This week in software supply chain security: January 24 - 31, 2024

🚨 Recent Security Incidents

A selection of the most impactful security breaches or threats in supply chains

Jenkins CVEs

Sonarsource discovered a few remote vulnerabilities in Jenkins:

• The discovered Critical vulnerability tracked as CVE-2024-23897 allows unauthenticated attackers to read a limited amount of arbitrary files’ data, and "read-only" authorized attackers to an entire arbitrary file from Jenkins’ server.

• The discovered High severity, cross-site WebSocket hijacking (CSWSH), vulnerability tracked as CVE-2024-23898, allows an attacker to execute arbitrary CLI commands by manipulating a victim to click on a link.

PyPI Malware

Fortinet analyzed a number of malicious PyPI packages attributed to the same malware author.  The sophistication of the attacks increased over time, targeting both Windows and Linux systems with information stealers and code that targeted cryptocurrency wallets.

Don’t Let Those Maven Domains Lapse

Oversecured reported on vulnerabilities in the Java (Maven) ecosystem where attackers could potentially take over abandoned packages by acquiring the associated domain name. According to their research, about 15% of projects may be vulnerable.

Vulnerable GitLab Servers

The Shadowserver account on Mastodon reports at least 5300 GitLab servers vulnerable to CVE-2023-7028 (patched on Jan 11).  The vulnerability allows attackers to takeover accounts via password reset with no user interaction, though it can be blocked by the use of 2FA.

I Saw It On TVNPM

Sonatype uncovered a series of 748 NPM packages containing clips from movies. The packages, which all began with wlwz-, contained video clips with Mandarin subtitles. The packages have been reported to NPM, which has marked them as malicious.

Updates Over HTTP In 2023?

Targeting much later in the software supply chain, ESET has reported on a group called Blackwood compromising software update mechanisms.  The group is distributing an implant via Adversary-in-the-Middle attacks on software update mechanisms for Tencent QQ, Sogou Pinyin, WPS Office, and others.  The targeted software update mechanisms all rely on unencrypted HTTP and do not seem to have other signing mechanisms in place.

Mercedes-Benz Attack

Mercedes-Benz accidentally exposed their internal GitHub Enterprise Server with an employee's authentication token in a public GitHub repository.  The token had unrestricted read access to Mercedes' internal repos, including both intellectual property and design documents as well as connection strings, access keys, SSO passwords, and API keys.

When contacted, Mercedes revoked the API token and removed the public repository.

💡 Free Tools and Tips

New open-source and free (as in beer) supply chain security news

Private Sigstore? Yahoo!

Yahoo!’s security team described how they adopted sigstore within their enterprise. Highlights include SPIFFE and mTLS, integrations with Yahoo!’s build system, and keyless signing with Athenz OIDC, as well as a series of documented upstream contributions.

👀 Community and Public Sector Updates

News from key open source security projects and communities, and regulatory updates related to OSS security

Sigstore Monthly

Sigstore has started a monthly news update. In this issue, they cover a Cryptographic Agility proposal for sigstore signing algorithms, as well as improvements in Python and Go library support.

Eclipse Integrates Sigstore

Sigstore added support for OIDC identities representing the Eclipse Foundation’s Jenkins instances. The Eclipse Foundation is encouraging implementation of sigstore signing across their projects.

Evan Anderson

Principal Software Engineer

Evan Anderson On LinkedIn