11 old software bugs that took way too long to squash

In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old—and there was no patch available, and no expectation that one would be forthcoming.

Fortunately, that’s because the system in question was Marvin Minsky’s 1967 implementation of a Universal Turing Machine, which, despite its momentous theoretical importance for the field of computer science, had never actually been built into a real-world computer. But in the decade or so after Minsky’s design, the earliest versions of Unix and DOS came into use, and their descendants are still with us today in the 21st century. Some of those systems have had bugs lurking beneath the surface for years or even decades.

Here are 11 noteworthy and venerable bugs that were discovered in recent years.

Nissan telematics control module baseband vulnerability

Age: 7 years
Date introduced: 2010
Date fixed: 2017

Way back in 2011, security researcher Ralf-Philipp Weinmann discovered a recently introduced flaw in the baseband processor used in mobile phones that could conceivably be used in an attack: hackers could set up a fake cell tower, trick the phone into connecting to it, and then hijack its network connection. The flaw was corrected relatively quickly by cell phone manufacturers and then just as quickly forgotten about.

There was one problem: cell phones weren’t the only devices that used those chips. “Essentially, the same cellular baseband chipset was in the telematics unit in the Nissan Leaf and a variety of other vehicles,” says Jesse Michael, Principal Cyber Security Researcher at security firm Eclypsium. Several researchers (who would go on to join Eclypsium) discovered the vulnerability by experimenting with a car they got from a junkyard.

“This was a vulnerability that had been publicly known in a different market segment for almost seven years before we discovered it in the automotive segment,” said Michael. “Since it was in a widely different market segment that had its own complex supply chain, no one realized that the cars were also vulnerable to the exact same exploit as the phones.” It’s a real cautionary tale about industry siloing.

Python vulnerability first discovered 15 years ago still in play

Age: 15 years
Date introduced: 2007
Date fixed: 2007

Cybersecurity company Trellix has discovered that CVE-2007-4559, a vulnerability affecting Python’s tarfile module first identified in 2007, continues to affect hundreds of thousands of repositories.

“While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module,” Kasimir Schulz, a vulnerability researcher for Trellix’s Threat Labs, wrote on the firm’s blog. “Initially we thought we had found a new zero-day vulnerability. As we dug into the issue, we realized this was in fact CVE-2007-4559.”

According to the National Institute of Standards and Technology (NIST), CVE-2007-4559 is a directory traversal vulnerability in the extract and extractall functions in the tarfile module in Python that allows user-assisted remote attackers to overwrite arbitrary files via a “..” sequence in filenames in a TAR archive.

Bad actors can create exploits with as few as six lines of code added to the tarfile module, which allows users to add a filter to parse and modify a file’s metadata before it is added to the tar archive, Schulz said. CVE-2007-4559 “is incredibly easy to exploit, requiring little to no knowledge about complicated security topics. Due to this fact and the prevalence of the vulnerability in the wild, Python’s tarfile module has become a massive supply chain issue threatening infrastructure around the world.” Trellix has found more than 300,000 repositories affected by the vulnerability.

Trellix has developed a scanning utility to identify the vulnerability and has patched a number of open-source repositories.

sudo’s Baron Samedit

Age: 9 years, 6 months
Date introduced: July 2011
Date fixed: January 2021

The sudo command is an important tool in any Unix admin’s toolkit, granting superpowered user privileges to those who have the correct permissions to invoke it. But with great power comes great responsibility, and it’s important that there be hedges around the command so that users don’t run amok through the system. For instance, you can invoke sudo in shell mode with the -c flag, which you can follow with a series of shell commands that will be executed with superuser privileges. This mode is potentially vulnerable to a buffer overflow attack, where special characters inserted into those commands trick the system into writing code outside the allocated memory buffer, potentially granting access to root privileges.

In general, sudo protects against such attacks by recognizing such special characters before they’re processed. However, in 2011, a vulnerability was accidentally inserted into sudo that made buffer overflow attacks possible, and it lurked in plain sight for nearly a decade. The flaw wasn’t in the sudo command proper, but instead in the auxiliary sudoedit command, which allows users to use superuser privileges to access and edit a file without granting full superuser privileges to the editor program itself. As outlined on the Qualys blog in January 2021, the vulnerability allows serious privilege escalation and patching it is crucial. Affected systems include almost all Unix variants, including Linux, Solaris, and macOS.

Linux GRUB2 Secure Boot hole

Age: 10 years
Date introduced: 2010
Date fixed: July 2020

When UEFI was introduced as a replacement for BIOS, it was deemed the cutting edge of security, with features designed to fight attacks that operated on the level of the bootloading software that starts up an operating system. Key to this is an interlocked chain of signed cryptographic certificates that verifies each bootloader program as legit, a mechanism known as Secure Boot. The root certificate for UEFI is signed by Microsoft, and Linux distributions put their own bootloaders, each with its own validated certificate, further down the chain.

