Open-Source Vulnerabilities — Will They Ever End?
With the barrage of attacks that have plagued open source components over the past decade, will they ever be totally secure?
Open-source software, meaning software built in an open environment, is undeniably popular, and for several good reasons.
Unfortunately, most end users are unaware of the dangers of using open-source software and services, and they tend not to find out until it is too late.
Open-source software is currently used by approximately 96 percent of the most popular applications on the enterprise market. Some of the largest Internet companies use open-source technologies, source code, and/or libraries, which makes development easier for them and third-party vendors, but it can lead to exposure to vulnerabilities that absolutely refuse to die.
The reason for this is fairly simple. The same code that you can see can also be seen by attackers. If they find an exploitable flaw, they can use it to extract sensitive data from compromised systems that have not been updated. In many cases a vulnerability goes undetected for months, as was the case with Equifax in 2017: because of outdated open-source software, Equifax exposed more than 145 million user records to numerous hackers.
With all that said, here are the top open-source vulnerabilities that will not die.
The Longevity of Open-Source Vulnerabilities
The primary issue with open-source software is that vulnerabilities can go undetected for quite some time. And with 96 percent of enterprise applications using some form of open-source code, the impact can be quite large (e.g. Equifax in 2017). But there is a reason open source is so vulnerable: it is generally free and built by numerous contributors.
Larger enterprises such as Google actually pay outsiders to alert them to vulnerabilities. The Google Patch Rewards program is an example of this; it has been operating for years and has surfaced plenty of exploitable bugs.
The Severity of Vulnerabilities In Open Source Software
Of course, any time the word "vulnerability" is mentioned in the tech industry, people get a little nervous. But not every vulnerability is the same: some cause nothing more than a broken homepage, while others can be used to steal all of your sensitive customer data.
In fact, many of the vulnerabilities reported by the mainstream media came down to simple issues such as relying on weak passwords and not updating to the most recent software.
If the companies using these open-source programs had followed basic security practices, they would not have fallen prey to these vulnerabilities in the first place.
The Open-Source Equifax Data Breach
There are circumstances where open-source vulnerabilities pose a legitimate, serious risk. Equifax is perhaps the strongest example of recent memory.
In 2017, Equifax was involved in an open-source exposure that led to a data breach of more than 145 million records in the United States. Millions of Americans had their names, social security numbers, birthdates, and home addresses breached.
The vulnerability was initially attributed to Apache Struts, whose maintainers responded that they believed either an unpatched Equifax server had been attacked or a previously unknown vulnerability had been exploited.
The massive data breach pushed the term “zero-day exploit” into the headlines and sent shivers through the IT security world.
In the end, it was established that CVE-2017-5638 had been identified by US-CERT and patched two months before the data breach. However, since Equifax failed to update its systems, the patch was never applied.
Businesses' Role in Open-Source Vulnerabilities
Ironically, when open-source vulnerabilities make the news it is not always because the software failed, but because organizations failed to apply the patches that would have removed the vulnerabilities. As a result, there are misconceptions about how vulnerable open-source software really is.
Often, organizations fail to resolve vulnerabilities in a reasonable timeframe because:
- There is not a clear update protocol in place for patches and updates to be installed.
- The company does not know which open-source components are actually in use in its software.
For example, had Equifax had better internal communication and simply updated its systems, it would have prevented the leak of millions of records.
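Both failure modes above (no patch protocol, no knowledge of which components are in use) come down to one missing control: a component inventory that is checked against published advisories, with a clock on how long each fix has been public. The following is an added example, not code from the article or from any vendor tool; the component inventory, the advisory table, the fix versions and the dates are constructed placeholders, and only the two CVE ids are taken from the article.

```python
"""Inventory the open-source components a service ships and flag those
running a version older than the fix for a published vulnerability.

Added example; not code from the DZone article or from any vendor tool.
The component inventory, the advisory table, the fix versions and the
dates are constructed placeholders, not real advisory data. The CVE ids
are the two named in the article.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text):
    """'2.3.31' -> (2, 3, 31): compare numerically so '2.10' sorts after '2.9'.
    Non-digit suffixes (e.g. '1.0.1g') are dropped; a real feed needs a
    parser for the component's own version scheme."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str         # identifier as published
    component: str   # affected package name
    fixed_in: str    # first version containing the patch (PLACEHOLDER values below)
    published: date  # date the advisory and fix went public (PLACEHOLDER values below)


# Constructed advisory feed: fix versions and dates are placeholders.
ADVISORIES = [
    Advisory("CVE-2017-5638", "struts2-core", "2.3.99", date(2017, 3, 7)),
    Advisory("CVE-2014-0160", "openssl", "1.0.9", date(2014, 4, 7)),
]

# Constructed inventory of one service: "<component> <version>" per line.
INVENTORY = """\
# components bundled with the service (constructed sample)
struts2-core 2.3.31
openssl 1.0.1
example-json-lib 4.2.0
"""

SCAN_DATE = date(2017, 5, 10)  # constructed date on which the check is run


def parse_inventory(text):
    """Build {component: version} from the inventory text."""
    components = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed inventory line: {raw!r}")
        components[fields[0]] = fields[1]
    return components


def find_exposures(components, advisories, today):
    """Return (cve, component, running, fixed_in, days_since_fix) for every
    component whose running version is older than the advisory's fix."""
    exposures = []
    for adv in advisories:
        running = components.get(adv.component)
        if running is None:
            continue  # component not in use, so the advisory does not apply
        if parse_version(running) < parse_version(adv.fixed_in):
            exposures.append((adv.cve, adv.component, running, adv.fixed_in,
                              (today - adv.published).days))
    return exposures


def overdue(exposures, sla_days):
    """Exposures whose fix has been public for longer than the patch SLA."""
    return [e for e in exposures if e[4] > sla_days]


if __name__ == "__main__":
    comps = parse_inventory(INVENTORY)
    found = find_exposures(comps, ADVISORIES, SCAN_DATE)
    for cve, name, running, fixed, lag in found:
        print(f"{cve}: {name} {running} < {fixed}, fix public for {lag} days")
    print(f"{len(overdue(found, 14))} exposure(s) past the 14-day SLA")
```

The point of the `days_since_fix` column is the one the Equifax story turns on: the check is not only "is a vulnerable version in use" but "how long has a fix been available that we have not applied", which is what an update protocol has to put a deadline on.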
Preparing Your Company for Open-Source Threats
Did you know that in the United States, businesses with fewer than 20 employees account for nearly 86% of all cybersecurity risk within organizations? While it is great to see small businesses doing well in the United States, such a limited head count does not bode well for open-source security.
Small businesses are the least prepared to deal with attackers because they simply do not have the budget and/or infrastructure. How many of those employees are dedicated to security? Probably not many, if any. Yet how many of those businesses operate online?
The HeartBleed Open-Source Vulnerability
Heartbleed, CVE-2014-0160, is another prime example of an open-source vulnerability that will not go away. The very dangerous security hole was discovered in OpenSSL 1.0.1 back in 2014.
At the time, OpenSSL 1.0.1 was in use by approximately two-thirds of all TLS-secured websites, which was a problem because it gave attackers a way into so many sites.
The flaw sat in OpenSSL, the default open-source cryptographic library for Apache and NGINX web servers, and it translated into an open door for attackers to collect sensitive data remotely. The exposure led to user authentication credentials and secret keys being stolen.
Although a patch was released in April 2014, close to 200,000 servers worldwide were still running the outdated version long afterwards.
The ShellShock Open-Source Vulnerability
ShellShock, CVE-2014-6271, is another 2014 open-source vulnerability that rocked the tech world. If you haven’t already noticed, 2014 and 2017 were not exactly kind years for open-source security.
ShellShock is a fitting example of a vulnerability that lurked in open-source components for decades before it started to get resolved. It had been present in Bash for more than 20 years and had the potential to open up Linux, Unix, and Mac servers to severe attacks.
The vulnerability earned a perfect CVSS score, and exploitation in the wild included payloads such as malware droppers, reverse shells and backdoors, distributed denial-of-service (DDoS) attacks, and data exfiltration.
Unfortunately, ShellShock is still considered a problem even in 2019. According to IBM X-Force, this “cheap attack” requires only basic programming skills to gain access to servers that remain exposed and vulnerable, despite a patch that has been available for years.
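Because servers stay exposed years after the patch, the defensive question is how to see attempts against them. ShellShock fires when Bash parses an environment variable whose value begins with a function definition, and CGI handlers export request headers into the environment, so the indicator in a web access log is that prefix inside any client-controlled field. The following is an added example, not code from the article or from IBM X-Force; the log lines are constructed (documentation IP ranges), and the regular expression is a deliberately narrow signature, not a replacement for a maintained IDS rule set.

```python
"""Scan web-server access log lines for the ShellShock indicator.

Added example, not code from the DZone article. The log lines are
constructed for illustration. CVE-2014-6271 triggers when Bash imports an
environment variable whose value starts with a function definition "() {";
CGI exports headers such as User-Agent and Referer into the environment,
so any client-controlled field in the log can carry the indicator.
"""
import re

# Apache/NGINX "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash function-definition prefix; whitespace between "()" and "{" varies.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample: a clean CGI request, a probe in User-Agent, a probe in
# Referer, and an ordinary browser UA containing parentheses (must not match).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { ignored; }; echo x" "curl/7.30.0"',
    '198.51.100.8 - - [25/Sep/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1)"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return (ip, field, value) for every client-controlled field carrying the prefix.
    Every field is checked, not just User-Agent, because any exported header works."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production scanner should count these
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
    return hits


if __name__ == "__main__":
    for ip, field, value in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip}: ShellShock prefix in {field}: {value!r}")
```

A hit in the log does not mean the server was vulnerable, only that it was probed; cross-checking the hit list against the host's Bash version (the inventory problem from earlier in the article) is what turns a signature match into an incident.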
The average cost of a data breach is now nearly $4 million to correct. The good news is that more companies are recognizing open-source vulnerabilities, as 69 percent of them are repaired within a day of public disclosure, and 90 percent are fixed within 14 days.
However, only 25 percent of open-source code maintainers notify users of vulnerabilities, and only 10 percent file a CVE, which is a serious problem. The lack of communication continues to contribute to long-standing security threats that could be corrected with a few simple measures.
Opinions expressed by DZone contributors are their own.