Dependency Confusion

Dependency Confusion

Risk: critical

Description

Dependency confusion or substitution attack is a new attack technique that can lead to remote code execution. The attack typically affects build environments, CI/CD pipelines and developer workstation.

In most programming languages, external package management systems are available to fetch 3rd party dependencies.

Package managers usually offer the possibility to deploy private repositories to host internal-only packages.

During the build process, the package manager does not prioritize the private repositories, but the ones with the highest version. This behavior can be leveraged by an attacker by creating a malicious package on the public repository and using a high enough version to ensure the malicious package is the one used during build time.

Recommendation

NPM packages offer the possibility to set scopes to packages. Scoped packages on the public npm registry may only be published by the user or organization associated with it, and packages within that scope may be made private. Also, scope names can be linked to a given registry.

{
  "name": "@ostorlab/dep1",
  "version": "1.2.3",
  "description": "Scoped dependency 1",
  "dependencies": {
    "@ostorlab/dep2": "1.2.3"
  }
}

The used scope must be created beforehand to ensure an attacker can't take it over. To create a public scope, apply the following instructions: https://docs.npmjs.com/creating-an-organization

Scoped registry can be configured by including a similar line in the .npmrc file:

@ostorlab:registry = https://reg.ostorlab.internal/

Links

• Microsoft warns enterprises of new 'dependency confusion' attack technique
• Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
• Avoiding npm substitution attacks

Standards

• OWASP_MASVS_L1:
  • MSTG_CODE_5
• OWASP_MASVS_L2:
  • MSTG_CODE_5
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_11_3