10 old software bugs that took way too long to squash

As these examples show, vulnerabilities can lurk within production code for years or decades—and attacks can come at any time.

Digital bugs amid binary code. [security threats / malware / breach / hack / attack]
WhataWin / Getty Images

In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old—and there was no patch available, and no expectation that one would be forthcoming.

Fortunately, that's because the system in question was Marvin Minsky's 1967 implementation of a Universal Turing Machine, which, despite its momentous theoretical importance for the field of computer science, had never actually been built into a real-world computer. But in the decade or so after Minsky's design, the earliest versions of Unix and DOS came into use, and their descendants are still with us today in the 21st century. Some of those systems have had bugs lurking beneath the surface for years or even decades.

Here are ten noteworthy and venerable bugs that were discovered in recent years.

Nissan telematics control module baseband vulnerability

Age: 7 years
Date introduced: 2010
Date fixed: 2017

Way back in 2011, security researcher Ralf-Philipp Weinmann discovered a recently introduced flaw in the baseband processor used in mobile phones that could conceivably be used in an attack: hackers could set up a fake cell tower, trick the phone into connecting to it, and then hijack its network connection. The flaw was corrected relatively quickly by cell phone manufacturers and then just as quickly forgotten about.

There was one problem: cell phones weren't the only devices that used those chips. "Essentially, the same cellular baseband chipset was in the telematics unit in the Nissan Leaf and a variety of other vehicles," says Jesse Michael, Principal Cyber Security Researcher at security firm Eclypsium. Several researchers (who would go on to join Eclypsium) discovered the vulnerability by experimenting with a car they got from a junkyard.

"This was a vulnerability that had been publicly known in a different market segment for almost seven years before we discovered it in the automotive segment," said Michael. "Since it was in a widely different market segment that had its own complex supply chain, no one realized that the cars were also vulnerable to the exact same exploit as the phones." It's a real cautionary tale about industry siloing.

sudo's Baron Samedit

Age: 9 years, 6 months
Date introduced: July 2011
Date fixed: January 2021

The sudo command is an important tool in any Unix admin's toolkit, granting superpowered user privileges to those who have the correct permissions to invoke it. But with great power comes great responsibility, and it's important that there be hedges around the command so that users don't run amok through the system. For instance, you can invoke sudo in shell mode with the <code>-c</code> flag, which you can follow with a series of shell commands that will be executed with superuser privileges. This mode is potentially vulnerable to a buffer overflow attack, where special characters inserted into those commands trick the system into writing code outside the allocated memory buffer, potentially granting access to root privileges.

In general, sudo protects against such attacks by recognizing such special characters before they're processed. However, in 2011, a vulnerability was accidentally inserted into sudo that made buffer overflow attacks possible, and it lurked in plain sight for nearly a decade. The flaw wasn't in the sudo command proper, but instead in the auxiliary sudoedit command, which allows users to use superuser privileges to access and edit a file without granting full superuser privileges to the editor program itself. As outlined on the Qualys blog in January 2021, the vulnerability allows serious privilege escalation and patching it is crucial. Affected systems include almost all Unix variants, including Linux, Solaris, and macOS.

Linux GRUB2 Secure Boot hole

Age: 10 years
Date introduced: 2010
Date fixed: July 2020

When UEFI was introduced as a replacement for BIOS, it was deemed the cutting edge of security, with features designed to fight attacks that operated on the level of the bootloading software that starts up an operating system. Key to this is an interlocked chain of signed cryptographic certificates that verifies each bootloader program as legit, a mechanism known as Secure Boot. The root certificate for UEFI is signed by Microsoft, and Linux distributions put their own bootloaders, each with its own validated certificate, further down the chain.

But as CSO's Lucian Constantin explains, GRUB2, a widely popular Linux bootloader with a UEFI-ready certificate, contains a buffer overflow vulnerability that can be exploited by malicious code inserted into in its configuration file. (While GRUB2 itself is signed, its configuration file, meant to be editable by local admins, is not.) This hole was spotted by Eclypsium, and while an attacker would need to have a degree of local control of the target machine to implement this attack, if they pulled it off successfully, they could ensure that they remain in control of that computer going forward each time it boots up, making it difficult to evict them from the system.

LionWiki Local File Inclusion

Age: 11 years, 11 months
Date introduced: November 2008
Date fixed: October 2020

LionWiki is a minimalist wiki engine, programmed in PHP; unlike many popular wiki engines, like the one underlying Wikipedia, LionWiki doesn't use a database, and instead is entirely file-based. Since its goal is simplicity, this is one of its strengths, but it also makes a significant vulnerability possible.

In essence, the various files underlying a particular LionWiki instance are accessed by file and pathnames in the URL of the corresponding pages. This means that, with a correctly crafted URL, you could traverse the filesystem of the server hosting the LionWiki instance. There are URL-filtering provisions in place to block attempts to do this, but as Infosec Institute Cyber Range Engineer June Werner discovered, they could be defeated fairly easily.

One thing Werner notes is that this vulnerability persisted despite some attempts to correct it. "Some mitigations were first put in place in July of 2009, and then more extensive mitigations were put in place in January of 2012," she notes. "Despite these mitigations, the code was still vulnerable to the same type of attack. This vulnerability stayed in the code for another eight years until it was rediscovered, along with a way to bypass the mitigations, in October of 2020." After the bug was formally reported, it was patched by the developer.

