BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Discovering Shadow Vulnerabilities in Popular
  Open-Source\n   Projects: A Reverse-Fuzzing Journey\n   When:
  Saturday\, Aug 12\, 11:45 - 12:30 PDT\n   Where: Flamingo - Savoy -
  AppSec Village - Main Stage - [1]Map\n   Speakers: Gal Elbaz\,
  Guy Kaplan\n\n   SpeakerBio: Gal Elbaz\n   Co-founder & CTO at Oligo
  Security with 10+ years of experience in\n   vulnerability research
  and practical hacking. He previously worked as\n   a Security
  Researcher at CheckPoint and served in the IDF\n   Intelligence. In
  his free time\, he enjoys playing CTFs.\n   Twitter: [2]@GalElbaz1
 \n\n   SpeakerBio: Guy Kaplan\n   Guy Kaplan is a Security Researcher
  in the CTO Office of Oligo\n   Security with more than a decade of
  experience in software development\n   and vulnerability research.
 \n   Twitter: [3]@gkpln3\n\n   Description:
 \n   In a world full of vulnerabilities\, there is an untold story of
 \n   libraries that are insecure by design: for example\, libraries
 \n   that\, when used in a certain way\, can leave the application
 \n   compromised. Not all libraries' security issues are treated as
 \n   vulnerabilities and addressed with a patch or CVE; at best they
 \n   are addressed with minor documentation warnings. These
 \n   vulnerabilities pose a significant risk to organizations because
 \n   they are nearly impossible to detect; we named them "Shadow
 \n   Vulnerabilities".
 \n\n   We discovered a new shadow-vulnerable code pattern in a widely
 \n   used OSS library and wondered who might be vulnerable.
 \n\n   We developed a tool that automatically analyzed more than 100k
 \n   repositories to determine whether each repository is vulnerable
 \n   and prioritized them based on their potential to create vast
 \n   damage. We were able to validate the exploitability of hundreds
 \n   of high-profile targets such as Apache Cassandra\, Prometheus\,
 \n   PyTorch\, and many more…
 \n\n   In this presentation\, we will review the discovered
 \n   vulnerabilities and discuss the challenges of scaling the triage\,
 \n   validating exploitation\, and building a reliable
 \n   infrastructure. We will use Apache Cassandra to demonstrate how we
 \n   validated the attack vector for each target\, sharing the
 \n   exploitation details of the critical RCE we found and its
 \n   implications for a database-as-a-service used by multiple cloud
 \n   providers.
 \n\n   Although reporting these issues and working with the OSS projects'
 \n   security teams on resolving them went quickly\, still no CVE was
 \n   assigned. Both project owners and library owners claimed that the
 \n   responsibility to use it “safely” lies with the users
 \n   themselves. The result is that most users are vulnerable and have
 \n   no process to fix this or even to be aware of it.
 \n\n   We believe it is vital to raise community awareness of shadow
 \n   vulnerabilities\, as we only scratched the surface with one example
 \n   out of many more that are still out there.
 \n\n   '\n\n   1. #FlamingoThirdFloor\n   2. https://twitter.com/GalElbaz1
 \n   3. https://twitter.com/gkpln3\n\n\n
DTEND:20230812T193000Z
DTSTART:20230812T184500Z
LOCATION:APV - Flamingo - Savoy - AppSec Village - Main Stage
SUMMARY:Discovering Shadow Vulnerabilities in Popular Open-Source Projects:
  A Reverse-Fuzzing Journey
END:VEVENT
END:VCALENDAR
