Multiple security vulnerabilities have been disclosed in popular package managers that, if exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines.
It is worth noting, however, that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers.
“This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files,” SonarSource researcher Paul Gerste said. “But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?”
Package managers are systems or sets of tools used to automate installing, upgrading, and configuring the third-party dependencies required for developing applications.
While there are inherent security risks with rogue libraries making their way to package repositories – necessitating that the dependencies are properly scrutinized to protect against typosquatting and dependency confusion attacks – the “act of managing dependencies is usually not seen as a potentially risky operation.”
But the newly discovered issues in various package managers highlight that they could be weaponized by attackers to trick victims into executing malicious code. The flaws have been identified in the following package managers:
- Composer 1.x < 1.10.23 and 2.x < 2.1.9
- Bundler < 2.2.33
- Bower < 1.8.13
- Poetry < 1.1.9
- Yarn < 1.22.13
- pnpm < 6.15.1
- Pip (no fix), and
- Pipenv (no fix)
Chief among the weaknesses is a command injection flaw in Composer’s browse command that could be abused to achieve arbitrary code execution by inserting a URL to an already published malicious package.
Should the package leverage typosquatting or dependency confusion techniques, it could potentially result in a scenario where running the browse command for the library could lead to the retrieval of a next-stage payload that could then be utilized to launch further attacks.
Additional argument injection and untrusted search path vulnerabilities discovered in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv meant that a bad actor could gain code execution by means of a malware-laced git executable or an attacker-controlled file such as a Gemfile that’s used to specify the dependencies for Ruby programs.
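The two weakness classes named above, argument injection through package-supplied values such as URLs and an untrusted search path that lets a `git` binary shipped inside a dependency be executed, share the same defensive pattern: resolve tools only through absolute PATH entries, and never let package metadata land in an argv position where it can be parsed as an option. The following Python is an added illustration written for this article, not SonarSource's proof of concept or code from any of the listed package managers. The watch list of tool names, the `evil-package` directory and the `example.invalid` URL are constructed for the demo; the hardening functions are generic and make no claim about how any specific package manager resolves tools internally.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed watch list: tools a package manager is likely to invoke and that
# a third-party package has no business shipping as an executable at its root.
WATCHED_TOOLS = ("git", "hg", "svn", "python", "ruby", "node")


def find_shadowing_executables(directory, names=WATCHED_TOOLS):
    """Return executable files in `directory` named like a watched tool.
    Such a file only gets run if the tool is resolved through a PATH that
    contains a relative entry, but its presence in a dependency is worth
    flagging during review or in CI."""
    directory = Path(directory)
    hits = []
    for name in names:
        candidate = directory / name
        if candidate.is_file() and os.access(candidate, os.X_OK):
            hits.append(str(candidate))
    return sorted(hits)


def safe_which(tool, path_env=None):
    """Resolve `tool` using only absolute PATH entries. Relative entries such
    as "." or "" resolve against the current working directory, which is
    attacker-controlled when that directory is an unpacked dependency, so
    they are skipped entirely."""
    raw = os.environ.get("PATH", "") if path_env is None else path_env
    for entry in raw.split(os.pathsep):
        if not os.path.isabs(entry):
            continue
        candidate = Path(entry) / tool
        if candidate.is_file() and os.access(candidate, os.X_OK):
            return str(candidate)
    return None


def is_safe_operand(value):
    """An operand taken from package metadata (URL, path, ref) must never be
    able to masquerade as a command-line option."""
    return bool(value) and not value.startswith("-")


def build_git_argv(git_path, subcommand, *operands):
    """Build a git argv in which every package-supplied operand is validated
    and placed after a '--' separator, so option parsing cannot reach it."""
    for operand in operands:
        if not is_safe_operand(operand):
            raise ValueError(f"operand looks like an option: {operand!r}")
    return [git_path, subcommand, "--", *operands]


def run_demo():
    """Constructed scenario: an unpacked dependency ships an executable named
    'git'. A PATH with a relative entry picks it up from the package
    directory; safe_which() ignores that entry and finds the trusted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg_dir = Path(tmp) / "evil-package"      # stand-in for a dependency
        pkg_dir.mkdir()
        fake_git = pkg_dir / "git"
        fake_git.write_text("#!/bin/sh\necho 'not the real git'\n")
        fake_git.chmod(fake_git.stat().st_mode | stat.S_IXUSR)

        trusted_bin = Path(tmp) / "bin"            # stand-in for /usr/bin
        trusted_bin.mkdir()
        real_git = trusted_bin / "git"
        real_git.write_text("#!/bin/sh\necho 'trusted git stand-in'\n")
        real_git.chmod(real_git.stat().st_mode | stat.S_IXUSR)

        weak_path = os.pathsep.join([".", str(trusted_bin)])
        old_cwd = os.getcwd()
        os.chdir(pkg_dir)
        try:
            # Naive resolution: first PATH entry containing the file, "." included.
            naive_entry = next(
                (e for e in weak_path.split(os.pathsep) if (Path(e) / "git").is_file()),
                None,
            )
            hardened = safe_which("git", weak_path)
        finally:
            os.chdir(old_cwd)

        return {
            "flagged": [Path(p).name for p in find_shadowing_executables(pkg_dir)],
            "naive_resolves_to_package": naive_entry == ".",
            "hardened_resolves_to": hardened,
            "trusted_git": str(real_git),
            "argv": build_git_argv(hardened, "clone",
                                   "https://example.invalid/repo.git", "repo"),
        }


if __name__ == "__main__":
    print(run_demo())
```

The scan in `find_shadowing_executables` is the cheap CI check; `safe_which` and `build_git_argv` are the two invocation-side fixes, and both are needed, since a correctly resolved `git` still parses an operand beginning with `-` as an option unless the `--` separator is present.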
Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug.
“Developers are an attractive target for cybercriminals because they have access to the core intellectual property assets of a company: source code,” Gerste said. “Compromising them allows attackers to conduct espionage or to embed malicious code into a company’s products. This could even be used to pull off supply chain attacks.”