2. 1. Detailed description of the weakness
2. Real vulnerability listed in CVE, i.e. the PyYAML library
3. Explain the code error, affected components, consequences and fixes
4. Practical demo explanation of the code
5. How to identify it and mitigate it
3. Vulnerable and Outdated Component
● Ranked in the top 6 security risks in 2021 by the OWASP project.
● Components/systems that are not up to date and are vulnerable to possible attacks.
● Bootstrap, Vue.js, jQuery, ReactJS and Angular are popular web development frameworks; if these libraries and frameworks are vulnerable, the application is not secure.
4. How Attackers Gain Access
1. Attacker gains access to an organization's internal network.
2. Attacker runs a scanning tool to locate internal systems with unpatched or outdated components.
3. Attacker exploits a flaw in the outdated component that allows them to install malicious code on the application server.
5. Vulnerable Software Components
Parts of systems or applications:
➔ Susceptible to attacks
Code injection, buffer overflow, command injection, Cross-Site Scripting (XSS)
➔ Different components
Modules, frameworks, libraries, software packages, APIs, web servers
6. Example:
Is updating simple?
● A package might have dependencies of its own.
● The app might stop functioning, since functions might be renamed or deprecated.
● So, updating is not as simple as it looks.
Example
A web application made with the Django framework.
7. 80% Open Source Code
Code from Stack Overflow, GitHub, Quora, popular forums and blogs.
Read more, write less.
10. Code Error, Affected Component and Consequences
YAML? Yet Another Markup Language
Data serialization language used in writing config files.
● The load() function can execute arbitrary commands.
● E.g.: !!python/object/apply:subprocess.Popen
- ls
● subprocess.Popen executes another program from Python code, e.g. it runs a shell command list.
● It also has a communicate() method that can pipe into other methods for various functionality, e.g. shutting down the server or getting file access.
11. Fixes
● Use BaseLoader or safe_load() instead of full_load() and load()
● Update to the latest version, in which the bug is fixed
● https://github.com/yaml/pyyaml/pull/257
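Added example (not part of the original slides) showing the two sides of the fix: a pre-check that finds Python-specific tags without constructing any object, and a loader built on safe_load() that refuses the !!python/object/apply document from slide 10 instead of running it. The sample documents are constructed; the function names are my own.

```python
"""Detect and refuse PyYAML Python-specific tags instead of executing them."""
import yaml

# Constructed samples: a harmless config, and a document carrying the tag that
# yaml.load(doc, Loader=yaml.Loader) would turn into a subprocess.Popen call.
BENIGN_DOC = "server:\n  host: 127.0.0.1\n  port: 8080\n"
TAGGED_DOC = "cmd: !!python/object/apply:subprocess.Popen\n  - ls\n"

# The '!!' handle expands to this prefix; every python/* tag lives under it.
PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"


def find_python_tags(text):
    """Return the Python-specific tags in a document without constructing it.

    yaml.parse() only tokenises and parses: it emits events and never
    instantiates the classes a tag names, so it is safe on untrusted input
    and usable as a pre-commit or CI check on config files.
    """
    found = []
    for event in yaml.parse(text):
        tag = getattr(event, "tag", None)  # scalar/sequence/mapping start events carry tags
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            found.append(tag)
    return found


def load_config(text):
    """Load YAML with the safe loader; Python tags are rejected, not executed."""
    try:
        return yaml.safe_load(text)
    except yaml.constructor.ConstructorError as exc:
        # SafeConstructor has no constructor registered for python/* tags,
        # so the document is refused before any object is created.
        return {"error": "refused unsafe tag", "detail": exc.problem}


if __name__ == "__main__":
    print(find_python_tags(TAGGED_DOC))
    print(load_config(BENIGN_DOC))
    print(load_config(TAGGED_DOC))
```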
12. How to identify?
➔ Vulnerable component
Look out for OS/software packages, applications and runtime environments in client and server code.
➔ Old unpatched dependencies
Review/research the components you are using beforehand for possible vulnerabilities in articles, GitHub issues, Stack Overflow, etc.
➔ Use Dependabot tools to keep track of dependencies.
13. Possible Mitigation
Possible solutions for the issues:
➔ Make sure the components used are up to date.
➔ Remove unused dependencies to reduce the attack surface.
➔ Install components from a trusted source and make sure to validate their integrity; do a background study.
➔ Don't update to a dependency as soon as it comes out. Wait for possible issue reports.
➔ It is also better to use signed packages. Choose dependencies and components wisely, i.e. well maintained, with a big user base and a supporting community.