SonarSource researchers have found multiple security flaws in major package managers. If exploited, the vulnerabilities could be used to run arbitrary code and to access sensitive information, including source code and access tokens, on compromised machines.
However, the issues require the targeted developer to handle a malicious package with one of the susceptible package managers.
“This usually means that an attack cannot be launched instantaneously from a developer’s equipment from afar and necessitates that the developer be duped into loading erroneous files,” SonarSource researcher Paul Gerste explained. “However, can you generally know and trust the creators of all packages you use from the internet or corporate-interior repositories?”
What are package managers?
Developers are an appealing target for attackers because they have access to a company's most valuable intellectual property: its source code. By compromising them, attackers could conduct espionage or embed malware in a company's products, which could in turn be used to launch supply chain attacks.
Package managers are an essential component of modern software development and of practically every programming language ecosystem. They are systems, or collections of tools, that automate the installation, upgrading, and configuration of the third-party dependencies required to develop applications.
They aid in the management and download of third-party dependencies; thus, developers must ensure that these dependencies do not contain dangerous code because they will be embedded in the products they create.
Vulnerability in package managers
Rogue libraries that find their way into package repositories pose a security problem, yet managing dependencies is frequently not treated as a potentially dangerous operation. Dependencies therefore need to be adequately inspected to prevent typosquatting and dependency confusion attacks.
However, newly identified vulnerabilities in multiple package managers suggest that attackers could exploit them to deceive victims into executing malicious code.
One of the most serious flaws is a command injection bug in Composer's browse command. It could be used to execute arbitrary code by passing the browse command the name or URL of a previously published malicious package.
If the package uses typosquatting or dependency confusion tactics, invoking the browse command for the library could retrieve a next-stage payload that is then used to launch further attacks.
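The flaw described above is a classic shape: a value taken from package metadata ends up inside a command line. The following is an added example, not Composer's code, showing the unsafe pattern (a URL interpolated into a shell string) next to a hardened builder that validates the URL, rejects values that would be parsed as options, and hands the program an argv list so no shell ever sees the value. The `xdg-open` launcher, the function names and the sample URLs are assumptions chosen for illustration.

```python
"""Hardened handling of a URL taken from package metadata (added example, not Composer's code)."""
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters that a shell would interpret; none of them belongs in a URL we
# are willing to launch, so the validator rejects them outright.
FORBIDDEN_CHARS = set(";|&$`<>\"'\\")


class UntrustedUrlError(ValueError):
    """Raised when a metadata-supplied URL fails validation."""


def unsafe_browse_command(url: str) -> str:
    """Unsafe pattern: the URL is interpolated into a shell command string.
    Anything the package author put into the field becomes part of the
    command the shell parses. Shown only for contrast; never execute it."""
    return f"xdg-open {url}"


def validate_package_url(url: str) -> str:
    """Accept only an http(s) URL with a host and no shell-significant or
    control characters. A value starting with '-' is rejected because the
    launched program could read it as an option; not every launcher accepts
    a '--' end-of-options marker, so we do not rely on one."""
    if url.startswith("-"):
        raise UntrustedUrlError("value would be parsed as an option")
    if any(ch.isspace() or ord(ch) < 0x20 or ch in FORBIDDEN_CHARS for ch in url):
        raise UntrustedUrlError("illegal character in URL")
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise UntrustedUrlError(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UntrustedUrlError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UntrustedUrlError("missing host")
    return url


def is_safe_package_url(url: str) -> bool:
    """Boolean wrapper around validate_package_url for callers and tests."""
    try:
        validate_package_url(url)
        return True
    except ValueError:
        return False


def safe_browse_argv(url: str, opener: str = "xdg-open") -> list[str]:
    """Build the argument vector for the launcher. Because this is a list and
    subprocess is called without shell=True, the URL is delivered as one
    argument and is never re-parsed by a shell."""
    return [opener, validate_package_url(url)]


def open_package_url(url: str) -> int:
    """Launch the opener on a validated URL and return its exit status."""
    return subprocess.run(safe_browse_argv(url), check=False).returncode


if __name__ == "__main__":
    # Constructed sample values: a benign URL and one carrying shell syntax.
    for sample in ("https://example.com/vendor/pkg", "https://example.com/pkg; echo injected", "-x"):
        print(f"{sample!r}: shell string={unsafe_browse_command(sample)!r} safe={is_safe_package_url(sample)}")
```

The two defences are independent: the argv list removes the shell from the picture, and the validator keeps option-like and non-URL values out of the launcher even when the launcher itself does its own parsing.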
The issues were discovered in the following package managers:
- Composer (Versions below 1.10.23 and 2.1.9)
- Bundler (Versions below 2.2.33)
- Bower (Versions below 1.8.13)
- Poetry (Versions below 1.1.9)
- Yarn (Versions below 1.22.13)
- pnpm (Versions below 6.15.1)
- Pip
- Pipenv
In these package managers the researchers found argument injection and untrusted search path vulnerabilities, which an attacker could exploit to achieve code execution through a malicious git executable or an attacker-controlled file.
How does the attack occur?
The attacks described here can take place in two ways. In both cases the victim must use one of the aforementioned package managers to handle malicious files or packages; the attack cannot be launched remotely against a developer machine.
In the first scenario, an attacker publishes a malicious package and then gets the victim to run Composer's browse command with that package name, for example through social engineering, typosquatting, or dependency confusion.
In the second scenario, the victim must first download attacker-controlled files and then use one of the vulnerable package managers on them. This requires the attacker to use social engineering or to insert malicious code into a codebase the victim trusts.
Remedial measures
Following responsible disclosure on September 9, 2021, patches for the flaws in Composer, Bundler, Bower, Poetry, Yarn, and pnpm were released. However, Composer, Pip, and Pipenv, which are all affected by the untrusted search path weakness, have chosen not to resolve that issue.