Dependency Confusion
Overview
Dependency confusion, also known as a supply chain substitution attack, occurs when a software installer script is tricked into pulling a malicious code file from a public repository instead of the intended file from an internal repository.
Attack Techniques
Reconnaissance:
Identifying Private Packages:
Scan for exposed
package.jsonor similar configuration files using tools like Shodan.Extract private package names from internal files, public repositories, or forums.
Use source maps to reconstruct front-end source code and identify import statements.
Exploitation:
Creating Malicious Packages:
Develop packages with the same names as the identified private dependencies but with higher versions.
So if the package indexing is not properly done, it will automatically pull the Higher version package from the Public Registry.
Upload these packages to public repositories such as npm, PyPI, or RubyGems.
Executing Malicious Code:
Utilize preinstall scripts to execute malicious code upon package installation.
Using Confused tool
It can be also found using
npm package.json disclosurenuclei template.
Data Exfiltration:
DNS Exfiltration:
Encode collected data (hostname, username, current path) in DNS queries.
Send these queries to a custom authoritative name server to log the information.
Real-world Impact
Case Study
Remote Code Execution (RCE):
Malicious packages executed on internal servers and developers' machines.
Exfiltrated data provided insights into vulnerable systems and potential attack vectors.
High-Profile Targets:
Exploitation affected major companies, leading to significant security concerns and financial bounties.
Common Vulnerabilities
Insecure Command Usage:
Use of
--extra-index-urlwith pip allows fallback to public repositories if a package isn't found internally.Similar issues with other package managers like npm and RubyGems.
Package Management Configurations:
JFrog Artifactory and Azure Artifacts using algorithms that default to higher version numbers from public repositories.
Misconfigured internal or cloud-based build servers and development pipelines.
Mitigation Strategies
Secure Package Management:
Index Configuration:
Use
--index-urlinstead of--extra-index-urlto ensure dependencies are pulled exclusively from trusted sources.
Repository Settings:
Prioritize internal packages over public ones in configuration settings.
Regularly audit and verify package sources.
Security Policies:
Access Control:
Implement strict access controls for internal repositories.
Developer Education:
Train developers on the risks of dependency confusion and best practices for secure dependency management.
Regular Audits:
Conduct periodic security assessments and vulnerability scans to identify and mitigate risks.
Detection and Response:
Monitoring:
Set up monitoring for unusual package installation activities.
Use automated alerts for newly published packages with internal names.
Incident Response:
Have a response plan in place for quickly addressing and mitigating discovered vulnerabilities.
Collaboration:
Work with security researchers and bug bounty programs to identify and fix issues proactively.
Conclusion
Dependency confusion vulnerabilities pose a significant threat to software supply chains. By adopting secure package management practices, implementing stringent security policies, and maintaining robust detection and response mechanisms, organizations can effectively mitigate the risks associated with these attacks.
References
Last updated
