Supply Chain Security

Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack

Code security company SonarSource today published details on a severe vulnerability impacting Packagist, which could have been abused to mount supply chain attacks targeting the PHP community.

Packagist is the default repository for PHP dependency manager Composer, aggregating public PHP packages that can be installed using Composer. Each month, Composer is used to download more than 2 billion packages.

According to Sonar’s security researchers, the recently identified vulnerability could have been used to hijack over 100 million requests to distribute malicious dependencies, leading to the potential compromise of millions of servers.

“Since Composer is the standard package manager for PHP, most open-source and commercial PHP projects would have been impacted,” Sonar says.

Tracked as CVE-2022-24828, the vulnerability is described as a command injection issue that could allow an attacker to control input that is interpreted as parameters for commands executed by Composer.

“The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used,” Composer’s maintainers explain.

The flaw was similar to CVE-2021-29472, a command injection bug identified last year in the Version Control System driver (VcsDriver) sub-classes that Composer uses to invoke external commands.

Because of this vulnerability, a user controlling a Git or Mercurial repository could target Packagist.org and Private Packagist by injecting parameters into the $file argument (impacting the Mercurial driver) or the $identifier argument (with impact on both Git and Mercurial drivers).
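The pattern behind this class of bug, as an added example that is not Composer's own code: a value that is shell-escaped but still begins with a dash is handed to git as an option rather than as a revision or path. The function names, the hardening check and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's code: shows why shell escaping alone does not stop
// argument injection when user-controlled $identifier/$file values are forwarded
// to a VCS command, plus one hardening pattern. All names here are hypothetical.

final class ArgumentInjectionException extends RuntimeException {}

/**
 * Vulnerable pattern: escapeshellarg() neutralises shell metacharacters, but a
 * value starting with "-" is still passed to git, which parses it as an option.
 */
function gitShowCommandVulnerable(string $identifier, string $file): string
{
    return sprintf('git show %s', escapeshellarg($identifier . ':' . $file));
}

/** Reject anything git would read as an option instead of a revision or path. */
function assertNotOptionLike(string $value, string $argName): void
{
    if ($value === '' || $value[0] === '-') {
        throw new ArgumentInjectionException(
            sprintf('%s %s would be parsed as a git option', $argName, var_export($value, true))
        );
    }
}

/**
 * Hardened pattern: validate both inputs, then add --end-of-options (Git >= 2.24)
 * so that nothing after it can be interpreted as an option.
 */
function gitShowCommandHardened(string $identifier, string $file): string
{
    assertNotOptionLike($identifier, '$identifier');
    assertNotOptionLike($file, '$file');
    return sprintf('git show --end-of-options %s', escapeshellarg($identifier . ':' . $file));
}

// Constructed inputs: a normal tag/path pair and an option-shaped identifier.
$cases = [
    ['v1.2.3', 'composer.json'],
    ['--option-shaped-identifier', 'README.md'],
];
foreach ($cases as [$identifier, $file]) {
    echo 'vulnerable: ', gitShowCommandVulnerable($identifier, $file), PHP_EOL;
    try {
        echo 'hardened:   ', gitShowCommandHardened($identifier, $file), PHP_EOL;
    } catch (ArgumentInjectionException $e) {
        echo 'hardened:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The same validation applies to the Mercurial driver's separate `$file` argument, where `--` before the path plays the role `--end-of-options` plays for git.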

“Composer itself can be attacked through branch names by anyone controlling a Git or Mercurial repository, which is explicitly listed by URL in a project’s composer.json,” Composer’s maintainers note.

According to Sonar, an attacker looking to exploit the vulnerability would need to create a project in a remote Mercurial repository, add a manifest to composer.json and create a malicious ‘readme’ entry, create a .sh payload to perform a desired action, and then import the package to Packagist.

“The next step would be to modify the definition of a package to point to an unintended destination and compromise the application in which they are used,” Sonar explains.

The vulnerability was reported to the Packagist maintainers on April 7 and a hotpatch was released the next day. The issue was addressed with the release of Composer versions 2.3.5, 2.2.12, and 1.10.26, and no evidence of in-the-wild exploitation was found.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.