Multiple security flaws have been discovered in major package managers that, if exploited, might allow attackers to run arbitrary code and access sensitive data from vulnerable workstations, such as source code and access tokens. However, it’s worth mentioning that the issues require the targeted developers to use one of the vulnerable package managers to handle a malicious package.
“This means that an attack cannot be launched directly against a developer machine from remote and requires that the developer is tricked into loading malformed files,” SonarSource researcher Paul Gerste stated. “But can you always know and trust the owners of all packages that you use from the internet or company-internal repositories?”

Package managers are systems or a collection of tools that automate the installation, upgrade, and configuration of third-party dependencies needed to create applications. While there are security risks associated with rogue libraries making their way into package repositories, which necessitates that those dependencies be thoroughly scrutinized to avoid typosquatting and dependency confusion attacks, the “act of managing dependencies is usually not seen as a potentially risky operation.”
However, recently identified flaws in various package managers suggest that attackers may use them to fool victims into running malicious code. The following package managers have been shown to contain vulnerabilities:
· Composer 1.x < 1.10.23 and 2.x < 2.1.9
· Bundler < 2.2.33
· Bower < 1.8.13
· Poetry < 1.1.9
· Yarn < 1.22.13
· pnpm < 6.15.1
· Pip (no fix), and
· Pipenv (no fix)

One of the most severe flaws is a command injection vulnerability in Composer’s browse command, which might be used to execute arbitrary code by adding a URL to a malicious package that has already been published. If the package makes use of typosquatting or dependency confusion tactics, it’s possible that invoking the browse command for the library may result in the retrieval of a next-stage payload, which can subsequently be used to launch further attacks.

Additional argument injection and untrusted search path security flaws found in Bundler, Poetry, Yarn, Composer, Pip, and Pipenv allowed a bad actor to gain code execution via a malware-laced git executable or an attacker-controlled file such as a Gemfile, which is used to specify Ruby program dependencies.

Fixes for Composer, Bundler, Bower, Poetry, Yarn, and pnpm were published after responsible disclosure on September 9, 2021. However, Composer, Pip, and Pipenv, which are all impacted by the untrusted search path problem, have chosen not to fix it.
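The two flaw classes named above share a defensive pattern: treat every value that comes out of a package manifest (a homepage URL handed to a browse command) or out of a checked-out project directory (a `git` binary sitting next to the code) as untrusted input to a process launch. The following Python module is an added example written for this article, not code from SonarSource or from any of the package managers listed; the function names, the `ALLOWED_SCHEMES` set and the constructed demo scenario are all assumptions. It shows a URL validator that refuses option-looking and non-HTTP values before they reach a subprocess argument list, a `PATH` audit that flags the entries which let a project directory shadow system tools, and a check for tool-named files inside the project itself.

```python
"""Defensive checks against argument injection and untrusted search paths
when a dependency tool launches a subprocess (added example, not project code)."""
import os
import tempfile
from urllib.parse import urlsplit

# Assumption: only web URLs are legitimate targets for a "browse" command.
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: characters that should never appear in a URL handed to a process.
FORBIDDEN_CHARS = set("\n\r\x00;|&`$")


def validate_browse_url(url: str) -> str:
    """Return url unchanged if it is safe to pass as a single argv element.

    Rejects values that an option parser would read as a flag (leading '-'),
    non-http(s) schemes, missing hosts, and control/shell metacharacters.
    The caller must still use an argv list, never a shell string."""
    if not isinstance(url, str) or not url.strip():
        raise ValueError("empty URL")
    if url.lstrip().startswith("-"):
        raise ValueError("URL would be parsed as a command-line option")
    if FORBIDDEN_CHARS & set(url):
        raise ValueError("control or shell metacharacters in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"unsupported or hostless URL: {url!r}")
    return url


def is_safe_browse_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_browse_url."""
    try:
        validate_browse_url(url)
        return True
    except ValueError:
        return False


def audit_search_path(path_value: str, project_dir: str) -> list:
    """Return findings for PATH entries that let project_dir shadow system tools.

    Flags empty entries (an empty element means the current directory),
    relative entries, and absolute entries that resolve inside project_dir."""
    findings = []
    project_real = os.path.realpath(project_dir)
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings.append("empty PATH entry (resolves to the current directory)")
        elif not os.path.isabs(entry):
            findings.append(f"relative PATH entry {entry!r}")
        else:
            real = os.path.realpath(entry)
            if real == project_real or real.startswith(project_real + os.sep):
                findings.append(f"PATH entry {entry!r} lies inside the project directory")
    return findings


def find_shadowing_tools(project_dir: str, tools=("git",)) -> list:
    """Report files in project_dir named like tools a package manager executes.

    On Windows the current directory is searched for executables by default,
    so a tool-named file in a checkout is a finding regardless of PATH."""
    hits = []
    for tool in tools:
        for name in (tool, tool + ".exe", tool + ".cmd", tool + ".bat"):
            candidate = os.path.join(project_dir, name)
            if os.path.isfile(candidate):
                hits.append(candidate)
    return hits


def run_demo() -> dict:
    """Constructed scenario: a checkout that ships an inert file named 'git'
    and a PATH with an empty entry plus the project's own bin directory."""
    with tempfile.TemporaryDirectory() as project:
        with open(os.path.join(project, "git"), "w") as fh:
            fh.write("constructed placeholder, not a real executable\n")
        bad_path = os.pathsep.join(["/usr/bin", "", os.path.join(project, "bin")])
        return {
            "path_findings": audit_search_path(bad_path, project),
            "shadowing": [os.path.basename(p) for p in find_shadowing_tools(project)],
            "good_url_ok": is_safe_browse_url("https://example.com/vendor/pkg"),
            "flag_url_ok": is_safe_browse_url("-x"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The validator is deliberately strict rather than clever: a browse command only ever needs a web URL, so anything else is rejected before a process is built, and the leading-dash rule closes the argument-injection path even when the downstream tool lacks an end-of-options marker. The `PATH` audit is something a CI job or a developer-workstation baseline check can run on every checkout, since the untrusted search path issues above are precisely the ones several maintainers declined to fix.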