Fix released for decade-old supply chain vulnerability impacting Composer

PHP package manager security flaw left millions of web apps open to abuse

Security researchers are warning that a software supply chain vulnerability impacting PHP could put millions of websites at risk.

The flaw, discovered by security researchers at SonarSource, affects Composer, the main tool used to manage and install dependencies for PHP.

Composer itself uses Packagist, an online service for managing PHP package requests, which is where the flaw was found.

SonarSource discovered a vulnerability allowing attackers to execute arbitrary system commands on the Packagist server. This could be used to obtain maintainers’ credentials, or to redirect package requests.

“An attacker changing the URL associated with the package symfony/symfony by one under their control would trick Composer into downloading the wrong source code, and with that deploy the attacker’s backdoor on the server running Composer,” Thomas Chauchefoin, vulnerability researcher at SonarSource told The Daily Swig.

Supply chain attack

According to Chauchefoin, SonarSource discovered the flaw when researching software supply chain attacks and investigating the components of the PHP packages ecosystem.

SonarSource believes the flaw has gone undetected for 10 years, even though a vulnerability was found in the same code by researcher Max Justicz in 2018.

“Its exploitability is very dependent on the command that is being called,” Chauchefoin explained. “That is very easy to overlook as user-controlled data is often already correctly sanitized against other injection vulnerabilities.”
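The two quotes above describe a value that is harmless as a URL but dangerous once it is handed to a command-line program as an argument, which is why sanitizing it against shell or SQL injection is not enough. The following is an added example, not code from the article, from SonarSource or from Composer itself; it shows the check a hypothetical VCS driver can apply to a repository URL before passing it to a client such as `git`: refuse values that the client would parse as an option, restrict the scheme, and separate options from positional arguments with `--`. Function names, the allowed scheme list and the sample inputs are all assumptions made for the example.

```php
<?php
// Added example (not code from the article or from Composer): a defensive
// check for a repository URL before it is passed to a VCS command-line client.
declare(strict_types=1);

/**
 * Return true only if $url is safe to hand to a VCS client as a positional
 * argument. The rules below are assumptions for this example.
 */
function isSafeRepositoryUrl(string $url): bool
{
    // Anything starting with '-' would be read as an option by most CLIs,
    // even though it is perfectly "clean" from a shell-escaping point of view.
    if ($url === '' || $url[0] === '-') {
        return false;
    }
    // Only allow the transports this hypothetical driver supports.
    $allowedSchemes = ['https', 'ssh', 'git'];
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return false;
    }
    // Reject control characters and whitespace, which have no place in a URL.
    return preg_match('/^[\x21-\x7e]+$/', $url) === 1;
}

/**
 * Build the clone command. Even after the check above, '--' tells the client
 * that nothing following it is an option, and escapeshellarg() covers the
 * separate class of shell-metacharacter injection.
 */
function buildCloneCommand(string $vcsBinary, string $url, string $targetDir): string
{
    if (!isSafeRepositoryUrl($url)) {
        throw new InvalidArgumentException('refusing to clone from suspicious URL: ' . $url);
    }
    return sprintf(
        '%s clone -- %s %s',
        escapeshellcmd($vcsBinary),
        escapeshellarg($url),
        escapeshellarg($targetDir)
    );
}

// Constructed sample inputs, standing in for a maintainer-controlled
// "source URL" field as it might arrive from a package index.
$samples = [
    'https://example.invalid/vendor/package.git',   // ordinary repository URL
    '--some-option=value',                          // would be parsed as an option
    'javascript:alert(1)',                          // unsupported scheme, no host
    "https://example.invalid/repo.git\n--foo",      // embedded newline
];

foreach ($samples as $url) {
    try {
        echo buildCloneCommand('git', $url, '/tmp/checkout'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run with `php example.php`: the first sample yields `git clone -- 'https://example.invalid/vendor/package.git' '/tmp/checkout'`, the other three are rejected before any command is built. The scheme allow-list and the leading-dash check are the part that is specific to the command being called, which is the point of the quote: the safe shape of an argument depends on the program that will interpret it.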

The overall popularity of PHP, combined with the number of PHP projects that use Composer, increases the risk.

PHP runs on 80% of websites. SonarSource estimates that two-thirds of PHP projects use Composer to manage their dependencies.

“The public Packagist infrastructure facilitates the downloads, but doesn’t directly host the source code,” said Chauchefoin.

“It is estimated that the public Packagist infrastructure serves around 100 million metadata requests per month. These could have been backdoored with the vulnerability we reported.”

Patch released

The flaw has now been fixed, and the researchers say the risks posed to sites using PHP are limited.

“However, if you give users control to your composer.json or use the internal APIs VcsRepository / VcsDriver and derivatives, you should definitely upgrade to Composer 1.10.22 and 2.0.13,” he added.

Nonetheless, web developers should stay vigilant, Jed Kafetz, head of pen testing at Redscan, told The Daily Swig.

“If an attacker can backdoor a common software package, each further application attempting to make use of the tool or software will be affected,” he said.

“An attacker may then leverage this access to exfiltrate data causing a large-scale breach, or compromise the underlying network, or alternatively use it as a base for further attacks,” added Kafetz.

“Supply chain compromise is a hugely advantageous route for an attacker to take. It goes beyond the realms of a targeted attack and can make a significant number of systems that were previously secure, suddenly vulnerable.”

Full technical details can be found in the SonarSource blog post.
