
Unpatched Python vulnerability affects over 350,000 projects

Published on Sep 26, 2022

A Python module that has remained unpatched for 15 years has a security flaw that may expose 350,000 open source projects to exploitation.

The affected open source repositories span software development, artificial intelligence/machine learning, web development, media, security, and IT management.

Tracked as CVE-2007-4559 (CVSS score: 6.8), the vulnerability in the tarfile module is an arbitrary file write that could lead to code execution.

According to Trellix security researcher Kasimir Schulz, the vulnerability can be exploited by adding the ‘..’ sequence to filenames in a TAR archive to overwrite arbitrary files.

A specially crafted tar archive can be leveraged to overwrite arbitrary files on a target machine simply by opening it.

A threat actor can exploit the weakness by uploading a malicious tarfile and escaping the directory where the file is intended to be extracted, allowing the adversary to obtain control of the target device.

The Python documentation for tarfile warns against extracting archives from untrusted sources, noting that files may be created outside of the target path, for example members with absolute filenames starting with ‘/’ or filenames containing two dots ‘..’.

Additionally, the vulnerability is similar to a recently disclosed security flaw in RARlab’s UnRAR utility (CVE-2022-30333).

Trellix has released a custom utility called Creosote to scan for projects vulnerable to CVE-2007-4559, which was used to discover the vulnerability in the Spyder Python IDE and Polemarch.

“Unchecked, this vulnerability has unintentionally been added to hundreds of thousands of open- and closed-source projects worldwide, creating a substantial software supply chain attack surface,” Douglas McKee explained.
