This alert was originally published at www.csa.gov.sg, where it can be viewed.
Background
On 5 June 2018, the Snyk security team disclosed a critical archive-extraction vulnerability dubbed Zip Slip. The vulnerability allows attackers to achieve arbitrary remote command execution on affected systems. Thousands of projects, including projects by HP, Amazon, Apache, Pivotal and many more, are affected.
The Zip Slip vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central software library for unpacking archive files. The absence of such a library led to vulnerable code snippets being written and shared among developer communities such as StackOverflow.
Affected Programming Languages
Affected libraries used by programming languages include, but are not limited to:
Impact
The Zip Slip vulnerability is exploited using a specially crafted archive file whose entries carry extra directory path components designed to traverse upwards towards the root directory as each file is extracted. An attacker can then overwrite executable files and either invoke them remotely or wait for the system or a user to run them, achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and it can be exploited on both users' machines and servers. It affects numerous archive formats, including zip, tar, jar, war, cpio, apk, rar and 7z.
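As an added example (not code from the original advisory or from Snyk), the containment check a custom extractor needs: every entry name is resolved against the destination directory before anything is written, so names that climb out of it or are absolute are rejected and the whole archive is refused. The in-memory archive, its entry names and the destination directory are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def classify_entries(zip_bytes: bytes, dest_dir: str) -> dict:
    """Split entry names into those that land inside dest_dir and those that escape it."""
    base = Path(dest_dir).resolve()
    verdict = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Joining an absolute name discards base entirely; resolve() collapses '..'
            # and symlinked parents, so the check judges where the file would really land.
            landing = (base / name).resolve()
            inside = landing == base or base in landing.parents
            verdict["safe" if inside else "unsafe"].append(name)
    return verdict

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if every entry passes the containment check; otherwise refuse the archive."""
    verdict = classify_entries(zip_bytes, dest_dir)
    if verdict["unsafe"]:
        raise ValueError(f"archive contains traversal entries: {verdict['unsafe']}")
    base = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (base / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))   # symlink entries are a separate concern
            written.append(str(target.relative_to(base)))
    return written

def build_sample_archive(malicious: bool) -> bytes:
    """Constructed archive: one benign entry, plus two escaping names when malicious."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        if malicious:
            zf.writestr("../../../../tmp/overwritten.txt", "x")   # relative traversal
            zf.writestr("/etc/overwritten.conf", "x")              # absolute path
    return buf.getvalue()

def demo() -> dict:
    """Run both archives against a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        clean = safe_extract(build_sample_archive(False), d)
        try:
            safe_extract(build_sample_archive(True), d)
            rejected = False
        except ValueError:
            rejected = True
    return {"clean_written": clean, "malicious_rejected": rejected}
```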
Recommendations
Software developers are advised to:
References
https://snyk.io/research/zip-slip-vulnerability#introduction
https://www.techrepublic.com/article/attackers-can-hide-malware-in-archive-files-with-zip-slip-flaw-heres-how-to-fight-it/
https://github.com/snyk/zip-slip-vulnerability
https://www.zdnet.com/article/open-source-security-zip-slip-critical-flaw-hits-thousands-of-projects-update-now/