As everyone in the industry knows, not all software vulnerabilities are equal: some are trivial, some are irrelevant, and some are severe. Obviously, you should focus your attention on those characterized as severe.
The recently published Trojan Source (CVE-2021-42574) vulnerability falls into the severe category, meaning you should give it your full attention. It is classified as severe for multiple reasons: it is damaging (the NVD has given it a 9.8 severity score), it is pervasive, and it is very hard to find.
Researchers at the University of Cambridge recently revealed a Trojan Source vulnerability that can affect any codebase regardless of the programming language. Because of how Unicode bidirectional (bidi) control characters are rendered, source code can appear to a human reader to have a different structure from the one the compiler actually parses. This lets attackers insert trojans into any application with very little effort, creating a weakness to exploit.
For example, the following code snippet might appear to be safe, but the hidden Unicode control characters in it cause compilers to parse it differently from the way it is displayed.
/* begin sensitive block */ if (properlySanitized(user_input)==true) {
sensitive_api_call(user_input);
/* end sensitive block */}
The above gets parsed into
/* begin sensitive block */ if (properlySanitized(user_input)==true) {sensitive_api_call(user_input);/* end sensitive block */ }
Organizations need a solution to this problem because of how easily this vulnerability could be injected into codebases. For example, when a developer searches the web for a way to implement an algorithm or use an API, they might copy and paste a code snippet from the search results. If the copied snippet contains this attack, the trojan will be successfully planted. And this kind of vulnerability is difficult to catch with manual code review because most people aren’t looking for hidden characters when they review code.
This vulnerability can also enter a codebase via the supply chain of third-party components. A popular dependency could include the malicious code, and it might not be caught during code review because bidi character attacks are invisible to human reviewers.
But help is available via Rapid Scan Static, a self-contained, lightweight executable that uses the Sigma SAST engine (for Linux, Windows, and macOS). Coverity® customers can download the latest version via the Black Duck community portal. Starting in version 2021.11.1, Rapid Scan Static detects the Unicode bidi Trojan Source vulnerability across all languages, including C/C++, Java, JavaScript, C#, Python, Go, PHP, Swift, Kotlin, and more.
The executable itself is about 50 MB and can be run standalone from the command line. Deploy it within a Docker container or wherever it suits your organization.
Black Duck plans to roll out additional improvements over upcoming releases. For now, the Trojan Source check has to be explicitly enabled with the --enable flag, as shown in Figure 1 below.
The following output is from running Rapid Scan Static against the Linux kernel codebase—and thankfully this important codebase is safe from this vulnerability. Notice that the engine identified about 70,000 files, and Rapid Scan Static scanned roughly 55,000 source files in 11 seconds.
% git clone https://github.com/torvalds/linux.git
% sigma analyze --enable trojan_source_bidi_char_anywhere linux
Copyright (c) 2021 Black Duck Software, Inc.
For documentation and support, visit https://community.blackduck.com
Identified
│ File Type          │ Occurrences │
├────────────────────┼─────────────┤
│ C                  │       30678 │
│ C Header           │       22254 │
│ Device Tree        │        4008 │
│ ReStructuredText   │        2982 │
│ Makefile           │        2671 │
│ Plain Text         │        2452 │
│ YAML               │        2174 │
│ GNU Style Assembly │        1201 │
│ Shell              │         679 │
│ JSON               │         412 │
│ Python             │         140 │
│ SVG                │          59 │
│ Perl               │          55 │
│ BASH               │          52 │
│ Properties         │          33 │
│ ASN.1              │          17 │
│ ...                │         ... │
No issues found after 11 seconds
%
Figure 1: Rapid Scan Static output of the Linux kernel codebase
Given how easily this vulnerability can be introduced, and especially now that the technique is public, Black Duck encourages CISOs, security professionals, and developers to scan all codebases across their company to ensure that no Trojan Source vulnerabilities currently exist. Performing scans nightly, or alongside any other scans in the CI/CD pipeline, will catch any future introduction of this vulnerability.
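As an added example (not Rapid Scan Static or any Black Duck code), the following Python scanner flags every Unicode bidi control character anywhere in a source tree, which is the condition the rule name trojan_source_bidi_char_anywhere describes, and exits non-zero so it can gate a CI job. The sample input, the page's first line with one hidden right-to-left override, is constructed here for the test.

```python
import os
import sys
from dataclasses import dataclass

# Unicode bidi control characters abused by Trojan Source (CVE-2021-42574):
# embeddings/overrides U+202A..U+202E and isolates U+2066..U+2069.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int    # 1-based line number
    column: int  # 1-based column, counted in code points
    char: str    # abbreviation from BIDI_CONTROLS, e.g. "RLO"

def scan_text(text, path="<memory>"):
    """Return one Finding per bidi control character found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(path, lineno, col, BIDI_CONTROLS[ch]))
    return findings

def scan_tree(root, extensions=(".c", ".h", ".py", ".js", ".go", ".java")):
    """Walk a checkout and scan every file with a source extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings

# Constructed sample: the page's first line with a right-to-left override
# (U+202E) placed inside the comment; it renders without a visible glyph.
TROJANED = "/* begin sensitive block \u202e*/ if (properlySanitized(user_input)==true) {\n"
CLEAN = "/* begin sensitive block */ if (properlySanitized(user_input)==true) {\n"

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in hits:
        print(f"{f.path}:{f.line}:{f.column}: bidi control {f.char}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job
```

Run it as `python scan_bidi.py path/to/checkout`; a clean tree prints nothing and exits 0.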
If you are an existing Coverity customer, you can download the latest Rapid Scan Static version via the Black Duck community portal.