The proof, as they say, is in the pudding
In a previous blog post I wrote about addressing concerns with Open Source Software (OSS). In that post, I discussed some potential concerns with OSS and how it is the organization's responsibility to catalog the OSS packages and modules in use. Let’s face it, in terms of cybersecurity, we’re not dealing with the Ronco Rotisserie: you can’t simply “set it and forget it”. The vulnerability landscape changes daily and the days of doing the bare minimum are gone; organizations must stay alert to all vulnerabilities, including those in OSS libraries.
TechGuard Security works with a diverse group of clients, spanning a wide spectrum of industries and levels of cybersecurity maturity. One of the core services we offer is External Vulnerability Assessments. What kind of vulnerabilities can you find by simply scanning internet-facing assets, and what does that have to do with open source components? Let’s find out.
The results are in
In order to better understand some of the most common vulnerabilities we encounter, I examined a year’s worth of external vulnerability assessment results. It should come as no surprise (after all, why else would I be talking about it) that two of the top three areas are directly related to open source software.
Top 10 most commonly encountered PHP related vulnerabilities.

| Name | Risk | Synopsis |
| --- | --- | --- |
| PHP 5.3.x < 5.3.29 Multiple Vulnerabilities | High | The remote web server uses a version of PHP that is affected by multiple vulnerabilities. |
| PHP 5.4.x < 5.4.40 Multiple Vulnerabilities | Critical | The remote web server uses a version of PHP that is affected by multiple vulnerabilities. |
| PHP 5.6.x < 5.6.40 Multiple vulnerabilities. | High | An application installed on the remote host is affected by multiple vulnerabilities. |
| PHP 5.6.x < 5.6.37 exif_thumbnail_extract() DoS | Medium | The version of PHP running on the remote web server is affected by a denial of service vulnerability. |
| PHP 7.1.x < 7.1.17 Multiple Vulnerabilities | Medium | The version of PHP running on the remote web server is affected by multiple vulnerabilities. |
| PHP 5.4.x < 5.4.30 Multiple Vulnerabilities | Critical | The remote web server is running a version of PHP that is affected by multiple vulnerabilities. |
| PHP 5.4.x < 5.4.42 Multiple Vulnerabilities | High | The remote web server uses a version of PHP that is affected by multiple vulnerabilities. |
| PHP Unsupported Version Detection | Critical | The remote host contains an unsupported version of a web application scripting language. |
| PHP 7.1.x < 7.1.26 Multiple vulnerabilities. | High | An application installed on the remote host is affected by multiple vulnerabilities. |
Top 10 most commonly encountered Apache related vulnerabilities.

| Name | Risk | Synopsis |
| --- | --- | --- |
| Apache 2.4.x < 2.4.33 Multiple Vulnerabilities | Medium | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.4.x < 2.4.39 Multiple Vulnerabilities | Medium | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.4.x < 2.4.38 Multiple Vulnerabilities | Medium | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.2.x < 2.2.33-dev / 2.4.x < 2.4.26 Multiple Vulnerabilities | High | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.4.x < 2.4.34 Multiple Vulnerabilities | Medium | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.4.x < 2.4.35 DoS | Medium | The remote web server is affected by a denial of service vulnerability. |
| Apache Server ETag Header Information Disclosure | Medium | The remote web server is affected by an information disclosure vulnerability. |
| Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy) | High | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.4.x < 2.4.27 Multiple Vulnerabilities | Medium | The remote web server is affected by multiple vulnerabilities. |
| Apache 2.4.x < 2.4.10 Multiple Vulnerabilities | High | The remote web server may be affected by multiple vulnerabilities. |
Don’t be a statistic
According to https://w3techs.com/, PHP is used for 79% of websites where the server-side programming language is known. They report that 56.8% of PHP websites are still on version 5, despite the fact that support for PHP version 5 was discontinued 11 months ago.
Likewise, the same source indicates that approximately 43% of all websites (where the web server is known) are hosted on Apache. Of those, 72% are running a version of Apache that is at least one year out of date.
If we take those statistics and match them up with the common findings above, we can see that indeed, the majority of findings are coming from outdated versions of open source software.
If you don’t know if you are using open source software components, do yourself a favor and find out.
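As an added example (not code from the original post or from TechGuard's assessment tooling), here is a small Python check that does what the banner-based findings above do: it pulls PHP and Apache versions out of the `Server` and `X-Powered-By` response headers and compares them against the version thresholds named in the two tables. The threshold table and the sample headers are constructed from the findings on this page; a real scanner carries far more rules.

```python
import re

# "Fixed in" thresholds taken from the finding names in the tables above
# (highest threshold per branch; 2.2.33-dev treated as 2.2.33). Constructed
# subset for illustration only.
PATCHED_VERSIONS = {
    "php": {"5.3": (5, 3, 29), "5.4": (5, 4, 42), "5.6": (5, 6, 40), "7.1": (7, 1, 26)},
    "apache": {"2.2": (2, 2, 33), "2.4": (2, 4, 39)},
}
# Major branches the post describes as no longer supported (PHP 5).
UNSUPPORTED_MAJORS = {"php": ("5",)}

# Matches e.g. "Apache/2.4.29 (Ubuntu)" or "PHP/5.6.36"; case-insensitive.
VERSION_RE = re.compile(r"(?i)\b(php|apache)/(\d+)\.(\d+)\.(\d+)")


def parse_versions(headers):
    """Return (product, (major, minor, patch)) pairs found in the banner headers."""
    found = []
    for name in ("Server", "X-Powered-By"):
        for m in VERSION_RE.finditer(headers.get(name, "")):
            found.append((m.group(1).lower(), tuple(int(x) for x in m.group(2, 3, 4))))
    return found


def assess(headers):
    """Return one finding string per outdated or unsupported product in the headers."""
    findings = []
    for product, ver in parse_versions(headers):
        ver_str = ".".join(map(str, ver))
        if str(ver[0]) in UNSUPPORTED_MAJORS.get(product, ()):
            findings.append(f"{product} {ver_str}: unsupported branch")
        patched = PATCHED_VERSIONS[product].get(f"{ver[0]}.{ver[1]}")
        if patched and ver < patched:  # tuple comparison handles 2.4.9 < 2.4.10
            findings.append(f"{product} {ver_str}: below {'.'.join(map(str, patched))}")
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, not from any real assessment.
    sample = {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/5.6.36"}
    for finding in assess(sample):
        print(finding)
```

Banner matching is exactly what an external scan sees, so it is also where its limits lie: a suppressed banner hides an old build, and a distribution that backports fixes without bumping the version string will be flagged even though it is patched. Treat the output as a prompt to confirm against package metadata, not as the final word.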