What is the Issue?
Security firm Snyk has disclosed a widespread and critical flaw, dubbed Zip Slip, in multiple archive-extraction libraries used by thousands of open-source web application projects, including ones from HP, Amazon, Apache, Oracle, LinkedIn and Twitter. Zip Slip is a form of directory traversal triggered while extracting files from an archive: the archive carries entries whose names contain traversal segments such as "../", and an extractor that joins those names onto the target directory without validating the result writes the files outside it. An attacker can thus overwrite arbitrary files that the extracting process is allowed to write, such as an executable, a script or a configuration file, and from there pivot to remote command execution on the machine. The flaw is especially prevalent in Java, where there is no central library offering high-level processing of ZIP files. This lack of centralization has led to vulnerable extraction snippets being handcrafted and shared among developer communities such as StackOverflow. Besides .zip, it also affects other archive formats, such as .tar, .jar, .war, .cpio, .apk, .rar and 7z.
Why is this noteworthy?
Enterprises across the world have been quick to adopt open-source components, but are usually slower to update their security controls. Synopsys, a software and electronic design company, released a report finding that the majority of codebases contain known vulnerabilities: of roughly 1,000 applications commonly used in enterprise environments, about 96% include open-source components, and about 60% of those contain security vulnerabilities introduced by these components.
What is the exposure or risk?
Attackers can create archives that use path traversal to overwrite important files on affected systems, either destroying them or replacing them with malicious alternatives. Any application that extracts archives it receives from untrusted sources, such as user uploads or third-party packages, is exposed. It is unclear at this time how much of a threat this vulnerability will pose in practice, but attacks through open-source components, such as the one suffered by Equifax, can lead to massive data breaches, and the nature of open-source projects means that bugs may escape the net and cause chaos further down the line. To exploit Zip Slip, an attacker needs a specially crafted archive containing entries whose names include extra directory segments (for example "../../") designed to traverse out of the intended extraction directory as each file is written; no further interaction is required once the application extracts the archive.
What are the recommendations?
Users and staff must remain aware, maintain regular security checks and install the right patches in a timely manner. Affected library maintainers have fixed the issue since Snyk began alerting them in April, but application developers that use any of these vulnerable libraries still need to update to a fixed version. Snyk has published a list on GitHub of affected archive-processing libraries for Java, .NET, Ruby and Go, including libraries maintained by Oracle and Apache. If you maintain software that does its own unzipping, test it: feed it an archive containing a traversal entry and check whether anything lands outside the target directory, and make sure the code resolves each entry's full path and verifies that it stays within the destination directory before writing.
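The following is an added worked example, not code from the Snyk advisory or from any of the affected libraries. It covers both the exploit mechanics described under the exposure section and the self-test recommended above: it builds an archive carrying a "../../pwned.txt" entry, shows where an unchecked "destination + entry name" extractor would write it, scans an archive for traversal entries before extraction, and extracts safely by resolving every entry path and refusing the archive if any entry escapes the destination. Python is used because its standard library can build and read zip files without extra dependencies; the entry names, file contents and temporary directory are constructed for this illustration.

```python
"""Zip Slip worked example: craft a traversal archive, detect it, extract safely.

Added illustration, not code from the Snyk advisory or the affected libraries.
All entry names, contents and directories are constructed here.
"""
import io
import os
import tempfile
import zipfile


def resolves_inside(dest: str, name: str) -> bool:
    """True if entry `name` lands inside `dest` once '..' and symlinks are resolved.

    os.path.join drops `dest` when `name` is absolute, so absolute entry names
    (for example "/etc/passwd") fail this check as well.
    """
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)


def build_archive(include_traversal: bool) -> bytes:
    """Build a zip in memory; with include_traversal, add an entry that escapes.

    zipfile.writestr() stores the name verbatim, so the "../" is preserved,
    exactly as a hand-crafted attacker archive would carry it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", "harmless content\n")  # constructed content
        if include_traversal:
            zf.writestr("../../pwned.txt", "attacker-controlled content\n")
    return buf.getvalue()


def find_traversal_entries(zip_bytes: bytes, dest: str) -> list:
    """Pre-extraction scan: names of entries that would escape `dest`."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not resolves_inside(dest, n)]


def naive_targets(zip_bytes: bytes, dest: str) -> list:
    """Where a vulnerable extractor (dest + entry name, no check) would write.

    Computes the paths only; nothing is written.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.realpath(os.path.join(dest, n)) for n in zf.namelist()]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract to `dest`, refusing the whole archive if any entry escapes.

    Checking every name before writing anything means a bad entry late in
    the archive cannot leave a half-extracted tree behind.
    """
    bad = find_traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError("Zip Slip entries refused: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def run_demo() -> dict:
    """Run the scenario in a fresh temporary directory and report the results."""
    dest = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    evil = build_archive(include_traversal=True)
    try:
        safe_extract(evil, dest)
        refused = False
    except ValueError:
        refused = True
    return {
        "dest": dest,
        "traversal_entries": find_traversal_entries(evil, dest),
        "naive_escapes": [p for p in naive_targets(evil, dest)
                          if not p.startswith(dest + os.sep)],
        "refused": refused,
        "files_after_refusal": os.listdir(dest),  # empty: nothing was written
        "benign_written": safe_extract(build_archive(False), dest),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Python's own zipfile.extractall() already strips leading "/" and ".." components from entry names, and tarfile accepts a filter="data" argument (added in Python 3.12 and backported to security releases) that rejects escaping members; the hand-rolled "join and write" loop that safe_extract replaces is the pattern to look for when auditing code that does its own extraction, in any language.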
If you have any questions, please contact our Security Operations Center.