Top JFrog Security Research Discoveries of 2024

In our previous round-up of security research for 2023,  we mentioned our surprise at the large volume of 29,000 vulnerabilities that were reported two years ago.  But that didn’t prepare us for the astounding 40% increase, reported by Cyber Press, resulting in over 40,000 CVEs that were published over the past year in 2024.

That is why we consider the work of the JFrog Security Research team as crucial in reporting and analyzing  the major threats facing our industry and coming up with strategies to safeguard software against exploitable vulnerabilities and malware.

As such, just in case you missed some of the major CVEs of 2024, we think it is really important to recap the top application security threats that we addressed over the past year in the list below: 

1. Exposing the Attack Surface of Machine Learning Platforms

The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational networks. We should never lose sight of the fact that AI Models are basically code that requires protection just like every other software application.   This is probably the most well-known inherent vulnerability in machine learning,  and also the most dangerous. It can lead to code execution even when ML users are aware of the dangers of loading untrusted ML models.

In this post , we ended up distinguishing between two types of vulnerabilities in MLOps platforms, inherent vulnerabilities and implementation vulnerabilities. For more information on this subject, see our complementary post  “From MLOps to MLOops – Exposing the Attack Surface of Machine Learning Platforms”.

2. Coordinated Attacks on Docker Hub that Planted Millions of Malicious Repositories

As you probably know Docker Hub, is a platform that delivers a lot of important functionality for developers, presenting numerous opportunities for collaboration through the distribution of Docker images. 

Typical flow of a Docker Hub attack

Unbelievably, the JFrog security research team discovered that ~4.6 million of the repositories in Docker Hub are imageless and have no content except for the repository’s documentation. Upon deeper inspection, the team discovered that the vast majority of these imageless repositories were uploaded with a malicious endgame, where their overview page tries to deceive users into visiting phishing websites or trick them into installing  dangerous malware. Read the full post to understand the powerful impact of this discovery.

3. Binary Secret Scanning Helped Us Prevent (what might have been) the Worst Supply Chain Attack you can Imagine

In this post, the JFrog Security Research team discovered and reported a leaked access token, with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub. The team leveraged JFrog’s secrets scanning engine that detected a “classic” GitHub token in one of the public Docker Hub repositories. The risk with “classic” GitHub tokens is that, unlike the newer fine-grained tokens, they grant similar user permissions across all repositories. 

4. Vanna.AI – Prompt Injection Attack Leading to Code Execution

Vanna.AI library is a Python-based library designed to simplify generating SQL queries from natural language inputs using large language models (LLMs). It helps people easily interact with DB without needing extensive knowledge of SQL.

JFrog found that the ask method in the library can lead to a python exec function and by writing a prompt that, among other things, asks to add the os.system(“\dir\”) command, we can see it successfully executed it and the content of the directory was printed.

A code snippet injected into the prompt code and running on the OS

As you can read in the full post,  using the Vanna.AI python library can lead to remote code execution on the host executing the library. This issue was assigned to the CVE-2024-5565 with a 8.1 High CVSS score.

5. Malicious Hugging Face ML Models Targeted Data Scientists With A Silent Backdoor

JFrog regularly monitors and scans AI models uploaded by users, which lead them to discover a malicious model uploaded to Hugging Face that used a  malicious pickle file, to enable a code execution attack.

The model’s payload grants the attacker a shell on the compromised machine, enabling them to gain full control over victims’ machines through what is commonly referred to as a “backdoor”. As a result, attackers can  gain access to critical internal systems, to perform large-scale data breaches.

This attack impacts not just individual users but potentially entire organizations, while leaving victims utterly unaware of their compromised state. The blog post suggests that while Hugging Face generally enforces  adequate security measures, that includes scanning pickle files, the recently published model serves as a stark reminder that the platform is not immune to all real-world threats.

6. 22K PyPI Packages at Risk – Hijack Technique Exploited In The Wild

JFrog’s security research team continuously monitors open-source software registries, identifying and addressing potential malware. As part of this ongoing process,  the team 

discovered  a “Revival Hijack” attack method that could potentially be used to hijack 22K existing PyPI packages and subsequently lead to hundreds of thousands of malicious package downloads.

The blog post relates how the issue was traced to a PyPI policy relating to removed packages, where  developers remove their projects from the PyPI repository, the associated package names immediately become available for registration by any other user. In this scenario,  attackers can target popular packages, by hijacking the same package name and subsequently infect any user that tries to update that package to the latest version or – reinstalls it from scratch, which is popular in CI/CD machines that run a static pipeline.

As a result, victims might be using these malicious packages that were not considered malicious at the time it was used in their code. 

7. Exploiting LibX11 Vulnerabilities

The JFrog Security Research team found two security vulnerabilities in X.Org libX11 CVE-2023-43786 and CVE-2023-43787 that can lead to denial-of-service and remote code execution attacks

LibX11 is a widely popular open-source graphical server protocol that enables the creation and management of graphical user interfaces in Unix-like operating systems. The CVE-2023-43786 vulnerability is essentially an endless loop resulting from an incorrect recursion stop condition calculation. Since CVE-2023-43787 is a heap-based buffer overflow vulnerability that occurs when parsing a malformed XPM image, it can be exploited to achieve remote code execution.  Read both part one and part two of this crucial discovery for more details. 

8. JFrog’s Analysis of the Infamous XZ Backdoor

On March 29th, it was reported that malicious code enabling unauthorized remote SSH access had been detected within XZ Utils, a widely used package present in major Linux distributions. This supply chain attack came as a shock to the OSS community, as XZ Utils was considered a trusted and well supported project. The attacker built up a credible reputation as an OSS developer over the span of a few years and used highly obfuscated code in order to evade detection by code reviews. In addition to our  initial research communication to this vulnerability, the blog post  also details its fundamentals of how it works and its impact for developers. 

JFrog Security Research Helps Protect the Community

It seems quite clear from the top security research blogs for 2024, that the JFrog security team plays an active role in reporting and advising remediation strategies for CVEs affecting the development community. In addition to the expertise of our security team, we also leverage many of the technologies which are integrated into the JFrog Platform.

Now it’s your turn to take advantage of the same technologies leveraged by our team which you can see first hand by taking an online tour or scheduling a one-on-one demo today.