Only a handful of authors (like Microsoft) publish packages that way. The problem is, that author signatures are not required when submitting packages to. In theory this would be a great way to control which packages you accept but in reality it’s not really useful to prevent this kind of attack. It allows you to create a list of allowed authors and/or repositories. There’s a nuget feature called trusted-signers. A nuget restore will always ask all available sources at the same time and restores a package from the source which answers first. If you think you can simply change the order of your feeds and move the feed at the very top to ensure it the last source to ask for a package, you are on the wrong path. You will get something like this: Note that I have a couple of local nuget sources, nuget sources from 3rd party vendors like DevExpress, my private nuget feed “Royal Nuget” and, of course “” at position 1. The default nfig contains as a source and this way it’s easy to just “replace” a private package you are using with a malicious public one. All an attacker needs to do is to publish a package with the same name (id) and the version you are using on which contains custom malicious code. Since we developer are always keen to follow conventions when it comes to naming and versioning, one could guess package names as well. So, what’s the problem having as a source in your build pipeline? Problem 1: Package Id and VersionĪs described in the link above, an attacker could quite easily “guess” a package name (package id) and the version of one of one of your packages. If you have a private nuget feed for closed, in-house packages, an attacker could easily “inject” a malicious package in your deployment. My colleague Felix did a quick proof of concept and it was shockingly easy to break our build or even inject malicious code in our build without us even noticing. Since our old build server died we needed to rebuild a new one and coincidently we were also looking at some security aspects while building the new server. using a so called “software supply chain attack”. Some of you may already be aware that a researcher was able to hack over 35 top tech companies like Microsoft, Apple, PayPal, etc.
0 Comments
Leave a Reply. |