PHP Composer flaw that could affect millions of sites is fixed
Experts emphasize the importance of upgrading the tool and auditing lock files
Prajeet Nair (@prajeetspeaks) •
May 5, 2021
A patch has been released for a severe vulnerability that affects PHP Composer, a tool used to manage and install software dependencies in the PHP ecosystem. According to security researchers at SonarSource, the flaw could endanger millions of websites.
Developers around the world use Composer to ease the update process and ensure that applications work in all environments and versions.
SonarSource discovered a vulnerability in Packagist, which Composer uses to resolve PHP package requests, that could allow attackers to force Composer to download the wrong source code, potentially delivering a backdoor to the server running Composer.
“If you are using Composer and VcsRepository with user-controlled URLs or if you have your own Packagist instance, be sure to upgrade further,” says Thomas Chauchefoin, vulnerability researcher at SonarSource.
After updating Packagist and Composer, users should audit their composer.lock files to ensure they do not contain URLs that could be interpreted as command-line options, advise the maintainers of Packagist, the largest PHP package repository.
Packagist reports that it is not aware of any exploitation of the vulnerability, which is tracked as CVE-2021-29472.
SonarSource says the vulnerable code has been present since the first versions of Packagist appeared 10 years ago. SonarSource reported all issues to the team running Packagist on April 22, and a fix was deployed within 12 hours.
Packagist sits at the center of the supply chain for package downloads in PHP (Hypertext Preprocessor), the open-source general-purpose scripting language. In a single month, Packagist's public infrastructure responded to around 1.4 billion source code download requests, according to a SonarSource blog post.
Nils Adermann, co-founder of Packagist, says the organization has adjusted all external shell commands where possible to separate arguments from options with the POSIX separator, which should make similar attacks impossible anywhere in Composer or Packagist.
SonarSource researchers discovered the critical vulnerability in the way Packagist used Composer to fetch the source code of various open source software libraries, which allowed them to execute arbitrary system commands on the Packagist.org server.
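As an added illustration of the two recommendations above (auditing composer.lock for option-like URLs, and placing the POSIX end-of-options separator `--` before user-controlled arguments), the following Python script is not part of the article or of Composer itself; the lock file fragment and the dash-prefixed value in it are constructed, and the `git ls-remote` argv is only an example of the separator pattern.

```python
import json

# Constructed composer.lock fragment (not from any real project). The second
# package carries a "url" beginning with a dash, the pattern the Packagist
# maintainers advise auditing for after upgrading.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/normal-lib",
         "source": {"type": "git",
                    "url": "https://github.com/vendor/normal-lib.git",
                    "reference": "abc123"},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/vendor/normal-lib/zipball/abc123"}},
        {"name": "vendor/suspicious-lib",
         "source": {"type": "git",
                    "url": "--constructed-option=value",  # constructed, not a real flag
                    "reference": "def456"}},
    ],
    "packages-dev": [],
})


def option_like(url: str) -> bool:
    """True if a VCS tool would parse this string as a command-line option."""
    return url.startswith("-")


def audit_lock(lock_text: str) -> list[tuple[str, str, str]]:
    """Return (package, field, url) for every source/dist URL that looks like an option."""
    data = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            for field in ("source", "dist"):
                url = pkg.get(field, {}).get("url")
                if isinstance(url, str) and option_like(url):
                    findings.append((pkg["name"], field, url))
    return findings


def vcs_argv(url: str) -> list[str]:
    """Build an argv where '--' precedes the URL (hypothetical git call, for illustration).

    Everything after '--' is treated as a positional argument by POSIX-style
    parsers, so a dash-prefixed value can no longer be read as an option.
    """
    return ["git", "ls-remote", "--heads", "--", url]


if __name__ == "__main__":
    for name, field, url in audit_lock(SAMPLE_LOCK):
        print(f"suspicious {field} url in {name}: {url!r}")
```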
A vulnerability in such a central component, which serves more than 100 million package metadata requests per month, could potentially have a huge impact, says Chauchefoin. This access could be used to steal maintainer credentials or to redirect package downloads to third-party servers serving backdoored dependencies, allowing attackers to take control of websites and steal information.
An attacker could trick Composer into downloading the wrong source code by manipulating the URL and then deploying the attacker's backdoor to the server running Composer, Chauchefoin explains.
An alarming flaw
The flaw in Composer is alarming because the tool is so widely used, says Matthew Gribben, former cybersecurity and crypto consultant at the UK Government Communications Headquarters and current CTO of online retailer Farmison & Co.
“In this case, the security researchers failed to increase or establish the user privileges they had. But once that first door is opened, it at least unlocks the potential for an exploit with a significant impact,” says Gribben.
Securing the development lifecycle
Jonathan Knudsen, senior security strategist at the security company Synopsys, says application teams who want more secure software must embrace a secure development lifecycle, in which security is part of every phase of the process, from design to implementation, testing and maintenance.
“Part of the SDLC uses Software Composition Analysis, which is an automation that helps teams know what open source components they’ve used and understand the risks from a vulnerability perspective as well as from a licensing perspective,” he says. “Even after the application is released, vulnerabilities will continue to accumulate in the components used. A good SCA solution alerts you when new vulnerabilities are detected so you can fix them quickly.”
Security experts recommend that companies put more effort into auditing all the software tools they use.
“In general, we always recommend that you review any changes you make to your lock files to make sure that no untrusted dependencies or external URLs are introduced into your application,” Packagist explains. “Please note that Packagist.org is only a metadata server and the package content is downloaded from a location chosen by the package maintainers.”
James McQuiggan, a security awareness advocate at KnowBe4, says cybercriminals will exploit these vulnerabilities when they encounter PHP systems during their discovery or attack phases.
“Knowing that there is a high-risk vulnerability and given the recent large-scale attacks on the supply chain, organizations want to avoid falling victim to a readily available exploit,” he says. “By quickly assessing and reviewing this vulnerability with their risk management and change management teams, they can implement the update as soon as possible.”