Dependency Confusion

Dependency Confusion

Risk: critical

Description

Dependency confusion or substitution attack is a new attack technique that can lead to remote code execution. The attack typically affects build environments, CI/CD pipelines and developer workstation.

In most programming languages, external package management systems are available to fetch 3rd party dependencies.

Package managers usually offer the possibility to deploy private repositories to host internal-only packages.

During the build process, the package manager does not prioritize the private repositories, but the ones with the highest version. This behavior can be leveraged by an attacker by creating a malicious package on the public repository and using a high enough version to ensure the malicious package is the one used during build time.

Recommendation

When managing project dependencies, it's essential to leverage scoped packages for better organization and security. In the case of NPM, follow these steps to create a scoped package, set up a scoped registry, prevent scope takeover, and define dependencies effectively:

1. Create a Scoped Package:

If you haven't already, create a scoped package for your project. You can do this by following the instructions:

On the npm "Sign In" page, enter your account details and click Sign In.

1. On the npm "Sign In" page, enter your account details and click Sign In.
2. In the upper right corner of the page, click your profile picture, then click Add an Organization.
3. On the organization creation page, in the Name field, type a name for your organization. Your organization name will also be your organization scope.
4. Under the Name field, choose either the "Unlimited private packages" paid plan or the "Unlimited public packages" free plan and click Buy or Create.
5. (Optional) On the organization invitation page, type the npm username or email address of a person you would like to add to your organization as a member and select a team to invite them to, then click Invite.
6. Click Continue.

2. Set up Scoped Registry:

Configure your scoped registry by adding the following line to your .npmrc file:

@[ORG]:registry = https://reg.[ORG].internal/

3. Prevent Scope Takeover:

Ensure that the scope you intend to use (@ORG) is secured and cannot be taken over by an attacker. This includes verifying ownership and maintaining control over the associated organization or user account.

4. Define Dependencies:

Define dependencies within your package.json file, making sure to use the scope defined earlier. For example:

{
  "name": "@org/dep1",
  "version": "1.2.3",
  "description": "Scoped dependency 1",
  "dependencies": {
    "@ostorlab/dep2": "1.2.3"
  }
}

By following these actionable steps, you can effectively utilize scoped packages, ensure registry configuration, and mitigate the risk of scope takeover by unauthorized entities.

Links

• Microsoft warns enterprises of new 'dependency confusion' attack technique
• Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
• Avoiding npm substitution attacks

Standards

• OWASP_MASVS_L1:
  • MSTG_CODE_5
• OWASP_MASVS_L2:
  • MSTG_CODE_5
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_11_3
• OWASP_MASVS_v2_1:
  • MASVS_CODE_3
• SOC2_CONTROLS:
  • CC_2_1
  • CC_4_1
  • CC_4_2
  • CC_6_6
  • CC_7_1
  • CC_7_2
  • CC_7_4
  • CC_7_5
  • CC_8_1
  • CC_9_1