CAPEC-538

Open-Source Library Manipulation
LOW
HIGH
Stable
2014-06-23 00:00 +00:00
2023-01-24 00:00 +00:00

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

Informations

Execution Flow

1) Explore

[Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria:

  • The open-source code currently in use on a selected target system.
  • The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
  • The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
  • The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
  • The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.

2) Experiment

[Develop a plan for malicious contribution] The adversary develops a plan to contribute malicious code, taking the following into consideration:

  • The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
  • Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary.
  • Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.

3) Exploit

[Execute the plan for malicious contribution] Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

Prerequisites

Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.

Skills Required

Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.

Related Weaknesses

CWE-ID Weakness Name
CWE-494 Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References

REF-439

Supply Chain Attack Framework and Attack Patterns
John F. Miller.
http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00 Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Description, Execution_Flow, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated Execution_Flow, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2023-01-24 +00:00 Updated Related_Weaknesses
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.