A serious security flaw in a commonly used, but overlooked open source security module may be undermining the integrity of hundreds of thousands or even millions of private and public applications, putting untold numbers of organizations and data at risk.

A team of independent security researchers that includes application security professionals at Shutterstock and Squarespace identified the flaw in private-ip, a npm module first published in 2016 that enables applications to block request forgery attacks by filtering out attempts to access private IP4 addresses and other restricted IP4 address ranges, as defined by ARIN

The SSRF Blocker That Didn’t

The researchers identified a so-called Server Side Request Forgery (SSRF) vulnerability in commonly used versions of private-ip. The flaw allows malicious attackers to carry out SSRF attacks against a population of applications that may number in the hundreds of thousands or millions globally. It is just the latest incident to raise questions about the security of the “software supply chain,” as more and more organizations shift from monolithic to modular software application development built on a foundation of free and open source code.

Report: Cybercriminals target difficult-to-secure ERP systems with new attacks

According to an account by researcher John Jackson of Shutterstock, flaws in the private-ip code meant that the filtering allegedly carried out by the code was faulty. Specifically, independent security researchers reported being able to bypass protections and carry out Server-Side Request Forgeries against top tier applications. Further investigation uncovered a common explanation for those successful attacks: private-ip, an open source security module used by the compromised applications.

SSRF attacks allow malicious actors to abuse functionality on a server: reading data from internal resources or modifying the code running on the server. Private-ip was created to help application developers spot and block such attacks. SSRF is one of the most common forms of attack on web applications according to OWASP.

Black Box Device Research reveals Pitiful State of Internet of Things Security

The problem: private-ip didn’t do its job very well.

“The code logic was using a simple Regular Expression matching,” Jackson (@johnjhacking) told The Security Ledger. Jackson, working with other researchers, found that private-ip was blind to a wide number of variations of localhost, and other private-ip ranges as well as simple tricks that hackers use to obfuscate IP addresses in attacks. For example, researchers found they could send successful requests for localhost resources by obscuring those addresses using hexadecimal equivalents of private IP addresses or with simple substitutions like using four zeros for each octet of the IP address instead of one (so: 0000.0000.0000.0000 instead of 0.0.0.0). The result: a wide range of private and restricted IP addresses registered as public IP addresses and slipped past private-ip.

Private-IP: small program, BIG footprint

The scope of the private-ip flaws are difficult to grasp. However, available data suggests the component is very widely used. Jackson said that hundreds of thousands, if not millions of applications likely incorporate private-ip code in some fashion. Many of those applications are not publicly addressable from the Internet, but may still be vulnerable to attack by an adversary with access to their local environment.

Private-ip is the creation of developer Damir Mustafin (aka “frenchbread”), a developer based in the Balkan country of Montenegro, according to his GitHub profile, which contains close to 60 projects of different scopes. Despite its popularity and widespread use, private-ip was not a frequent focus of Mr. Mustafin’s attention. After first being published in August 2016, the application had only been updated once, in April 2017, prior to the most recent update to address the SSRF flaw.

A Low Key, High Distribution App

The lack of steady attention didn’t dissuade other developers from downloading and using the npm private-ip package, however. It has an average of 14,000 downloads weekly, according to data from GitHub. And direct downloads of private-ip are just one measure of its use. Fully 355 publicly identified npm modules are dependents of private-ip v1.0.5, which contains the SSRF flaws. An additional 73 GitHub projects have dependencies on private-ip. All told, that accounts for 153,374 combined weekly downloads of private-ip and its dependents. One of the most widely used applications that relies on private-ip is libp2p, an open source network stack that is used in a wide range of decentralized peer-to-peer applications, according to Jackson.

While the flaw was discovered by so-called “white hat” vulnerability researchers, Jackson said that it is almost certain that malicious actors knew about and exploited it -either directly or inadvertently. Other security researchers have almost certainly stumbled upon it before as well, perhaps discovering a single address that slipped through private-ip and enabled a SSRF attack, while failing to grasp private-ip’s role or the bigger flaws in the module.

In fact, private-ip may be the common source of a long list of SSRF vulnerabilities that have been independently discovered and reported in the last five years, Jackson said.”This may be why a lot of enterprises have struggled with SSRF and block list bypasses,” he said.

After identifying the problem, Jackson and his team contacted the developer, Damir Mustafin (aka “frenchbread”), looking for a fix. However, it quickly became clear that they would need to enlist additional development talent to forge a patch that was comprehensive. Jackson tapped two developers: Nick Sahler of the website hosting provider Square Space and the independent developer known as Sick Codes (@sickcodes) to come up with a comprehensive fix for private-ip. The two implemented the netmask utility and update private-ip to correctly filter private IP ranges and translate all submitted IP addresses at the byte level to catch efforts to slip encoded addresses past the filter.

Common Mode Failures and Software Supply Chain

Even though it is fixed, the private-ip flaw raises larger and deeply troubling questions about the security of software applications on which our homes, businesses and economy are increasingly dependent.

The greater reliance on open source components and the shift to agile development and modular applications has greatly increased society’s exposure to so-called “common cause” failures, in which a the failure of a single element leads to a systemic failure. Security experts say the increasingly byzantine ecosystem of open source and proprietary software with scores or hundreds of poorly understood ‘dependencies’ is ripe for such disruptions.

Sites like npm are a critical part of that ecosystem -and part of the problem. Created in 2008, npm is a package manager for the JavaScript programming language that was acquired by GitHub in March. It acts as a public registry of packages of open source code that can be downloaded and incorporated into web and mobile applications as well as a wide range of hardware from broadband routers to robots. But vetting of the modules uploaded to npm and other platforms is often cursory. Scores have been called out as malicious and an even greater number are quietly dropped from the site every day after being discovered to be malicious in nature.

