Whether November brought you chilly weather, family gatherings over copious amounts of food, or both, there’s no denying editors of tech publications had their hands full with the now notorious event-stream vulnerability. A cryptocurrency security flaw - who knew? Said no-one over the past few years.
While it’s not the classic open source security vulnerability for reasons which become apparent in our write up, it’s in our database so that users can make sure they are in the clear.
So, here it is folks, our hardworking research team’s list of top 5 open source security vulnerabilities in November. The team reviewed all the new issues added to WhiteSource’s database, which are aggregated continuously from multiple sources including the National Vulnerability Database (NVD), and additional publicly available, peer-reviewed security advisories and issue trackers.
We think it’s a good read and hope you make sure to check for them in your software projects.
Vulnerability Score: Critical — 10.0
Affected versions: npm packages of event-stream version 3.3.6; and flatmap-stream versions 0.1.1 and 0.1.2
This is surely the headline grabber of the month, though not a classic open source vulnerability, but rather malware distributed on top of an open source package.
The vulnerability resides in versions of the event-stream npm package, but the malicious code specifically targeted Copay, a Bitcoin wallet platform for desktop and mobile devices, and an open source project itself.
This is where the story gets complicated: the original author and owner of the event-stream module gave the ownership to a user named "right9ctrl", who offered to take over maintenance of the open source project which the original owner had abandoned. Right9ctrl turned out to have a malicious agenda and apparently inserted a flatmap-stream module into the dependencies of event-stream (version 3.3.6).
The hacker then inserted "flatmap-stream" into the minified version of "index.js", an additional library in the npm package that is not in the GitHub repository, which is not maintained at all.
Flatmap-stream contained malicious code that specifically targets Copay’s source code, allowing hackers to steal their users’ sensitive wallet information and Bitcoin.
Copay issued a security statement announcing that they released an updated and secure version, and the flatmap-stream package has been removed from npm, as well as the vulnerable version of event-stream.
While there is some debate as to whether or not the event-stream affair should be considered a vulnerability, WhiteSource has added it to our database with a “WS” prefix as it is not referenced in the NVD.
#2 SMT in Processors
Vulnerability Score: Medium — 6.7
Affected versions: OpenS 1.1.0h and prior, Ubuntu 18.04
*in general, all software that has secret dependent control flow at any granularity is vulnerable.
Introducing the PortSmash vulnerability, a timing side-channel flaw on processors that implement SMT/Hyper-Threading architectures. The vulnerability can result in the exposure of sensitive data in applications like OpenSSL that have secret dependent control flow at any granularity level. Hackers running a malicious process on the same core of the processor as their victim’s process could exploit the issue to extract privileged information.
The research team that discovered the vulnerability shared their proof of concept, and reported that they were able to “steal an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server using this new side-channel vector.” According to their report, “It is a local attack in the sense that the malicious process must be running on the same physical core as the victim...But in general, any application which branches on a secret value may be affected.”
Vulnerability Score: High — 8
Affected versions: before versions 11.1, 10.6
Multiple SQL injection vulnerabilities were discovered in PostgreSQL, the popular open source database system which is prone to multiple SQL-injection vulnerabilities. This is because vulnerable versions don’t sanitize user-supplied data properly before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
A remote authenticated user can gain elevated privileges on the target system when using a purpose-crafted trigger definition.
PostgreSQL, lovingly referred to as Postgres, is an object-relational database system that boasts a strong reputation for reliability, feature robustness, and performance, thanks to being backed by over 30 years of active development.
#4 Linux Kernel
Vulnerability Score: Medium — 5.5
Affected versions: 4.15.x through 4.19.x before 4.19.2
Another month, another disclosed Linux Kernel security vulnerability from the hard working Linux community.
A local privilege-escalation vulnerability was discovered in vulnerable versions of the Linux Kernel, which could be exploited to gain elevated privileges. The vulnerability is a result of how map_write() in kernel/user_namespace.c mishandles nested user namespaces with over 5UID or GID ranges. Attackers could exploit this vulnerability to override security controls.
Vulnerability Score: Low — 3.5 low
Affected versions: before version 4.17.11
A prototype pollution vulnerability was discovered in a few of the functions in the Lodash node module. The vulnerable functions are merge, mergeWith, and defaultsDeep, and they can be tricked into adding or modifying properties of the Object prototype.
Developers use Lodash’s modular methods for iterating arrays, objects, and strings; manipulating and testing values and creating composite functions.
You might have noticed that this open source vulnerability ID begins with a WS and not the more common CVE. This is because the Lodash vulnerability is yet to be added to the NVD. While the NVD is a popular and well-respected database for security vulnerabilities, open source vulnerabilities that are discovered and remediated by the open source community can be found on other public platforms. This was the case with the Lodash vulnerability, and it was added to the WhiteSource database before it received a CVE index or was added to the NVD.
You can read more about the vulnerability, and its fix on GitHub.
Leave Your Open Source Security Vulnerabilities Behind
November’s list of top 5 open source security vulnerabilities has something for everyone. From processors, OpenSSL and the Linux Kernel, to bitcoin wallets and database systems, the list shows how prevalent and deeply rooted open source components are in nearly every software project that we use.
The list also shows that open source security vulnerabilities can pop up anywhere, no matter how long the component has been around, how active the community, or how popular the component. The number of published open source security vulnerabilities has risen dramatically over the past two years, and the open source community is as committed as ever to finding and remediating vulnerabilities. The event-stream incident and community discussions that arose around it also show that the open source community is willing and able to work to remove any possible security blind spots that might arise in the evolving ecosystem.
When it comes to open source users, it’s up to us to make sure that we’re on top of our open source security management as part of a complete DevSecOps cycle. Considering the number of open source security vulnerabilities discovered in new and old versions of popular open source components, a continuous automated process of tracking open source usage throughout the software development lifecycle is essential. By continuously monitoring our components, we are able to address issues as soon they arise, rather than dealing with the messiness of delayed production due to open source vulnerabilities discovered too late in the game.
Want to catch up on earlier 2018 open source vulnerabilities? Check out our top open source vulnerabilities page.