A Note on Package Safety Considerations

On 5 March, the United States Cybersecurity and Infrastructure Security Agency (CISA) released an advisory pertaining to a Zeek package hosted by CISA’s GitHub account. This is not a security issue in Zeek itself but in a third-party provided package. The Zeek project wants to take this opportunity to reiterate some safety considerations that you should be aware of when installing Zeek packages.

The Zeek package manager makes it easy to install third-party packages that provide additional functionality such as protocol analyzers, log writers, input readers, or detections.

The Zeek project does not perform any review of these packages. Similarly to other programming languages that have package managers, we cannot vouch for the functionality, the security, or the trustworthiness of packages that you can install.

As noted in the documentation, it is important that you consider the potential security impact of installing third-party packages on your system. Make sure that you only install packages that you trust. Suitable indicators include the organization publishing the package, project activity, GitHub stars, and community reviews. Also consider reviewing the code of the packages that you install, to verify the operations they perform.

We also want to note that, even for seasoned experts, writing secure parsers in languages like C++ can be very difficult. To address this problem, the Zeek project has created the Spicy parser generator, which comes as a part of Zeek. Spicy makes the creation of secure, robust parsers much easier, and we recommend it for the development of new protocol parsers.

We appreciate that it is not possible to review the source code of every package that you install. It is nevertheless worthwhile to evaluate the potential security impact of every package that you add to your installation. In general, packages that only contain Zeek script code, or only Spicy-based parsers, are less likely to be affected by security issues than packages that are written in C++.
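As an added illustration of the heuristic above (not code from the Zeek project), the following script classifies a checked-out package directory by the kind of code it ships and counts script lines that invoke external commands, which a reviewer would want to read before installing. It assumes a plain directory layout, Zeek's `system()`/`piped_exec()` BIFs and the `Exec::run` framework as the patterns of interest, and builds three constructed sample packages for demonstration.

```shell
#!/bin/sh
# Added example, not Zeek project code: triage a Zeek package checkout.

# classify_pkg DIR -> prints one of: native | spicy | script-only | empty
# Packages with C/C++ sources (native plugins) are the highest-risk category;
# Spicy-only and script-only packages are lower risk, as the post explains.
classify_pkg() {
    dir=$1
    if find "$dir" -type f \( -name '*.cc' -o -name '*.cpp' -o -name '*.c' -o -name '*.h' \) | grep -q .; then
        echo native
    elif find "$dir" -type f \( -name '*.spicy' -o -name '*.evt' \) | grep -q .; then
        echo spicy
    elif find "$dir" -type f -name '*.zeek' | grep -q .; then
        echo script-only
    else
        echo empty
    fi
}

# review_hints DIR -> number of .zeek lines calling system(), piped_exec()
# or Exec::run, i.e. places where the package runs external commands.
review_hints() {
    find "$1" -type f -name '*.zeek' \
        -exec grep -hE 'system\(|piped_exec\(|Exec::run' {} + | wc -l | tr -d ' '
}

# make_samples -> creates three constructed packages in a temp dir and prints its path.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/a/scripts" "$root/b/analyzer" "$root/c/src"
    printf 'event zeek_init() { }\n' > "$root/a/scripts/main.zeek"
    printf 'event zeek_init() { Exec::run([$cmd="id"]); }\n' > "$root/a/scripts/run.zeek"
    printf 'module Foo;\npublic type Msg = unit { };\n' > "$root/b/analyzer/foo.spicy"
    printf '#include <zeek/Plugin.h>\n' > "$root/c/src/Plugin.cc"
    echo "$root"
}

# Usage: sh check_pkg.sh /path/to/package
if [ -n "${1:-}" ]; then
    echo "kind: $(classify_pkg "$1")  exec-call lines: $(review_hints "$1")"
fi
```

Run it against a `zkg` checkout (or the package's git clone) before installing; a `native` result or a non-zero exec-call count is a cue to read the code, not a verdict.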

With respect to the Zeek code base itself, we encourage users to run versions of Zeek that still receive security fixes and that are not end-of-life. The current Zeek LTS release, recommended for most users, is 6.0.3 and the current feature release is 6.1.1. The advisory issued by CISA does not involve the Zeek code base in any way, but we always recommend best system administration practices for defending your Zeek deployment.