An old, unpatched bug in the Python programming language potentially affects roughly 350,000 open-source projects and several closed-source projects, inadvertently creating a vast software supply chain attack surface, researchers at cybersecurity company Trellix warn.
Tracked as CVE-2007-4559, the vulnerability is a path traversal issue in the Python tarfile module, which ships with the standard library and is therefore available to any project using Python. The flaw is extremely easy to exploit, the researchers say: by uploading a malicious archive generated with two or three lines of simple code, an attacker can achieve arbitrary code execution or take over the target device.
The vulnerability was initially disclosed back in 2007 but still remains unpatched, although Python added a warning about the risks of the tarfile module to its documentation, cautioning developers never to “extract archives from untrusted sources without prior inspection” because of the directory traversal issue.
The Python tarfile module is used extensively in frameworks created by Netflix, AWS, Intel, Facebook and Google, and in applications used for machine learning, automation and Docker containerization.
“When we talk about supply chain threats, we typically refer to cyber-attacks like the SolarWinds incident; however, building on top of weak code-foundations can have an equally severe impact,” Trellix said. “This vulnerability’s pervasiveness is furthered by industry tutorials and online materials propagating its incorrect usage. It’s critical for developers to be educated on all layers of the technology stack to properly prevent the reintroduction of past attack surfaces.”
The company said it is working to push fixes via GitHub pull requests to protect open-source projects from the vulnerability.