Apr 23, 2024NewsroomSupply Chain Attack / Application Security
Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness.
Dependency confusion attacks take place owing to the fact that package managers check the public repositories before private registries, thus allowing a threat actor to publish a malicious package with the same name to a public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private repository. If successful, it can have serious consequences, such as installing all downstream customers that install the package.
A May 2023 analysis of npm and PyPI packages stored in cloud environments by cloud security company Orca revealed that nearly 49% of organizations are vulnerable to a dependency confusion attack.
While npm and other package managers have since introduced fixes to prioritize the private versions, application security firm Legit Security said it found the Cordova App Harness project to reference an internal dependency named cordova-harness-client without a relative file path.
The open-source initiative was discontinued by the Apache Software Foundation (ASF) as of April 18, 2019.
As Legit Security demonstrated, this left the door wide open for a supply chain attack by uploading a malicious version under the same name with a higher version number, thus causing npm to retrieve the bogus version from the public registry.
With the bogus package attracting over 100 downloads after being uploaded to npm, it indicates that the archived project is still being put to use, likely posing severe risks to users.
In a hypothetical attack scenario, an attacker could hijack the library to serve malicious code that could be executed on the target host upon package installation.
The Apache security team has since addressed the problem by taking ownership of the cordova-harness-client package. It’s worth noting that organizations are advised to create public packages as placeholders to prevent dependency confusion attacks.
“This discovery highlights the need to consider third-party projects and dependencies as potential weak links in the software development factory, especially archived open-source projects that may not receive regular updates or security patches,” security researcher Ofek Haviv said.
“Although it may seem tempting to leave them as is, these projects tend to have vulnerabilities that are not getting attention and not likely to be fixed.”