Microsoft published a white paper on Tuesday 10th Feb describing “Dependency Confusion” attacks against applications built from a hybrid configuration of privately held and publicly sourced packages.

Why might this be a problem?

Software is developed from a wide range of packages assembled into applications. Packages are built in house, purchased from third-party suppliers, and downloaded free of charge from public sources. When components from multiple sources are combined, new interactions arise which can allow malware to be introduced into the hybrid configuration, and once a malicious payload has been incorporated into what appears to be a private package, its execution is trivial.

What is a Dependency Confusion Attack?

A common hybrid configuration manages private packages developed in house alongside publicly available packages that are downloaded automatically whenever a new version is released. The result is the risk that a public package name is hijacked, the hijacked package is downloaded in place of the intended one, and malware is introduced: a dependency confusion attack.

Am I impacted?

If you download and use code from public package index websites in your applications, you may be at risk from this form of attack. Even if your code packages are managed internally using private feeds, you may still be at risk if you also consume components from public indexes such as Maven Central, npm, NuGet Gallery, and the Python Package Index (PyPI).

What can I do?

Eliminating the risk of this form of attack is straightforward.

  • Use a package manager that enforces controlled scopes, namespaces or prefixes
  • Enforce version pinning or integrity verification mechanisms to ensure only intended functionality is present and prevent substitution attacks
  • If your package manager doesn’t support the above, then consider disabling automatic download of updated packages from public sources
  • All packages used should be signed and from a verified source where possible
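The second and third points above can be checked mechanically before a build runs. The script below is an added example written for this post; it is not code from the original page or from Microsoft's paper. It assumes pip-style requirements files: it flags every requirement that is not pinned to an exact version with a `--hash`, flags any `--extra-index-url` line (pip searches all configured indexes and takes the highest version, which is exactly the substitution path a private name is exposed to), and reports private package names that also resolve on a public index. The sample requirements file, the hash value, the internal feed URL and the public-index snapshot are all constructed for the example; a real check would query the index instead of using a snapshot.

```python
"""Defender-side checks for the mitigations listed above (added example, not
from the original post or from Microsoft's paper). Assumes pip-style
requirements files; the sample file, the placeholder hash, the internal feed
URL and the public-index snapshot are constructed for the example."""
import re

# Constructed sample requirements file: one fully locked line, one line that
# merges a public index into the resolution set, and two weak private entries.
SAMPLE_REQUIREMENTS = """\
--index-url https://feed.example.internal/simple
--extra-index-url https://pypi.org/simple
requests==2.31.0 --hash=sha256:0000constructedplaceholderhash0000
acme-internal-auth>=1.0
Acme_Billing.Client
"""

def normalize(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?P<spec>(==|>=|<=|~=|!=|>|<)[^\s;]+)?"
    r"(?P<rest>.*)$"
)

def audit_requirements(text):
    """Return (package_or_option, problem) tuples for every weak line.

    A requirement is acceptable only if it pins an exact version (==) and
    carries a --hash, so that pip's --require-hashes mode rejects any
    substitute package with different contents."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            # pip resolves across every configured index and prefers the
            # highest version, so a private name published publicly can win.
            findings.append((line.split()[0], "public index merged into private resolution"))
            continue
        if line.startswith("-"):
            continue  # other options (--index-url, -r, ...) are not judged here
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name = normalize(m.group("name"))
        spec = m.group("spec") or ""
        if not spec.startswith("=="):
            findings.append((name, "not pinned to an exact version"))
        if "--hash=" not in m.group("rest"):
            findings.append((name, "no --hash integrity check"))
    return findings

# Constructed stand-ins: names published only to the private feed, and a
# snapshot of names a public index would report for the same lookups.
PRIVATE_PACKAGES = {"acme-internal-auth", "Acme_Billing.Client", "acme-reports"}
PUBLIC_INDEX_SNAPSHOT = {"requests", "acme-billing-client", "numpy"}

def find_collisions(private, public):
    """Private names that also resolve publicly after normalisation. Each one
    should be reserved on the public index by its rightful owner or moved
    under a controlled scope/prefix, otherwise resolution can be confused."""
    public_norm = {normalize(p) for p in public}
    return sorted(n for n in {normalize(p) for p in private} if n in public_norm)

if __name__ == "__main__":
    for item, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{item}: {problem}")
    print("name collisions:", find_collisions(PRIVATE_PACKAGES, PUBLIC_INDEX_SNAPSHOT))
```

Run against the sample file, the audit reports the merged public index once and each of the two private requirements twice (unpinned, no hash), while `requests` passes; the collision check reports `acme-billing-client`, the one private name the public snapshot also knows. The same two ideas (exact pin plus integrity hash, and a private namespace that cannot be claimed publicly) are what npm scopes, NuGet package source mapping and Maven repository managers provide in their own syntax.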

If you have any concerns and would like to speak in confidence with one of our Security Consultants, please contact Ross Holmes.