But as CSO’s Lucian Constantin explains, GRUB2, a widely popular Linux bootloader with a UEFI-ready certificate, contains a buffer overflow vulnerability that can be exploited by malicious code inserted into in its configuration file. (While GRUB2 itself is signed, its configuration file, meant to be editable by local admins, is not.) This hole was spotted by Eclypsium, and while an attacker would need to have a degree of local control of the target machine to implement this attack, if they pulled it off successfully, they could ensure that they remain in control of that computer going forward each time it boots up, making it difficult to evict them from the system.

LionWiki Local File Inclusion

Age: 11 years, 11 months
Date introduced: November 2008
Date fixed: October 2020

LionWiki is a minimalist wiki engine, programmed in PHP; unlike many popular wiki engines, like the one underlying Wikipedia, LionWiki doesn’t use a database, and instead is entirely file-based. Since its goal is simplicity, this is one of its strengths, but it also makes a significant vulnerability possible.

In essence, the various files underlying a particular LionWiki instance are accessed by file and pathnames in the URL of the corresponding pages. This means that, with a correctly crafted URL, you could traverse the filesystem of the server hosting the LionWiki instance. There are URL-filtering provisions in place to block attempts to do this, but as Infosec Institute Cyber Range Engineer June Werner discovered, they could be defeated fairly easily.

One thing Werner notes is that this vulnerability persisted despite some attempts to correct it. “Some mitigations were first put in place in July of 2009, and then more extensive mitigations were put in place in January of 2012,” she notes. “Despite these mitigations, the code was still vulnerable to the same type of attack. This vulnerability stayed in the code for another eight years until it was rediscovered, along with a way to bypass the mitigations, in October of 2020.” After the bug was formally reported, it was patched by the developer.

Domain Time II man-on-the-side attack

Age: 14 years
Date introduced: 2007
Date fixed: April 2021

If two computers on the same network can’t agree on what time it is, the results can range from the annoying to the disastrous. This is a longstanding problem in computing, and one of the most mature and widely deployed enterprise solutions is a program known as Domain Time II, a closed-source application in use on Windows, Linux, and Solaris.

Domain Time II harbored for most of its existence a very serious vulnerability. At intervals or upon conditions that the user can set, the program sends UDP queries to an update server run by Greyware Automation Products, the software’s vendor. If the server replies with a URL, Domain Time II will run a program with administrator privileges to download and install an update from that URL.

The problem? If a malicious actor manages to reply to the query before Greyware’s update server does, that attacker can send its own reply, prompting Domain Time II to download whatever malware the attacker wants installed. In a true man-in-the-middle attack, the attacker would be intercepting communications in both directions; in contrast, this is what’s known as a man-on-the-side attack, in which the attacker can’t stop replies to its target machine getting through and so has to send its own reply more quickly. In practice, this means the attacker would need to already control a computer on the target’s local network to pull this off, but this attack represents a way an attacker could escalate their intrusion onto more valuable and secure machines within a local network. This vulnerability was spotted by the security firm Grimm, which noted that the flaw was present in versions of the software going back at least to 2007.

Linux SCSI subsystem bugs

Age: 15 years
Date introduced: 2006
Date fixed: March 2021

If you’re old school, you remember SCSI, a 1980s-era data transfer standard that might’ve been how your first hard drive connected to your IBM PC or classic Mac. It’s still in use in some contexts today, and Linux, always intended to be as flexible and universal as possible, still has an extensive SCSI subsystem for those systems that need it. These modules are available via what’s known as automatic module loading, in which the OS grabs and installs the system code it needs when it needs it—which is helpful if you find yourself plugging a SCSI drive into your Linux machine and don’t want to hunt down the necessary supporting code, but it’s also helpful to attackers who want to exploit errors in said code.

Cybersecurity consultancy Grimm posted an extensive breakdown of several bugs in this Linux SCSI code that they discovered in March 2021. One was a buffer overflow vulnerability that could allow a normal user to gain root privileges, and the others were errors where information from the kernel could be leaked to user space, and all could be used to get privileged information or as part of a DoS attack on the affected machine. Grimm dates the bugs back to 2006 and dryly notes that they’re “an indication of a lack of security-conscious programming practices that was prevalent at the time this code was developed.”

SIGRed

Age: 17 years
Date introduced: 2003
Date fixed: 2020

DNS is one of the underrated backbones of the internet, the system by which your computer knows what IP address correlates to any given URL. The system is hierarchical, with requests being sent up and down the pyramid looking for DNS servers that know the answer to the question, “Where is this computer?” As a result, DNS has been built into all major operating systems.

