Yesterday, the Snyk Security team released information about a widespread archive extraction vulnerability known as Zip Slip. Zip Slip allows cyberattackers to write arbitrary files on the system, potentially permitting remote command execution. Zip Slip is a combination of “arbitrary file overwrite” and “directory traversal” weaknesses. An attacker could unzip files outside the normal unzip path and overwrite sensitive files, including critical OS libraries or server configuration files.
Analysis
The vulnerability affects thousands of projects, including ones from Amazon, Apache, HP and Pivotal due to their usage of the vulnerable open-source libraries. The affected libraries are available for a broad range of programming languages, including JavaScript, Python, Ruby, .NET, Go and Groovy.
According to Snyk, issues have also been found in the Java ecosystem. While following the SDLC best practices of code reuse, developers share portions of code in various online forums. Some of the code snippets have been found to be vulnerable to Zip Slip. thereby making applications that reused these code snippets potentially vulnerable, too.
The Zip Slip vulnerability affects multiple archive formats, including tar, jar, war, apk, rar and 7z. An attacker can use a specially crafted archive that holds files with directory traversals in their names to exploit the vulnerability.
Solution
The Snyk security team has listed the affected libraries and recommended mitigation steps here.
Tenable® Research is monitoring the situation on behalf of our customers. We’ll release Nessus® plugins as required to help identify the Cyber Exposure gap.
Additional information
- Snyk whitepaper on Zip Slip
- GitHub reference
- Learn more about Tenable.io,® the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management