CAPEC-446

Malicious Logic Insertion into Product via Inclusion of Third-Party Component
Moyen
Haute
Stable
2014-06-23
00h00 +00:00
2022-09-29
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Gestion des notifications

Descriptions du CAPEC

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

Informations du CAPEC

Conditions préalables

Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.

Atténuations

Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.
Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.

Références

REF-379

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)
Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook, Matthew Fallon.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf

REF-707

How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It
Thomas Brewster.
https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776

REF-708

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections
Dan Goodin.
https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/

REF-709

Extracting the SuperFish certificate
Rob Graham.
https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE

REF-713

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Jordan Robertson, Michael Riley.
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Soumission

Nom Organisation Date Date de publication
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Nom Organisation Date Commentaire
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Example_Instances, References
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00 Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, References, Related_Attack_Patterns, Taxonomy_Mappings
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.