Software development is a fast-moving field. Today's vast landscape of different technologies requires developers to deal with various programming languages, configuration specifics, build systems, etc. This complexity sometimes makes it hard to keep up. To ease this burden, we at Sonar are constantly evolving our code analyzer to help developers write Clean Code.
One crucial aspect of this is the detection of severe code vulnerabilities, which would allow attackers to exploit an application. Our dedicated research team finds and inspects vulnerabilities in modern open-source applications to better understand the most recent threats.
Based on the insights of these real-world vulnerabilities, we can improve our product, enabling our users to easily detect weak spots in their code. At the same time, we report all identified vulnerabilities to the corresponding vendors to protect the users of affected applications. We also publicly share our findings to help developers, and security researchers learn from those vulnerabilities, their potential exploitation, and the applied fixes.
Let’s have a look at our research highlights for the year 2022!
Trends and Discovered Vulnerabilities
When choosing an open-source application for vulnerability research, we prefer popular and actively deployed projects. This maximizes the impact of a critical vulnerability and more users can benefit from a patch. Also, the code of these applications has usually been audited by community members and professionals. This makes it more challenging to discover a vulnerability and oftentimes requires new approaches, which may unveil similar vulnerabilities in other applications and lead to stronger improvements of our products.
We are excited that in 2022, our team found and reported about 50 severe vulnerabilities in some of the most popular applications across significant software categories and major programming languages:
Web Frameworks & CMS
The complexity and variety of modern web technologies is constantly increasing. To prevent starting from scratch when developing a web application, different web frameworks have become established. The security of these frameworks is essential, as a vulnerability in a framework does not only affect one particular application, but all applications using it. Because of this we spend some time to audit some of these frameworks and identified critical security issues:
Django (Python) is an open-source web framework deeply embedded in the Python ecosystem. We discovered a way to trick the framework into disclosing sensitive information with a side-channel attack.
Blitz.js (JavaScript) is an upcoming full-stack React framework. We identified a prototype pollution vulnerability, which an unauthenticated attacker can use to gain code execution.
WordPress (PHP) is the world's most popular content management system and is used by approximately 40% of all websites. We discovered multiple vulnerabilities including a stored XSS vulnerability, which can be exploited by a malicious user to gain admin privileges. These admin privileges can be used the execute arbitrary PHP code, even on a hardened instance by leveraging an object injection vulnerability. Also, we disclosed an unauthenticated blind SSRF.
Mail Solutions
The global wave of attacks on Microsoft Exchange Servers in 2021 made it painfully clear to many organizations and companies, how important the security of their internet-facing mail solution is as it opened the door to their internal networks. In our effort to help secure the open-source world, we audited similar open-source mail solutions used by thousands of organizations and companies all over the world. During this research we unveiled critical security issues with devastating impacts:
Zimbra (Java) is a popular webmail solution used by over 200,000 businesses and over a thousand government & financial institutions to exchange emails among millions of users every day. We discovered two severe vulnerabilities, which an unauthenticated attacker can exploit to steal emails via a Memcache injection and even gain code execution via a path traversal in Unrar.
Horde Webmail (PHP) is another popular webmail solution, which universities and government agencies use to exchange sensitive email messages on a daily basis. We discovered two vulnerabilities, which allow attackers to steal emails via stored XSS and gain code execution via CSRF.
Supply Chain Attacks
We are also very excited that we could yet again identify vulnerabilities, which cannot only be used to target a specific installation but could have been abused by attackers to launch a supply chain attack. The impact of such an attack is tremendous because popular software dependencies can be infected, which will then be used by all dependent software components, potentially compromising millions of servers and users. Here are two findings:
PEAR was the first PHP package manager. Although its use decreased in favor of Composer, it is still an integral part of the PHP ecosystem. We identified two vulnerabilities that were exploitable for more than 15 years. These vulnerabilities would allow an attacker to take over any developer account and then gain persistent access to the central PEAR server. The technical details can be found here.
Composer is the biggest PHP package manager, which serves around 2 billion software packages every month. We discovered a severe argument injection vulnerability in its official package repository called Packagist. This vulnerability would have allowed an attacker to hijack more than a hundred million monthly requests to distribute malicious dependencies and compromise millions of servers. You can learn more about this vulnerability in our related blog post.
