May 24, 2021
Dependency Confusion - A New Supply Chain Attack Technique
May 24, 2021
Supply chain attacks are not new to the industry. They have been used in several high-profile breaches across. Supply chain attacks target less secure parts of an organization's supply chain to breach them.
A Brief History of Supply Chain attacks
The SolarWinds breach led to the compromise of various government and cybersecurity agencies due to a sophisticated supply chain attack. It targeted SolarWinds infrastructure, eventually making its way into its client's infrastructures. Hence, a supply chain attack can usually be targeted towards many organizations by simply compromising a single vendor, which is familiar to them (a certain vulnerable element in Solarwinds, in this example). Thus, it's very impactful.
More recently, a vulnerability in Microsoft Exchange servers was used to deliver malware and target attack companies. It's estimated that over 20,000 U.S. organizations were targeted in this attack. Microsoft Exchange is an essential part of many infrastructures, and hence it's targeted by attackers to infiltrate into companies and exfiltrate data.
There have been many well-known supply chain attacks like the Target breach and the Stuxnet worm in the past. Both of which managed to attack at a huge scale and in a sophisticated manner. Such attacks might allow remote attackers to execute arbitrary code and extract data by infiltrating your supply chain.
How can dependencies in the supply chain be attacked?
Attack techniques keep evolving, and so do the elements in the supply chain. Attackers have been quick at adapting to such changes. They have been able to find new novel ways to attack companies to successfully infiltrate into them through a single element in the supply chain network. One such element in the supply chain is dependency.
Software dependencies are a critical element of the supply chain. In simple words, often, one software relies on another piece of code or software, which is termed as a dependency. It forms a crucial part of the software supply chain and can be leveraged by attackers to breach companies.
The latest type of supply chain attack was discovered by a security researcher, Alex Birsan, who found out that sometimes private dependencies can be taken advantage of by attackers to target companies. This attack heavily relies on the way dependencies are being used in software and their implementation. He called this type of attack dependency confusion.
What is a dependency confusion attack?
If a codebase contains a mix of private and public dependencies, it might be possible to upload malicious packages to public repositories. For this, the attacker needs to know the names of such private dependencies and must be able to hijack the names of these packages on public package repositories.
What leads to Dependency Confusion attacks?
Applications work by using various dependencies. But if an attacker can control a particular dependency, essentially, this opens a vulnerable element in the supply chain, or infrastructure, leaving it open to malicious infiltration. Suppose an attacker can hijack a private namespace of a dependency (or package) and upload malicious code by uploading it to the public package repositories like npm, PyPI, and Ruby Gems. In that case, an attacker might execute code when the application is being built or developed in the enterprise environment.
How widespread is it?
Probably hundreds of thousands of applications belonging to various companies may be affected. Applications heavily rely on dependencies. Also, in certain cases, 3rd party dependency names may change, making them susceptible to namespace attacks. There are a lot of dependencies and public package repositories. Hence, it may not be an easy job to assess how this might impact many applications or codebases.
Alex says in his article that most companies with a large number of employees (more than 1000) are at a higher risk due to the nature of this issue. Additionally, he was able to amass $130,000 by reporting this vulnerability to bug bounty programs. As per Alex, he found this vulnerability in Apple, Microsoft, and dozens of companies.
How to mitigate such attacks?
Monitoring for private dependencies:
Several tools like confused can be used to scan public projects if they have any references to private dependencies. If Confused finds any dependencies that are not public packages, it alerts so that the repo owner can be alerted of such dependencies, which can help prevent them.
Install GoLang and then proceed to install Confused,
get -u github.com/visma-prodsec/confused
This tool can be used to monitor private dependencies.
Checking for private dependencies in package.json using the confused tool
./confused -l npm package.json
If issues are found, the tool will output the private dependency names found in the package.json file.
Issues found, the following packages are not available in public package repositories:
- [!] some_internal_package1*
- [!] @company/some_internal_package1*
- [!] @company/some_internal_package2*
Microsoft published a whitepaper on dependency confusion attacks. They mentioned some strategies in-depth on how such attacks can be prevented and mitigated. Here are some of their recommendations to mitigate the risk of this kind of attacks:
- Instead of referencing multiple private feeds, reference one
- Protect packages using controlled scopes
- Utilize client-side verification features
More ways to secure dependencies
General checklist for protecting against supply chain attacks targeted towards vulnerable dependencies:
- Track the dependencies - both public and private
- Ensure that the namespaces for the private dependencies have been claimed
- Eliminate ones that are no longer used to prevent the risk of vulnerabilities
- If an audit functionality is a built-in feature of the package manager, use it. For example, always run npm audit to ensure no vulnerabilities are present in the dependencies
- Last but not least, ensure dependencies are from a reliable source, with an active maintainer
Start learning more about the latest supply chain attacks and understanding how to defend against such attacks.