Multiple Security Flaws Discovered in Popular Software Package Managers

Multiple security vulnerabilities have been disclosed in popular
package managers that, if exploited, could be abused to run
arbitrary code on a developer's machine and to access sensitive
information held there, including source code and access tokens.

It is worth noting, however, that the flaws require the targeted
developer to process a malicious package with one of the affected
package managers.

“This means that an attack cannot be launched directly against a
developer machine from remote and requires that the developer is
tricked into loading malformed files,” SonarSource researcher Paul
Gerste said[1]. “But can you always
know and trust the owners of all packages that you use from the
internet or company-internal repositories?”

Package managers are systems[2]
or sets of tools that automate installing, upgrading, and
configuring the third-party dependencies an application needs.

While there are inherent security[3]
risks[4]
with rogue libraries making their way into package repositories,
which is why dependencies must be scrutinized to guard against
typosquatting and dependency confusion[5]
attacks, the “act of managing dependencies is usually not seen as
a potentially risky operation.”

But the newly discovered issues in various package managers
highlight that they could be weaponized by attackers to trick
victims into executing malicious code. The flaws have been
identified in the following package managers –

  • Composer 1.x < 1.10.23 and 2.x < 2.1.9
  • Bundler < 2.2.33
  • Bower < 1.8.13
  • Poetry < 1.1.9
  • Yarn < 1.22.13
  • pnpm < 6.15.1
  • Pip (no fix), and
  • Pipenv (no fix)

Chief among the weaknesses is a command injection[6]
flaw in Composer’s browse command[7],
which opens a package’s URL in a browser. Because that URL comes
from the package’s own metadata and is handed to a shell, an
already published malicious package can embed shell metacharacters
in it and achieve arbitrary code execution when a developer runs
the command against it.

If that package is placed through typosquatting or dependency
confusion, running the browse command for the library could fetch
a next-stage payload that is then used to launch further attacks.
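To make the shape of this bug concrete, the following Python snippet (an added example, not Composer's code, which is PHP) contrasts interpolating a package URL into a shell command string with passing the same URL as a single argument after validating its scheme. `echo` stands in for the real browser opener so that the snippet runs offline, and the two URLs are constructed for the example.

```python
"""Command injection (CWE-78) through a package URL handed to a shell.

Added example, not Composer's own code: the real browse command is PHP and
launches a browser opener; here `echo` stands in for that opener so the
snippet runs offline and the effect is visible in the captured output.
"""
import subprocess
import urllib.parse

# Constructed sample URLs, as they might appear in a published package's
# metadata. The second carries a shell metacharacter and a second command.
BENIGN_URL = "https://example.invalid/pkg"
MALICIOUS_URL = "https://example.invalid/;echo INJECTED"


def open_url_vulnerable(url: str) -> list:
    """Interpolate the URL into one command string and run it via /bin/sh.
    Everything after ';' in the URL becomes a second shell command.
    Returns the lines the shell printed."""
    command = f"echo opening {url}"
    proc = subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


def is_acceptable_url(url: str) -> bool:
    """Only absolute http(s) URLs may be opened; this also rejects values
    such as '-x' that a launcher could otherwise parse as an option."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def open_url_hardened(url: str) -> list:
    """Validate the URL, then pass it as a single argv element.
    No shell parses the string, so metacharacters are just bytes inside
    one argument and the opener sees the URL verbatim."""
    if not is_acceptable_url(url):
        raise ValueError(f"refusing to open non-http(s) URL: {url!r}")
    proc = subprocess.run(["echo", "opening", url], capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable:", open_url_vulnerable(MALICIOUS_URL))  # two lines, the second is INJECTED
    print("hardened:  ", open_url_hardened(MALICIOUS_URL))    # one line, URL passed verbatim
```

The fix is not escaping the URL for the shell; it is never involving a shell at all, plus a whitelist on what a URL may look like before it is handed to anything.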

Additional argument injection[8]
and untrusted search path[9]
vulnerabilities in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv
mean that an attacker can gain code execution through a malicious
git executable placed where the package manager will find it before
the legitimate one, or through an attacker-controlled file such as a
Gemfile, the file that specifies the dependencies of a Ruby program.
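The two weakness classes named in this paragraph are easy to conflate, so the following Python example (added here; not code from Bundler, Poetry, Yarn, Composer, Pip or Pipenv) shows each one separately: a manifest value that starts with `-` being spliced into a `git clone` command line, and an executable lookup that lets a `git` shipped inside an untrusted checkout win over the real one. The manifest values, the planted `git` and the "trusted" directory are all constructed for the example; the cwd-first lookup emulates the Windows process launcher, which tries the current directory before PATH, while on POSIX the equivalent risk is a relative or empty PATH entry.

```python
"""Argument injection (CWE-88) and untrusted search path (CWE-426) around git.

Added example, not code from any of the package managers named in the text.
Manifest values and binaries are constructed; the cwd-first search emulates
Windows CreateProcess, which tries the current directory before PATH.
"""
from __future__ import annotations

import os
import tempfile
from typing import Optional


def is_option_like(value: str) -> bool:
    """A manifest value beginning with '-' is parsed by git as an option."""
    return value.startswith("-")


def git_clone_argv_vulnerable(git_exe: str, source: str, dest: str) -> list:
    """Splice manifest values straight into the git command line."""
    return [git_exe, "clone", source, dest]


def git_clone_argv_hardened(git_exe: str, source: str, dest: str) -> list:
    """Reject option-like values and end option parsing with '--', so a
    value git would otherwise treat as a flag is taken as an operand."""
    for value in (source, dest):
        if is_option_like(value):
            raise ValueError(f"refusing option-like manifest value: {value!r}")
    return [git_exe, "clone", "--", source, dest]


def resolve_executable(name: str, path_env: str, cwd_first: bool,
                       trusted_only: bool) -> Optional[str]:
    """Locate `name` the way a process launcher would.

    cwd_first=True prepends the current directory (Windows-style lookup).
    trusted_only=True skips every relative entry, including the implicit
    current directory, so a binary inside an untrusted checkout can never
    be selected."""
    entries = path_env.split(os.pathsep) if path_env else []
    if cwd_first:
        entries = ["."] + entries
    for entry in entries:
        directory = entry or "."  # an empty PATH element means the current dir
        if trusted_only and not os.path.isabs(directory):
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def _write_stub(directory: str, name: str) -> str:
    """Create a tiny executable shell script (constructed stand-in for git)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho 'stub'\n")
    os.chmod(path, 0o755)
    return path


def demo_untrusted_checkout() -> dict:
    """Stage a checkout that ships its own 'git' next to a trusted bin dir,
    resolve 'git' from inside the checkout, and report what each strategy
    picked. Returns paths so callers can compare them."""
    checkout = tempfile.mkdtemp(prefix="untrusted-checkout-")
    trusted_dir = tempfile.mkdtemp(prefix="trusted-bin-")
    _write_stub(checkout, "git")
    trusted_git = _write_stub(trusted_dir, "git")
    planted_relative = os.path.join(".", "git")
    relative_path = os.pathsep.join([".", trusted_dir])
    old_cwd = os.getcwd()
    os.chdir(checkout)
    try:
        return {
            "planted_relative": planted_relative,
            "trusted": trusted_git,
            # cwd searched first: the planted binary wins even with a clean PATH
            "windows_style": resolve_executable("git", trusted_dir, True, False),
            # POSIX with '.' on PATH ahead of the trusted dir: planted binary wins
            "relative_path_entry": resolve_executable("git", relative_path, False, False),
            # relative entries refused: the trusted absolute path is chosen
            "hardened": resolve_executable("git", relative_path, True, True),
        }
    finally:
        os.chdir(old_cwd)
```

The hardened lookup is what a package manager should do before spawning `git` (or any helper): resolve it once against absolute, trusted directories and invoke that full path, rather than relying on whatever the platform's launcher finds first from inside a directory the attacker controls.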

Following responsible disclosure on September 9, 2021, fixes
have been released to address the issues in Composer, Bundler,
Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all
three of which are affected by the untrusted search path flaw, have
opted not to address the bug.

“Developers are an attractive target for cybercriminals because
they have access to the core intellectual property assets of a
company: source code,” Gerste said. “Compromising them allows
attackers to conduct espionage or to embed malicious code into a
company’s products. This could even be used to pull off supply
chain attacks.”

References

  1. said (blog.sonarsource.com)
  2. systems (en.wikipedia.org)
  3. security (thehackernews.com)
  4. risks (thehackernews.com)
  5. dependency confusion (thehackernews.com)
  6. command injection (cwe.mitre.org)
  7. browse command (getcomposer.org)
  8. argument injection (cwe.mitre.org)
  9. untrusted search path (cwe.mitre.org)