Monday, October 30 • 11:30am - 12:15pm
Discovering Shadow Vulnerabilities in Popular Open-Source Projects: A Journey Through Reverse-Fuzzing

Among the many vulnerabilities reported every year, there is an untold story: libraries that are insecure by design, where using the library in a particular way leaves the application open to compromise. Not every security issue in a library is treated as a vulnerability and addressed with a patch or a CVE; at best, such issues are addressed with a brief warning in the documentation. They pose a significant risk to organizations because they are nearly impossible to detect. We call them "Shadow Vulnerabilities".

We discovered a new shadow-vulnerable code pattern in a widely used OSS library and wondered who else might be vulnerable.

We developed a tool that automatically analyzed more than 100k repositories to determine whether each one is vulnerable, and prioritized them by the potential damage of exploitation. We were able to validate the exploitability of hundreds of high-profile targets such as Apache Cassandra, Prometheus, PyTorch, and many more…

In this presentation, we will review the discovered vulnerabilities and discuss the challenges of scaling triage, validating exploitation, and building reliable infrastructure for the analysis. We will use Apache Cassandra to demonstrate how we validated the attack vector for each target, sharing the exploitation details of the critical RCE we found and its implications for a database-as-a-service offering used by multiple cloud providers.

Both the affected projects' maintainers and the library's maintainers claimed that the responsibility for using the library “safely” lies with the users themselves. The result is that most users are vulnerable and have no process to fix this, or even to become aware of it.

We believe it is vital to raise community awareness of shadow vulnerabilities; we have only scratched the surface with one example out of many that are still out there.

Guy Kaplan

Security Researcher, Oligo Security
Guy Kaplan is a Security Researcher in the CTO Office of Oligo Security. His experience in software development and vulnerability research spans more than a decade. In his previous jobs, Guy held various roles in various cyber security startups in which he acquired skills in vulnerability...
Gal Elbaz

Co-Founder and CTO, Oligo Security
Gal is the co-founder and CTO at Oligo Security, where he leverages his decade-long experience in vulnerability research and ethical hacking. Previously, he served as a Senior Security Researcher at CheckPoint, specializing in vulnerability research, exploitation, and fuzzing across...

Monday October 30, 2023 11:30am - 12:15pm EDT
Room: Archives