Trellix security researchers have revealed a major vulnerability in the Python tarfile library that could be exploited in software supply chain attacks. The researchers believe it could be used against organizations at scale, which could lead to attacks as serious as the one that hit SolarWinds two years ago.
Perhaps more troubling is that the vulnerability was first disclosed 15 years ago but remains unpatched. Because the software supply chain is extremely complex, with lots of interdependencies, even if projects do not require the module directly, it can still be installed by another package.
Indeed the Python module is often used by popular frameworks and applications for machine learning, which increases the risk significantly.
Path Traversal Vulnerability Exposes Repositories
According to Trellix, hundreds of thousands of repositories are vulnerable to the path traversal attack, and a potential attacker could use it to overwrite arbitrary files just by adding “../” (dot dot sequence) to the filenames in a TAR archive. Researchers concluded that “in most cases an attacker can gain code execution from the file write.”
The exploit seems very easy to achieve with “as little as 6 lines of code”:
The tarfile module provides functions to extract and write files to the filesystem. Because the code trusts its inputs too much and joins paths that are passed to the extract functions, it can be abused.
Researchers made a few videos demonstrating the exploit, including one where they gain administrative privileges with the flaw by abusing Spyder IDE, a free and popular open-source environment made in Python.
Such an approach is pretty common, which makes the vulnerability concerning. And it’s not uncommon that packages will use the same dependency for the sake of “not reinventing the wheel,” which is a valid argument in some situations but can extend the attack surface in other cases.
Python Docs Warn of Issue
It should be noted that the official Python documentation explicitly warns about this issue:
Researchers published a small Python script dubbed “creosote” that recursively looks through directories searching for .py files and prints the vulnerable ones. Admins and users can use it to check their code for vulnerabilities.
The exploit requires “little to no knowledge about complicated security topics,” the researchers noted, and the vulnerability is prevalent in the wild so it’s recommended to scan your source code and other Python-based tools.
In a statement to eSecurity Planet, the Trellix researchers said that “as a result of the stance that the Python creators have taken, the current resolution is for developers to add mitigating code around the vulnerable function call and then share a new version to their customers. This is why it’s essential that teams do vulnerability research since, generally, large-scale vulnerabilities can be patched or have an easy workaround once they are found.”