Security researcher Alex Birsan has successfully demonstrated a potential supply chain attack, and in the process the proof-of-concept exploit was installed on systems in Apple, Microsoft and thirty three other companies. Multiple organisations have paid the researchers “bug bounties” totalling $130,000 so far for finding these vulnerabilities.
Like other supply chain attacks, notably the recent Solar Winds hack, the attack works by subverting trusted upstream systems such that the real target downloads and installs a compromised update. However, in this case the target systems were tricked into replacing internal packages with compromised versions from an external source.
The attack worked by “dependency confusion” – the researcher created external packages with the same names but higher version numbers than the real internal dependencies, and this tricked the target system into automatically “upgrading” and thus installing the exploit. The researcher identified the names of internal dependencies, and set up external versions in open source repositories for Node, Python and Ruby libraries.
In order to identify the affected systems, a specifically crafted DNS request was used to “phone home” with minimal risk of being blocked by the victim’s firewall.
There are three levels to the deception: –
- The sources (NPM, PyPI, RubyGems) were trusted because they are legitimate sources of public packages.
- The package names were trusted because they were legitimate internal package names, leaked via a list of dependencies.
- The spoofed packages were installed preferentially because they were set to have higher version numbers.
Multiple update mechanisms were tested in this exercise, and of those that were found vulnerable some are easy to address with good practice – the checks to avoid this type of vulnerability existed, but were not configured.
“From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.”
This incident raises a number of interesting issues. This exploit specifically attacks a “mixed ecosystem” of open source and proprietary code, and it exposes a lack of maturity in both the technology and common practice.
There is a tension between timeliness and validation in patching software. Delaying a patch could leave a system vulnerable to being exploited, but installing a compromised patch could be equally dangerous. This exploit demonstrates that there are still vulnerabilities both in technology and they way that it is used.