Open-source software offers many benefits to enterprises and development teams, they are subjected to open source vulnerabilities that pose significant risks to application security. Many development teams, be it traditional or agile, incorporate pre-built, reusable open source software components to accelerate the delivery of the product but most open-source software is not subjected to the same level of scrutiny as software that is custom developed. The Open source software’s source code files are managed by many people, therefore vulnerability relies exactly upon the openness of the open-source software, as the same code is seen by all the users, it is also easily available to the attackers. Thus, once they find a flaw in the code, they can manipulate it to cause harm or retrieve sensitive data from systems. The files may further comprise open source libraries and dependencies that are left unchecked by the developers and causes security issues that could potentially expose an organization to threats such as code modification by the attacker, Denial-of-Service (DoS) attacks, malware injections, data breaches, digital extortion, and identity theft. These security issues make the open-source software vulnerable to attack and thus are termed as open source vulnerabilities.
Total common vulnerabilities and exposures vulnerabilities (CVEs) reached 968 in 2019, up from 421 in 2018, a rise of 130%. CVEs have remained at exponentially high levels into the first three months of 2020 too, suggesting this is a long-term trend. The report also revealed that it takes an average of 54 days for OSS vulnerabilities to be added to the National Vulnerability Database (NVD) following public disclosure. These delays mean organizations are often exposed to serious application security risks for around two months. The lags were observed across all severities of vulnerabilities, including the critical and weaponized ones.
Well-Known Coding Vulnerabilities
SQL injections — Code permits alteration of SQL scripts, allowing attackers to manipulate or compromise information in databases through modifying parameters.
Cross-Site Scripting (XSS) — Compromised web pages enable attackers to inject client-side scripts that will be executed by other users who view the web page. The damage may include extracting cookies, exposing sensitive data, or defacing the existing website.
Insecure Direct Object References (IDOR) — This is an access control vulnerability where the code refers to an object directly by user-supplied input. This can be a name or id that is supplied as a URL parameter. This might expose data unintentionally and give hackers information that is useful for other attacks on the site.
Cross-Site Request Forgery (CSRF) — It occurs when an end-user is forced or tricked into executing unwanted web requests for which they are currently authenticated. An attacker tricks the user into executing the actions of the attacker’s choosing. This can enable cyberthieves to modify or create profiles or user accounts for use in additional attacks.
Security misconfiguration — This vulnerability is often the result of using default configurations. Developers might not even know about these default settings, but it might enable attackers to access the system or retrieve important user information, and even specific data regarding the application. This opens the door for future attacks that compromise those specific technologies.
How to check the vulnerabilities?
Using Tools: There are various vulnerability checking tools available such as SourceClear, BlackDuck, VeraCode, OWASP Dependency Check, and Nexus Repository Pro. These tools find vulnerabilities in the source code of an application and help in determining which type of licenses are used in the open-source software and scans the dependencies in the library for checking vulnerabilities in the software using public vulnerability databases such as the NIST National Vulnerability Database (NVD).
Checking Manually: Manual checking requires the prerequisite knowledge of dependencies used in the open-source software and the open-source vulnerability database. The dependencies include a list of libraries and external references while the database comprises a list of vulnerabilities detected in the dependencies. The database comprises entries of vulnerabilities indexed with corresponding dependencies. The database is publicly available so that the user can check the vulnerabilities in the open-source software and develop a patch of software to protect the system from attack.
Publicly Available Vulnerability Databases
Common Vulnerabilities and Exposures (CVE) - CVE is a database operated by MITRE. It is a dictionary that provides publicly disclosed cybersecurity vulnerabilities and exposures. CVE entries comprise an identification number, a description, and at least one public reference. CVE list does not include any severity rating such as CVSS score.
National Vulnerability Database (NVD) - NVD is a database maintained by the U.S. government. The National Institute of Standards and Technology (NIST) NVD team analyzes the new CVE in the CVE dictionary and assigns severity ratings such as Common Vulnerability Scoring System (CVSS) score as High/Medium/Low to the CVE.
Vulnerability Notes Database - This database is operated by the CERT division of the Carnegie Mellon software engineering institute.
Exploit Database - This database is operated by Offensive security.
Vulnerability Lab - This is an open-source database.
VulDB - this is also an open source vulnerability database with over 140k entries.
All these databases are used to share computer flaws detected in the open source software and/or dependencies.
For example, Apache HTTP server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers. In the year 2019, Denial of Service (DoS) vulnerability (CVE-2019-0190) was detected in the Apache HTTP server software.
Denial of Service (DoS) - It is a type of attack on an online service such as a website that disrupts its normal function and prevents other users from accessing it. This attack can also be launched against networks, machines, or even a single program.
CVE-2019-0190: A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to interaction in changes to the handling of renegotiation attempts.
Following is the list of products that are using open source software, Apache HTTP server and thus are affected by the Denial of Service (DoS) vulnerability CVE-2019-0190.
NIST NVD team maintains a publicly available vulnerability database and search option for all published CVE along with CVSS severity score as High, Medium, or Low.
NIST NVD team after analyzing the Denial of Service (DoS) vulnerability (CVE-2019-0190) in the CVE dictionary assigns the CVSS severity score and then publishes it on the NVD webpage.
Each vulnerability is marked with CVSS severity as High/Medium/Low. The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat.
Thus publicly available NVD and CVE dictionary play an important role in the detection of vulnerabilities and development of security patches against vulnerable attacks.
The effect on the security of an application implementing open source software, or its component is still a major concern in the security community, a large number of prominent experts believe that it has great potential to be more secure. Meanwhile, the open-source vulnerabilities can be found and fixed, businesses must be proactive in discovering security issues before hackers and cybercriminals can exploit them. Paid and open-source tools scanning for open source vulnerabilities provide just such a capability for developers and IT security teams, or the development teams can do this manually. The latter variant is more time and resource-intensive, and is a way of educating developers, so as they make fewer mistakes in their coding practices, check for vulnerabilities, and remediate them at once.
Copperpod provides Technology Due Diligence and Source Code Review services to help attorneys dig deep into computer technology products. Our experts are well versed with Java, Objective-C, C/C++, PHP and most other popular programming languages, as well as expertise on security and cryptography standards such as DES, AES, RSA, OpenPGP, MD5, SHA-1, SHA-2, DSA and WEP to provide clients with unparalleled insights and thorough analysis during IP monetization and litigation.
Rinku advises clients on infringement investigations related to patented encryption techniques, source code review, and software inventions. Rinku has a Bachelor's degree in Computer Science and Engineering.