Less scrutinized is low quality code and applications that may quickly be adopted and woven into scores or hundreds or thousands of other applications and components.

“The problem with (software) dependencies is once you identify a problem with a dependency, everything downstream is f**ked,” the developer known as Sick Codes told The Security Ledger. “It’s a house of cards.”

Patch Now

In the short term, organizations that know they are using private-ip version 1.0.5 or earlier as a means of preventing SSRF or related vulnerabilities should upgrade to the latest version immediately, Jackson said. Static application security testing tools can help identify whether private-ip is in use within your organization.

The bigger fix is for application developers to pay more attention to what they’re putting into their creations. “My recommendations is that when software engineers use packages in general or third party code, they need to evaluate what they’re using and where its coming from,” Jackson said.  

Chinese electronics giant TCL has acknowledged security holes in some models of its smart television sets, but denies that it maintains a secret “back door” that gives it control over deployed TVs.

In an email statement to The Security Ledger dated November 16, Senior Vice President for TCL North America Chris Larson acknowledged that the company issued a security patch on October 30 for one of two serious security holes reported by independent researchers on October 27. That hole, assigned the Common Vulnerabilities and Exposure (CVE) number 2020-27403 allowed unauthenticated users to browse the contents of a TCL smart TV’s operating system from an adjacent network or even the Internet.

A patch for a second flaw, CVE-2020-28055, will be released in the coming days, TCL said. That flaw allows a local unprivileged attacker to read from- and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.

The Security Ledger reported last week on the travails of the researchers who discovered the flaws, @sickcodes and @johnjhacking, who had difficulty contacting security experts within TCL and then found a patch silently applied without any warning from TCL.

A Learning Process for TCL

In an email statement to Security Ledger, Larson acknowledged that TCL, a global electronics giant with a market capitalization of $98 billion, “did not have a thorough and well-developed plan or strategy for reacting to issues” like those raised by the two researchers. “This was certainly a learning process for us,” he wrote.

At issue was both the security holes and the manner in which the company addressed them. In an interview with The Security Ledger, the researcher using the handle Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.

IT Asset Disposition (ITAD) is the Slow Motion Data Breach Nobody notices

By TCL’s account, the patch was distributed via an Android Package (APK) update on October 30. APK files are a method of installing (or “side loading”) applications and code on Android-based systems outside of sanctioned application marketplaces like the Google Play store. The company did not address in its public statements the question of whether prior notification of the update was given to customers or whether TV set owners were required to approve the update before it was installed.

Limited Impact in North America

However, the patch issued on October 30 is unlikely to have affected TCL customers in the U.S. and Canada, as none of the TCL models sold in the North America contain the CVE-2020-24703 vulnerability, TCL said in its statement. However, some TCL TV models sold in the U.S. and Canada are impacted by CVE-2020-28055, the company warned. They are TCL models 32S330, 40S330, 43S434, 50S434, 55S434, 65S434, and 75S434.

The patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.

Consumer Reports: Flaws Make Samsung, Roku TVs Vulnerable

No Back Doors, Just “Remote Maintenance”

While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones.

In particular, TCL acknowledges that an Android APK known as “Terminal Manager…supports remote diagnostics in select regions,” but not in North America. In regions where sets with the Terminal Manager APK are deployed, TCL is able to “operate most functions of the television remotely.” That appears to include cameras and microphones installed on the set.

However, TCL said that Terminal Manager can only be used if the user “requests such action during the diagnostic session.” The process must be “initiated by the user and a code provided to TCL customer service agents in order to have diagnostic access to the television,” according to the company’s FAQ.

Other clarifications from the vendor suggest that, while reports of secret back doors in smart TVs may be overwrought, there is plenty of reason to worry about the security of TCL smart TVs.

The TCL statement acknowledged, for example, that two publicly browsable directories on the TCL Android TVs identified by the researchers could have potentially opened the door for malicious actors. A remotely writeable “upgrade” directory /data/vendor/upgrade on TCL sets has “never been used” but is intended for over the air firmware upgrades. Firmware update files placed in the directory are loaded on the next TV reboot. Similarly a directory /data/vendor/tcl, has also “never been used,” but stores “advertising graphics” that also are loaded “as part of the boot up process,” TCL said.

Promises to work with Independent Researchers

The company said it has learned from its mistakes and that it is undertaking efforts to work more closely with third party and independent security researchers in the future.

“Going forward, we are putting processes in place to better react to discoveries by 3rd parties. These real-world experts are sometimes able to find vulnerabilities that are missed by testing. We are performing additional training for our customer service agents on escalation procedures on these issues as well as establishing a direct reporting system online,” the company said.

China Risk Rising

Vendor assurances aside, there is growing concern within the United States and other nations about the threat posed by hundreds of millions of consumer electronic devices manufactured – or sourced in China. The firm Intsights in August warned that China was using technological exports as “weaponized trojans in foreign countries.” The country is “exporting technology around the world that has hidden backdoors, superior surveillance capability, and covert data collection capabilities that surpass their intended purposes and are being used for widespread reconnaissance, espionage, and data theft,” the company warned, citing reports about gear from the telecommunications vendor Huawei and social media site TikTok among others.

Western governments and non-governmental organizations have also raised alarms about the country’s blend of technology-enabled authoritarianism, including the use of data theft and data harvesting, coupled with artificial intelligence to identify individuals whose words or actions are counter to the ruling Communist Party.