Multiple security flaws in popular package managers have been disclosed that could be exploited to run arbitrary code and to access sensitive information, such as source code and access tokens, on compromised developer machines.
None of the flaws can be triggered without some action by the developer, SonarSource researcher Paul Gerste noted: “This means that an attack cannot be launched directly against a developer machine from a remote location, and the developer must be duped into loading malformed files.”
Package managers are tools that automate the installation, upgrading and configuration of the third-party dependencies an application is built on.
Rogue libraries finding their way into package repositories are a well-known risk, and dependencies therefore have to be vetted against typosquatting and dependency confusion attacks; by contrast, the “act of managing dependencies is usually not seen as a potentially risky operation.”
The newly discovered vulnerabilities show that the package managers themselves can be weaponized: an attacker who gets a victim to process a crafted package or manifest can have the tool execute malicious code. The flaws affect the following versions:
- Composer 1.x < 1.10.23 and 2.x < 2.1.9
- Bundler < 2.2.33
- Bower < 1.8.13
- Poetry < 1.1.9
- Yarn < 1.22.13
- pnpm < 6.15.1
- Pip (no fix), and
- Pipenv (no fix)
The Composer flaw lies in its browse command, which opens the homepage URL declared by a package. If a published package relies on typosquatting or dependency confusion to get pulled in, running the browse command for that library could result in the retrieval of a next-stage payload, which could then be used to launch additional attacks.
Additional argument injection and untrusted search path vulnerabilities in Bundler, Poetry, Yarn, Composer, Pip and Pipenv mean that an attacker could gain code execution in two ways: through a counterfeit git executable, since the tools run git by bare name rather than by a pinned absolute path and so execute whatever git binary the search path yields first; or through an attacker-controlled file such as a Gemfile, the manifest that declares a Ruby program's dependencies, whose values the tools pass to git in positions where git still parses them as options.
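The two bug classes in the paragraph above, as an added example that is not code from SonarSource or from any of the package managers named here: a small dependency-installer helper shown in its vulnerable and hardened forms. The helper names, the trusted-directory allow-list and the sample manifest values are assumptions made for this example; the argument-injection payload is git's real `--upload-pack=` option, which for a local-path repository makes git run the given command on the developer's machine.

```python
"""Hardened git invocation for a dependency installer.

Added example, not code from SonarSource or from any package manager.
It demonstrates the two bug classes described above and one way to close them:

  * argument injection: a dependency's declared ref (or URL) that begins with
    '-' is parsed by git as an option, so a ref such as '--upload-pack=<cmd>'
    makes git run <cmd> locally when the repository is a local path;
  * untrusted search path: the installer runs 'git' by bare name and the first
    matching file on the search path wins, so a counterfeit 'git' in a
    directory the attacker controls (e.g. the project directory, when the
    working directory is searched) is executed instead of the real one.

All helper names and the trusted-directory allow-list are assumptions.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: where an installer would pin the git it is willing to run.
TRUSTED_DIRS = ("/usr/local/bin", "/usr/bin", "/bin")


class UnsafeArgument(ValueError):
    """Raised when a manifest-supplied value would be parsed by git as an option."""


def find_git_naively(search_path):
    """Vulnerable lookup: the first 'git' found on search_path wins, wherever it lives."""
    return shutil.which("git", path=search_path)


def find_git_pinned(trusted_dirs=TRUSTED_DIRS):
    """Hardened lookup: consult only the allow-listed directories, never the
    working directory or user-writable PATH entries, and return an absolute path."""
    for directory in trusted_dirs:
        candidate = Path(directory) / "git"
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return str(candidate)
    return None


def is_option_like(value):
    """True if git's option parser would treat value as an option, not a URL or ref."""
    return value.startswith("-")


def build_ls_remote_argv_naive(git, url, ref):
    """Vulnerable: url and ref land where git's option parser still reads them,
    and git parses options even after positional arguments."""
    return [git, "ls-remote", url, ref]


def build_ls_remote_argv_hardened(git, url, ref):
    """Hardened: refuse option-looking values outright, and put '--' in front of
    the positional arguments so git stops option parsing before reaching them."""
    for value in (url, ref):
        if is_option_like(value):
            raise UnsafeArgument(f"refusing option-like argument from manifest: {value!r}")
    return [git, "ls-remote", "--", url, ref]


def is_rejected(url, ref):
    """Does the hardened builder reject this (url, ref) pair from a manifest?"""
    try:
        build_ls_remote_argv_hardened("/usr/bin/git", url, ref)
    except UnsafeArgument:
        return True
    return False


def simulate_search_path_attack():
    """Construct, offline, a project directory holding a counterfeit 'git' and a
    separate trusted directory holding the genuine one, then compare the two
    lookups. Returns (naive_picked_counterfeit, pinned_picked_genuine).
    Neither file is ever executed."""
    with tempfile.TemporaryDirectory() as project, tempfile.TemporaryDirectory() as trusted:
        counterfeit = Path(project) / "git"
        genuine = Path(trusted) / "git"
        for path in (counterfeit, genuine):
            path.write_text("#!/bin/sh\nexit 0\n")  # constructed placeholder, never run
            path.chmod(0o755)
        # Search order with the project directory first, as happens whenever the
        # working directory is on the search path.
        search_path = os.pathsep.join([project, trusted])
        naive = find_git_naively(search_path)
        pinned = find_git_pinned(trusted_dirs=(trusted,))
        return naive == str(counterfeit), pinned == str(genuine)


if __name__ == "__main__":
    # Constructed manifest values: a legitimate ref and the classic injected one.
    repo = "/srv/mirror/left-pad.git"
    good_ref, bad_ref = "v1.3.0", "--upload-pack=touch /tmp/pwned"
    print("naive argv   :", build_ls_remote_argv_naive("git", repo, bad_ref))
    print("hardened argv:", build_ls_remote_argv_hardened("/usr/bin/git", repo, good_ref))
    print("bad ref rejected:", is_rejected(repo, bad_ref))
    print("(naive picked counterfeit, pinned picked genuine):", simulate_search_path_attack())
```

The two defences are independent: rejecting values that begin with `-` blocks injection even for git subcommands that do not honour `--`, while the `--` separator protects against values that slip past a weaker check; resolving git from an allow-list of directories, rather than from whatever the environment or working directory supplies, is what the untrusted search path fix amounts to.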
Following responsible disclosure on September 9, 2021, fixes were released for Composer, Bundler, Bower, Poetry, Yarn and pnpm. The untrusted search path flaw, however, remains open: the maintainers of Composer, Pip and Pipenv, which are all affected by it, have chosen not to address the issue, so users of those tools still have to treat a project directory of untrusted origin as potentially hostile before running the package manager inside it.
The researchers concluded: “Developers are an appealing target for cybercriminals because they have access to a company’s core intellectual property assets: source code. By breaching them, attackers can conduct espionage or embed malicious code in a company’s products. This could be used to launch supply chain attacks.”