Are you using an opensource library? There's a good chance you are vulnerable... by Bruno Bossola
Download as ODP, PDF0 likes73 views
#Codemotion Rome 2018 - Do you remember Equifax? How did someone manage to steal the data of almost 200 million users? Well, Equifax simply fell victim to a vulnerability on a framework, Struts, which older developers like me remember well. But you folks, who now use cooler things like Guava or Jackson, do you feel safe? Unfortunately, you are not. After a clear introduction to the problem, with a couple of other illustrious examples, we will perform a couple of exploits together, live, and then take a look at possible prevention strategies. This talk will open your eyes to a problem you did not know you had.
More Related Content
What's hot (20)
Similar to Are you using an opensource library? There's a good chance you are vulnerable... by Bruno Bossola (20)
More from Codemotion (20)
Recently uploaded (20)
Are you using an opensource library? There's a good chance you are vulnerable... by Bruno Bossola
- 1. Are you using an open source library? Bruno Bossola ROME - APRIL 13/14 2018
- 2. `@bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
- 3. `@bbossola Agenda ● Three cases of exploits ● Why do we use opensource libraries? ● What is a vulnerability? ● Sample exploit of CVE-2017-7525 ● Preventive measures ● Common delusions ● Conclusions ● QA
- 4. `@bbossola 11/2016 - San Francisco MTA CVE-2015-4852
- 5. `@bbossola 03/2017 - Canada Revenue Ag CVE-2017-5638
- 7. `@bbossola Why open source libraries??? ● you want to deliver code fast ● you do not rewrite code that's already available – logging – serialisation for JSON / XML – communication via common protocols – web frameworks – client frameworks ● you need state-of-the-art algorithms – encryption library like Bouncycastle – recommendations library like librec ● Eighty percent of the code in today’s applications come from libraries and frameworks
- 8. `@bbossola How are libraries used? Direct dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
- 9. `@bbossola How are libraries used? Transitive dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
- 10. `@bbossola CVE-2017-17485 A simplified view :) Sample project 1.0 spring-boot 1.4.7 spring-core 4.3.9 snakeyaml 1.17 logback 1.1.11 slf4j 1.7.25 jackson 2.8.8 CVE-2017-5929 CVE-2018-5968 CVE-2017-15095 CVE-2017-7525 Images courtesy of 1001freedownloads.com
- 11. `@bbossola What is a vulnerability? A weakness in a library that will allow an attacker to compromise the underlying system. You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release. Examples: ● vert.x 3.5.1 (latest on 10/04/2018) ● struts 2.5.16 (latest on 10/04/2018) ● spring boot 1.5.9 (released on 09/2017)
- 12. `@bbossola Demo Exploiting CVE-2017-7525: how to remotely execute java code – Starring ● Jackson-Databind ● Your server – Supporting actors ● JSON deserialisation ● Xalan
- 13. `@bbossola Preventive measures ● Integrate a library scan in your CI/CD ● Different options available – big commercial powerhouses ● blackducksoftware – small commercial targeted solutions ● bithound.io (nodejs) ● hakiri.io (ruby) ● meterian.io (java) – opensource options ● dependency-check ● github SHAMELESS PLUG! Images courtesy of freepik.com WARNING!!! SHAMELESS PLUG HERE!
- 14. `@bbossola Preventive measures What a detection system would have said?
- 15. `@bbossola Common delusions Images courtesy of freepik.com “Hello, I am the tech savvy engineering leader!"
- 16. `@bbossola Common delusions - 1 Images courtesy of freepik.com “My code is not using that function, I am perfectly safe"
- 17. `@bbossola Common delusions - 2 Images courtesy of freepik.com “I am shielded by my input validation, I am perfectly safe”
- 18. `@bbossola Common delusions - 3 Images courtesy of freepik.com “I am running a periodic penetration test, I am safe”
- 19. `@bbossola Conclusions ● Every project uses open source libraries ● Exploits for common vulnerabilities in open source libraries are out there ● They are easily exploitable (c'mon, I did one in two hours!!!) ● The only solution that can work is putting in place a prevention mechanism ● DO IT NOW!
- 20. `@bbossola Q&A Public datatabases: https://cve.mitre.org/ https://nvd.nist.gov/ The code used today: https://github.com/bbossola/vulnerability-java-samples OWASP dependency-check: https://www.owasp.org/index.php/OWASP_Dependency_Check Meterian: https://www.meterian.io
Editor's Notes
- #3: Introduce meterian clearly“we help companies to ship software without vulnerabilities” startup, I am a cofounder with Vivian (PM)
- #5: San Francisco Metropolitan Transit Agency 2,112 systems impacted A weekend of free rides Exploit on object serialisation issue in apache commons-collections, sending crafted binary traffic over the T3 protocol Operation Rosebud: a team of 50 Google employees used GitHub to patch the “Apache Commons Collections Deserialization Vulnerability” in thousands of open source projects Note that the attack was in 2016 while the vulnerability was from 2015!
- #6: Canada Revenue Agency Undisclosed impact (or “nothing happened, trust us”) Exploit a vulnerability in the multipart parser in Apache Struts2which allows remote attackers to execute arbitrary commands via a crafted header Zero day vulnerability
- #7: Equifax, one of the three biggest credit rating agencies in the USA 143 millions US citizens impacted 44 millions UK citizens impacted Exploit (again) a vulnerability in the multipart parser in Apache Struts2 almost 3 months after it was public (remember CRA?) announced only in September
- #8: logging (jokes logging and his history, about NIH syndrome) web: spring, jersey, dropwizard js: jquery, bootstrap, angular Bouncycastle: more cipher suites and algorithms, ability to read arcane formats like PEM and ASN.1 librec (more than 70 algorithms)
- #12: spring is #1 on hotframeworks.com / java struts is #5 on hotframeworks.com vert.x is #6 on hotframeworks.com