Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/10/2017
01:30 PM
Jeff Williams
Jeff Williams
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

How Code Vulnerabilities Can Lead to Bad Accidents

The software supply chain is broken. To prevent hackers from exploiting vulnerabilities, organizations need to know where their applications are, and whether they are built using trustworthy components.

When a car manufacturer discovers a faulty part, it is obliged to issue a recall and notify its customers of the damaged product. The problem is that all these cars are already on the road driving around with a recalled part, causing immense amounts of liability for all parties involved.

Building a Web application or API with open source components has direct parallels to building a car. Anyone using open source components must be aware that there will be vulnerabilities. And whether you’re building a car or software, your product is only as good as the components you use. Frankly, cars these days are basically software on wheels, but our software supply chain is full of holes.

You may not realize that a modern Web application is built using hundreds of these components that usually include many millions of lines of code. According to data from Contrast Security spanning almost 10,000 applications totaling over 8 billion lines of code, the average application is 79% library code, and only 21% custom code. Just over 76% of applications contain at least one vulnerability, and 34% containing four or more vulnerabilities. These are shocking failures of the software supply chain.

Earlier this year Apache released a patch for the Struts2 framework. The patch was designed to fix an easy-to-exploit vulnerability that allows attackers to execute arbitrary code on the application server. The patch announcement quickly attracted hackers who figured out how to exploit the vulnerability. Within hours, widespread exploitation attempts were launched from China, India, Hong Kong, and more. Here’s a real example of this attack blocked by Contrast:

CVE-2017-5638 Event from 119.28.21.109
When: 06/27/2017 08:43 AM

We observed an attack against CVE-2017-5638 enter the application through the HTTP Request Header "content-type:"

Common Occurrences
A few times every year, a special vulnerability like Struts2 is released. These are easy to exploit, so widespread, and so powerful that they make very lucrative targets for cybercriminals. Knowing this, organizations are left with the question: How do we respond?

You can't simply deploy a new version of Struts2 because it will break applications. This is exactly like the problem the industry faced back in the 90s with operating system software updates. At large enterprises, there used to be dedicated teams who would manually update the OS and test for problems. Over the past 15 years, operating system vendors have dramatically improved their notification and update infrastructure to automate updates.

However, we don't have automatic update in the application space. So, nobody ever knows that their components are broken, and even if they did, there's no way to update without going all the way back to development, which could take months and might affect large numbers of applications. As Struts2 demonstrates – this is a huge a problem. Attacks start within hours of a new vulnerability release. Without automated notification of vulnerabilities in components, and a fast way for organizations to respond across their entire portfolio, there is simply no way for organizations to get in front of this threat.

Every industry goes through a supply chain transformation as they mature. Look at the automobile industry or the pharmaceutical industry, for example. At some point, it becomes critical to take responsibility for the quality of the components that are part of the product. This is way overdue in enterprise software, which has reaped the benefits of using open source components without taking appropriate steps to ensure their security. So, what can we do?

Most organizations take a long time, months or years, to respond to new vulnerabilities in their software components, even when those components are easily exploited and result in catastrophic breaches. Most do not have a program to identify exactly what components they are using across their application portfolio. And they lack a program to monitor for new security vulnerabilities and evaluate whether the vulnerable components are in use in the organization.

Fortunately, there's a promising alternative called Runtime Application Security Protection (RASP) that can help. Organizations can deploy RASP directly into their Web applications and APIs to protect themselves against these software supply chain risks. Unlike Web application firewalls (WAFs), RASP works from inside the application, where it has all the context necessary to protect applications accurately at high speed. With this approach, RASP elegantly solves two problems that have plagued organizations for years.

First, RASP continuously shows you exactly where you have vulnerable open source code across your application portfolio. This is "A9" in the OWASP Top Ten. RASP products continuously report exactly what applications are running on which servers, including exactly what open source components are in use. As it turns out, simply knowing exactly what code is running is a major challenge for most organizations. RASP also pinpoints any components that have known vulnerabilities, indicating exactly what applications they are part of and which servers they are running on. In this way, RASP provides a "big data" approach to the "secure composition analysis" problem.

Second, RASP products provide "CVE Shields" that automatically protect these vulnerable components so that flaws cannot be exploited. These shields don't necessarily remove the vulnerability from the library, but simply prevent attacks from reaching their target. In some ways this is similar to runtime defenses in operating systems and compilers, such as ASLR, that make vulnerabilities difficult or impossible to exploit. These CVE shields can be deployed quickly across an entire application portfolio without rewriting code and redeploying.

In the future, every application needs the capability to report its own "bill of materials" to make it easy for enterprises to identify where component vulnerabilities might lurk. Further, every application must have the ability to receive CVE shields that prevent component vulnerabilities from being exploited. 

We can't wait weeks or years to respond to new vulnerabilities. Every organization needs the capability to respond in a matter of hours when a new vulnerability is discovered. The attackers certainly aren't waiting.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content:

 

A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...