Thousands of Open Source Projects at Risk Due to Zip Slip Vulnerability
Skybox Blog Team Jun 11, 2018
An archive extraction vulnerability known as Zip Slip is putting thousands of open source projects across many ecosystems at risk. These projects are within recognizable companies including Amazon, HP, Apache and many others.
The June 5, 2018 disclosure was published shortly after the Zip Slip vulnerability was discovered by the Synk Security team sometime during the month of April 2018.
What Is the Zip Slip Vulnerability?
Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. Attackers can exploit the vulnerability remotely by overwriting archive files with their own content, and from there pivot to achieving remote command execution on the machine. The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.
A malicious archive and extraction code that does not perform validation checking are used to exploit this vulnerability. Using this ZipSlip attack an attacker can overwrite legitimate executable files or configuration files for an application to trick the targeted system or the user into running it, thus achieving remote command execution on the victim’s machine.
The vulnerability can also cause damage by overwriting configuration files or other sensitive resources and can be exploited on both client (user) machines and servers.
Who Is Vulnerable to This Attack?
Any users of a library which contains the Zip Slip vulnerability or if their project directly contains the vulnerable code, which extracts files from an archive without the required directory validation.
Affected Libraries and Fixes
Below is a list of vulnerable libraries. Fixes are also provided where applicable.
- Npm library
- Java library
- .NET library
Affected Projects and Fixes
Below is a list of vendor projects. Fixes are also provided where applicable.
- AWS Toolkit for Eclipse — fixed version 201805311643
- Apache Storm
- Storm — fixed version 1.0.7 (CVE-2018–8008)
- Concourse — fixed version 0.9.0
- Academic — fixed version 10.0.2
- Fortify Cloud Scan Jenkins Plugin — fixed version 1.5.1
- Lucee — fixed version 5.2.7
- Orient Technologies
- DependencyCheck — fixed version 3.2.0
VPNFilter Malware: What we know so far on the router threat: A new destructive VPNFilter malware has compromised 500,000 networking devices worldwide
Speculative Store Buffer Bypass, Rogue System Register Read: Bug bounties pay off, uncovering two more side-channel flaws in the wake of Meltdown and Spectre
Double Kill Exploit Jumps From MS Office to Internet Explorer: The Double Kill exploit of a VBScript Engine vulnerability uses a first-of-its-kind attack method we’ll likely see more of in the future