Hidden in Plain Sight: Open-Source Software Vulnerabilities

Open-source software (OSS), software whose original source code has been made available for redistribution and adaptation, has become so popular in recent years that it can now be found in almost every organisation running software systems. Its rise in popularity is largely attributed to its collaborative, easily accessible nature. By using OSS, software designers can save significant development hours by incorporating existing elements rather than creating new ones from scratch. However, its ubiquitous adoption has not brought only positives to the world of tech. One of the main challenges it brings is cyber security.

OSS isn’t infallible 

Even widely trusted and adopted OSS solutions can expose end-users and organisations to significant vulnerabilities when integrated. Take, for instance, Log4j, a popular logging utility used by many businesses for recording events such as status reports and errors. Its implementation into countless commercial products underlined the inherent vulnerabilities of some open-source technologies when its weak points were exposed, a situation which came to be known as ‘Log4Shell’. This zero-day vulnerability allowed threat actors to compromise systems using malicious code and take control while remaining undetected. At the time, its impact was described as “enormous” and the incident raised some important concerns, such as how organisations can truly understand and manage the software packages they rely on.

Attacking the source

One of the primary problems with OSS packages is that they come with a significant amount of the ‘unknown’. By opting to leverage established OSS solutions instead of building a bespoke package, end-users can be left in the dark about the risks associated with these open-source integrations.

Additionally, the primary sources from which developers pull these packages, public OSS repositories, are inundated daily with new third-party packages and frequent package updates. While these repositories offer the prospect of fast-tracked development, the sheer volume on offer makes security vetting a huge task. As a result, responsibility for sifting the wheat from the chaff predominantly falls upon security researchers and firms rather than being taken care of by a structured, mandated system.

Threat actors look to capitalise on these issues by manipulating legitimate packages with malicious insertions, which they then re-upload onto public repositories under similar names and wait for their victims to download them. Another method hackers use is to develop something new to upload to the sites, embedding secondary malicious code under the guise of useful open-source packages. Some of these cybercriminals have honed their approach to such an extent that they have created fake social media profiles, positioning themselves as credible developers to present more convincing personas. 
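A defensive check for the similar-name uploads described above, as an added example that is not part of the original article: before a build pulls anything, each requested package name is compared with the organisation's vetted list and near-misses are held for review. The approved list, the manifest and the distance threshold of 2 are constructed assumptions.

```python
import re

# Constructed allowlist: packages the organisation has already vetted.
APPROVED = {"requests", "urllib3", "python-dateutil", "cryptography", "numpy"}

# Constructed manifest of names a build is about to pull from a public repository.
MANIFEST = ["requests", "reqeusts", "python_dateutil", "crytography", "acme-metrics"]


def normalise(name):
    """Repository-style normalisation: lowercase, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours, e.g. "ue"/"eu"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def review(manifest, approved=APPROVED, max_distance=2):
    """Map each requested name to (verdict, approved name it resembles or None)."""
    known = sorted(normalise(n) for n in approved)
    verdicts = {}
    for raw in manifest:
        name = normalise(raw)
        if name in known:
            verdicts[raw] = ("approved", None)
            continue
        nearest = min(known, key=lambda k: edit_distance(name, k))
        if edit_distance(name, nearest) <= max_distance:
            verdicts[raw] = ("lookalike", nearest)  # hold the build for manual review
        else:
            verdicts[raw] = ("unvetted", None)      # unknown, but not imitating anything
    return verdicts


if __name__ == "__main__":
    for package, (verdict, resembles) in review(MANIFEST).items():
        print(f"{package:18} {verdict:10} {resembles or ''}")
```

A fixed threshold produces false positives on very short names, so in practice the "lookalike" verdict should route to a person rather than block automatically.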

Numerous security problems within OSS packages have been flagged, largely because the affected packages cater to larger audiences. However, by the time these vulnerabilities surface, they are often too entrenched to be isolated.

Who’s at risk? 

The problem with open-source technologies is that they have become so commonplace that no industry is immune to an OSS attack. However, sectors that rely on standardised applications, such as the banking sector, are particularly susceptible to these forms of attack. Here, hackers can almost predict the software that will be run by a bank and look to infect it with malicious code accordingly. Attackers can also be highly pragmatic in their approach: they assess the potential return and favour tactics that offer more efficiency and reliability than attacking a higher volume of random targets with more unpredictable infrastructures.

Looking further afield, however, no industry is invulnerable, not least because the development ecosystem is geared towards optimising the use of open-source technologies. Modern work environments in particular usually operate using a significant amount of ‘off the shelf’ software – many with some form of OSS package built in. Developers sharing packages throughout their community is not a new concept – it has been going on for decades – but the problem today is that external awareness of these ecosystems has increased so that attackers have turned their attention to how they can capitalise on the community trust that has been created over the long term. 

Mitigating the threat 

In the aftermath of the Log4Shell incident, the lack of awareness about contaminated software integrations only worsened the impact of the attack. To safeguard against future attacks, organisations need to have a comprehensive understanding of all deployed software. A crucial step towards this is for organisations to keep detailed documentation of OSS integrations and a readily accessible software directory for swift vulnerability assessments.

Organisations should also use tools that are capable of analysing and identifying packages within the software. Ultimately, protection from OSS attacks hinges on increased awareness and knowledge. While OSS has proven immensely beneficial, its vulnerabilities are magnified because of its widespread use and acceptance. Therefore a proactive approach, coupled with heightened knowledge and vigilance, is the best defence in this evolving sector of the technology industry.
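What a "readily accessible software directory" buys you when an advisory lands, as an added example that is not part of the original article: the directory records what each deployed system ships, including components bundled inside other products, and one query returns every affected copy with its dependency path. The systems, the package name `example-logger`, the versions and the advisory range are all constructed.

```python
# Constructed software directory: each deployed system lists the components it
# ships, and each component lists what it bundles in turn.
DIRECTORY = {
    "payments-api": [
        {"name": "web-framework", "version": "5.3.1", "bundles": [
            {"name": "example-logger", "version": "2.14.0", "bundles": []}]}],
    "hr-portal": [
        {"name": "example-logger", "version": "2.17.1", "bundles": []}],
    "vendor-appliance": [
        {"name": "report-engine", "version": "1.0.0", "bundles": [
            {"name": "pdf-kit", "version": "0.9.2", "bundles": [
                {"name": "example-logger", "version": "2.3", "bundles": []}]}]}],
}

# Constructed advisory: affected from "introduced" up to, but excluding, "fixed".
ADVISORY = {"package": "example-logger", "introduced": "2.0", "fixed": "2.15.0"}


def parse(version):
    """'2.3' -> (2, 3, 0); padding keeps '2.15' and '2.15.0' equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, advisory):
    return parse(advisory["introduced"]) <= parse(version) < parse(advisory["fixed"])


def find_affected(directory, advisory):
    """Return (system, dependency path, version) for every affected copy."""
    hits = []

    def walk(system, components, path):
        for comp in components:
            here = path + [comp["name"]]
            if comp["name"] == advisory["package"] and is_affected(comp["version"], advisory):
                hits.append((system, " > ".join(here), comp["version"]))
            walk(system, comp["bundles"], here)  # the package may be buried in a product

    for system in sorted(directory):
        walk(system, directory[system], [])
    return hits


if __name__ == "__main__":
    for system, path, version in find_affected(DIRECTORY, ADVISORY):
        print(f"{system}: {path} ({version})")
```

The third system is the case the article warns about: the affected package is two levels down inside a vendor product, and only a directory that records bundled components can surface it.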

Andy Swift
Technical Director of Cyber Security Assurance at Six Degrees