Israel-based Snyk Security has reported a new critical vulnerability named Zip Slip. It is an arbitrary file overwrite vulnerability via path traversal in archive formats, which can result in remote command execution (RCE).
According to the researchers who identified the vulnerability, “Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.”
Zip Slip affects:
- Thousands of projects, including ones from Hewlett Packard, Amazon, Apache Foundation, Pivotal, and others
- Multiple languages and platforms, including JavaScript, Ruby, .NET and Go; it is especially prevalent in Java.
- Numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.
The CVEs and the full list of affected projects can be found here: https://github.com/snyk/zip-slip-vulnerability
Action Steps
Waratek Enterprise customers are protected by the standard Path Traversal Rule that remediates this vulnerability.
Waratek Patch customers will receive a virtual patch that corresponds to the vulnerability for each affected project.
Non-Waratek customers should search their code bases for vulnerable code and their dependencies for vulnerable libraries and frameworks. Vulnerable code must be manually fixed and tested. Vulnerable libraries and frameworks must be upgraded to the latest patched release.
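When fixing extraction code by hand, the core check is to resolve each entry name against the target directory and reject any entry whose normalized path falls outside it. The following Java example is added here for illustration and is not code from Snyk or Waratek; the class and method names (SafeUnzip, resolveInside, extract) and the in-memory sample archive are constructed assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Resolve an entry name under destDir; refuse anything that lands outside it.
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) { // Path.startsWith compares whole path components
            throw new IOException("Entry escapes target directory: " + entryName);
        }
        return target;
    }

    // Extract every entry, validating the destination before any bytes are written.
    static void extract(InputStream archive, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path target = resolveInside(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target); // throws instead of overwriting an existing file
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one ordinary entry and one traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            for (String name : new String[] {"docs/readme.txt", "../outside.txt"}) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write("sample".getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        Path dest = Files.createTempDirectory("unzip-demo");
        try {
            extract(new ByteArrayInputStream(buf.toByteArray()), dest);
        } catch (IOException ex) {
            System.out.println("Rejected: " + ex.getMessage());
        }
        System.out.println("readme extracted: " + Files.exists(dest.resolve("docs/readme.txt")));
    }
}
```

When searching a code base, the pattern to look for is an entry name passed straight into a `File` or `Path` constructor under the destination directory without a containment check like the one in `resolveInside`.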
For more information about the Zip Slip vulnerability or how Waratek protects against it, please contact your Waratek representative or schedule a demonstration.