How to prevent package dependency confusion attacks
This article will discuss two key software security concepts:
- What is package dependency confusion
- How to prevent package dependency confusion attacks
Before we start, check out packagecloud. This package management platform helps users to avoid package dependency confusion and resolve other vulnerabilities caused in the software supply chain by verifying packages and maintaining secure repos.
What is package dependency confusion?
Package dependency confusion, also called a “substitution attack”, is a recently identified logic flaw in how software development tools fetch third-party packages from public and private repositories by default.
In other words, a user is tricked into installing a malicious dependency instead of the one they meant to install. It occurs when an attacker registers a public package index with the same name as a company’s internal library to send vulnerable or malicious code into the company’s private code repositories.
The term dependency confusion was first used in 2021 by security researcher, Alex Birsan. In the post, he announced that he had executed this type of attack against several major organizations. As a result, he made a sizable amount of money from the bug bounty programs.
According to the Synopsys 2020 report, most commercial applications used by enterprises contain open-source code, which accounts for at least 70% of their overall code base. What this shows us is that open source software is an integral part of software development.
Due to this large ecosystem of third-party components and packages, most of the popular programming languages have their own language-specific package manager. Normally, the user specifies the name and source of the library, and the rest is automatically handled by the package manager.
Third-party package repositories have been becoming more and more popular over time. For example:
- For Java, people use the Central Repository.
- For Python, it’s called PyPI (Python Package Index).
- For Ruby, there’s RubyGems.
Recently, it has come to light that dependencies on these open source packages and third-party package managers could cause security risks within your software supply chain.
Use Packagecloud to verify your packages and prevent package dependency confusion attacks
Because of potential risks caused by dependency confusion, packagecloud has recognized that companies need an agent to verify and authorize that the packages being deployed in their systems are safe.
One of the first things an organization should do is start keeping track of the package they’re using.
Packagecloud is a rigorous way to keep track of your packages, check dependencies, and make your software supply chain fully secure.
Packagecloud allows setting up unlimited repositories regardless of OS and programming language. Which means you can keep all of your packages in one place, making it easy to know what’s going on with your package dependencies.
It also supports advanced authentication, end-to-end SSL, Fastly CDN support, unlimited packages, built-in CI/CD support, and GPG signatures. Moreover, it provides high reliability and security for rollouts through Matrix42-certified and quality-assured packages.
What are the possible damages from dependency confusion
Is the potential damage caused by package dependency confusion great enough to warrant new security measures? Yes.
When an attacker enters into the system through dependencies, they can get to know the organization’s name, current path, IP address, package name and host name. That means they may gain access to critical information.
The risk can impose severe damages against organizations regardless of size and industry. As the attacker gains control over a private repository, the person can inject malicious code into the repo and have access to it.
There have been several glaring examples. A well-known incident was the 2014 breach of mega-retailer Target’s point-of-sale systems. Its hackers penetrated into one of the company’s vendors via a social engineering attack that delivered malware in an email. This breach compromised 41 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.
Who is at risk?
However, this does not mean that they are more or less vulnerable to an attack. In fact, we were able to find RubyGems that could be as susceptible to dependency confusion as npm.
Likely, anyone who is using internal packages that are similar or the same as open source packages is susceptible to a package dependency confusion attack.
How to check for vulnerability to prevent package dependency confusion
When developers build their apps inside business environments, their package manager might prioritize malicious libraries lurking in the public repository over the internal library with the same name.
A recent study put their discoveries to the test by looking for cases in which large fintech businesses unintentionally disclosed the names of various internal libraries and subsequently registered those same libraries on package repositories such as npm, RubyGems, and PyPI.
Using this approach, researchers claimed to have successfully installed their (non-malicious) code within apps used by 35 major technology companies.
A major issue is that some third-party solutions, such as JFrog Artifactory, which are used for package management and allow combining private and public repositories into a virtual feed, still exhibit this vulnerability to package dependency confusion.
How does Packagecloud tell if you’re at risk?
Packagecloud, is a cloud-based service that also can detect vulnerabilities, software supply chain poisoning, and trojan-horse attacks by comparing your packages with the SBOM, as well as via other strategies.
With Packagecloud, you can prevent package dependency confusion by making sure your packages are safe and keeping track of those packages. Packagecloud differs from other alternatives by allowing you to store all of your different language packages in one location. It also lets you control exactly which package you want to use.
Furthermore, it allows users to save time and money by setting up servers for hosting packages for each and every type of OS. All repositories have powerful tooling, security, and automation, so no additional software is required. The most appealing new benefit for users is the ability to set up and update machines faster and with less overhead than ever before.
In addition, you can track, analyze, and control access to your packages using this service and can buy plans according to the size of your organizational needs.
Packagecloud is a user-friendly environment. Packagecloud is extremely simple to integrate with CI/CD pipelines, simple to use, and reliable. The simplicity of the process and the GUI of the repo helps users to install and use the repo in a very easy way in no time.
You can check out the free packagecloud trial to see how simple it is to distribute packages across your entire workplace. Never be worried about the scalability, consistency, or security of your packages.
According to security researcher Alex Birsan’s experience and research, dependency confusion attacks have been detected inside more than 35 organizations to date. A vast majority of the affected businesses were in the 1000 or more employees category, which presumably reflects the higher prevalence of internal library usage within larger firms.
Packagecloud is the best solution to all of your problems related to preventing package dependency confusion and other software supply chain vulnerabilities. Packagecloud also sets you free from worrying about the scalability and consistency of your packages.
Try the packagecloud free trial today and start managing your packages safely!