Microsoft published a white paper on Tuesday 10th Feb saying “Dependency Confusion” attacks are possible against application packages of privately and publicly held components in a hybrid configuration.
Why might this be a problem?
Software is developed using a wide range of packages assembled to create applications. Packages are sourced in house, purchased from third party suppliers, and downloaded free from public sources. When software components from multiple sources are used new interactions arise which can result in malware being introduced into hybrid configurations. Execution of malware payloads incorporated into private packages is trivial.
What is a Dependency Confusion Attack?
A common hybrid component configuration manages private packages developed in house and publicly available packages which are automatically downloaded when a new version is released. The risk of public packages being hijacked, downloaded and for malware to be introduced in a dependency confusion attack is the result.
Am I impacted?
If you download and use code from public open-package index web sites in your applications, you may be at risk from this form of attack. Even if your code packages are managed internally using private feeds it is possible that you are at risk if you consume components from public indexes such as Maven Central, npm, NuGet Gallery, and the Python Package Index (PyPI).
What can I do?
Eliminating the risk of this form of attack is straightforward.
- Use a package manager that enforces controlled scopes, namespaces or prefixes
- Enforce version pinning or integrity verification mechanisms to ensure only intended functionality is present and prevent substitution attacks
- If your package manager doesn’t support the above, then consider disabling automatic download of updated packages from public sources
- All packages used should be signed and from a verified source where possible
If you have any concerns and would like to speak in confidence with one of our Security Consultants, please contact Ross Holmes.
Cyberfort Deep Dives
Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >