AOH :: ISNQ5120.HTM

Five Most Overlooked Open Source Vulnerabilities Found By Audits




Five Most Overlooked Open Source Vulnerabilities Found By Audits
Five Most Overlooked Open Source Vulnerabilities Found By Audits



http://www.informationweek.com/news/showArticle.jhtml?articleID 5916637 

By Charles Babcock
InformationWeek
January 22, 2008

After reviewing 300 million lines of code in 2007, Palamida, a 
vulnerability audit and software risk management company, says it's 
identified the five vulnerabilities most frequently overlooked by users 
in their open source code.

The five are listed in alphabetical order. Palamida did not attempt to 
assign a frequency ranking to the five, CEO Mark Tolliver said. Also, 
the Palamida list reflects known vulnerabilities that have been aired 
and fixed by their parent projects but are still encountered in the user 
base, such as businesses and government agencies. The projects named are 
not frequent offenders when it comes to security vulnerabilities, but 
their code is so widely used that unpatched vulnerabilities show up in 
Palamida's enterprise and nonprofit agency software scans. In all cases, 
a patch is available to fix the vulnerability.

Open source code is "not any more vulnerable than commercial software" 
and in some cases, less so, said Tolliver. Open source projects tend to 
acknowledge their vulnerabilities and fix them promptly, he added.

The company conducts audits on enterprise software, spotting uses of 
open source and identifying origins of code. It both sells products to 
conduct audits and offers audit services and risk management consulting.

Palamida's list of five frequently overlooked vulnerabilities is as 
follows:


* Geronimo 2.0, the application server from the Apache Software 
  Foundation, contains a vulnerability in its login module that allows 
  remote attackers to bypass authentication requirements, deploy a 
  substitute malware code module, and gain administrative access to the 
  application server. The access is gained by "sending a blank user name 
  and password with the command line deployer in [Geronimo's] deployment 
  module," the Palamida report said. A blank user name and password 
  should trigger a "FailedLoginException" response in Geronimo 2.0 but 
  doesn't.

A patch for the vulnerability exists at 
https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.

Geronimo competes with Red Hat's JBoss and other open source application 
servers.


* The JBoss Application Server has a "directory traversal vulnerability 
  in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5. 
  It allows remote authenticated users to read or modify arbitrary files 
  and possibly execute arbitrary code," the Dec. 7 report concluded.

A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126. 


* The third frequently encountered vulnerability on the list is the 
  LibTiff open source library for reading and writing Tagged Image File 
  Format, or TIFF, files. The LibTiff library before release 3.8.2 
  contains command-line tools for manipulating TIFF images on Linux and 
  Unix systems and is found in several Linux distributions.

Using the LibTiff library in a version before 3.8.2 allows 
"context-dependent attackers to pass numeric range checks and possibly 
execute code via large offset values in a TIFF directory," the Palamida 
report states. The large values may lead to an integer overflow or other 
unanticipated result and constitutes an "unchecked arithmetic 
operation," the report said.

A patch is available at 
http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz. 


* The fourth vulnerability on the list is found in Net-SNMP, or the 
  programs that deploy the SNMP protocol. It's found in version 1.0, 
  version 2c and version 3.0. When certain versions of Net-SNMP are 
  running in master agentx mode, the software allows "remote attackers 
  to cause a denial of service (crash) by causing a particular TCP 
  disconnect, which triggers a freeing of an incorrect variable," the 
  report said.

A patch is available at 
http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1. 


* The fifth overlooked vulnerability is found in Zlib, a software 
  library used for data compression. Zlib 1.2 and later versions allow a 
  remote attacker to cause a denial-of-service attack. The attack 
  designs a compressed stream with an incomplete code description of a 
  length greater than 1, causing a buffer overflow.

The patch consists of upgrading zlib to version 1.2.3 at 
www.zlib.net/zlib-1.2.3.tar.gz. 

The fact that the vulnerabilities exist doesn't mean that anyone should 
stop using open source code. But users should adopt vulnerability 
patches or update to the latest, stable version of the code, said 
Theresa Bui, VP of marketing at Palamida. A complete description of the 
five vulnerabilities, along with their Common Vulnerability and Exposure 
number, can be found at Palamida's Dec. 7 Web site listing. The CVE is a 
project of the Mitre Corp. that gives vulnerabilities a shared 
definition and reference number across security vendors.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 

Site design & layout copyright © 1986-2014 CodeGods