Speaker Slides: static.sched.c...
In a world full of vulnerabilities, there is an untold story of those libraries that are insecure by design: libraries that, when used in a certain way, allow the application built on them to be compromised. Not all of a library's security issues are treated as vulnerabilities and addressed with a patch or a CVE; at best, they are addressed with a minor warning in the documentation. These issues pose a significant risk to organizations because they are nearly impossible to detect. We named them "Shadow Vulnerabilities".
We discovered a new shadow vulnerable code pattern in a widely used OSS library and wondered who might be vulnerable.
We developed a tool that automatically analyzed more than 100k repositories to determine whether each repository is vulnerable and prioritized them based on their potential to create vast damage. We were able to validate the exploitability of hundreds of high-profile targets such as Apache Cassandra, Prometheus, PyTorch, and many more…
In this presentation, we will review the discovered vulnerabilities, and discuss the challenges of scaling the triage, validating exploitation, and building a reliable infrastructure. We will use Apache Cassandra to demonstrate how we validated the attack vector for each target, sharing the exploitation details of the critical RCE we found, and its implications on a database-as-a-service used by multiple cloud providers.
Both the project owners and the library owners claimed that the responsibility for using the library “safely” lies with the users themselves. The result is that most users are vulnerable and have no process to fix this, or even to become aware of it.
We believe it is vital to raise community awareness of shadow vulnerabilities, as we only scratched the surface with one example out of many more that are still out there.
Guy Kaplan
Oligo Security
Security Researcher
Guy Kaplan is a Security Researcher in the CTO Office of Oligo Security. His experience in software development and vulnerability research spans more than a decade. In his previous jobs, Guy held various roles at several cyber security startups, where he acquired skills in vulnerability research and exploitation as well as software development on a variety of platforms. Guy served as a security researcher and engineer with the Israeli Defense Forces Intelligence. Whenever Guy is not breaking things for profit, he loves scuba diving.
Gal Elbaz
Oligo Security
Co-Founder and CTO
Gal is the co-founder and CTO at Oligo Security, where he leverages his decade-long experience in vulnerability research and ethical hacking. Previously, he served as a Senior Security Researcher at CheckPoint, specializing in vulnerability research, exploitation, and fuzzing across various platforms.
His journey in cybersecurity began in the Israeli Defense Forces' Intelligence unit, where he held the role of a security researcher and engineer. When not 'breaking things' for his work, Gal spends his free time playing in Capture The Flag (CTF) competitions, constantly honing his cybersecurity skills.
Managed by the OWASP® Foundation
owasp.org/