Open-source vulnerabilities likely lurking in your network
Businesses at high risk as cyber criminals take advantage of software flaws
By Byron Acohido, ThirdCertainty
Remember Heartbleed and Shellshock, the two massive security flaws discovered in open-source internet protocols back in 2014?
Don’t look now, but the discovery of similar vulnerabilities—in just as critical open-source systems—has continued. What’s more, cyber criminals are increasingly moving to take advantage. And organizations, particularly small- and medium-size businesses, appear to be underestimating this new exposure.
“We will continue to see many high-risk vulnerabilities in open-source software in the next couple of years,” predicts Amit Sethi, senior principal consultant at application security vendor Cigital. “The problem is that unless a piece of software was built with security in mind from the beginning, simply finding and fixing a few bugs will not make it secure.”
Some context may be helpful. Many of the software innovations that allow computer systems to connect at the mind-boggling speed and scale we experience today are open source. These pivotal breakthroughs were discovered and developed—and continue to be maintained—on a shoestring budget by collegial volunteers.
Heart of the problem
Open-source code carries no license fee. Because there is no cost for it, open-source protocols played a fundamental role in the rapid development of the infrastructure of the internet. And open-source software continues to be widely deployed and depended upon today. It’s safe to say that digital commerce wouldn’t be where it is without the open-source coding community.
This means enterprises and SMBs alike don’t have to look far to find open-source code deeply embedded in their networks. Yet even in the tumultuous aftermath of Heartbleed and Shellshock, measures for monitoring and securing open-source systems have not kept pace.
In a survey of 1,300 IT executives by Black Duck Software, some 90 percent of the respondents said their organizations relied on open source for a variety of reasons, including improved efficiency, interoperability, innovation and freedom from vendor lock-in.
Lax security oversight
However, nearly half said they had no formal process for selecting or approving the use of such software in their organizations, while about the same number expressed their inability to track such use. Nearly one-third had no processes for identifying and mitigating known vulnerabilities in open-source code being used in their organizations, the Black Duck survey found.
The issue is an important one to address. Security vulnerabilities are a given in almost any software product. This may be even more true with open-source software.
Open-source developers don’t have much time or motivation to follow secure software development practices, such as defining abuse cases, creating threat models, performing static analysis, creating test plans, and conducting manual code reviews.
Additionally, open-source code is, by definition, wide open for anybody to analyze. Post Heartbleed and Shellshock, cyber criminals appear to be the ones taking the greatest advantage. It has become commonplace for programmers with malicious intent to devote their full energy to seeking out—and exploiting—open-source vulnerabilities.
SMBs especially at risk
Unaddressed open-source security issues present a huge and growing danger for businesses, especially SMBs that often do not have the resources to do basic security due diligence. A flaw discovered in open-source JBoss application servers is a prominent reminder. JBoss servers are widely used to deploy Java EE applications, the software that enables interactive web pages.
Though Linux software vendor Red Hat issued a patch for the JBoss vulnerability about five years ago, a failure by many organizations to implement the patch resulted in more than 3.2 million JBoss servers being left exposed.
JBoss servers often are used in health care institutions, says Vitali Kremez, senior analyst at security intelligence vendor Flashpoint. Criminal rings have begun actively seeking out and attacking JBoss servers to carry out ransomware campaigns using the “SamSam” family of malware, he says.
What’s more, once an attacker establishes a foothold on a JBoss server, he or she can easily leverage common administrator tools to steal credentials, conduct reconnaissance, and move laterally through the breached network, Kremez says.
“The attacker gains operational maneuverability,” Kremez says. “Prior to deploying the ransomware, the attacker is able to identify and exfiltrate databases and intellectual property. He can then use the stolen data to further extort the victim into paying the ransom, or sell it for additional income, or both.”
In the open-source realm, there are no formal programs available, such as Windows Auto Update, for automatically installing security patches on vulnerable software. The burden rests with the company to monitor and mitigate vulnerability disclosures, including ensuring security patches are installed in a timely manner.
And businesses only exacerbate the problem when they deploy open-source products and code without properly vetting them for security issues. Nearly 50 percent of the code base at some organizations, according to Black Duck, consists of open-source components.
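One way to perform the monitoring the article says falls to the company, as an added example that is not part of the original article: a short Python script that compares a constructed component inventory against constructed advisories (placeholder ids such as EXAMPLE-0001, not real CVEs; all versions are made-up sample values) and flags every installed version that is below the advisory's fixed version, handling the letter-suffixed and unequal-length version forms that trip up naive string comparison.

```python
"""Flag open-source components whose installed version is below the fixed
version named in an advisory. Added illustration: inventory, versions and
advisory ids below are constructed sample data, not real products or CVEs."""
import re
from dataclasses import dataclass

_PART = re.compile(r"(\d*)([A-Za-z]*)")  # "1g" -> number 1, suffix "g"


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str     # placeholder id, not a real CVE
    fixed_in: str        # first fixed version; every lower version is affected


def parse_version(v: str) -> tuple:
    """Turn '4.10.2' into ((4,''),(10,''),(2,'')) so comparison is numeric.
    A plain string compare would wrongly rank '4.9' above '4.10'."""
    out = []
    for part in v.split("."):
        num, suffix = _PART.match(part).groups()
        out.append((int(num) if num else 0, suffix))
    return tuple(out)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in; shorter tuples are zero-padded so 4.2 == 4.2.0."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += ((0, ""),) * (n - len(a))
    b += ((0, ""),) * (n - len(b))
    return a < b


def find_unpatched(inventory: dict, advisories: list) -> list:
    """Return sorted (host, component, installed, advisory_id) for every match."""
    hits = []
    for host, components in inventory.items():
        for comp, ver in components.items():
            for adv in advisories:
                if adv.component == comp and is_affected(ver, adv.fixed_in):
                    hits.append((host, comp, ver, adv.advisory_id))
    return sorted(hits)


# constructed sample inventory: host -> component -> installed version
INVENTORY = {
    "app-01": {"jboss-as": "4.2.3", "openssl": "1.0.1g"},
    "app-02": {"jboss-as": "7.1.1", "openssl": "1.0.1f"},
    "web-01": {"openssl": "1.0.2", "bash": "4.3"},
}
# constructed advisories with placeholder ids (not real identifiers)
ADVISORIES = [Advisory("jboss-as", "EXAMPLE-0001", "5.0.0"),
              Advisory("openssl", "EXAMPLE-0002", "1.0.1g")]

if __name__ == "__main__":
    for hit in find_unpatched(INVENTORY, ADVISORIES):
        print("UNPATCHED host=%s component=%s installed=%s advisory=%s" % hit)
```

In practice the inventory would come from a package manager or software composition analysis tool and the advisories from a vulnerability feed; the matching logic stays the same.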
Proponents of open source have long touted the security benefits of having many eyes look at and inspect the code. They argue that it is easier to find and fix bugs when more people have access to the source code of a product.
Conversely, when a flaw is fixed in open-source software, attackers, too, can inspect the code and see what was changed so they can figure out what the vulnerability was, for free, Sethi says.
“Unless everybody patches their systems immediately, the unpatched systems can be targeted,” he says. “This is a problem with closed-source software as well, but the problem is worse with open-source software due to the source code being readily available.”
Over the next few years, expect to see many more such high-risk vulnerabilities in open-source software, Sethi says.
Jaikumar Vijayan contributed to this report.