Dettaglio CAPEC-695

CAPEC-695

Repo Jacking
Medio
Alto
Stable
2022-09-29
00h00 +00:00
2023-01-24
00h00 +00:00
CAPEC Mitre.org
Avviso per un CAPEC specifico
Rimani informato su qualsiasi modifica relativa a un CAPEC specifico.
Gestione notifiche

Informazioni CAPEC

Flusso di esecuzione

1) Explore

[Identify target] The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.

2) Experiment

[Recreate initial repository path] The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.

3) Exploit

[Exploit victims] The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.

Prerequisiti

Identification of a popular repository that may be directly referenced in numerous software applications
A repository owner/maintainer who has recently changed their username or deleted their account

Competenze richieste

Ability to create an account on a VCS hosting site and recreate an existing directory structure.
Ability to create malware that can exploit various software applications.

Mitigazioni

Leverage dedicated package managers instead of directly linking to VCS repositories.
Utilize version pinning and lock files to prevent use of maliciously modified repositories.
Implement "vendoring" (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.
Leverage automated tools, such as Checkmarx's "ChainJacking" tool, to determine susceptibility to Repo Jacking attacks.

Vulnerabilità correlate

CWE-ID Nome della vulnerabilità

CWE-494

 Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

CWE-829

 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Riferimenti

REF-722

Repo Jacking: Exploiting the Dependency Supply Chain
Indiana Moreau.
https://www.concretecms.org/about/project-news/security/supply-chain-hack-phpass-repo-jacking

REF-732

CyRC Vulnerability Analysis: Repo jacking in the software supply chain
Theo Burton.
https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-repo-jacking/

REF-733

Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials
Jossef Harush.
https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials/

REF-734

GitHub RepoJacking Weakness Exploited in the Wild by Attackers
Jossef Harush.
https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/

Invio

Nome Organizzazione Data Data di rilascio
CAPEC Content Team The MITRE Corporation 2022-09-29 +00:00

Modifiche

Nome Organizzazione Data Commento
CAPEC Content Team The MITRE Corporation 2023-01-24 +00:00 Updated Related_Weaknesses
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.