Tuesday, October 4, 2022

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.

“This vulnerability allows gaining control of Packagist,” SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download the software dependencies that developers include in their projects.

The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.

Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.

“An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project’s composer.json can use specially crafted branch names to execute commands on the machine running composer update,” Packagist disclosed in an April 2022 advisory.

Successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.
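The branch-name vector in the advisory quoted above is argument injection: a reference name taken from a remote repository ends up on a git or hg command line, and a name that begins with `-` is parsed as an option rather than as a name. The PHP below is an added illustration of how a consumer of VCS metadata can refuse such names before they reach a subprocess; it is not Composer's or Packagist's code, and the validation rules and helper names (`isSafeVcsRef`, `gitRevParseArgv`, `runArgv`) are assumptions of this example. It needs PHP 8 and, only for `runArgv`, a `git` binary on PATH.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's or Packagist's code. Assumes PHP >= 8.0
// (str_contains / str_ends_with) and, for runArgv(), a git binary on PATH.

/**
 * Conservative allow-list for a branch or tag name that will be handed to
 * git/hg as a command-line argument. The rules are this example's own
 * assumptions and are deliberately stricter than what git itself accepts.
 */
function isSafeVcsRef(string $ref): bool
{
    if ($ref === '' || strlen($ref) > 255) {
        return false;
    }
    // A leading '-' is the core of argument injection: git and hg parse such a
    // token as an option, not as a reference name.
    if ($ref[0] === '-') {
        return false;
    }
    // Letters, digits and a few separators only: no whitespace, no control
    // characters, no shell metacharacters.
    if (preg_match('#^[A-Za-z0-9][A-Za-z0-9._/+-]*$#', $ref) !== 1) {
        return false;
    }
    // Sequences that git's own ref rules (git check-ref-format) forbid.
    if (str_contains($ref, '..') || str_contains($ref, '@{')
        || str_ends_with($ref, '/') || str_ends_with($ref, '.lock')) {
        return false;
    }
    return true;
}

/**
 * Build argv for resolving a branch to a commit hash. Two independent
 * mitigations: the name is validated first, and it is then pinned behind the
 * fixed prefix refs/heads/, so the first character git sees is never '-'.
 */
function gitRevParseArgv(string $branch): array
{
    if (!isSafeVcsRef($branch)) {
        throw new InvalidArgumentException(
            'refusing unsafe VCS reference: ' . var_export($branch, true)
        );
    }
    return ['git', 'rev-parse', '--verify', 'refs/heads/' . $branch];
}

/**
 * Run an argv array without a shell. proc_open() with an array (PHP >= 7.4)
 * passes each element as exactly one argument, so shell quoting is not an
 * issue; this alone does NOT stop option parsing inside git, hence the checks
 * above. Example use: runArgv(gitRevParseArgv('main'), '/path/to/checkout').
 */
function runArgv(array $argv, string $cwd): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => trim($out), 'stderr' => trim($err)];
}

// Constructed sample names: the first three are ordinary, the last three are
// the kinds of input a hostile repository could expose (none is a real case).
$samples = ['main', 'release/2.3.5', 'v1.0.0', '-starts-with-dash', 'has space;', 'a..b'];
foreach ($samples as $name) {
    printf("%-20s %s\n", $name, isSafeVcsRef($name) ? 'accepted' : 'REJECTED');
}
```

The two layers are independent on purpose: the allow-list rejects anything that could be read as an option or split into extra arguments, and the fixed `refs/heads/` prefix means that even a name that slipped through validation could not be the first thing the tool parses. Note that `escapeshellarg()` or the array form of `proc_open()` only keeps the shell out of the picture; neither prevents git or hg from interpreting a dash-prefixed argument as an option, which is why name validation is still required.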

“Compromising [the backend services] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package,” Chauchefoin explained.

That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.

Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which it can be weaponized against the software supply chain.

Earlier this April, SonarSource also detailed a 15-year-old security flaw in the PEAR PHP repository that could enable an attacker to obtain unauthorized access, publish rogue packages, and execute arbitrary code.

“While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users,” Chauchefoin said.


