lazyllama - Fotolia

EU patches 20-year-old open source vulnerability

Ethical hackers taking part in a bug bounty programme on behalf of the European Union have uncovered a 20-year-old vulnerability

A 20-year-old vulnerability in PuTTY, an open source network file transfer application, has been tracked down and patched during a wide-ranging bug bounty programme conducted by HackerOne on behalf of the European Union Free and Open Source Software Audit (EU-FOSSA).

The vulnerability could potentially have allowed a malicious actor to crash the programme and use it to achieve remote code execution. It was first spotted on 27 June 2019 and publicly disclosed on 20 September, netting its discoverer a €3,250 (£2,782) bonus.

HackerOne technical programme manager Shlomie Liberow said it was not necessarily a surprise that the vulnerability had lain undiscovered for two decades.

“Tools like PuTTY are complex and it contains some functionality that isn’t always used, and therefore it may be harder to uncover some security issues,” he said.

“Ultimately, it’s less surprising that security flaws from way back exist, but – what’s more phenomenal – is that the right level of attention went into auditing a commonly used tool in such a thorough way, with many bugs squished as a result.”

The PuTTY flaw was just one of 133 uncovered during the EU-FOSSA bug-tracking programme, which paid out a total of €87,990 (£75,330) in bounties to researchers.

Established after the crisis occasioned by the disclosure of the Heartbleed OpenSSL vulnerability in 2014, EU-FOSSA exists to secure Europe’s vast open source software estate – long-championed by the European Commission (EC) as a manifestation of its goals around transparency and egalitarianism.

Besides PuTTY, the EU also runs Drupal, KeePass, FileZille, Apache Kafka, Notepad++, VLC Media Player and MidPoint, among many others.

“The Commission’s Directorate General for Informatics has been introducing Free and Open Source Software in its IT stack since at least the year 2000, when the first version of the Commission’s Open Source Software Strategy was created,” an EU-FOSSA spokesperson explained.

“The use of free and open source software has increased and become strategic in several areas – Linux is used at 80% of the servers of the Commission’s datacentre, and the Europa website is running on Drupal, to name a few.”

With the Heartbleed bug effectively demonstrating that vulnerabilities were likely to be present in many central elements of the global internet infrastructure, the spokesperson said the EU had a clear responsibility to ensure the reliability of its open source software estate.

“This way, we not only protect ourselves, but add value to the open source community and to the general public, who increasingly use open source software on their devices,” they said.

EU-FOSSA ran a successful pilot bug bounty programme alongside HackerOne in 2018, after which it became clear both to the EU-FOSSA team and to several interested MEPs, that the scope of the initial pilot should be widened.

Given its successes to date, it is likely to be widened further still, said the spokesperson: “Continuation of the project is currently being considered, we are looking at different options. We are also sharing our experience, encouraging other projects and public organisations in Europe to follow our path.”

For HackerOne, working with open source products bore the added complication of building new relationships between hackers and the open source community – despite its longevity and its capabilities, the open source movement remains a largely volunteer effort, and is rarely if ever backed by the kind of “slick, resource rich corporate organisations” with which it usually works.

“There’s something rather exciting about having the opportunity to audit tools used by millions,” said Liberow.

“Communication and collaboration were a big factor in the security finds. To some security researchers, it was a new experience to work with teams of volunteers and devise patches to address the bugs they found, which is harder to do when working with proprietary software.”

Read more about open source software

Read more on Application security and coding requirements

Data Center
Data Management