Charlie Osborne, 26 January 2023 at 13:52 UTC
Updated: 26 January 2023 at 13:55 UTC
Trellix has patched more than 61,000 open source projects against a long-standing Python vulnerability, using an automated tool to open the fixes at scale.
Last year, the Trellix Advanced Research Center drew attention to a long-standing vulnerability in Python’s tarfile module, tracked as CVE-2007-4559. The module’s extract and extractall functions do not sanitize member filenames, so an attacker who supplies a crafted TAR archive can use “..” sequences in those names to write, and overwrite, arbitrary files outside the extraction directory.
According to Trellix researcher Douglas McKee, although the vulnerability was first flagged in 2007, it was never fixed in Python itself and is present in around 350,000 open source projects as well as numerous closed source ones.
In a January 23 blog post, Trellix shared their collaboration with GitHub to tackle this flaw amid the vast number of vulnerable projects.
“The vulnerable tarfile module is part of the base Python package, and without a direct fix from Python, it remains integrated into the supply chains of many projects,” the cybersecurity firm stated.
Under the leadership of Kasimir Schulz and Charles McFarland, the project focused on automating the patching of affected open source repositories.
Bulk Pull Request Approach
The initiative was inspired by Jonathan Leitschuh’s presentation at DEF CON 2022, which showcased automated bulk pull requests as an efficient way to resolve open source vulnerabilities across many repositories at once.
Trellix and GitHub divided the project into two automated phases, keeping the manual effort required to run it minimal and leaving quality control and final approval to the maintainers of each project.
The first phase produced the patches. Trellix compiled a list of repositories containing the string “import tarfile”, then cloned each one and scanned it with Creosote, the tool Trellix released to detect vulnerable uses of the module.
If a repository was found to be affected by the vulnerability, Trellix would patch the relevant file and generate a local patch diff for easy comparison between the original and the modified files, including some metadata about the repository.
During the pull request phase, the team forked and cloned each repository, confirmed that the original files had not changed since they were scanned, and only then replaced them with the patched versions. This check prevented the pull requests from overwriting recent changes to the codebase.
Finally, the files were committed, a pull request was generated, and a detailed message was sent to the repository owner, requesting acceptance or rejection of the changes.
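To make the bug described above, and the kind of check such a patch adds, concrete, here is an added example. It is not Trellix’s code, Creosote’s code, or the exact patch the bulk pull requests carried; the helper names `is_within_directory`, `unsafe_member_paths` and `safe_extractall` are this page’s own choices, and the archive is constructed in memory for the example. It builds a TAR whose second member uses a “..” filename, shows a scan over the member paths flagging it, and shows a hardened replacement for `extractall` refusing the whole archive.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Construct, in memory, a tar archive with one benign member and one
    member whose name escapes the extraction directory via '..'.
    Constructed sample input for this example, not a real-world artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("readme.txt", b"benign\n"),
                           ("../escaped.txt", b"written outside dest\n")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target`, after resolving '..' components and symlinks,
    lies inside `directory`. Both sides go through realpath so a
    symlinked extraction directory does not produce a false alarm."""
    abs_dir = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def unsafe_member_paths(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return the names of members that would be written outside `dest`.
    These are exactly the members CVE-2007-4559 lets an attacker use
    for arbitrary file writes when extract()/extractall() is called."""
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Hardened stand-in for tar.extractall(dest): check every member
    before writing anything, and refuse the whole archive if any member
    escapes. Returns the names extracted on success."""
    bad = unsafe_member_paths(tar, dest)
    if bad:
        raise tarfile.ExtractError(f"path traversal attempt in members: {bad}")
    tar.extractall(dest)
    return [m.name for m in tar.getmembers()]


def demo() -> tuple[list[str], bool]:
    """Scan the constructed archive and try to extract it safely.
    Returns (names of escaping members, whether extraction was refused)."""
    data = build_malicious_tar()
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
            bad = unsafe_member_paths(tar, dest)
            refused = False
            try:
                safe_extractall(tar, dest)
            except tarfile.ExtractError:
                refused = True
    return bad, refused


if __name__ == "__main__":
    escaping, was_refused = demo()
    print("escaping members:", escaping)
    print("archive refused:", was_refused)
```

The scan in `unsafe_member_paths` is the detection half of the workflow (what a tool like Creosote looks for at the call site is an unguarded `extractall`), and `safe_extractall` is the shape of the fix: validate every member path against the destination before a single byte is written, rather than cleaning up after a partial extraction. Newer Python releases (3.12, with backports to maintained 3.8 to 3.11 lines) add an `extractall(path, filter="data")` option that performs equivalent checks, which is the preferred route where that interpreter version is available.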
Scaling Up
In an interview with The Daily Swig, Kasimir Schulz highlighted that Creosote and the patching tool could analyze, identify, and apply a fix in seconds, a task that would take skilled developers minutes without the tool.
“While this speed difference might not matter for a small number of repositories, it becomes significant as the scale increases,” Schulz noted.
Via GitHub, the Trellix team has so far patched 61,895 open source projects.
Recent discussions at ShmooCon have reportedly generated “new momentum” for the vulnerability to be addressed in Python directly, with indications of a potential financial incentive for a fix.
Schulz concluded: “Software supply chains are becoming increasingly complex. The number of individuals and companies developing various software continues to rise. Because of this, simply trying to minimize the attack surface has become a futile endeavor. Instead, we should emphasize auditing our supply chains with automated tools, securing the attack surface instead of engaging in an unwinnable battle.”
Based on an article from portswigger.net: https://portswigger.net/daily-swig/trellix-automates-tackling-open-source-vulnerabilities-at-scale