MSRC compact vulnerability detail

CVE-2021-24105 · Package Managers Configurations Remote Code Execution Vulnerability

Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.

Attack scenarios

An attacker could take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies. With basic knowledge of the target ecosystems, an attacker could create an empty shell for a package and insert malicious code in the install scripts, give it a high version, and publish it to the public repository. Vulnerable victim machines will download whichever version of the package is higher between the public and private repositories and attempt to install it. Due to code incompatibility it will probably error out upon import or upon c...

Severity
n/a
Impact
n/a
CVSS
8.4 base · 7.6 temporal
Release
2021-02-09
Signals
Developer Tools
Unknown impact
Exploited: No
Publicly disclosed: No
Exploitability: Exploitation Less Likely
CWE
No CWE data published.
FAQ
How do I protect my systems or organization from this vulnerability?

This remote code execution vulnerability can only be addressed by reconfiguring installation tools and workflows, and not by correcting anything in the package repositories themselves. Some package repositories may be able to reduce the likelihood of a successful attack.

Where can I find guidance for configuring my installation tools and workflows to be protected from this vulnerability?

Depending on the package manager used and how it is configured, there are several mitigations available to protect against this vulnerability. Follow the guidance for your specific language as outlined in 3 Ways to Mitigate Risk Using Private Package Feeds. See also Changes to Azure Artifact Upstream Behavior.

References
3 Ways to Mitigate Risk Using Private Package Feeds
Changes to Azure Artifact Upstream Behavior
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
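Because the advisory says the fix lives in the client configuration rather than in the repositories, the practical check is an audit of the installation tool's config for the "search public and private feeds together, take the highest version" pattern. The script below is an added example, not MSRC's code or part of the referenced guidance: it reads pip config (INI), .npmrc and nuget.config text and reports the weak setting next to a hardened equivalent for each. The hostnames, the `@example` scope, the sample configs and the `audit_*` function names are all constructed for illustration; the NuGet packageSourceMapping element it looks for is the NuGet 6+ feature, and the assumption here is that the internal feed proxies the public index so a single index-url suffices.

```python
"""Audit pip, npm and NuGet client config for the dependency-confusion
condition: several feeds queried at once with highest-version-wins.
Added example, not MSRC's code; all hosts, scopes and configs are constructed."""
import configparser
import xml.etree.ElementTree as ET
from typing import Dict, List

PUBLIC_NPM_REGISTRY = "https://registry.npmjs.org"

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pkgs.example.internal/pypi/simple
"""
HARDENED_PIP_CONF = """
[global]
index-url = https://pkgs.example.internal/pypi/simple
"""
WEAK_NPMRC = """
registry=https://registry.npmjs.org/
//pkgs.example.internal/npm/:_authToken=${NPM_TOKEN}
"""
HARDENED_NPMRC = """
registry=https://pkgs.example.internal/npm/
@example:registry=https://pkgs.example.internal/npm/
"""
WEAK_NUGET_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://pkgs.example.internal/nuget/v3/index.json" />
  </packageSources>
</configuration>"""
HARDENED_NUGET_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://pkgs.example.internal/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org"><package pattern="*" /></packageSource>
    <packageSource key="internal"><package pattern="Example.*" /></packageSource>
  </packageSourceMapping>
</configuration>"""


def audit_pip_conf(text: str) -> List[str]:
    """pip merges every index it is given and installs the highest version,
    so extra-index-url next to a private feed is the risky pattern."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if cp.has_option(section, "extra-index-url"):
            findings.append(f"[{section}] extra-index-url set: a public package with a "
                            "higher version beats the private one; use one index-url "
                            "that points at a private feed proxying the public index")
    return findings


def parse_npmrc(text: str) -> Dict[str, str]:
    """Minimal key=value reader for .npmrc; comments and blank lines skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_npmrc(text: str, internal_scopes: List[str]) -> List[str]:
    """Every internal scope must be pinned to the private registry; otherwise
    its packages resolve from the default registry."""
    conf = parse_npmrc(text)
    default = conf.get("registry", PUBLIC_NPM_REGISTRY)
    findings = []
    for scope in internal_scopes:
        target = conf.get(f"{scope}:registry")
        if target is None:
            findings.append(f"{scope} has no scoped registry; it resolves from {default}")
        elif target.rstrip("/") == PUBLIC_NPM_REGISTRY:
            findings.append(f"{scope} is mapped to the public registry")
    return findings


def audit_nuget_config(text: str) -> List[str]:
    """Several package sources with no packageSourceMapping means NuGet asks
    every source and takes the highest version."""
    root = ET.fromstring(text)
    sources = root.find("packageSources")
    names = [s.get("key", "?") for s in sources.findall("add")] if sources is not None else []
    findings = []
    if len(names) > 1 and root.find("packageSourceMapping") is None:
        findings.append(f"{len(names)} sources ({', '.join(names)}) without "
                        "packageSourceMapping: map internal ID patterns to the "
                        "private source or keep a single source")
    return findings


if __name__ == "__main__":
    for label, result in [("pip", audit_pip_conf(WEAK_PIP_CONF)),
                          ("npm", audit_npmrc(WEAK_NPMRC, ["@example"])),
                          ("nuget", audit_nuget_config(WEAK_NUGET_CONFIG))]:
        print(label, "->", result or "no findings")
```

Run against a checkout's real config files, each audit function returns an empty list for the hardened shape and one finding per weak setting; the npm check needs the list of scopes the organization publishes privately, since an unscoped internal name cannot be told apart from a public one from the config alone. Maven, also named in the advisory, is not covered here.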