350K Open-Source Projects At Risk of Supply Chain Vulnerability

Trellix has announced the establishment of the Trellix Advanced Research Center, a facility and project aimed at creating real–time intelligence and threat indicators to help customers detect, respond and remediate the latest cybersecurity threats.

“The threat landscape is scaling in sophistication and potential for impact,” said Trellix chief product officer Aparna Rayasam. “We do this work to make our digital and physical worlds safer for everyone. With adversaries strategically investing in talent and technical know–how, the industry has a duty to study the most combative actors and their methods to innovate at a faster rate.” 

Upon its establishment, the Trellix Advanced Research Center also published its research into CVE–2007–4559, a vulnerability estimated to be present in roughly 350,000 open–source projects and several closed–source projects.

The flaw resides in the Python tarfile module, which is automatically installed in any project using the Python programming language. It’s often found in frameworks created by Netflix, AWS, Intel, Facebook and Google, as well as in applications used for machine learning, automation and docker containerization. 

According to Trellix, the vulnerability can be exploited by uploading a malicious file generated with a few lines of code that allows attackers to then perform arbitrary code execution.

“When we talk about supply chain threats, we typically refer to cyber–attacks like the SolarWinds incident, however building on top of weak code–foundations can have an equally severe impact,” explained Christiaan Beek, head of adversarial and vulnerability research at Trellix. 

“This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.” 

Further, the company said while open–source developer tools like Python are necessary to advance computing and innovation, they heavily rely on industry collaboration for protection from known vulnerabilities.

To this end, Trellix said it is working to push code via GitHub pull request to protect open–source projects from the vulnerability.

“A free tool for developers to check if their applications are vulnerable is available on Trellix Advanced Research Center’s GitHub,” the company wrote.

This is not the first time Python–based applications have come under scrutiny recently. Earlier this month, a joint advisory by SentinelLabs and Checkmarx linked a threat actor called ‘JuiceLedger’ to the first known phishing campaign targeting Python Package Index (PyPI) users.