Trellix automates tackling open source vulnerabilities at scale

Charlie Osborne 26 January 2023 at 13:52 UTC
Updated: 26 January 2023 at 13:55 UTC

Over 61,000 vulnerabilities resolved and still counting

Trellix has patched a significant number of vulnerabilities

Trellix has successfully patched more than 61,000 projects impacted by a critical vulnerability in Python, utilizing an innovative automated system to streamline the remediation process significantly.

Recently, researchers at the Trellix Advanced Research Center uncovered a 15-year-old vulnerability found within Python’s tarfile module. Identified as CVE-2007-4559, this issue is characterized as a path traversal vulnerability that could allow “user-assisted remote attackers” to overwrite arbitrary files by exploiting a “.. (dot dot)” sequence within filenames found in TAR archives.
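As an added illustration (my own code, not Trellix's patch or anything from the article), the check a maintainer needs before `extractall()`: resolve every member's path against the destination and refuse the whole archive if any member, including a symlink or hardlink target, would land outside it. The archive builder and the member names are constructed samples.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members whose resolved path escapes `dest`."""
    # extractall() joins names onto dest without rejecting '..' parts or
    # absolute names (the CVE's traversal); links are checked as well.
    root = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # symlinks resolve from the member's directory, hardlinks from root
            base = os.path.dirname(target) if m.issym() else root
            link = os.path.realpath(os.path.join(base, m.linkname))
            if os.path.commonpath([root, link]) != root:
                bad.append(m.name)
    return bad


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse the whole archive if any member would land outside dest."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"members escape {dest!r}: {bad}")
    tar.extractall(dest)


def scan_archive(archive: bytes, dest: str) -> list:
    """Run unsafe_members over an in-memory archive without extracting."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return unsafe_members(tar, dest)


def make_archive(files, symlinks=()) -> bytes:
    """Build a constructed sample tar with file and symlink members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in files:
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        for name, linkname in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()
```

Python 3.12 added an extraction `filter` argument (`extractall(path, filter="data")`) that rejects such members natively; the explicit check above is for code that must still run on the older interpreters where the article's bug remains.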


According to researcher Douglas McKee from Trellix, although the vulnerability was first reported in 2007, it remained inadequately addressed. Consequently, this flaw has been inadvertently included in roughly 350,000 open source projects and is prevalent across many closed-source applications.

Despite the challenges, Trellix has partnered with GitHub to address this issue, as highlighted in their January 23 blog post. The task is daunting given the sheer number of vulnerable projects involved.

“The vulnerable tarfile module is part of the standard Python distribution and lacks a direct fix from Python, making it entrenched in the supply chain of numerous projects,” the cybersecurity firm elaborates.

Under the leadership of Kasimir Schulz and Charles McFarland, the multi-month initiative focused on the automatic patching of repositories containing the flawed code.

Bulk Pull Request Strategy

The initiative was inspired by Jonathan Leitschuh’s DEFCON 2022 presentation, which advocated for the use of automated bulk pull requests as an efficient method to tackle open source vulnerabilities.

Trellix and GitHub organized the undertaking into two automated phases that needed only to be run, leaving quality control and approvals to the project maintainers.

The initial phase involved creating the patch. Trellix compiled a list of repositories with the term “import tarfile,” subsequently cloning and examining each repository with the aid of Creosote.

“If a repository was identified as containing the vulnerability, we applied the necessary patch and generated a local patch diff for users to compare the original and updated files, along with relevant repository metadata,” McKee explained.


During the pull request phase, the cybersecurity team forked repositories, cloned them, and substituted the original files with the patched versions, ensuring that no recent changes were overlooked in the process.

Finally, the updated file was committed, a pull request was generated, and a message was dispatched to the project owner detailing the changes and requesting their approval or dismissal.

Scaling Up

In an interview with The Daily Swig, vulnerability researcher Kasimir Schulz remarked that the combination of Creosote and the patching tool enables rapid repository scans to detect and rectify the vulnerability within seconds—while even the most adept developers might take several minutes to achieve similar results manually.

“While this efficiency may seem trivial for a few repositories, it becomes increasingly significant as the number of projects expands,” Schulz highlighted.

To date, Trellix has patched 61,895 open-source projects through its collaboration with GitHub.

Schulz noted that recent dialogues at ShmooCon have instigated “new momentum” toward getting the vulnerability addressed in Python itself, with discussions hinting at “the possibility of a financial incentive for a fix.”

In conclusion, Schulz stated: “As software and supply chains grow more intricate, the number of developers and companies producing diverse software increases, complicating efforts to minimize the attack surface. Our focus should shift toward auditing our supply chains using automated tools and securing the attack surface rather than engaging in an unwinnable struggle.”


Based on an article from portswigger.net: https://portswigger.net/daily-swig/trellix-automates-tackling-open-source-vulnerabilities-at-scale