Domain Time II man-on-the-side attack

Age: 14 years
Date introduced: 2007
Date fixed: April 2021

If two computers on the same network can't agree on what time it is, the results can range from the annoying to the disastrous. This is a longstanding problem in computing, and one of the most mature and widely deployed enterprise solutions is a program known as Domain Time II, a closed-source application in use on Windows, Linux, and Solaris.

Domain Time II harbored for most of its existence a very serious vulnerability. At intervals or upon conditions that the user can set, the program sends UDP queries to an update server run by Greyware Automation Products, the software's vendor. If the server replies with a URL, Domain Time II will run a program with administrator privileges to download and install an update from that URL.

The problem? If a malicious actor manages to reply to the query before Greyware's update server does, that attacker can send its own reply, prompting Domain Time II to download whatever malware the attacker wants installed. In a true man-in-the-middle attack, the attacker would be intercepting communications in both directions; in contrast, this is what's known as a man-on-the-side attack, in which the attacker can't stop replies to its target machine getting through and so has to send its own reply more quickly. In practice, this means the attacker would need to already control a computer on the target's local network to pull this off, but this attack represents a way an attacker could escalate their intrusion onto more valuable and secure machines within a local network. This vulnerability was spotted by the security firm Grimm, which noted that the flaw was present in versions of the software going back at least to 2007.

Linux SCSI subsystem bugs

Age: 15 years
Date introduced: 2006
Date fixed: March 2021

If you're old school, you remember SCSI, a 1980s-era data transfer standard that might've been how your first hard drive connected to your IBM PC or classic Mac. It's still in use in some contexts today, and Linux, always intended to be as flexible and universal as possible, still has an extensive SCSI subsystem for those systems that need it. These modules are available via what's known as automatic module loading, in which the OS grabs and installs the system code it needs when it needs it—which is helpful if you find yourself plugging a SCSI drive into your Linux machine and don't want to hunt down the necessary supporting code, but it's also helpful to attackers who want to exploit errors in said code.

Cybersecurity consultancy Grimm posted an extensive breakdown of several bugs in this Linux SCSI code that they discovered in March 2021. One was a buffer overflow vulnerability that could allow a normal user to gain root privileges, and the others were errors where information from the kernel could be leaked to user space, and all could be used to get privileged information or as part of a DoS attack on the affected machine. Grimm dates the bugs back to 2006 and dryly notes that they're "an indication of a lack of security-conscious programming practices that was prevalent at the time this code was developed."

SIGRed

Age: 17 years
Date introduced: 2003
Date fixed: 2020

DNS is one of the underrated backbones of the internet, the system by which your computer knows what IP address correlates to any given URL. The system is hierarchical, with requests being sent up and down the pyramid looking for DNS servers that know the answer to the question, "Where is this computer?" As a result, DNS has been built into all major operating systems.

In 2020, Microsoft disclosed a critical vulnerability in its own version of DNS, which had been lurking in the code for 17 years, although there was no evidence that it had ever been exploited in the wild. The vulnerability, dubbed SIGRed by its discoverers at Check Point, was a buffer overflow flaw in Windows DNS servers that could be used triggered by exploit code tucked into a DNS packet's signature. A malicious nameserver could send such packets in response to requests, bypassing most security protections and potentially gaining remote access to the Microsoft DNS server. The attack would be potentially wormable, meaning that it could be automated and spread without user intervention.

PuTTY heap overflow

Age: 20 years, 9 months
Date introduced: January 1999
Date fixed: October 2019

PuTTY is a free and open source suite of tools including a serial console, a terminal emulator, and various network file transfer applications, with SSH and various other encryption schemes built in. It was originally released to bring the sorts of tools that Unix administrators took for granted to Windows and classic Mac OS, but has expanded its scope and is now in wide use on Unix systems as well. While PuTTY was designed to secure network connections, it turns out there was a vulnerability lurking at its heart. This was another form of buffer overflow problem (a heap overflow, in this case), and could be triggered by a too-short SSH key, which could result in crashing PuTTY or even remote code execution.

The vulnerability was submitted to HackerOne as part of the bug bounty program established by the European Union's EU-FOSSA program; it netted the submitter a $3,645 reward and a thank you from the PuTTY team, who noted that the bug had been present in the very earliest versions of the PuTTY source code they had, dating back to 1999.

win32k.sys vulnerabilities

Age: 23 years
Date introduced: 1996
Date fixed: 2019

Two big vulnerabilities were detected in the Win32 API in Microsoft Windows in 2019. The first, found in April, was a User-After-Free vulnerability, in which OS coding errors made it possible for programs to access system memory that should've been protected; this vulnerability was detected by security researchers when they discovered malicious hackers attempting to use it in the wild to gain control of computers. The other, discovered in December, was an elevation-of-privilege vulnerability lurking in the OS's window switching functionality; this vulnerability was similarly discovered in the course of active attacks, which were simulating keystrokes in an attempt to create memory leaks.

1 2 Page 1
Page 1 of 2
How to choose a SIEM solution: 11 key features and considerations