- Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
- Trellix Advanced Research Center published its research into CVE-2007-4559, estimated to be present in over 350,000 open-source projects.
- The vulnerability can be exploited by uploading a malicious file generated with two or three lines of simple code.
Cybersecurity company Trellix announced the launch of the Trellix Advanced Research Center. Hundreds of security analysts and researchers in the center focus on producing actionable real-time intelligence and threat indicators so that it can help customers defend against the latest cybersecurity threats. Alongside the launch, the Trellix Advanced Research Center also published its research into a bug estimated to be present in approximately 350,000 open-source projects and prevalent in closed-source projects as well.
Python’s tarfile module
Trellix Advanced Research Center noticed the vulnerability while investigating an unrelated one. At first sight the team thought it had found a new zero-day, but it turned out to be a 15-year-old Python vulnerability, tracked as CVE-2007-4559.
The bug lies in the Python tarfile module, a standard module available to any Python project, and it can be found in frameworks created by Netflix, AWS, Intel, Facebook, and Google, and in applications used for machine learning, automation, and Docker containerization. A tarfile, which the module is used to unarchive, is a collection of files and metadata. The metadata includes the file name, the file's size and checksum, and information about the file's owner at the time it was archived.
Once exploited by uploading a malicious file generated with two or three lines of simple code, the vulnerability gives attackers arbitrary code execution or control of a target device. To exploit it, an attacker adds “..” together with the operating system's path separator to a file name, so that the file escapes the directory it is supposed to be extracted into. Christiaan Beek, Head of Adversarial & Vulnerability Research at Trellix, said:
“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident, however building on top of weak code-foundations can have an equally severe impact. This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”