TechGuard Blog

Open Source Software - Common Vulnerabilities

The proof, as they say, is in the pudding

In a previous blog post I wrote about addressing concerns with Open Source Software (OSS). In that blog, I discussed some potential concerns with OSS and how it is the organization's responsibility to catalog OSS packages and modules in use. Let’s face it, in terms of cybersecurity, we’re not dealing with the Ronco Rotisserie. You can’t simply “set it and forget it”. The vulnerability landscape changes daily and the days of doing the bare minimum are gone, organizations must stay alert to all vulnerabilities, including OSS libraries.

TechGuard Security works with a diverse group of clients, spanning a wide spectrum of industry and cybersecurity maturity. One of the core services we offer is External Vulnerability Assessments. What kind of vulnerabilities can you find by simply scanning internet-facing assets and what does that have to do with open source components? Let’s find out.

 

The results are in

In order to better understand some of the most common vulnerabilities we encounter, I examined a year’s worth of external vulnerability assessment results. It should come as no surprise (after all, why else would I be talking about it) that two of the top three areas are directly related to open source software.

Top 10 most commonly encountered PHP related vulnerabilities.

Name

Risk

Synopsis

PHP 5.3.x < 5.3.29 Multiple Vulnerabilities

High

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

PHP 5.4.x < 5.4.40 Multiple Vulnerabilities

Critical

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

PHP 5.6.x < 5.6.40 Multiple vulnerabilities.

High

An application installed on the remote host is affected by multiple vulnerabilities.

PHP 5.6.x < 5.6.37 exif_thumbnail_extract() DoS

Medium

The version of PHP running on the remote web server is affected by a denial of service vulnerability.

PHP 7.1.x < 7.1.17 Multiple Vulnerabilities

Medium

The version of PHP running on the remote web server is affected by multiple vulnerabilities.

PHP 5.4.x < 5.4.30 Multiple Vulnerabilities

Critical

The remote web server is running a version of PHP that is affected by multiple vulnerabilities.

PHP 5.4.x < 5.4.42 Multiple Vulnerabilities

High

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

PHP Unsupported Version Detection

Critical

The remote host contains an unsupported version of a web application scripting language.

PHP 7.1.x < 7.1.26 Multiple vulnerabilities.

High

An application installed on the remote host is affected by multiple vulnerabilities.

 

 

Top 10 most commonly encountered Apache related vulnerabilities.

Name

Risk

Synopsis

Apache 2.4.x < 2.4.33 Multiple Vulnerabilities

Medium

The remote web server is affected by multiple vulnerabilities.

Apache 2.4.x < 2.4.39 Multiple Vulnerabilities

Medium

The remote web server is affected by multiple vulnerabilities.

Apache 2.4.x < 2.4.38 Multiple Vulnerabilities

Medium

The remote web server is affected by multiple vulnerabilities.

Apache 2.2.x < 2.2.33-dev / 2.4.x < 2.4.26 Multiple Vulnerabilities

High

The remote web server is affected by multiple vulnerabilities.

Apache 2.4.x < 2.4.34 Multiple Vulnerabilities

Medium

The remote web server is affected by multiple vulnerabilities.

Apache 2.4.x < 2.4.35 DoS

Medium

The remote web server is affected by a denial of service vulnerability.

Apache Server ETag Header Information Disclosure

Medium

The remote web server is affected by an information disclosurevulnerability.

Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (httpoxy)

High

The remote web server is affected by multiple vulnerabilities.

Apache 2.4.x < 2.4.27 Multiple Vulnerabilities

Medium

The remote web server is affected by multiple vulnerabilities.

Apache 2.4.x < 2.4.10 Multiple Vulnerabilities

High

The remote web server may be affected by multiple vulnerabilities.

 

Don’t be a statistic

According to https://w3techs.com/, PHP is used for 79% of websites where the server-side programming language is known. They report 56.8% of PHP web sites are still on version 5, despite the fact that support for PHP version 5 was discontinued 11 months ago.

Likewise, the same source indicates that approximately 43% of all websites are hosted on Apache (where the webserver is known).  Of those, 72% are running a version of Apache that is at least one year out of date. 

If we take those statistics and match them up with the common findings above, we can see that indeed, the majority of findings are coming from outdated versions of open source software.

If you don’t know if you are using open source software components, do yourself a favor and find out.

Written by Aaron Moore