Developer Tools
The most valuable asset of a software company is its source code. Developers have primary access to this source code, which makes them an attractive target for cybercriminals. Attacks against developers are increasing and in the past years, dozens have been documented. During our research we identified multiple vulnerabilities in developer tools, which could have been leveraged by attackers for malicious actions:
Yarn, pip, pnpm, and other Package managers play an essential role in modern software development with thousands of packages and dependencies. As a result of our research, we found vulnerabilities in some of the most popular package managers.
Git has become the quasi-standard when it comes to source code management. To make the work with it even easier, popular IDEs have implemented different ways to integrate Git. Though, our research showed that these integrations may yield new vulnerabilities and thus create an additional attack surface against developers.
Visual Studio Code (JavaScript) is one of the most popular IDEs developed by Microsoft. We identified an argument injection, which an attacker can leverage to execute arbitrary code on a user’s machine only by tricking the user into clicking on a link.
Monitoring Solutions
Our modern digital world runs on top of a complex IT infrastructure. In order to ensure the availability of this fundamental infrastructure, a sophisticated monitoring solution is essential. These monitoring solutions are usually a central component of a company’s network, which makes them an attractive target for attackers. While auditing some popular open-source monitoring solutions, we identified critical vulnerabilities:
Zabbix (PHP) is a very popular open-source monitoring solution. We identified a bypass in the SAML SSO authentication, which allows an attacker to gain admin privileges and execute arbitrary commands on linked Zabbix servers and agents.
Icigna (PHP) is a modern, open-source IT monitoring solution. We discovered two vulnerabilities, which can be abused to disclose any file without prior authentication via a path traversal and execute arbitrary PHP code from the admin interface via a file write.
Checkmk (Python) is an IT monitoring solution used by thousands of enterprise customers. We discovered multiple vulnerabilities, which can be chained together by an unauthenticated attacker to gain code execution.
… and many more. You can find all our vulnerability publications on our new blog here.
Pwnie Award Nominations
Following our nominations in 2021, we were really excited to receive yet another two nominations for the Pwnie Awards in 2022. The traditional Pwnie Awards are presented at the BlackHat USA conference and honor outstanding achievements of security researchers and the security community.
We were nominated in the following categories:
- Best Desktop Bug: Attacking Developer Tools
- Most Underhyped Bug: PHP Supply Chain Attack on PEAR
Although we did not win the award, the nominations were a great honor for us again. Maybe this year!
Pwn2Own
Pwn2Own is a hacking contest held by ZDI, where participants are supposed to discover and exploit vulnerabilities in popular software or hardware devices. One of our highlights this year was our successful participation at the Pwn2Own Toronto 2022 as team Sonar. Although a last-minute patch purged three of our exploits for the NETGEAR RAX30 router, we were able to successfully exploit the Synology RT6600ax router via the WAN interface.
Conferences and Talks
After the long-lasting restrictions due to COVID we were happy to attend multiple conferences in 2022 and engage with the security community in person.
Conferences are a great opportunity to learn from the huge variety of sophisticated talks and a place where we can share knowledge. We were excited to share the outcomes of our research during 10 conference presentations, including:
- Insomni’hack 2022
- Hexagon 2022
- OffensiveCon22
Code Security Advent Calendar
The Code Security Advent Calender 2022 was the seventh edition of this yearly tradition. We think it is a great way to share some good vibes with the community and produce fun for every developer or security enthusiast. The challenges varied in difficulty and covered the following languages: C, C#, Java, JavaScript, Python, and PHP.
This year's event was terrific: Many players actively participated in solving the challenges and we had some interesting discussions. We would like to thank everyone who participated!
You haven't done the challenges yet? Have a look at our dedicated website and try to spot the vulnerabilities.
What’s next?
2022 was undoubtedly a very exciting year for us. Looking back at everything, we are even more excited to look forward to the next one. Be prepared for some awesome vulnerability findings, which we can publish once patches are available. You can follow our research team on Twitter or infosec.exchange if you want to stay up-to-date.
On behalf of SonarSource, we wish you a happy new year and a great and safe start!