Software Package Managers Laden with Security Weaknesses
Table of Contents
- By Steven
- Published: Mar 15, 2022
- Last Updated: Mar 18, 2022
Digital security specialists have discovered several security flaws within software package managers that have the potential to be abused for the purpose of running code that opens the door to highly sensitive information. Hackers using arbitrary code have the potential to access source code, including access tokens from target machines.
What Else is Known About the Software Security Flaws?
The vulnerabilities in question can only be exploited if the developers in hackers’ crosshairs handle a damage-inducing package with one of the compromised package managers. In other words, a digital attack cannot be levied directly against a targeted developer computer from a remote location. Furthermore, the hacker must succeed in fooling the target developer into loading the malicious files.
The challenge lies in determining if the owner of the packages provided by a party on the internet can be known and trusted. There is also a question as to whether the repositories within a company can be trusted.
What are Package Managers all About?
Package managers are a reference to tools or systems used for the installation, configuration, and improvement of third-party tools necessary for the ongoing development of applications. Though there are certainly digital security risks inherent in the form of rogue libraries shifting to package repositories, spurring the need for dependencies to be scrutinized to safeguard against dependency confusion threats and typosquatting, the mere management of such dependencies is not considered to be risky in and of itself.
However, the recently discovered flaws within package managers indicate there is the potential for them to be used by digital miscreants in a weaponized fashion, tricking targets into executing code that is malicious. The digital security flaws in question have been pinpointed in package managers such as Composer 1.x < 1.10.23, Composer, 2.x < 2.1.9, Bundler < 2.2.33, Bower < 1.8.13, and Poetry < 1.1.9.
Why are Digital Security Specialists Worried About the Command Injection Flaw?
The command injection weakness within the browser command of Composer is especially concerning. This flaw has the potential to be abused for the execution of arbitrary code with the use of a URL within a malicious package that has already been made available to computer users.
If the package in question makes use of typosquatting or a dependency confusion technique, it has the potential to spur a situation where operating the library’s browse command has the potential to obtain next-stage payloads used for additional attacks.
What Other Software Manager Packagers Have Digital Security Specialists Worried?
Industry veterans are also concerned about untrusted search path and argument injection flaws within Pipenv, Pip, Composer, Poetry, Bundler, and Yarn. These weaknesses present opportunities for digital criminals to obtain code execution through a git executable that contains malware or a Gemfile that is controlled by attackers for the specification of Ruby program dependencies.
Are any Fixes Available?
Indeed, fixes were released to address the problems in Pnpm, Poetry, Bower, Yarn, Bundler, and Composer. However, a search path vulnerability within Pipenv, Pip, and Composer makes these three vulnerable. Hackers may take advantage of such software flaws to engage in espionage, implement harmful code inside software products and set the stage for digital attacks through the supply chain.