Re: CVEs for malicious software in PYPI
There’s a benefit to companies and tools that auto identify installed
packages and report on associated vulnerabilities. These tools don’t
get hung up on misreading a typo.
However, typo squatting is a problem any package management system is
susceptible to. Without a gatekeeper system (gpg signing with
verification of authorship), there’s not much the PyPIs of the world
can do. These incidents represent malware/spyware more than a flaw. The
only real flaw would be in the publication process being easily
confounded by social engineering.
I’m not against the assigning of CVE to these, though it’s probably
ideal to count the incident and discoveries as one, i.e. one CVE for
the 10 packages combined.
There's quite a history of this behavior by researchers
(http://incolumitas.com/2016/06/08/typosquatting-package-managers/) and
malicious users
(http://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry).
--
William Cox
Senior Software Engineer
Black Duck Software
wcox@blackducksoftware.com
> On Sep 15, 2017, at 20:53, Kurt Seifried <kurt@seifried.org> wrote:
>
> http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
>
> TL;DR: Someone made PYPI packages that were malicious, and typo/close
> names of legit things (e.g. acquisition / acqusition). I'd like to
> assign CVEs to them so they are identified, so two thoughts:
>
> 1) people uploaded code (meant to be malicious or not) to PYPI that
> has flaws, so CVE right
> 2) the typo squatting aspect, should this get a CVE? There is obvious
> intent of shenanigans, but... how do we count it?
>
> --
> Kurt Seifried
> kurt@seifried.org
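The kind of automated check the reply alludes to (a tool that looks at installed or declared package names rather than relying on a human not misreading a typo), written as an added example that is not part of this thread or of any project mentioned in it. It flags dependency names that are not on a known-good list but sit within a small edit distance of one, which catches the "acquisition / acqusition" pair from the advisory. The allowlist, the requirements text and the distance threshold are constructed for the example; a real deployment would feed it an organization's own vetted dependency list.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist: legitimate package names an organization depends on.
# Names are stored in normalized form (see normalize() below).
KNOWN_GOOD: Set[str] = {"acquisition", "requests", "urllib3", "setuptools", "numpy"}


def normalize(name: str) -> str:
    """PEP 503 style name normalization: case-fold and collapse runs of
    '-', '_' and '.' to a single '-', so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    if a == b:
        return 0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> List[str]:
    """Extract bare project names from requirements.txt-style text.
    Comments, blank lines, pip options (lines starting with '-') are skipped;
    version specifiers and extras after the name are ignored."""
    names: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def suspicious(name: str, known: Set[str] = KNOWN_GOOD,
               max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (closest_known_name, distance) when `name` is NOT itself a known
    package but is within `max_distance` edits of one; None otherwise.
    A name that is exactly on the allowlist is never reported."""
    n = normalize(name)
    if n in known:
        return None
    best: Optional[Tuple[str, int]] = None
    for k in known:
        d = levenshtein(n, k)
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best


def audit(requirements_text: str) -> Dict[str, Tuple[str, int]]:
    """Map each suspicious dependency name to the known name it resembles."""
    findings: Dict[str, Tuple[str, int]] = {}
    for name in parse_requirements(requirements_text):
        hit = suspicious(name)
        if hit is not None:
            findings[name] = hit
    return findings


if __name__ == "__main__":
    # Constructed requirements file mixing legitimate and look-alike names.
    sample = "acqusition==1.0\nrequests>=2.0  # fine\nrequets\nnumpy\n"
    for pkg, (near, dist) in audit(sample).items():
        print(f"{pkg!r} is {dist} edit(s) from known package {near!r}")
```

The threshold of two edits is a tuning knob: a distance of one catches dropped or swapped letters like the advisory's example, while two starts to produce noise between genuinely distinct short names, so an unmatched hit should be treated as a review prompt rather than an automatic block.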