Security flaws have been discovered in prominent package managers that might be exploited to execute arbitrary code and access sensitive information, such as source code and access tokens.
However, in order for the vulnerabilities to be exploited, the targeted developers need to use one of the vulnerable package managers in combination with a malicious package.
SonarSource researcher Paul Gerste explains that an attack cannot be performed directly against a developer's computer remotely; it requires that the developer be misled into loading malicious files.
In general, package managers make it possible to automate the installation, upgrade, and configuration of third-party dependencies necessary for software development.
Rogue libraries finding their way into package repositories are an inherent security concern, so dependencies must be adequately inspected to guard against typosquatting and dependency confusion attacks.
The new vulnerabilities, found in a variety of package managers, however, demonstrate how attackers may use these tools to deceive their victims into running malicious code. As per the details that are available, the following package managers have been found to have flaws:
- Composer 1.x < 1.10.23 and 2.x < 2.1.9
- Bundler < 2.2.33
- Bower < 1.8.13
- Poetry < 1.1.9
- Yarn < 1.22.13
- pnpm < 6.15.1
- Pip (no fix)
- Pipenv (no fix)
Among the most serious flaws is a command injection bug in Composer's browse command, which can be used to execute arbitrary code if a malicious package URL is entered on the command line.
When the browse command is run, a payload could be retrieved from the library and used to launch further attacks. This could happen if the package was planted using typosquatting or dependency confusion tactics.
It was also observed that a bad actor could gain code execution through a malicious git executable that the package manager picks up instead of the real one, or through an attacker-controlled file such as a Gemfile, which specifies the dependencies for Ruby applications.
Composer, Bundler, Bower, Poetry, Yarn, and pnpm have all been fixed following the September 9, 2021, responsible disclosure. The untrusted search path problem is present in Composer, Pip, and Pipenv, but their maintainers have decided not to fix it.
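As an added defensive illustration (not code from the article or from SonarSource), the following Python scanner checks a project checkout for the two conditions described above: a PATH lookup that would pick up a `git` executable from the untrusted project directory, and a package URL carrying shell metacharacters that a command injection bug could act on. The placeholder `git` script, the PATH values and the URL allow-list are constructed for this demo.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Helpers a package manager shells out to; git is the one the article names.
TOOLS = ("git", "composer", "bundle")
# Constructed PATH values: an empty leading entry means "current directory" on POSIX.
RISKY_PATH = os.pathsep.join(["", "/usr/bin", "/bin"])
CLEAN_PATH = os.pathsep.join(["/usr/bin", "/bin"])
# Conservative allow-list for package URLs passed to a subprocess (no ; | & $ ` ( ) ' " or spaces).
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?#@%=+-]+$")

def resolve_tool(tool, path_env, cwd):
    """File that would run for `tool` under `path_env` with `cwd` current: first match wins."""
    for entry in path_env.split(os.pathsep):
        base = Path(cwd) / entry if entry else Path(cwd)  # absolute entries replace cwd
        candidate = base / tool
        if candidate.is_file() and candidate.stat().st_mode & 0o111:  # mode bits, not execve
            return candidate.resolve()
    return None

def shadowed_tools(project_dir, path_env, tools=TOOLS):
    """Map tool -> path for each tool whose lookup lands inside the untrusted checkout."""
    project = Path(project_dir).resolve()
    hits = {}
    for tool in tools:
        found = resolve_tool(tool, path_env, project)
        if found is not None and project in found.parents:
            hits[tool] = str(found)
    return hits

def is_safe_package_url(url):
    return SAFE_URL.match(url) is not None

def build_demo_project():
    """Constructed fixture: a throwaway directory with a harmless placeholder script named git."""
    project = Path(tempfile.mkdtemp(prefix="pkgmgr-demo-"))
    fake_git = project / "git"
    fake_git.write_text("#!/bin/sh\necho 'placeholder git ran'\n")
    fake_git.chmod(fake_git.stat().st_mode | stat.S_IXUSR)
    return project

if __name__ == "__main__":
    project = build_demo_project()
    print(shadowed_tools(project, RISKY_PATH))   # flags the git inside the project
    print(shadowed_tools(project, CLEAN_PATH))   # {}
    print(is_safe_package_url("https://example.com/vendor/pkg.git;id"))  # False
```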
Cybercriminals are interested in developers because they have access to a company's most valuable intellectual property asset, its source code, according to Gerste. By compromising developers, attackers could eavesdrop on a company's products or insert harmful code into them, which could even serve as the basis for a supply chain attack, the researcher explains.