Executive Summary

Informations
Name CVE-2021-24105 First vendor Publication 2021-02-25
Vendor Cve Last vendor Modification 2023-12-29

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 8.4
Base Score 8.4 Environmental Score 8.4
impact SubScore 5.9 Temporal Score 8.4
Exploitabality Sub Score 2.5
 
Attack Vector Local Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score 6.8 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe this vulnerability affects multiple package managers across multiple languages, including but not limited to: Python/pip, .NET/NuGet, Java/Maven, JavaScript/npm.

Attack scenarios

An attacker could take advantage of this ecosystem-wide issue to cause harm in a variety of ways. The original attack scenarios were discovered by Alex Birsan and are detailed in their whitepaper, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies.

  • With basic knowledge of the target ecosystems, an attacker could create an empty shell for a package and insert malicious code in the install scripts, give it a high version, and publish it to the public repository. Vulnerable victim machines will download the higher version of the package between the public and private repositories and attempt to install it. Due to code incompatibility it will probably error out upon import or upon compilation, making it easier to detect; however the attacker would have gained code execution by that point.

  • An advanced attacker with some inside knowledge of the target could take a copy of a working package, insert the malicious code (in the package itself or in the install), and then publish it to a public repository. The package will likely install and import correctly, granting the attacker an initial foothold and persistence.

These two methods could affect target organizations at any of these various levels:

  • Developer machines
  • An entire team if the configuration to import the malicious package is uploaded to a code repository
  • Continuous integration pipelines if they pull the malicious packages during the build, test, and/or deploy stages
  • Customers, download servers, production services if the malicious code has not been detected

This remote code execution vulnerability can only be addressed by reconfiguring installation tools and workflows, and not by correcting anything in the package repositories themselves. See the FAQ section of this CVE for configuration guidance.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24105

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Sources (Detail)

Source Url
N/A https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-2...

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2023-12-29 21:27:58
  • Multiple Updates
2021-05-04 14:07:22
  • Multiple Updates
2021-04-22 03:12:38
  • Multiple Updates
2021-03-26 12:38:16
  • First insertion