At SonarSource we are constantly improving our code analyzers to help developers write Clean Code. The detection of severe code vulnerabilities plays an important role in this process so that applications are protected from attacks and security breaches. For this same reason, our research team finds and inspects vulnerabilities in modern open source applications.
In addition to being a fun challenge for our researchers, it enables us to study real-world examples, test and fine-tune our rules, and improve our products for our users. At the same time, our responsible vulnerability reports help affected vendors and their users to stay secure. Additionally, we document what we find so that the developer and security communities can learn from those vulnerabilities, their (potential) exploits, and their fixes.
Our research team had a fun and interesting year 2021. In this blog post, we would like to share the highlights of our year.
When choosing an open source application for vulnerability research, we prefer active and widely deployed projects. This way, we maximize the impact of our findings to benefit many users at once. However, this also means that finding something will be a challenge because more community members and professionals will have looked at the code already.
We are excited that in 2021, our team found and reported critical vulnerabilities in some of the most popular applications across major programming languages:
WordPress (PHP) is the world’s most popular content management system and is used by approximately 40% of all websites. We discovered a critical vulnerability that could have allowed attackers with low privileges to leak sensitive files and to perform SSRF attacks.
Zimbra (Java) is a popular webmail solution used by over 200,000 businesses and over a thousand government & financial institutions to exchange emails among millions of users every day. We found two code vulnerabilities that could be combined by attackers to compromise an organization's webmail server.
LocalStack (Python) provides an easy-to-use test framework for cloud applications and is one of the most popular open source Python applications. We discovered multiple critical vulnerabilities that together enabled remote attackers to compromise local installations.
Rocket.Chat (JS/TS) is deployed on over 800,000 server instances and used by more than 12 million users worldwide to exchange confidential messages and files. We discovered critical vulnerabilities in its source code that could have been used by an attacker to take complete control over a server.
SmartStoreNET (C#) is the leading open-source e-commerce platform for .NET and a popular choice for companies running Windows Server. We discovered two vulnerabilities that allowed attackers to gain control of a SmartStoreNET shop by sending a malicious message to the administrator or by posting one on the public message board.
You can find a list of all our vulnerability disclosures here.
By uncovering, reporting and coordinating patch releases for these vulnerabilities with the affected vendors, we were able to help many large companies with their security efforts, including the NSA. More than 60 CVEs were issued based on our research. In cases where we earned a monetary reward for our report (bug bounty), we donated the money to charity. We are happy that we were able to make significant donations to organizations that have a strong social impact.
Some of the vulnerabilities we discovered could have led to not only compromising specific installations, but could also have helped attackers launch supply chain attacks. In a supply chain attack, a software package is infected and then shipped as part of another software package to other users. Here are two highlights:
Composer is the major tool in the PHP ecosystem to manage and install PHP packages, serving millions of daily downloads. Our team discovered critical vulnerabilities in the central PHP package repository of Composer that could have been used to backdoor all PHP packages; it could have been exploited to attack virtually any organization relying on this language! You can learn more in our blog post about this vulnerability.
GoCD: In another research project, our team discovered multiple critical vulnerabilities in GoCD, a popular CI/CD solution used by many NGOs and Fortune 500 companies. Without any prerequisite, remote attackers could have infected these companies' code repositories, build artifacts and their products. We wrote a two-part blog (Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD, Agent 008: Chaining Vulnerabilities to Compromise GoCD) about these vulnerabilities.
Another highlight for us in 2021 was when our vulnerability researchers received three nominations for Pwnie Awards. For this annual award, presented at the BlackHat USA conference, a jury of renowned security experts evaluates the achievements of security researchers and the security community. Our researchers were nominated in these three categories:
- Most Under-Hyped Research: Supply Chain Attack on Composer
- Best Privilege Escalation Bug: CVE-2020-27194
- Best Client-Side Bug: RCE through CS:GO
In the end, we did not win any Pwnies, but we felt very honored to be nominated.
The Code Security Advent Calendar is an annual tradition since 2016. Each December we publish 24 different code puzzles. Players are encouraged to look for security vulnerabilities in code snippets, explain the impact, and how they could be exploited by malicious actors. We think it’s a great way to share good vibes with the community and to have fun while learning about security. It was a fantastic event this year, and we would like to thank all the players for their active participation and the interesting discussions.
You can still find all the challenges online in our community thread or on Twitter. We are also happy to receive your feedback to make the next edition even better.
Last but not least, our team enjoyed engaging with the security community. We presented learnings from our vulnerability research that helped us to uncover vulnerabilities in popular web applications, such as WordPress, Magento and Zimbra, at the Hacktivity Budapest conference. Kudos to Simon for a great presentation with cool demos in front of a full conference room.
Participating in Capture the Flag (CTF) contests is a passion for all our researchers and another highlight of the year. For the saarCTF, our researchers joined forces with the renowned FluxFingers team from Bochum to find and patch code vulnerabilities in a competition with 78 international teams. After nine intense hours, our team managed to finish 2nd (congrats to FluxFingers!). We also contributed our own CTF challenges for players to solve during the annual Hack.lu CTF, which is likewise organized by the FluxFingers.
We look back at an exciting year 2021, and we are looking forward to the next one. We already have awesome vulnerability findings in our pipeline that we will publish once patches are available. You can follow us on Twitter or subscribe to our blog to stay up-to-date. We will also present at OffensiveCon in February, and at the Insomnihack conference in March. Come visit our team for a chat and consider joining our passionate teams :)
On behalf of SonarSource, we wish you a happy new year and a great and safe start!