CAPEC-446

Malicious Logic Insertion into Product via Inclusion of Third-Party Component
Medium
High
Stable
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00

CAPEC Description

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

CAPEC Information

Prerequisites

Access to the product during initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.

Mitigations

Assess software and hardware during development and prior to deployment to ensure that they function as intended and contain no malicious functionality. This includes both initial development and updates propagated to the product after deployment.
Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.

References

REF-379

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)
Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf

REF-707

How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It
Thomas Brewster.
https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776

REF-708

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections
Dan Goodin.
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

REF-709

Extracting the SuperFish certificate
Rob Graham.
https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE

REF-713

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Jordan Robertson, Michael Riley.
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Submission

Name | Organization | Date | Date release
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 |

Modifications

Name | Organization | Date | Comment
CAPEC Content Team | The MITRE Corporation | 2018-07-31 +00:00 | Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
CAPEC Content Team | The MITRE Corporation | 2019-09-30 +00:00 | Updated Related_Attack_Patterns
CAPEC Content Team | The MITRE Corporation | 2021-06-24 +00:00 | Updated Related_Attack_Patterns
CAPEC Content Team | The MITRE Corporation | 2022-02-22 +00:00 | Updated Example_Instances, References
CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, References, Related_Attack_Patterns, Taxonomy_Mappings