In 2020, Microsoft disclosed a critical vulnerability in its own version of DNS, which had been lurking in the code for 17 years, although there was no evidence that it had ever been exploited in the wild. The vulnerability, dubbed SIGRed by its discoverers at Check Point, was a buffer overflow flaw in Windows DNS servers that could be used triggered by exploit code tucked into a DNS packet’s signature. A malicious nameserver could send such packets in response to requests, bypassing most security protections and potentially gaining remote access to the Microsoft DNS server. The attack would be potentially wormable, meaning that it could be automated and spread without user intervention.

PuTTY heap overflow

Age: 20 years, 9 months
Date introduced: January 1999
Date fixed: October 2019

PuTTY is a free and open source suite of tools including a serial console, a terminal emulator, and various network file transfer applications, with SSH and various other encryption schemes built in. It was originally released to bring the sorts of tools that Unix administrators took for granted to Windows and classic Mac OS, but has expanded its scope and is now in wide use on Unix systems as well. While PuTTY was designed to secure network connections, it turns out there was a vulnerability lurking at its heart. This was another form of buffer overflow problem (a heap overflow, in this case), and could be triggered by a too-short SSH key, which could result in crashing PuTTY or even remote code execution.

The vulnerability was submitted to HackerOne as part of the bug bounty program established by the European Union’s ; it netted the submitter a $3,645 reward and a thank you from the PuTTY team, who noted that the bug had been present in the very earliest versions of the PuTTY source code they had, dating back to 1999.

win32k.sys vulnerabilities

Age: 23 years
Date introduced: 1996
Date fixed: 2019

Two big vulnerabilities were detected in the Win32 API in Microsoft Windows in 2019. The first, found in April, was a User-After-Free vulnerability, in which OS coding errors made it possible for programs to access system memory that should’ve been protected; this vulnerability was detected by security researchers when they discovered malicious hackers attempting to use it in the wild to gain control of computers. The other, discovered in December, was an elevation-of-privilege vulnerability lurking in the OS’s window switching functionality; this vulnerability was similarly discovered in the course of active attacks, which were simulating keystrokes in an attempt to create memory leaks.

Both vulnerabilities have their origins in the early days of Windows. “The problem originates from the time when WIN32K made its debut with Windows NT 4.0, when much of Win32’s graphics engine was moved from user level to kernel to boost performance,” explains Boris Larin, senior security researcher at Kaspersky. And while these two specific vulnerabilities have been patched, that long-ago decision on the part of Microsoft has had much broader effects—and probably will continue to do so, Larin says. “Throughout the years, the WIN32K component has been responsible for more than a half of all kernel security vulnerabilities discovered in Windows.”

PrintDemon 

Age: 24 years
Date introduced: 1996
Date fixed: May 2020

Printers are a frequent pain point for IT because there are a lot of different kinds, they aren’t made by the same vendors who make computers and operating systems, and users expect to plug them in and just start printing. Microsoft in particular in its early years battled to make installing a printer driver relatively easy and painless. But a recent bug, dubbed PrintDemon, showed that maybe they took that a bit too far back in the ’90s—and are still paying for it today.

The core of the vulnerability lies in three facts: Non-administrative users can add printers to a Windows machine; the underlying mechanics make it possible to print to a file rather than a physical printing device; and crucial printing services on Windows run with SYSTEM privileges. That means that, if you do to it right, you can build a “printer” driver that can create a file (even an executable one) anywhere on the filesystem (even in privileged directories). There are plenty of exploits that have been cooked up over the years to take advantage of these design flaws—Stuxnet, it turns out, was one of them—but PrintDemon, discovered in 2020, was a real doozy, and was made possible because Microsoft’s fixes over the years had been patches rather than a complete rebuild of the printing subsystem. As Winsider describes it, “With very subtle file system modifications, you can achieve file copy/write behavior that is not attributable to any process, especially after a reboot … with a carefully crafted port name, you can imagine simply having the Spooler drop a [portable executable] file anywhere on disk for you.” Sounds like bad news!

Why it matters

These lists are fun to come up with—it always elicits a thrill to realize that your computer might be hacked due to a vulnerability in the printer subsystem from the Clinton years—but there’s a real-world importance to knowing about old bugs that goes beyond the immediate need to fix them. Adam Nichols, Principal at Grimm, says, “One of the things we do when we find a vulnerability in our independent research efforts is attempt to determine how long it has been present. This is unfortunately not the industry standard, but other researchers do sometimes do this as well. Going the extra mile to find out how long people were vulnerable is extra work, but I feel it’s an important part of the conversation.”

Nichols points to the research of Sandy Clark, who’s shown that extensive code reuse has resulted in a large attack surface of known vulnerabilities, and that a codebase in long active use may eventually have its lurking vulnerabilities turned into exploits. This flies in the face of traditional software engineering dogma, which believes that most flaws will be fixed in the early days of a codebase’s use as it encounters real-world problems and attacks. But it turns out that, in the words of Clark’s paper’s title, familiarity can breed contempt.  

Editor’s note: This article, originally published on June 18, 2021, has been updated with the Python tarfile vulnerability.