For year-end 2007, we have compiled the Top 5 Most Overlooked Open Source Vulnerabilities encountered during 2007. We came up with this list after reviewing over 300 million lines of code and spending literally thousands of hours of analysis across a wide range of industries - including technology, financial services and government, among others.
So what do we mean by "Most Overlooked"? First, we mean that these are known vulnerabilities with a high-severity Common Vulnerabilities and Exposures (CVE) ranking, found within open source projects that turn up in the code audits we perform. Secondly, and perhaps even more importantly, these vulnerabilities were found throughout 2007 in some of the most frequently used open source projects, inside code bases whose owners did not realize they contained them.
It's sometimes dangerous to publish a list like this because it can so easily be taken out of context. Let me first stress that open source software is NOT any more vulnerable than commercial software - some folks even point to evidence that it's less vulnerable. The majority of open source projects provide a patched version for issues within hours of discovery.
What does put people at risk, however, is not knowing that you're using open source components at all. When that's the case, as it so often is, how can you retrieve the updated versions? When you don't have a system in place to alert you to available patches or security issues, you put yourself at risk of introducing security vulnerabilities into your organization's code base.
So here's our Top 5 Most Overlooked Open Source Vulnerabilities for 2007 in alphabetical order:
PROJECT DESCRIPTION: A free software application server developed by the Apache Software Foundation
VULNERABILITY DESCRIPTION: The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.
PATCH INFORMATION: https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch
PROJECT DESCRIPTION: JBoss Application Server (or JBoss AS) is a free software / open source Java EE-based application server.
VULNERABILITY DESCRIPTION: Directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5 allows remote authenticated users to read or modify arbitrary files, and possibly execute arbitrary code, via unspecified vectors related to the console manager.
PROJECT DESCRIPTION: A library for reading and writing Tagged Image File Format (TIFF) files. The package also contains command line tools for processing TIFF files. It is distributed as source code, and binary builds can be found online for all kinds of platforms. LibTiff is embedded in multiple Linux distributions.
VULNERABILITY DESCRIPTION: TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving "unchecked arithmetic operations".
PATCH INFORMATION: http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz
PROJECT DESCRIPTION: Net-SNMP is a suite of software for using and deploying the SNMP protocol (v1, v2c and v3 and the AgentX subagent protocol).
VULNERABILITY DESCRIPTION: snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3, and 5.0.x before 5.0.10.2, when running in master agentx mode, allows remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a free of an incorrect variable, a different vulnerability than CVE-2005-2177.
PATCH INFORMATION: http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.
This issue has been addressed in the following (and later) versions: 5.1.3, 5.2.2, 5.3
PROJECT DESCRIPTION: zlib is a software library used for data compression. It was written by Jean-loup Gailly and Mark Adler and is an abstraction of the DEFLATE compression algorithm used in their gzip file compression program.
VULNERABILITY DESCRIPTION: zlib 1.2 and later versions allow remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
PATCH INFORMATION: Upgrade to version 1.2.3. http://www.zlib.net/zlib-1.2.3.tar.gz
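The practical point of the list is the one made above: you can only act on patch information if you know which component versions you actually ship. As an added example, not part of this post or of any vendor's tooling, the script below encodes the five affected ranges exactly as the entries above state them and checks a component inventory against them. The two C libraries are located by header fingerprint (zlib.h defines ZLIB_VERSION and libtiff's tiffvers.h defines TIFFLIB_VERSION_STR; both macros are real), while the Java application servers and Net-SNMP are supplied from a declared inventory such as a build manifest. Every header fragment and inventory entry in the sample is constructed.

```python
"""Flag embedded open source components against the fix information in
this post.  Added example, not the post author's tooling; the header
fragments in SAMPLE_FILES and the DECLARED inventory are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.0.10.2' -> (5, 0, 10, 2).  Parsing stops at the first non-numeric
    piece, so '1.2.3-rc1' becomes (1, 2, 3).  Tuple comparison gives the
    usual ordering, and a shorter tuple sorts before its extensions, so
    5.2 compares below 5.2.2 as intended."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


# Fingerprints for copies of a library vendored into a source tree rather
# than installed as a package.  Both macros exist in the real headers.
FINGERPRINTS: Dict[str, re.Pattern] = {
    "zlib": re.compile(r'#define\s+ZLIB_VERSION\s+"([\d.]+)'),
    "libtiff": re.compile(r'#define\s+TIFFLIB_VERSION_STR\s+"LIBTIFF, Version\s+([\d.]+)'),
}


@dataclass(frozen=True)
class Rule:
    component: str
    affected: Callable[[Version], bool]  # range as stated in the post
    remedy: str                          # what the post says to do


def _net_snmp_affected(v: Version) -> bool:
    # 5.2.x before 5.2.2, 5.1.x before 5.1.3, 5.0.x before 5.0.10.2
    return ((v[:2] == (5, 2) and v < (5, 2, 2))
            or (v[:2] == (5, 1) and v < (5, 1, 3))
            or (v[:2] == (5, 0) and v < (5, 0, 10, 2)))


RULES: List[Rule] = [
    Rule("geronimo", lambda v: v[:2] == (2, 0),
         "apply the GERONIMO-3404 patch (the post gives no fixed release number)"),
    Rule("jboss-as", lambda v: (3, 2, 4) <= v <= (4, 0, 5),
         "no patch listed in the post; check the project's advisory"),
    Rule("libtiff", lambda v: v < (3, 8, 2), "upgrade to 3.8.2 or later"),
    Rule("net-snmp", _net_snmp_affected, "upgrade to 5.1.3, 5.2.2 or 5.3 (or later)"),
    Rule("zlib", lambda v: (1, 2) <= v < (1, 2, 3), "upgrade to 1.2.3"),
]


def scan_files(files: Dict[str, str]) -> Dict[str, str]:
    """Locate vendored copies by header fingerprint.  Input maps path to
    contents; output maps component name to the version string found."""
    found: Dict[str, str] = {}
    for contents in files.values():
        for component, pattern in FINGERPRINTS.items():
            m = pattern.search(contents)
            if m:
                found[component] = m.group(1)
    return found


def check(inventory: Dict[str, str]) -> List[str]:
    """One finding per component whose version falls inside an affected
    range; components the post does not cover are ignored."""
    findings: List[str] = []
    for rule in RULES:
        raw = inventory.get(rule.component)
        if raw is not None and rule.affected(parse_version(raw)):
            findings.append(f"{rule.component} {raw}: affected; {rule.remedy}")
    return findings


# Constructed header fragments standing in for a vendored third_party/ tree.
SAMPLE_FILES = {
    "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.2"\n',
    "third_party/tiff/tiffvers.h":
        '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.7.2\\nCopyright (c) ..."\n',
}
# Constructed declared inventory, e.g. from a build manifest.
DECLARED = {"geronimo": "2.0", "jboss-as": "4.0.5", "net-snmp": "5.4.1"}


def main() -> None:
    inventory = dict(DECLARED)
    inventory.update(scan_files(SAMPLE_FILES))   # discovered copies win
    for line in check(inventory) or ["no affected components found"]:
        print(line)


if __name__ == "__main__":
    main()
```

Run as-is, the sample reports Geronimo, JBoss AS, libtiff and zlib as affected and leaves Net-SNMP 5.4.1 alone. The rules are kept as plain predicates rather than a generic "fixed in X" field because the post's ranges have different shapes: an open lower bound for libtiff, a bounded window for JBoss, a per-branch rule for Net-SNMP, and a patch with no release number for Geronimo.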
Vulnerabilities do NOT mean that you should avoid using these popular projects. To the contrary, the quick response and patch availability indicate that these are active projects which consider vulnerabilities a serious issue. Take these projects up on their hard work - and make sure you're using the latest stable version.
We're interested in what your versions of the Top Most Overlooked Open Source Vulnerabilities might be!
- Theresa Bui Friday