Supply chain attacks may have been enabled by a 15-year-old bug in PEAR PHP


A security vulnerability that has been present for 15 years has been discovered in the PEAR PHP repository. It could allow an attacker to conduct a supply chain attack, gaining unauthorized access to publish rogue packages and run arbitrary code.

SonarSource vulnerability researcher Thomas Chauchefoin wrote in a write-up published this week that "an attacker who exploited the first bug could take over any developer account and publish malicious releases, whereas an attacker who exploited the second bug could gain persistent access to the central PEAR server."

To gain initial access, an adversary must chain the second vulnerability with the first. The second one stems from pearweb's reliance on an older version of Archive_Tar, which is susceptible to a high-severity directory traversal bug (CVE-2020-36193, CVSS score: 7.5) that can lead to arbitrary code execution if it is not patched in time.

The flaws were trivial to identify and exploit, which, according to Chauchefoin, raises concerns about the lack of security contributions from the companies that rely on PEAR. "These vulnerabilities have been present for more than a decade and were trivial to identify and exploit," Chauchefoin said.

The findings mark the third time in less than a year that security issues have been uncovered in the PHP supply chain. In late April 2021, critical vulnerabilities were publicly disclosed in the Composer PHP package manager that could have allowed an adversary to execute arbitrary commands.

With the emergence of software supply chain attacks as a dangerous threat in the wake of protestware incidents targeting widely-used libraries in the NPM ecosystem, security issues tied to code dependencies in software are once again in the spotlight, prompting the Open Source Initiative to call the "weaponization of open source" an act of cyber vandalism that "outweigh[s] any potential benefits."

PEAR, short for PHP Extension and Application Repository, is a framework and distribution system for reusable PHP components.

Another issue, introduced in a code commit made in March 2007 when the feature was first implemented, is the use of the cryptographically insecure mt_rand() PHP function in the password reset functionality, which could allow an attacker to "discover a valid password reset token in less than 50 tries," according to the report.
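To illustrate the class of bug described above, here is an added PHP example (not pearweb's code; the seeding with time() and the in-memory $store are assumptions for illustration) showing a reset token generated from mt_rand() beside a hardened version that uses the OS CSPRNG, stores only a hash of the token, and enforces expiry and single use:

```php
<?php
// WEAK: mt_rand() is a Mersenne Twister, not a CSPRNG. Its output is fully
// determined by the seed; seeding from the clock (assumed here) leaves only a
// small window of candidate tokens, and hashing the result adds no entropy.
function weak_reset_token(): string
{
    mt_srand(time());                 // seed derived from a guessable value
    return md5((string) mt_rand());   // looks random, is not
}

// HARDENED: random_bytes() draws from the OS CSPRNG; 32 bytes = 256 bits.
function secure_reset_token(): string
{
    return bin2hex(random_bytes(32));
}

// Persist only a hash of the token, bound to an expiry, so a database read
// does not yield usable tokens. $store stands in for the persistence layer.
function issue_reset(array &$store, string $email, int $ttl = 900): string
{
    $token = secure_reset_token();
    $store[$email] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + $ttl,
    ];
    return $token;  // delivered to the account owner out of band
}

function verify_reset(array &$store, string $email, string $presented): bool
{
    if (!isset($store[$email]) || time() > $store[$email]['expires']) {
        return false;
    }
    // hash_equals() keeps the comparison constant-time.
    $ok = hash_equals($store[$email]['hash'], hash('sha256', $presented));
    if ($ok) {
        unset($store[$email]);  // single use: a token cannot be replayed
    }
    return $ok;
}

$store = [];
$token = issue_reset($store, 'dev@example.org');
var_dump(verify_reset($store, 'dev@example.org', $token));
var_dump(verify_reset($store, 'dev@example.org', $token));
```

The second verify_reset() call returns false because the token was consumed on first use; a reset token must also be invalidated when a new one is issued or the password changes.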

Because of this vulnerability, a malicious actor could target existing developer or administrator accounts and hijack them, publishing new trojanized versions of packages already maintained by the developers and causing widespread supply chain compromise.
