xerial / snappy-java

Snappy compressor/decompressor for Java


Veracode Static scan - Very high security issues found with 1.1.9.1 version

rssurdikar opened this issue · comments

Hi,

I am using snappy java's 1.1.9.1 jar in my application and when I did Veracode static scan, I found the following very high vulnerability issues.

Command or Argument Injection(1 flaw)

Description
Command or argument injection vulnerabilities occur when data enters an application from an untrusted source and is used to
dynamically construct and execute a command. In the case of OS command injection, an attacker may be able to either alter
the command executed by the application or append additional commands. In the case of argument injection, the attacker may
influence the behavior of the program in other ways, for example, by changing the destination of an outbound network request or
injecting additional commands into an argument or parameter. The command is typically executed with the privileges of the
executing process and gives an attacker a privilege or capability that he would not otherwise have.

Recommendations
Careful handling of all untrusted data is critical in preventing injection attacks. Using one or more of the following techniques
provides defense in depth and minimizes the likelihood of a vulnerability.

  • If possible, use library calls rather than external processes to recreate the desired functionality.
  • Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using
    centralized data validation routines when possible.
  • Select safe API routines. Some APIs that execute system commands take an array of strings as input rather than a single
    string, which protects against some forms of command injection by ensuring that a user-supplied argument cannot be
    interpreted as part of the command.

Associated Flaws by CWE ID:
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')(CWE ID 78)(1 flaw)

Description
This call contains a command injection flaw. The argument to the function is constructed using untrusted input. If an
attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with
the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines,
if any.
An effort to Fix: 3 - Complex implementation error. The fix is approx. 51-500 lines of code. Up to 5 days to fix.

Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters. Most APIs that execute system commands also have a "safe" version of
the method that takes an array of strings as input rather than a single string, which protects against some forms of
command injection.

Instances found via Static Scan
| Flaw Id | Module # | Class # | Module | Location |
|---|---|---|---|---|
| 6512 | 130 | - | snappy-java-1.1.9.1.jar | org/.../xerial/snappy/OSInfo.java 178 |

Code:

```java
// OSInfo.java line 178 as flagged by the scan: a fixed command string, no user input reaches it
int exitCode = Runtime.getRuntime().exec("which readelf").waitFor();
```

Untrusted Search Path(2 flaws)

Description
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to
execute malicious commands (and payloads) on behalf of an attacker.
If an attacker is allowed to specify all or part of a filename to a certain API function, it may be possible to load arbitrary libraries.
In addition, certain functions perform automatic path searching, iterating over a list of paths to search for desired resources,
such as executables, libraries, or configuration files. If an attacker can modify the path, for example, by manipulating an
environment variable, he may be able to trick the program into referencing an attacker-controlled resource. Similarly, if the
search path is static but an attacker is able to place a malicious copy of the resource higher in the search order than the file the
application intends to load, then the application will load the malicious version.

Recommendations
Avoid using user-supplied filenames or paths. When calling methods that load libraries or launch processes, ensure that full
paths are provided specifying the resource to be loaded.

Associated Flaws by CWE ID:
Process Control (CWE ID 114)(2 flaws)

Description
A function call could result in a process control attack. An argument to a process control function is either derived from
an untrusted source or is hard-coded, both of which may allow an attacker to execute malicious code under certain
conditions. If an attacker is allowed to specify all or part of the filename, it may be possible to load arbitrary libraries. If
the location is hard-coded and an attacker is able to place a malicious copy of the library higher in the search order than
the file the application intends to load, then the application will load the malicious version.

An effort to Fix: 2 - Implementation error. The fix is approx. 6-50 lines of code. 1 day to fix.

Recommendations
Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation
routines when possible. When using hard-coded file locations, use fully-qualified filenames to ensure the proper library
is being loaded.

Instances found via Static Scan
| Flaw Id | Module # | Class # | Module | Location |
|---|---|---|---|---|
| 6519 | 173 | - | snappy-java-1.1.9.1.jar | org/.../snappy/SnappyLoader.java 180 |
| 6522 | 173 | - | snappy-java-1.1.9.1.jar | org/.../snappy/SnappyLoader.java 183 |

Code:

```java
// SnappyLoader.java lines 180-183 as flagged by the scan
if (nativeLibFile != null) {
    // Load extracted or specified snappy java native library.
    System.load(nativeLibFile.getAbsolutePath());
}
```
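One way to apply the scan's two recommendations ("use library calls rather than external processes" and "ensure that full paths are provided") to the code quoted above, as an added example that is not snappy-java's own code: `NativeToolLookup`, `findOnPath` and `loadNativeFrom` are names chosen here, and the PATH walk assumes the platform's `File.pathSeparator` convention.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added example, not snappy-java code: replaces the "which readelf" process spawn
// with a library-level PATH walk, and guards System.load with a canonical-path check.
public final class NativeToolLookup {

    // Walk the PATH entries and return the first regular, executable file with this name.
    // Nothing is executed, so there is no command to inject into.
    static Optional<Path> findOnPath(String executable, String pathEnv) {
        if (pathEnv == null || pathEnv.isEmpty()) {
            return Optional.empty();
        }
        for (String dir : pathEnv.split(File.pathSeparator)) {
            if (dir.isEmpty()) continue;   // an empty POSIX PATH entry means "."; do not search it
            Path candidate = Paths.get(dir).resolve(executable);
            if (Files.isRegularFile(candidate) && Files.isExecutable(candidate)) {
                return Optional.of(candidate.toAbsolutePath());
            }
        }
        return Optional.empty();
    }

    // For the SnappyLoader finding: only load a native library that is a regular file
    // and really lives under the directory the loader extracted it to (symlinks resolved).
    static void loadNativeFrom(Path expectedDir, Path nativeLibFile) throws IOException {
        Path real = nativeLibFile.toRealPath();
        Path base = expectedDir.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new IOException("refusing to load native library outside " + base + ": " + real);
        }
        System.load(real.toString());   // always an absolute, canonical path
    }

    public static void main(String[] args) {
        Optional<Path> readelf = findOnPath("readelf", System.getenv("PATH"));
        System.out.println(readelf.map(Path::toString).orElse("readelf not found on PATH"));
    }
}
```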

Hi. For such vulnerability-related reports, can I kindly ask you to use private reporting here https://github.com/xerial/snappy-java/security/advisories so that any security hole will not be exploited by an attacker before a fix is made?

Thanks, @xerial. I did not know that previously. I will definitely use advisories next time. Let me close this issue right now.