Open-source vulnerabilities likely lurking in your network

Businesses at high risk as cyber criminals take advantage of software flaws


Remember Heartbleed and Shellshock, the two massive security flaws discovered in open-source internet protocols back in 2014?

Don’t look now, but the discovery of similar vulnerabilities—in just as critical open-source systems—has continued. What’s more, cyber criminals are increasingly moving to take advantage. And organizations, particularly small- and medium-size businesses, appear to be underestimating this new exposure.

Amit Sethi, Cigital senior principal consultant

“We will continue to see many high-risk vulnerabilities in open-source software in the next couple of years,” predicts Amit Sethi, senior principal consultant at application security vendor Cigital. “The problem is that unless a piece of software was built with security in mind from the beginning, simply finding and fixing a few bugs will not make it secure.”

Related podcast: Dormant SSH keys leave companies open to intrusion

Some context may be helpful. Many of the software innovations that allow computer systems to connect at the mind-boggling speed and scale we experience today are open source. These pivotal breakthroughs were discovered and developed—and continue to be maintained—on a shoestring budget by collegial volunteers.

Heart of the problem

Open-source coding is license free. Because there is no cost for it, open-source protocols played a fundamental role in the rapid development of the infrastructure of the internet. And open-source software continues to be widely deployed and depended upon today. It’s safe to say that digital commerce wouldn’t be where it is without the open-source coding community.

This means enterprises and SMBs alike don’t have to look too far to find open-source coding deeply embedded in their networks. Yet even in the tumultuous aftermath of Heartbleed and Shellshock, measures for monitoring and securing open-source systems have not kept pace.

In a survey of 1,300 IT executives by Black Duck Software, some 90 percent of the respondents said their organizations relied on open source for a variety of reasons, including improved efficiency, interoperability, innovation and freedom from vendor lock-in.

Lax security oversight

However, nearly half said they had no formal process for selecting or approving the use of such software in their organizations, while about the same number expressed their inability to track such use. Nearly one-third had no processes for identifying and mitigating known vulnerabilities in open-source code being used in their organizations, the Black Duck survey found.

The issue is an important one to address. Security vulnerabilities are a given in almost any software product. This may be even more true with open-source software.

Open-source developers don’t have much time or motivation to follow secure software development practices, such as defining abuse cases, creating threat models, performing static analysis, creating test plans, and conducting manual code reviews.

Additionally, open-source coding is, by definition, wide open for anybody to analyze. Post Heartbleed and Shellshock, it seems like cyber criminals are taking the greatest advantage. It has become commonplace for programmers with malicious intent to expend full energy seeking out—and exploiting—open-source vulnerabilities.

SMBs especially at risk

Unaddressed open-source security issues present a huge and growing danger for businesses, especially SMBs that often do not have the resources to do basic security due diligence. A flaw discovered in open-source JBoss application servers is a prominent reminder. JBoss servers are widely used to deploy Java EE applications, the software that enables interactive web pages.

Though Linux software vendor Red Hat issued a patch for the JBoss vulnerability about five years ago, a failure by many organizations to implement the patch resulted in more than 3.2 million JBoss servers being left exposed.

Vitali Kremez, Flashpoint senior analyst

JBoss servers often are used in health care institutions, says Vitali Kremez, senior analyst at security intelligence vendor Flashpoint. Criminal rings have begun actively seeking out and attacking JBoss servers to carry out ransomware campaigns using the “SamSam” family of malware, he says.

What’s more, once an attacker establishes a foothold on a JBoss server, he or she can easily leverage common administrator tools to steal credentials, conduct reconnaissance, and move laterally through the breached network, Kremez says.

“The attacker gains operational maneuverability,” Kremez says. “Prior to deploying the ransomware, the attacker is able to identify and exfiltrate databases and intellectual property. He can then use the stolen data to further extort the victim into paying the ransom, or sell it for additional income, or both.”

In the open-source realm, there are no formal programs available, such as Windows Auto Update, for automatically installing security patches on vulnerable software. The burden rests with the company to monitor and mitigate vulnerability disclosures, including ensuring security patches are installed in a timely manner.

And businesses only exacerbate the problem when they deploy open-source products and code without properly vetting them for security issues. Nearly 50 percent of the code base at some organizations, according to Black Duck, consists of open-source components.

Proponents of open source have long touted the security benefits of having many eyes look at and inspect the code. They argue that it is easier to find and fix bugs when more people have access to the source code of a product.

Conversely, when a flaw is fixed in open-source software, attackers, too, can inspect the code and see what was changed so they can figure out what the vulnerability was, for free, Sethi says.

“Unless everybody patches their systems immediately, the unpatched systems can be targeted,” he says. “This is a problem with closed-source software as well, but the problem is worse with open-source software due to the source code being readily available.”

Over the next few years, expect to see many more such high-risk vulnerabilities in open-source software, Sethi says.

Jaikumar Vijayan contributed to this report.
