
Curl Is Yet Another Example of Software Supply Chain Vulnerability Being a Perennial Problem

By John Trest, Chief Learning Officer, VIPRE Security Group

With the release of a patch for Curl – an open source data-transfer tool with an estimated install base of over 20 billion – infosecurity professionals, including those in the financial sector, have their work cut out for them. Remediation is going to be painstaking and onerous. Why? Curl, and the libcurl library behind it, is bundled by default almost everywhere, so every affected host needs its operating system updated – Windows 11, macOS and the various Linux distributions – and every application that ships its own copy of the library needs rebuilding.

To further illustrate what this entails: nearly every container image (e.g., HTTPD, Python, MySQL and more) – the software packaging format, with downloads in the billions, used by nearly every cloud-native app including those in the finance space – has to be updated, rebuilt and redeployed, because each image carries its own copy of the affected package.

This Curl vulnerability is yet another reminder of how fragile the software supply chain can be. Developers pull open source software (OSS) into their business applications as components for convenience and faster turnaround. The downside is that they inherit the security risk along with the code, while having little control over it and no influence over the upstream developers' priorities or release schedule.

The financial sector is not immune to the impact of such events. The share of financial services organisations reporting a ransomware attack rose from 55% in 2022 to 64% in 2023. The root causes? Exploited vulnerabilities, compromised credentials and email phishing top the list. Looking at ransomware alone, one industry estimate puts the rate at one attack every two seconds by 2031.

The direct cost of breaches and attacks is eye-watering for any organisation. Recovering from certain cyberattacks, such as ransomware, is reported to have cost businesses an average of $1.85 million in 2021. Cyber-attacks can hit profitability, stock price and, most critically, reputation, which is perhaps the hardest to “remediate”. Many in the financial industry will still remember the impact of Log4j and MOVEit. The latter is widely regarded as one of the largest mass-exploitation events of recent years, and even months after the release of the patch for MOVEit, the remediation work continues.

The “vulnerabilities” keep coming

The challenge is that these vulnerabilities aren’t sporadic, and neither are they staggered. New flaws are disclosed constantly, and attackers move on them quickly. Last week, just as the patch for Curl was released, “HTTP/2 Rapid Reset” was disclosed after being abused in record-sized distributed denial-of-service attacks. This new vulnerability affects an underlying protocol that is implemented by many different components – web servers, proxies, load balancers and application frameworks – and now all of those components need to be updated too, alongside Curl.

Operational and remediation costs for a financial services organisation can be substantial, depending on the severity of the vulnerability and the size of the business. These costs include activities such as patching the vulnerable systems, potential system downtime, and implementing security enhancements.

Mitigating software supply chain risk

Mitigating the impact of Curl and HTTP/2 Rapid Reset needs a two-pronged approach. The immediate step is remediation, which starts with understanding what software is running and where these components are in use. Tooling that generates a Software Bill of Materials (SBOM) will help to identify usage of these OSS components, with one caveat: an SBOM derived from the package manager lists the distribution’s curl package but not a copy statically linked or vendored into an application binary, so those have to be found by scanning the binaries themselves. The SBOM must then be analysed against the advisory’s affected version range.

For the longer term, organisations must devise and continually refine a strategy to pre-empt software supply chain attacks. Foremost, this means a well-defined, proactive assessment of where an attack could land, so that preventative measures can be applied, alongside an emergency plan for the day a component in the software supply chain turns out to be vulnerable.

Adopting software composition analysis (SCA) helps to create an inventory of all third-party components in use within the enterprise’s infrastructure. The tooling is valuable because it can also compare that inventory against a database of known vulnerabilities, such as the MITRE CVE List, and flag the versions that fall inside an advisory’s affected range.
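The SBOM analysis step and the SCA comparison above are the same join: every component in the inventory is matched by name and version against a feed of vulnerability records. The following is an added example written for this article, not code from VIPRE or the curl project. It parses a constructed CycloneDX JSON SBOM for a container image and flags components inside an affected range. The feed entry is the curl SOCKS5 heap overflow fixed in curl 8.4.0 (CVE-2023-38545), with the 7.69.0 to 8.3.0 range the curl advisory gives; the package-name aliases in `Names` and the sample SBOM contents are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// The subset of a CycloneDX JSON SBOM this check needs: the component list.
type sbom struct {
	Components []component `json:"components"`
}

type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// One record of a vulnerability feed, as an SCA tool would load it.
// The affected range is inclusive at both ends.
type vulnRecord struct {
	ID           string
	Names        []string // package names the record applies to (assumed aliases)
	Introduced   string
	LastAffected string
	FixedIn      string
}

// parseVersion turns "7.88.1-10+deb12u4" into [7 88 1]: each dotted part is
// read up to its first non-digit so distro suffixes do not break ordering.
func parseVersion(v string) []int {
	var out []int
	for _, part := range strings.Split(v, ".") {
		end := len(part)
		for i, r := range part {
			if r < '0' || r > '9' {
				end = i
				break
			}
		}
		n, _ := strconv.Atoi(part[:end]) // empty prefix reads as 0
		out = append(out, n)
	}
	return out
}

// compareVersions returns -1, 0 or 1 comparing numeric parts; a missing
// trailing part counts as 0, so "8.4" equals "8.4.0".
func compareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// affects reports whether the record names this component and its version
// lies within [Introduced, LastAffected].
func (r vulnRecord) affects(c component) bool {
	named := false
	for _, n := range r.Names {
		if strings.EqualFold(n, c.Name) {
			named = true
			break
		}
	}
	if !named || c.Version == "" {
		return false
	}
	return compareVersions(c.Version, r.Introduced) >= 0 &&
		compareVersions(c.Version, r.LastAffected) <= 0
}

type finding struct {
	Component, Version, PURL, VulnID, FixedIn string
}

// analyseSBOM parses the SBOM and joins every component against the feed.
func analyseSBOM(sbomJSON []byte, feed []vulnRecord) ([]finding, error) {
	var b sbom
	if err := json.Unmarshal(sbomJSON, &b); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	var out []finding
	for _, c := range b.Components {
		for _, r := range feed {
			if r.affects(c) {
				out = append(out, finding{c.Name, c.Version, c.PURL, r.ID, r.FixedIn})
			}
		}
	}
	return out, nil
}

// Constructed SBOM (not from a real image): an Ubuntu-style curl, a Debian-style
// libcurl4 with a distro suffix, an unrelated component and an already patched curl.
var sampleSBOM = []byte(`{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "curl", "version": "7.81.0", "purl": "pkg:deb/ubuntu/curl@7.81.0"},
    {"type": "library", "name": "libcurl4", "version": "7.88.1-10+deb12u4", "purl": "pkg:deb/debian/libcurl4@7.88.1-10%2Bdeb12u4"},
    {"type": "library", "name": "python", "version": "3.11.6", "purl": "pkg:generic/python@3.11.6"},
    {"type": "library", "name": "curl", "version": "8.4.0", "purl": "pkg:generic/curl@8.4.0"}
  ]
}`)

// Feed entry for the curl SOCKS5 heap overflow fixed in 8.4.0; range per the curl advisory.
var curlFeed = []vulnRecord{
	{ID: "CVE-2023-38545", Names: []string{"curl", "libcurl", "libcurl4"},
		Introduced: "7.69.0", LastAffected: "8.3.0", FixedIn: "8.4.0"},
}

func main() {
	findings, err := analyseSBOM(sampleSBOM, curlFeed)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s (%s): %s, fixed in %s\n", f.Component, f.Version, f.PURL, f.VulnID, f.FixedIn)
	}
}
```

Two findings come back: the Ubuntu-style `curl 7.81.0` and the Debian-style `libcurl4 7.88.1`. The second illustrates the limit of version-only matching: distributions often backport a fix while keeping the upstream version number, so a flagged distro package has to be cross-checked against that distribution's security tracker before it is treated as vulnerable, and a clean result says nothing about copies of libcurl statically linked into application binaries that never appear in the SBOM.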

Techniques such as code signing must be adopted. Code signing confirms which key a software component was signed with – and therefore, if that key is properly protected, who published it – and guarantees that the code has not been altered since it was signed. It does not guarantee that the signed code is free of vulnerabilities: the vulnerable Curl releases carried valid maintainer signatures just like the fix does, so signing complements SCA rather than replacing it.
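What a consuming pipeline actually checks before it trusts a signed component, as an added example written for this article rather than code from VIPRE or the curl project: a producer signs the SHA-256 digest of the artefact with an Ed25519 key, and the consumer verifies against a public key pinned out of band under a signer label. The key label `curl-release`, the trust-store shape and the artefact contents are assumptions; the three scenarios (valid, tampered in transit, re-signed by an attacker's key) are the cases a verifier must get right.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// A signed component as it would be fetched: the bytes, a detached signature
// over their SHA-256 digest, and the label under which the signer's public key
// is pinned in the consumer's trust store.
type signedArtifact struct {
	Artifact  []byte
	Signature []byte
	Signer    string
}

// newSigner generates a producer key pair. In practice the private key lives
// in an HSM or a signing service, never on the build host.
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signArtifact signs the digest of the artefact, the same shape as signing a
// container image by its manifest digest.
func signArtifact(priv ed25519.PrivateKey, signer string, artifact []byte) signedArtifact {
	d := sha256.Sum256(artifact)
	return signedArtifact{Artifact: artifact, Signature: ed25519.Sign(priv, d[:]), Signer: signer}
}

// verifyArtifact is the check a build pipeline runs before consuming a
// component: the signer must be pinned in the trust store and the signature
// must verify under that key over the digest of the bytes actually received.
func verifyArtifact(trust map[string]ed25519.PublicKey, a signedArtifact) error {
	pub, ok := trust[a.Signer]
	if !ok {
		return fmt.Errorf("signer %q is not in the trust store", a.Signer)
	}
	d := sha256.Sum256(a.Artifact)
	if !ed25519.Verify(pub, d[:], a.Signature) {
		return errors.New("signature does not verify: artefact altered or signed by another key")
	}
	return nil
}

// demo exercises the three outcomes a verifier must get right and reports
// whether each was handled correctly.
func demo() (validAccepted, tamperRejected, forgeryRejected bool) {
	pub, priv := newSigner()
	trust := map[string]ed25519.PublicKey{"curl-release": pub} // pinned out of band (assumed label)

	// Constructed stand-in for a release tarball.
	good := signArtifact(priv, "curl-release", []byte("curl-8.4.0.tar.gz contents"))
	validAccepted = verifyArtifact(trust, good) == nil

	// A mirror or an attacker flips one byte after signing.
	tampered := good
	tampered.Artifact = append([]byte{}, good.Artifact...)
	tampered.Artifact[0] ^= 0x01
	tamperRejected = verifyArtifact(trust, tampered) != nil

	// An attacker re-signs a backdoored artefact with their own key while
	// claiming the trusted label; the pinned key does not match.
	_, attackerPriv := newSigner()
	forged := signArtifact(attackerPriv, "curl-release", []byte("backdoored contents"))
	forgeryRejected = verifyArtifact(trust, forged) != nil
	return
}

func main() {
	ok, tamper, forge := demo()
	fmt.Printf("valid accepted=%v tamper rejected=%v forgery rejected=%v\n", ok, tamper, forge)
}
```

The check stands or falls on how the public key got into the trust store and how the private key is protected: a signature only ever proves possession of the key, which is why production tooling adds a transparency log and short-lived signing identities on top of this basic verify-before-consume step.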

To secure the software supply chain, the authenticity and integrity of the people, processes and technologies involved across the IT infrastructure must be ensured, which is a highly complex undertaking. It encompasses securing every component, activity and practice involved in creating and deploying software end to end: third-party and proprietary code, interfaces and protocols, deployment methods and infrastructure, and developer practices and development tools. This in turn requires a conscious and premeditated approach at every stage of the software development lifecycle: development, where the software is written; build and packaging; and deployment, where it is released and consumed.

Vigilance makes security awareness training indispensable

Meanwhile, the threat landscape keeps growing – malware, ransomware and phishing attacks are ever-increasing – making the management of supply chain security progressively more difficult. Also, once threat actors have exploited a vulnerability, they can sit inside an organisation’s network for months before they are detected, so in many instances the damage could already be done.

Therefore, alongside all the latest tools and techniques deployed to proactively secure the software supply chain, vigilance is crucial. Both product development teams and end users must be equipped with the tools, processes and knowledge to react in a way that limits the impact of a software vulnerability, should an attack of any kind succeed. Security awareness training is the indispensable wrap-around for all the process and technology measures installed, because a single, seemingly innocuous component or click can open the floodgates.