By Byron V. Acohido
Arguably the biggest security blind spot in just about every business network is something too few security executives are aware of, much less focusing on: open source software vulnerabilities.
This truism first rose to the fore in 2014 with the flurry of malicious activity following the discovery of gaping defects in three innocuous open-source protocals: Heartbleed, Shellshock and POODLE.
And today, a long know vulnerability in open-source JBoss application servers is being leveraged by criminal gangs to scale up highly invasive ransomware attacks against business networks, according to intelligence recently shared by Cisco.
These are telltale signs. More open-source-based attacks are coming. Organizations need to recognize this rising exposure, and manage open-source defects as assidiuosuly as they do vulnerabilities in their paid-for commercial software systems, security experts say.
“More and more companies are embracing open source technologies for mission-critical operations, thanks to its ability to lower costs and accelerate innovation” observes Alexandra Gheorghe, security specialist at antimalware vendor BitDefender. “As open source software development continues to proliferate, the potential risk of cyber attacks increases.”
Root of the problem
The root of the problem derives from the very nature of open-source software, which is steeped in a spirit of pioneering altruism. Independent coders create open-source programs for the sake of writing good code. They then make it available for anyone to use and extend, license free.
It is not uncommon for just a handful of volunteers working part-time to maintain an open source software package. Best coding practices, such as threat modeling, static analysis, manual code reviews and security testing, are bypassed. Down the line, patch management is rudimentary. No vendor or government agency assumes responsibility for systematically identifying and mitigating open source vulnerabilities. This circumstance is compounded by the wide practice of reusing critical libraries, originally developed by understaffed groups that do not have the necessary resources to properly maintain the codebase, Gheorghe points out.
To be sure, gaping vulnerabilities are not the exclusive domain of open source systems –licensed proprietary software has them too. “However, open source software is often developed with very limited resources,” and with little by way of secure software development lifecycle practices, says Amit Sethi, senior principal consultant at application security vendor Cigital.
If that sounds like a recipe for an attack surface riddled with criminal opportunity, it is. For understandable reasons, open-source protocals came to be used deep within the infrastructure of business networks and the Internet. In fact, if it wasn’t for open-source coding, corporate networks and digital commerce would never have evolved as quickly as it did, mushrooming in complexities and capabilities.
Underestimated exposure
But now, the other shoe falls. Open source software vulnerabilities have come to present an increasingly serious security and privacy risk to companies of all sizes – one that for the moment is starkly underestimated.
A survey of 1,300 IT executives by Black Duck Software earlier this year had 90 percent of the respondents saying their organizations relied on open source for a variety of reasons including improved efficiency, interoperability, innovation and freedom from vendor lock-in.
However, nearly half said they had no formal process for selecting or approving the use of such software in their organizations while about the same number expressed their inability to track such use. Nearly one-third had no processes for identifying and mitigating known vulnerabilities in open source code being used in their organizations, the Black Duck survey found.
Importantly, in the open source realm, there are few formal programs available like Windows Auto Update for automatically installing security patches on vulnerable software. So it falls upon the enterprise entirely to keep track of vulnerability disclosures impacting their open source portfolio and for ensuring deployment of patches in a timely manner.
Businesses only exacerbate the problem when they deploy open source products and code without properly vetting it for security issues on the mistaken notion that it is already secure. Nearly 50 percent of the code base at some organizations, according to Black Duck, is already comprised of open source components.
A long standing joke in the developer community is that if StackOverflow, the über popular Q&A website site for programmers, went down for a day thousands of programmers would find themselves in the unemployment line.
“The abundance of public code, often written by programmers just as inexperienced as the original client, leads to potentially unsafe code resting in thousands of different applications,” says BitDefender’s Gheorghe.
Forgotten lessons
Given their frustrations keeping bad guys from breaching their licensed business applications, many security executives appear to have forgotten the open-source lessons of 2014.
You may recall how, in 2014, Heartbleed exposed the OpenSSL protocols widely used by website shopping carts; Shellshock enabled a hacker to take control of the module used to type text-based commands on Linux , Unix and Mac servers; and POODLE opened a path to highjack accounts from visitors using secured banking and shopping webpages.
More recently, a large-scale vulnerability was discovered in Linux 3.6, which has been around since 2012 and was used to introduce Android 4.4 KitKat. This is the version of Linux used in all versions of Android after KitKat, including the current version, Android Nougat. This makes some 80 percent of Android users, or around 1.4 billion individuals, open to being hacked.
That Android vulnerability highlights how Web apps present an acute open-source pain point. BitDefender analysts routinely observe spam, data theft and ransomware campaigns stemming from minimally secured Web app content management systems.
Gheorghe
“Despite known risks and safety recommendations, many organizations still fail to update add-ons and plugins, thus, exposing their networks and users,” says Gheorghe. “This failure partially happens because some highly popular open-source plugins or themes are discontinued and vulnerabilities discovered after the project’s termination are left unpatched forever.”
JBoss vulnerability
And now comes some similarly chillingly intel from Cisco regarding JBoss. It turns out that several versions of JBoss application servers contain a vulnerability that allows hacker to take control of the server. Though Red Hat issued a patch for the JBoss flaw about five years ago, many organizations failed to implement the patch. The result: more than 3.2 million JBoss servers left open to a nasty ransomware exploit dubbed SamSam.
Cisco researchers found that about 10 percent of all web-connected JBoss servers have been compromised, putting a huge computing resource under criminal control. Cisco found examples of intruders using JexBoss, an open-source tool for testing JBoss application servers, to gain a foothold in organizations’ networks.
Once inside the network, the intruders proceeded to encrypt multiple Microsoft Windows systems using the SamSam ransomware family. “We expect the next wave of ransomware to be even more pervasive and resilient,” Cisco warns in its Mid-Year Cybersecurity report. “Organizations and end users should prepare now by backing up their critical data and confirming that those backups will not be susceptible to compromise.”
Open-source clearly has great value. We wouldn’t be where we are today without it. But to harness the full power of open source, organizations need to focus on:
•Implementing robust security policies that contain clear guidelines about the installation and maintenance of open source software.
•Performing an extensive risk and security analysis of any open source considered for an enterprise use.
•Download software only from trusted sites.
•Using vulnerability scanners to scan the network for vulnerabilities.
Over the next few years, expect to see many more high-risk vulnerabilities in open source software. It is imperative for organizations of all sizes to view open source vulnerabilities as an exposure on par with vulnerabilities in their licensed software.
(Editor’s note: Last Watchdog has supplied consulting services to BitDefender.)
