Five Most Overlooked Open Source Vulnerabilities Found By Audits

Risk management company Palamida's list includes direct links to patches that will fix all five flaws, including ones identified in Geronimo 2.0 and JBoss.

Charles Babcock

Editor at Large, Cloud

January 22, 2008

After reviewing 300 million lines of code in 2007, Palamida, a vulnerability audit and software risk management company, says it's identified the five vulnerabilities most frequently overlooked by users in their open source code.

The five are listed in alphabetical order. Palamida did not attempt to assign a frequency ranking to the five, CEO Mark Tolliver said. Also, the Palamida list reflects known vulnerabilities that have been aired and fixed by their parent projects but are still encountered in the user base, such as businesses and government agencies. The projects named are not frequent offenders when it comes to security vulnerabilities, but their code is so widely used that unpatched vulnerabilities show up in Palamida's enterprise and nonprofit agency software scans. In all cases, a patch is available to fix the vulnerability.

Open source code is "not any more vulnerable than commercial software" and in some cases, less so, said Tolliver. Open source projects tend to acknowledge their vulnerabilities and fix them promptly, he added.

The company conducts audits on enterprise software, spotting uses of open source and identifying origins of code. It both sells products to conduct audits and offers audit services and risk management consulting.

Palamida's list of five frequently overlooked vulnerabilities is as follows:

Geronimo 2.0, the application server from the Apache Software Foundation, contains a vulnerability in its login module that allows remote attackers to bypass authentication requirements, deploy a substitute malware code module, and gain administrative access to the application server. The access is gained by "sending a blank user name and password with the command line deployer in [Geronimo's] deployment module," the Palamida report said. A blank user name and password should trigger a "FailedLoginException" response in Geronimo 2.0 but doesn't.

A patch for the vulnerability exists at https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch.

Geronimo competes with Red Hat's JBoss and other open source application servers.

The JBoss Application Server has a "directory traversal vulnerability in its DeploymentFileRepository class in releases 3.2.4 through 4.0.5. It allows remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code," the Dec. 7 report concluded.

A patch is available at http://jira.jboss.com/jira/browse/ASPATCH-126.

The third frequently encountered vulnerability on the list is the LibTiff open source library for reading and writing Tagged Image File Format, or TIFF, files. The LibTiff library before release 3.8.2 contains command-line tools for manipulating TIFF images on Linux and Unix systems and is found in several Linux distributions.

Using the LibTiff library in a version before 3.8.2 allows "context-dependent attackers to pass numeric range checks and possibly execute code via large offset values in a TIFF directory," the Palamida report states. The large values may lead to an integer overflow or other unanticipated result and constitutes an "unchecked arithmetic operation," the report said.

A patch is available at http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz.

The fourth vulnerability on the list is found in Net-SNMP, or the programs that deploy the SNMP protocol. It's found in version 1.0, version 2c and version 3.0. When certain versions of Net-SNMP are running in master agentx mode, the software allows "remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a freeing of an incorrect variable," the report said.

A patch is available at http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1.

The fifth overlooked vulnerability is found in Zlib, a software library used for data compression. Zlib 1.2 and later versions allow a remote attacker to cause a denial-of-service attack. The attack designs a compressed stream with an incomplete code description of a length greater than 1, causing a buffer overflow.

The patch consists of upgrading zlib to version 1.2.3 at www.zlib.net/zlib-1.2.3.tar.gz.

The fact that the vulnerabilities exist doesn't mean that anyone should stop using open source code. But users should adopt vulnerability patches or update to the latest, stable version of the code, said Theresa Bui, VP of marketing at Palamida. A complete description of the five vulnerabilities, along with their Common Vulnerability and Exposure number, can be found at Palamida's Dec. 7 Web site listing. The CVE is a project of the Mitre Corp. that gives vulnerabilities a shared definition and reference number across security vendors.