A great challenge for developers nowadays is to keep up in the fast-evolving field of software development. Today's vast landscape of different technologies requires developers to deal with various programming languages, configuration specifics, build systems, etc. And as if that were not enough, this complexity increases the risk of introducing security vulnerabilities, which would allow attackers to steal sensitive data, attack other users, deploy ransomware or other malware, or carry out other malicious activities.
To ease this burden, we at Sonar are constantly improving our code analyzers to help developers write Clean Code. One important aspect of this is Code Security: a software application should be free of security vulnerabilities. Our dedicated research team finds and inspects vulnerabilities in modern open-source applications to keep up with the latest trends and better understand the most recent threats.
Based on the insights from these real-world vulnerabilities, we can improve our product, enabling our users to easily detect weak spots in their own code. At the same time, we responsibly disclose all identified vulnerabilities to the corresponding vendors to protect the users of affected applications. We also publicly share our findings to help developers and security researchers learn from those vulnerabilities, their potential exploitation, and the applied fixes.
Let’s have a look at our research highlights for the year 2023!
Pwnie Award Nominations
Following our nominations in 2021 and 2022, we were happy to receive yet another two nominations for the Pwnie Awards in 2023. The traditional Pwnie Awards are presented at the BlackHat USA conference and honor outstanding achievements of security researchers and the security community.
We were nominated in the following categories:
Epic Achievement
- Nominated for our work on the PHP supply chain that prevented the compromise of millions of servers (Blog)
Best Remote Code Execution
- Nominated for our complex RCE bug chain in Checkmk (Blog)
Although we did not win the award, the nominations were a great honor for us again. Let’s see what this year brings!
Conferences and Talks
Conferences are an excellent way for us to keep up with the latest research trends, meet with the IT security community, and share our own knowledge by presenting a talk.
We were honored to share the results of our research at top-tier conferences in 2023, including the following:
Black Hat Asia 2023
DEF CON 31
- YouTube: DEF CON 31 - Visual Studio Code is Why I Have Workspace Trust Issues - Chauchefoin, Gerste
- Blog: BlackHat 2023: Hackers, Casinos, and an Exciting Announcement
HEXACON2023
Pwn2Own
Pwn2Own is a hacking contest held by ZDI, in which participants discover and exploit vulnerabilities in popular software or hardware devices. After our successful participation in 2022, we were thrilled to participate again in this year’s Pwn2Own Toronto edition. Although this kind of research is not our main focus, we were able to successfully exploit the Wyze v3 camera. Stay tuned for the details!
Trends and Discovered Vulnerabilities
When choosing an open-source application for vulnerability research, we prefer active and widely deployed projects. This way, we maximize the impact of our findings to benefit many users at once. Although these are usually big and complex projects, and hence harder to analyze with traditional SAST techniques, they are also excellent realistic benchmarks for analyzers. This also means that finding something is a challenge, because more community members and professionals will already have looked at the code.
We are excited that in 2023, our team found and reported critical vulnerabilities in some of the most popular applications across different domains and major programming languages:
Attacks on Supply Chain and Developers
Vulnerabilities in critical CI/CD infrastructure not only allow attackers to compromise specific installations but can also be used to launch entire supply chain attacks. In a supply chain attack, a software package is infected and then shipped as part of another software package to users. Aside from directly attacking the CI/CD infrastructure, malicious threat actors are also targeting developers, who have access to the most valuable asset of a software company: its source code. Continuing our efforts from last year, we identified and published more vulnerabilities that could be used to launch supply chain attacks and to explicitly attack developers.
TeamCity is a widely used Continuous Integration and Continuous Deployment (CI/CD) server from JetBrains deployed by more than 30,000 customers worldwide. We identified a critical authentication bypass, which could be used by attackers to execute arbitrary code on the server and potentially launch a supply chain attack.
Visual Studio Code is the most popular source code editor. We thoroughly investigated its security landscape including the five major attack surfaces, namely exposed network services, protocol handlers, workspace settings and local data, workspace trust, and XSS. Furthermore, we identified multiple vulnerabilities in third-party extensions with millions of installs and even more vulnerabilities in the NPM integration of VSCode.
