SC-DEPENDENCY-CONFUSION-BIRSAN-2021
npm · Dependency confusion (Birsan research)
Summary
In February 2021 researcher Alex Birsan published the dependency confusion technique. It exploits how package managers such as npm, pip (PyPI) and RubyGems resolve a name that exists both on a private registry and on the public one: when both are consulted, the candidate with the highest version number wins, so a public package that shadows an internal name with an inflated version is installed in place of the internal one. By harvesting internal package names that had leaked (for example in package.json files embedded in public JavaScript bundles) and publishing same-named packages with install-time scripts to the public registries, he obtained code execution on internal build systems at more than 35 companies, including Apple, Microsoft, PayPal, Shopify, Netflix, Tesla and Uber. The research was authorized, earned over $130,000 in bug bounties, and made namespace control a standard item in enterprise supply-chain threat models.
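As an added illustration (not code from this page, from Birsan's write-up or from any package manager), the Python below models the resolution rule the summary describes: a resolver that merges a private index with the public registry and takes the highest version, beside a resolver that pins each name to the one index allowed to serve it, plus the inventory check a defender runs to find internal names that are unclaimed or already out-versioned publicly. The registry contents, the `acme-` prefix and `acme_policy` are constructed assumptions for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

Index = Dict[str, List[str]]   # package name -> available versions
Indexes = Dict[str, Index]     # index label ("private"/"public") -> Index

# Constructed registry contents for the example (not real packages).
# 'acme-utils' is an internal package whose name an attacker has also
# published on the public registry with an inflated version; 'acme-auth'
# is internal and still unclaimed publicly.
PRIVATE: Index = {"acme-utils": ["1.0.0", "1.2.0"], "acme-auth": ["0.9.1"]}
PUBLIC: Index = {"acme-utils": ["99.0.0"], "lodash": ["4.17.21"]}
INDEXES: Indexes = {"private": PRIVATE, "public": PUBLIC}


def version_key(v: str) -> Tuple[int, ...]:
    """Sort key for dotted numeric versions; a local label after '+'
    (as in '2.0.0+abc123') takes no part in the comparison."""
    return tuple(int(part) for part in v.split("+", 1)[0].split("."))


def highest(versions: List[str]) -> str:
    return max(versions, key=version_key)


def resolve_merged(name: str, indexes: Indexes) -> Optional[Tuple[str, str]]:
    """Vulnerable resolution, modelling `pip --extra-index-url` or an npm
    setup that falls back to the public registry: every index is consulted
    and the highest version wins regardless of where it came from."""
    best: Optional[Tuple[str, str]] = None
    for label, index in indexes.items():
        for v in index.get(name, []):
            if best is None or version_key(v) > version_key(best[0]):
                best = (v, label)
    return best


def resolve_pinned(name: str, indexes: Indexes,
                   owner_of: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Hardened resolution: a policy maps each name to the single index that
    may serve it (an npm scope binding in .npmrc plays this role). Names the
    policy does not claim go to the public index only, so a public lookalike
    of an internal name is never considered at all."""
    label = owner_of(name) or "public"
    versions = indexes[label].get(name, [])
    return (highest(versions), label) if versions else None


def acme_policy(name: str) -> Optional[str]:
    """Hypothetical policy: every 'acme-' name belongs to the private index."""
    return "private" if name.startswith("acme-") else None


def audit(private: Index, public: Index) -> Tuple[List[str], List[str]]:
    """Inventory check over the private index:
    - unclaimed: internal names nobody has registered publicly yet, which an
      attacker can still take (a dummy public package closes this);
    - outversioned: internal names already present publicly with a higher
      version, which a merged resolver would install from the public side."""
    unclaimed: List[str] = []
    outversioned: List[str] = []
    for name, versions in private.items():
        if name not in public:
            unclaimed.append(name)
        elif version_key(highest(public[name])) > version_key(highest(versions)):
            outversioned.append(name)
    return sorted(unclaimed), sorted(outversioned)


if __name__ == "__main__":
    print("merged:", resolve_merged("acme-utils", INDEXES))               # ('99.0.0', 'public')
    print("pinned:", resolve_pinned("acme-utils", INDEXES, acme_policy))  # ('1.2.0', 'private')
    print("audit :", audit(PRIVATE, PUBLIC))                              # (['acme-auth'], ['acme-utils'])
```

For npm the equivalent of `acme_policy` is a scope binding in `.npmrc`, e.g. `@acme:registry=https://registry.example.internal/` (hypothetical URL), which routes every `@acme/*` name to that registry and nowhere else. pip has no per-package index pinning, so the fix there is a single `index-url` pointing at a proxy that serves both internal and public packages, combined with registering the internal names on the public index so that no one else can, which is the approach the torchtriton entry below describes.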
References
Related vulnerabilities
- HIGH PYPI-TORCHTRITON-2022
Between December 25 and December 30, 2022, a dependency confusion attack hit the PyTorch-nightly Linux builds. An attacker uploaded a malicious package named 'torchtriton' to the public PyPI index with a version higher than the legitimate one served from PyTorch's own index; because pip consulted both indexes and the PyPI copy took precedence, the malicious package was installed by default. The payload collected system fingerprint data (IP address, hostname, username, working directory), read sensitive files such as /etc/passwd and SSH keys, and exfiltrated them over DNS queries. PyTorch renamed the dependency to 'pytorch-triton' and registered a dummy package of that name on PyPI so the public name could not be claimed by anyone else.
- MEDIUM GHSA-Q59X-JC9F-GFQF
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
- MEDIUM GHSA-5739-39V2-5754
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
- HIGH GHSA-JC38-X7X8-2XC8
PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
- HIGH GHSA-3PRJ-6HQW-CM82
PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
- MEDIUM GHSA-6VVH-PXR4-25R7
PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption