A recently disclosed vulnerability in how open source software libraries handle archive files reveals that it only takes a malicious archive and a lack of validation checking to give total control of a victim machine to an attacker.
Dubbed Zip Slip, the vulnerability was discovered by researchers from software firm Snyk, and it affects multiple ecosystems and thousands of projects, including those from major companies like HP and Amazon.
The list of affected projects published on GitHub by Snyk is extensive, and anyone who uses open source libraries should take a look to be sure they aren't vulnerable.
How Zip Slip works
At its core, Zip Slip is fairly simple to understand: It's a directory traversal attack that tries to sneak code into a hidden location when the archive is decompressed.
Directory traversal attacks rely on ".." path components inside archive entry names, in place of ordinary directory names, to climb out of the intended extraction directory and write files elsewhere on the machine, up to the root directory. If the decompression software validates each entry's destination path, it won't allow traversal and will stop Zip Slip.
The problem is that many open source software libraries don't validate directories when decompressing, allowing Zip Slip to freely drop off its malicious payload.
Once decompressed, Zip Slip's malicious code can "overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine," Snyk said.
Defending against Zip Slip
Snyk gives a few suggestions for protecting yourself against Zip Slip, and the process is fairly simple.
If you've determined you're vulnerable you can find links to updated versions by following the GitHub link to the Zip Slip project given above. After that you should be all set—as long as your code is validating directories when unzipping archives, you're protected.
Some software developers may have hundreds of libraries to search through, making looking for code snippets untenable. For those people Snyk recommends using a dependency vulnerability scanning tool to search for vulnerable code as part of your development cycle.
The fix for this problem is simple, and the alternative is potentially devastating. Check your code today to make sure Zip Slip doesn't affect your projects.
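The traversal described under "How Zip Slip works" and the directory validation this section calls for are shown side by side below. This is an added example written in Python, not code from Snyk or from any of the affected libraries: it builds a constructed two-entry archive in memory (one normal file, one whose name starts with ".."), extracts it once with an unchecked loop that reproduces the Zip Slip pattern, and once with a loop that resolves each destination path and refuses anything that lands outside the target directory. The helper names (`naive_extract`, `safe_extract`, `is_within_directory`) are this example's own. Everything is written inside a temporary directory, so the "escaped" file only demonstrates the mechanism; the same check also rejects absolute entry names, which the article does not discuss.

```python
import io
import os
import tempfile
import zipfile


def build_demo_archive() -> bytes:
    """Constructed sample archive: a benign entry plus one that tries to climb out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../escaped.txt", "this entry tries to leave the target directory")
    return buf.getvalue()


def is_within_directory(base: str, target: str) -> bool:
    """True when target, fully resolved, is base itself or lies beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def naive_extract(archive: bytes, dest: str) -> list[str]:
    """Joins entry names straight onto dest with no check: the Zip Slip pattern."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            path = os.path.join(dest, name)  # '..' components are honoured verbatim
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(path))
    return written


def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Same loop, but every destination is validated before anything is written."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            path = os.path.join(dest, name)
            if not is_within_directory(dest, path):
                rejected.append(name)  # traversal or absolute path: skip it
                continue
            if name.endswith("/"):  # directory entry
                os.makedirs(path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.realpath(path))
    return written, rejected


def demo() -> dict:
    """Runs both extractors in a throwaway sandbox and reports what escaped."""
    archive = build_demo_archive()
    with tempfile.TemporaryDirectory() as sandbox:
        naive_dest = os.path.join(sandbox, "naive")
        safe_dest = os.path.join(sandbox, "safe")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)
        naive_written = naive_extract(archive, naive_dest)
        safe_written, rejected = safe_extract(archive, safe_dest)
        return {
            "naive_escaped": [p for p in naive_written
                              if not is_within_directory(naive_dest, p)],
            "safe_escaped": [p for p in safe_written
                             if not is_within_directory(safe_dest, p)],
            "rejected": rejected,
        }


if __name__ == "__main__":
    result = demo()
    print("unchecked extraction wrote outside its directory:", result["naive_escaped"])
    print("validated extraction rejected:", result["rejected"])
```

The check works on the resolved path rather than by searching the entry name for "..", so encoded or repeated traversal sequences and symlinked extraction directories are handled the same way. Python's own `ZipFile.extractall` already strips such components; the hand-rolled loop above mirrors the unchecked extraction code Snyk found in other libraries.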
The big takeaways for tech leaders:
- A new vulnerability affecting open source software libraries could give remote execution capabilities to an attacker, enabling them to sneak a malicious archive into a software project.
- The problem exists across multiple ecosystems but is simple to identify and fix. Open source library users are advised to secure their systems immediately.
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.