Privacy Mailers
Many messenger services have already switched to end-to-end encryption (E2EE) to protect messages in transit and at rest, but it is still rare among email services. While PGP and S/MIME do exist, they are usually cumbersome to set up and use, even for tech-savvy users. That's why many people turn to privacy-oriented webmail services, which make communications safe in transit and at rest. However, the web client still has to decrypt these messages to show them to the user, which makes it an interesting component to attack!
Proton Mail is a very popular end-to-end encrypted email service with nearly 70 million users worldwide. We identified a Cross-Site Scripting (XSS) vulnerability in its web client. Attackers could leverage different techniques to successfully overcome all mitigations and potentially steal emails and impersonate victims.
Skiff is a well-established, end-to-end encrypted email service. During our audit of its source code, we discovered a mutation-based Cross-Site Scripting (XSS) vulnerability, which could be exploited by attackers to steal emails and impersonate victims.
Tutanota Desktop is the secure desktop client for the encrypted email service Tutanota. The vulnerability we identified in this application could be leveraged by attackers to even execute arbitrary code on a victim’s machine.
Management Software & CMS
A great advantage of web applications is that they are very accessible. While native applications usually require a full-blown client on a user’s machine, web applications can be accessed via a browser. Because of this, a lot of software that manages not only generic but also sensitive data is implemented as a web application. Since these applications are usually exposed to the network, they are a valuable target for threat actors.
Moodle is an open-source learning management system (LMS) used to create and deliver online courses. It is widely used by educators and institutions around the world and has earned their trust, with a user base exceeding 350 million across 242 countries. During our research, we discovered that an unauthenticated user could create arbitrary folders on a Moodle server. This apparently innocuous action turned out to introduce a Cross-Site Scripting (XSS) vulnerability that could eventually be leveraged by an attacker to gain remote code execution. Furthermore, we identified an Account Takeover (ATO) via self-XSS in the WYSIWYG editor of Moodle.
OpenEMR is the most popular open-source software for electronic health records and medical practice management. It is used worldwide to manage sensitive patient data, including information about medications, laboratory values, and diseases. We analyzed multiple code vulnerabilities detected by our SAST engine, which could be exploited by an attacker to take over any OpenEMR instance.
Pimcore is an enterprise software platform for central management of corporate data. With over 100,000 clients across 56 countries, including some major vendors, it has become a trusted choice for businesses worldwide. With the help of SonarCloud, we identified two distinct vulnerabilities that an attacker could exploit with a single GET request, ultimately leading to code execution.
Infrastructure and Network
IT infrastructure is the keystone of our modern digital world and has increasingly become more complex. An attacker who can compromise a company’s IT infrastructure could easily exfiltrate sensitive data, deploy ransomware, spy on employees, and much more. This makes IT infrastructure a high-profile target for threat actors. Continuing our efforts from the previous year, we identified and published more critical vulnerabilities in IT infrastructure-related applications.
pfSense is a popular open-source firewall solution by Netgate. Since a firewall stands as the vigilant guardian of an organization’s network, it is exposed to attacks from external threat actors. Thus we put its resistance to the test and, with the help of SonarCloud, discovered multiple vulnerabilities that attackers could have used to spy on traffic or attack services inside the local network.
Cacti is a well-established, open-source monitoring solution with thousands of publicly exposed instances on the internet. We identified a critical command injection vulnerability, which an unauthenticated attacker could trigger by leveraging an authentication bypass.
LibreNMS is a fully featured, open-source monitoring solution. During our audit of the application, we identified a second-order XSS vulnerability, which attackers could combine with a Blade template injection to gain remote code execution.
What’s next?
Looking back at this exciting year 2023, we are even more thrilled to look forward to the next year. We already have awesome vulnerability findings in our pipeline that we will publish once patches are available. You can follow our research team on X or infosec.exchange if you want to stay up-to-date.
On behalf of SonarSource, we wish you a happy new year and a safe start to 2024!