Microsoft warns enterprises of new ‘dependency confusion’ attack technique
New “dependency confusion” technique, also known as a “substitution attack,” allows threat actors to sneak malicious code inside private code repositories by registering internal library names on public package indexes.
When apps are built, the company’s developers mix their private libraries with public libraries downloaded from public package portals like npm, PyPI, NuGet, or others.
NEW “DEPENDENCY CONFUSION” ATTACK
In research published on Tuesday, a team of security researchers has detailed a new concept called “dependency confusion” that attacks these mixed app-building environments inside large corporations.
Researchers showed that if an attacker learns the names of private libraries used inside a company’s app-building process, they could register these names on public package repositories and upload public libraries that contain malicious code.
The “dependency confusion” attack takes place when developers build their apps inside enterprise environments and their package manager resolves the (malicious) library hosted on the public repository instead of the internal library with the same name.
The research team said they put this discovery to the test by searching for situations where big tech firms accidentally leaked the names of various internal libraries and then registered those same libraries on package repositories like npm, RubyGems, and PyPI.
Using this method, researchers said they successfully loaded their (non-malicious) code inside apps used by 35 major tech firms, including the likes of Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, and others.
But besides npm, RubyGems, and PyPI, other package managers are also vulnerable, researchers said, including the likes of JFrog, Maven Central, and NuGet.
MICROSOFT URGES COMPANIES TO ANALYZE INTERNAL PACKAGE REPOS
While the research team said it notified all the affected companies and package repositories, Microsoft appears to have understood the severity of this issue more than the others.
After the research team’s work went public on Tuesday, the OS maker, which also runs the NuGet package manager for .NET developers, has published a white paper
The white paper warns companies about hybrid package manager configurations, where both public and private library sources are used, and also details a series of mitigations that companies can apply to avoid dependency confusion within their build environments.
Among the listed recommendations are:
- Reference one private feed, not multiple
- Protect your private packages using controlled scopes on public package repositories
- Utilize client-side verification features, such as version pinning and integrity verification
More inside the white paper.
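The three recommendations above map directly onto checks a build pipeline can run over its own dependency manifests. The script below is an added example (not code from the article or from the Microsoft white paper) that audits a pip requirements file for a merged second feed, unpinned versions, and missing integrity hashes; the feed host and the `acme-internal-utils` package name in the sample files are constructed, not real.

```python
"""Audit a pip requirements file for the weaknesses the white paper's
recommendations target: a second feed, unpinned versions, no integrity hashes.
Added example; not code from the article, ZDNet, or the white paper."""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*(\[[^\]]*\])?")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]*(\[[^\]]*\])?\s*==\s*\S+")


def audit_requirements(text: str) -> list:
    """Return (line_no, message) for each risky logical line (backslash continuations joined)."""
    findings = []
    for no, raw in enumerate(text.replace("\\\n", " ").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            # pip merges this feed with --index-url and resolves the highest version
            # from either, which is the substitution the article describes.
            findings.append((no, "second feed via --extra-index-url; reference one private feed"))
            continue
        if line.startswith("-"):  # other pip options are out of scope here
            continue
        m = NAME_RE.match(line)
        name = m.group(0) if m else line
        if not PIN_RE.match(line):
            findings.append((no, f"{name} is not version-pinned"))
        elif "--hash=" not in line:
            findings.append((no, f"{name} lacks --hash= for integrity verification"))
    return findings


# Constructed sample files; the internal feed host and package name are hypothetical.
WEAK = """\
--index-url https://pypi.org/simple
--extra-index-url https://pkgs.example.internal/simple
acme-internal-utils
requests==2.31.0
"""
HARDENED = """\
--index-url https://pkgs.example.internal/simple
acme-internal-utils==1.4.0 \\
    --hash=sha256:PLACEHOLDER_NOT_A_REAL_HASH
requests==2.31.0 --hash=sha256:PLACEHOLDER_NOT_A_REAL_HASH
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_requirements(text) or "no findings")
```

Running the script reports three findings for the weak file (the merged feed, the unpinned internal package, and the pinned-but-unhashed public package) and none for the hardened one, which uses a single private feed with every requirement pinned and hashed.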
Source: www.zdnet.com