The actual artifacts of these builds may spread even further in a way that is disconnected from the original build process and harder to track down after the fact."

While the total number of vulnerabilities in the major projects studied by RiskSense jumped in 2019, compared with other years, the number of weaponized software flaws remained fairly level, with less than two dozen exploits for vulnerabilities published in any given year.

The number of vulnerabilities disclosed for a particular project varied enormously. The e-commerce project Magento, for example, had no published vulnerabilities in 2018, but 137 disclosed in 2019, according to the report. The variability in the number of vulnerabilities found in different projects is due to a variety of factors, says Mukkamala.

"Some vulnerabilities are naturally easier or more difficult to exploit, and ... certain types weaknesses are more prone to have associated exploits," he says. "So it often comes down to value of the target app, value of the exploit itself, and how hard it is to develop."

The report also found significant lag between the day a vulnerability is reported and when the issues is documented in the National Vulnerability Database, or NVD. On average, the NVD did not post information on a vulnerability until 54 days after it is disclosed.

The most common class of weaponized vulnerability has been cross-site scripting (XSS) issues with 11 exploited vulnerabilities in the 54 projects, with improper input validation coming in second with nine weaponized issues, and improper access control accounting for seven exploited flaws.

"In the worst cases, XSS can give an attacker control over a site, so they can be very impactful," says Mukkamala. "But certainly not every XSS falls into this category. ... On the other end of the spectrum, we only had one containerization vulnerability, but it was trending in the wild."

Related Content:


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.