A security vulnerability called Zip Slip that’s prevalent in open source code could impact millions of companies using Google Cloud Platform (GCP), some Amazon Web Services (AWS) and Alibaba products, and other projects, according to security startup Snyk.
Zip Slip is an arbitrary file overwrite vulnerability. In a white paper published today, Snyk (pronounced “sneak”), which maintains a database of security vulnerabilities in open source libraries, warns that thousands of projects — and millions of users’ data — are at risk.
Snyk CEO Guy Podjarny said he’s unaware of any public exploits linked to this vulnerability, but he admitted that posting the security research will essentially start a race: “Will the owners fix the vulnerability? Or will hackers exploit it first?”
In an interview with SDxCentral, Podjarny explained that hackers exploit the vulnerability through malicious file names inside an archive — usually a zip file — that let written files reach other parts of the system. “The malicious archive contains a file that points to a folder that is outside the directory you are trying to extract the files to, and that is called arbitrary file write,” Podjarny said. “When that archive gets unzipped, the attacker’s file gets stored elsewhere on the system.”
The attacker can then overwrite sensitive files so that when the system runs it will use the attacker’s code. It can also cause a system to shut down entirely.
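The defensive check that closes this hole is to canonicalize every entry's destination path and refuse the whole archive if any entry would land outside the extraction directory. The following is an added example, not code from Snyk's paper or from any of the projects named in the article; it is written in Python for illustration, and the same containment check applies in any language (Python's own `ZipFile.extractall` already sanitizes entry names, which is why this example writes files by hand to make the check explicit). The `build_archive`, `entry_is_contained`, `safe_extract` and `try_extract` names, and the two sample archives, are constructed for this example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(Exception):
    """Raised when an archive entry would be written outside the destination directory."""


def entry_is_contained(dest_dir: str, entry_name: str) -> bool:
    """Return True only if entry_name, canonicalized relative to dest_dir, stays inside dest_dir.

    Path.resolve() collapses '..' components and replaces the base with an absolute
    entry name, so both '../../etc/passwd' and '/etc/passwd' are caught here.
    """
    dest = Path(dest_dir).resolve()
    target = (dest / entry_name).resolve()
    return target == dest or dest in target.parents


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract a zip held in memory into dest_dir, rejecting the archive if any entry escapes.

    All entries are validated before any file is written, so a malicious archive
    leaves nothing behind. Returns the absolute paths of the files written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        entries = zf.infolist()
        for info in entries:
            if not entry_is_contained(dest_dir, info.filename):
                raise ZipSlipError(f"entry {info.filename!r} escapes {dest_dir!r}")
        for info in entries:
            target = (Path(dest_dir) / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: bytes}; entry names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one ordinary, one carrying a traversal entry.
BENIGN_ARCHIVE = build_archive({"docs/readme.txt": b"hello"})
MALICIOUS_ARCHIVE = build_archive({
    "docs/readme.txt": b"hello",
    "../../outside.txt": b"escaped",   # would land two levels above the destination
})


def try_extract(archive_bytes: bytes) -> tuple:
    """Extract into a fresh temporary directory and report (status, relative paths written)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        try:
            written = safe_extract(archive_bytes, tmp)
        except ZipSlipError:
            return ("rejected", sorted(os.listdir(tmp)))
        return ("extracted", [os.path.relpath(p, root) for p in written])


if __name__ == "__main__":
    print(try_extract(BENIGN_ARCHIVE))      # ('extracted', ['docs/readme.txt'])
    print(try_extract(MALICIOUS_ARCHIVE))   # ('rejected', [])
```

Validating every entry before writing any file matters: an archive that is only checked entry by entry during extraction can still drop benign-looking files before the traversal entry is reached, which complicates cleanup and incident response.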
It’s especially widespread in Java ecosystems because Java doesn’t have a central library that does high-level processing of zip files. “In the absence of such a library, developers share code on platforms like Slack and other social channels,” Podjarny said.
This leads to developers handcrafting and unintentionally sharing vulnerable code.
“This vulnerability, Zip Slip, has been known to be a bad practice for a good many years,” Podjarny said. “What our research has discovered is that the vulnerability has been missed in many thousands of projects including ones from top-tier brands including HP [Hewlett Packard], Amazon, Pivotal, and many others, and thousands of open source projects.”
Snyk last month disclosed the vulnerability to vendors including Oracle, Pivotal, HP, Google, Amazon, LinkedIn, Alibaba, and others — as well as Apache, which houses several open source projects deemed vulnerable. At press time, Oracle, Pivotal, HP, LinkedIn, and Apache, among others, all fixed the vulnerable projects.
GCP, Amazon CodePipeline, and Alibaba Jstorm, however, are not yet fixed, according to Snyk.
The company’s threat researchers didn’t find any vulnerable code snippets or libraries in Ruby and Python ecosystems. A page on the Snyk GitHub repository has an up-to-date list of the latest vulnerability information.
Snyk uses its open source database to continuously monitor enterprise applications’ dependencies and respond to vulnerabilities. The goal is to find any open source security flaws before the applications deploy. But when that doesn’t happen, Snyk can also upgrade or patch vulnerabilities.
The company processes hundreds or even thousands of vulnerability disclosures every quarter, Podjarny said. “This is a far larger vulnerability disclosure than we typically do,” he said. “This is a very large-scale vulnerability.”
Open Source Ubiquity, Security Risk
The latest warning comes about a year after the Equifax data breach, which also exploited an open source framework library.
And it should teach security professionals, developers, and enterprises two lessons, Podjarny said. The first is about the importance of basic security hygiene and the need for automation.
“Security best practices, even ones that are well-known like not allowing these types of files, require better enforcement,” Podjarny said. “We need the world to invest in better automation, better ways of finding vulnerabilities within your code so you would not repeat mistakes that are known and reasonably easily caught.”
Another lesson is about the prevalence of shared open source libraries — and the potential security risks.
“Open source projects are used massively,” Podjarny said. “That implies that many parts of the world benefit from their goodness and are also susceptible to their risk. History shows typically it takes open source consumers a long time to clue in to the fact that a vulnerability like this has been disclosed and either download a fixed version or otherwise protect themselves.”