In a breach disclosure notice made in early September, US-based credit reference agency Equifax said criminal hackers had stolen the personal data of 143 million customers in the US. The attack persisted for several weeks, beginning in mid-May and continuing to late July this year, taking advantage of a “web application vulnerability.” Equifax also holds the personal details of 44 million UK citizens, according to reports, and admitted without going into details that "limited personal information" from British and Canadian residents had also been compromised.
The attack was simple, and avoidable. Equifax issued a statement on September 13th acknowledging that the breach was due to a vulnerability in Apache Struts, a free, open source framework for creating web applications that is widely used by Fortune 100 companies to build corporate websites. Organisations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and ShowTime all have developed applications using the Struts framework.
The vulnerability was CVE-2017-5638, which was reported in March of this year. That Struts flaw allows an attacker to send specially crafted requests to a vulnerable Struts application and run commands on the server hosting it, providing an easy way to take control of sensitive sites. A patched version of the component was released at the same time, allowing developers to remediate the vulnerability quite easily. The following day, an exploit was released, making it far simpler for even less-skilled hackers to take advantage of the vulnerability. At that moment, a race began between organisations using Struts and hackers looking to take advantage of the vulnerability.
Equifax is not alone in neglecting vulnerabilities and updates to commonly used open source components. Earlier this year the UK's Information Commissioner's Office (ICO) imposed a £100,000 fine on Gloucester City Council over its failure to fix a weakness in the security of its website. According to the ICO, Gloucester City Council failed to ensure software it was using was updated to fix the 'Heartbleed' bug.
The software in question was OpenSSL, among the most common open source components used by organisations. OpenSSL is an open source project contained in hundreds of thousands of applications to secure communications over computer networks. More than 66% of websites use OpenSSL, in addition to business email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Although council IT staff flagged the need to patch the open source component, that patch was never applied. The vulnerability was then exploited by a hacker to access sensitive personal information.
The Common Thread: Open Source Vulnerabilities
Outside of their respective breaches and the resultant exposure of personal information, the common thread connecting Equifax and Gloucester City Council is their use of open source components with known vulnerabilities. That’s unsurprising. Open source is ubiquitous in today’s applications because using open source lowers development costs, enables innovation and speeds time to market. Last year, Black Duck’s Center for Open Source Research & Innovation (COSRI) analysed more than 1,000 applications that were audited as part of merger and acquisition (M&A) transactions. The Black Duck COSRI audit analysis found that 96% of the applications scanned contained open source software. But more tellingly, more than 60% of those applications contained known security vulnerabilities in those open source components. In fact, the average application had over two dozen vulnerabilities in its open source components.
Notably, 60% of the financial industry applications that were audited contained high-risk vulnerabilities in their open source components. Additionally, the COSRI analysis showed that 83% of audited applications in the retail and e-commerce industries contained high-risk known open source vulnerabilities.
It makes sense that the longer a vulnerability goes unpatched, the greater the likelihood of an attack. While Equifax was successfully attacked within months of the Struts vulnerability’s disclosure, we often give attackers far more time than that. On average, the open source vulnerabilities identified in the COSRI audited applications had been publicly known for more than four years.
It’s Up to Users to Know What Open Source They Use
At this point it’s important to differentiate between open source components and open source vulnerabilities when talking about the need for open source security. Open source is no less secure than proprietary/commercial code. Nearly all open source vulnerabilities are disclosed responsibly, and a patch is released concurrently with the disclosure of the vulnerability. But unlike commercial software (Microsoft’s, for example), critical open source security updates are not pushed to users as they become available. It’s up to open source users to know what open source they are using and to stay on top of the various patches, fixes and upgrades made to their open source packages. As the COSRI audit analysis shows, many companies are not at all effective in doing this.
The issue is not your use of open source components coming home like so many chickens to roost. The real issue is that too many companies lack visibility into and control over the open source they have in use. Many organisations don’t pay sufficient attention to the additional security exposures created by vulnerable open source components, and actually may not even be aware these exposures exist in their applications or websites, like a time bomb that only needs to be triggered by a hacker.
What Can Companies Do to Protect Themselves?
The most effective way for companies to get visibility into and control over open source in their applications and websites is to use automated processes to scan for open source, create an inventory of those open source components and then map that open source to open source vulnerability databases. This enables them to identify any known vulnerabilities and then monitor the inventory for any newly reported open source vulnerabilities.
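As an added illustration of the three-step process above (inventory, map to a vulnerability database, monitor for new advisories), the following Python sketch is example code written for this article, not Black Duck's product code. The pom.xml fragment and the vulnerability feed are constructed sample data: CVE-2017-5638 is the Struts id cited above, but the affected and fixed version strings in the feed are hand-entered samples, not authoritative advisory data.

```python
# Added example (not Black Duck's code): a minimal open source inventory check
# of the kind the text describes: list components, map each one against a
# vulnerability feed, and re-check when new advisories arrive.
# The version ranges in VULN_FEED are CONSTRUCTED sample data; always take
# affected/fixed versions from the vendor advisory, not from this file.
import re
from typing import Dict, List, Tuple

# Constructed Maven dependency fragment standing in for a scanned application.
POM_SAMPLE = """<dependencies>
  <dependency><groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId><version>2.3.30</version></dependency>
  <dependency><groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId><version>1.7.25</version></dependency>
</dependencies>"""

# Constructed feed: (component, first affected, first fixed, advisory id, severity)
VULN_FEED = [
    ("org.apache.struts:struts2-core", "2.3.5", "2.3.32", "CVE-2017-5638", "critical"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.30' into (2, 3, 30) so '2.3.9' sorts before '2.3.30' (not lexically)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def inventory_from_pom(pom: str) -> Dict[str, str]:
    """Step 1: build a {'group:artifact': version} inventory from a pom fragment."""
    pat = re.compile(r"<groupId>(.*?)</groupId>\s*<artifactId>(.*?)</artifactId>"
                     r"\s*<version>(.*?)</version>", re.S)
    return {f"{g}:{a}": ver for g, a, ver in pat.findall(pom)}

def find_known_vulnerabilities(inventory: Dict[str, str], feed) -> List[Dict[str, str]]:
    """Step 2: map each inventoried component to feed entries whose range contains it."""
    hits = []
    for comp, ver in inventory.items():
        v = parse_version(ver)
        for fcomp, first, fixed, advisory, severity in feed:
            if fcomp == comp and parse_version(first) <= v < parse_version(fixed):
                hits.append({"component": comp, "version": ver, "id": advisory,
                             "severity": severity, "fixed_in": fixed})
    return hits

def new_findings(previous: List[Dict[str, str]], current: List[Dict[str, str]]):
    """Step 3: monitoring; report only findings that were absent from the last run."""
    seen = {(h["component"], h["id"]) for h in previous}
    return [h for h in current if (h["component"], h["id"]) not in seen]
```

Run on a schedule, the diff from `new_findings` is what turns a one-off scan into the ongoing monitoring the paragraph calls for; a newly published feed entry surfaces as a finding without re-reading the whole report.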
With this visibility and vigilance, organisations can effectively protect themselves and their customers from the type of open source exploits that affected the Gloucester City Council and Equifax. They can avoid the fire drill that is going on right now at many large corporations that are running vulnerability assessment tools, trying to determine if they will be the next to be exploited by some vulnerability and be placed in a very uncomfortable media spotlight.
The consequences for inaction can be serious, both for you and for your customers, so our advice is to get processes and policies into place immediately to identify, manage, and secure the open source used in your applications and web properties. As Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.”
Mike Pittenger, Vice President, Security Strategy at Black Duck Software