Software Integrity Blog


Why patching core open source libraries is only half the battle

On Tuesday, Talos, a division of Cisco, warned of three critical memory-related vulnerabilities that remain exploitable even after the affected open source component has been patched.

Up to 90 percent of the code in software today consists of third-party components. Patching the vulnerable library is not enough: admins must also ensure that the third-party software bundling or linking that library is fixed as well. In other words, they need to know the dependencies of each component.

Take libarchive, for example. Developed in 2004 for FreeBSD, libarchive reads and writes a variety of archive formats, including Zip and tar. FreeBSD still uses the library, as do archiving tools and file browsers such as Tarsnap, Springy (on Mac OS X) and Nautilus. GnuWin32, DarwinPorts, Debian Linux and Gentoo all ship ports of libarchive. Libarchive publishes a running list of these on its GitHub page, according to Threatpost.

Cisco Talos worked with the libarchive project to patch three rather severe bugs in the library. The Talos team concludes that the root cause of these libarchive vulnerabilities is a failure to properly validate input: data being read from a compressed file. Because of the number of products that include libarchive, Talos now strongly recommends that related and vulnerable software also be updated.

In particular, Talos calls out:

[CVE-2016-4300]: 7-Zip read_SubStreamsInfo Integer Overflow. To exploit this vulnerability, an attacker would send a poisoned 7-Zip file for the victim to process with libarchive. The vulnerability lies in the 7-Zip format support module, libarchive/archive_read_support_format_7zip.c.

[CVE-2016-4301]: mtree parse_device Stack Based Buffer Overflow. In this vulnerability, the protection against buffer overflows is incorrect. An array is created to hold at most three unsigned longs, Threatpost noted. Later, the code tries to verify that the number of arguments does not exceed the maximum of three, but it fails to check whether the arguments overrun the array. The flaw is in the mtree format support module, libarchive/archive_read_support_format_mtree.c.

[CVE-2016-4302]: Libarchive Rar RestartModel Heap Overflow. This is a vulnerability in libarchive's RAR RestartModel handling.
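The two input-validation failures described above for the 7-Zip and mtree modules (an unchecked integer multiplication before an allocation, and a fixed-size argument array whose bounds check does not stop the overrun) map to two small defensive patterns. The C below is an added illustration written for this post, not libarchive's code: `parse_pack_args`, `checked_alloc_size`, the `PARSE_*` codes and the sample inputs are all constructed here. It shows the bounds check placed before the store into the three-element array, and the product of an untrusted count and an element size computed with an overflow check rather than trusted blindly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same capacity as the mtree case discussed above: three unsigned longs. */
#define MAX_PACK_ARGS 3

/* Result codes for parse_pack_args (constructed for this example). */
enum {
    PARSE_EMPTY_FIELD = -1,
    PARSE_TOO_MANY    = -2,
    PARSE_BAD_NUMBER  = -3
};

/*
 * Parse a comma-separated list of unsigned integers from `spec` into `out`.
 * Returns the number of values stored (1..MAX_PACK_ARGS) or a negative code.
 *
 * The defensive point: the capacity check runs BEFORE out[argc] is written.
 * If the check is placed after the store, the fourth field is written to
 * out[3] before the "too many arguments" error fires, which is exactly the
 * off-by-one that turns a count check into a stack buffer overflow.
 */
int parse_pack_args(const char *spec, unsigned long out[MAX_PACK_ARGS])
{
    char field[64];
    const char *p = spec;
    int argc = 0;

    if (spec == NULL)
        return PARSE_BAD_NUMBER;

    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char *end;

        if (len == 0)                 /* "1,,2" or a trailing comma */
            return PARSE_EMPTY_FIELD;
        if (len >= sizeof field)      /* absurdly long number token */
            return PARSE_BAD_NUMBER;
        if (argc >= MAX_PACK_ARGS)    /* check before the store, never after */
            return PARSE_TOO_MANY;

        memcpy(field, p, len);
        field[len] = '\0';
        errno = 0;
        out[argc] = strtoul(field, &end, 0);
        if (*end != '\0' || errno == ERANGE)
            return PARSE_BAD_NUMBER;
        argc++;

        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return argc;
}

/*
 * Compute count * elem_size for an allocation without wrapping.
 * Returns 0 and stores the product in *total, or -1 if the multiplication
 * would overflow size_t. A wrapped product yields a small allocation that
 * later code fills using the original, much larger count.
 */
int checked_alloc_size(uint64_t count, size_t elem_size, size_t *total)
{
    if (count > (uint64_t)SIZE_MAX)
        return -1;
    if (elem_size != 0 && (size_t)count > SIZE_MAX / elem_size)
        return -1;
    *total = (size_t)count * elem_size;
    return 0;
}

int main(void)
{
    unsigned long nums[MAX_PACK_ARGS];
    size_t total;

    /* Constructed inputs: a valid spec and one with a fourth field. */
    printf("\"8,1,2\"   -> %d\n", parse_pack_args("8,1,2", nums));
    printf("\"8,1,2,3\" -> %d\n", parse_pack_args("8,1,2,3", nums));

    /* Constructed header count that would wrap if multiplied blindly. */
    printf("checked size ok: %d\n", checked_alloc_size(4, 16, &total));
    printf("checked size overflow: %d\n",
           checked_alloc_size((uint64_t)SIZE_MAX, 2, &total));
    return 0;
}
```

When reviewing parsers for formats like these, the question to ask of every fixed-size array is whether the capacity test happens before the element is written, and of every size computation whether the product is range-checked before it reaches the allocator.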

“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected,” said Talos in its blog post. “These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems.”
