This Week in Software Supply Chain Security: April 4 - April 10, 2024
Eclipse weeks are better than Easter weeks
Welcome to This Week in Supply Chain Security, your essential weekly resource for the latest developments in software supply chain security. Each week, we bring you critical insights and updates to help you stay ahead in safeguarding your software supply chain. Brought to you by the open source security experts at Stacklok.
🚨 Recent Security Incidents
A selection of the most impactful security breaches or threats in supply chains
End of Support Means “Replace Now”
A security researcher has published a pair of vulnerabilities in older D-Link NAS devices in the DNS-32x and DNS-34x lines. As the company declared the devices End of Service in 2020, it will not patch the vulnerabilities, which include hardcoded credentials and a command execution vulnerability. At least 92,000 devices remain connected to the internet and pose a threat to other systems when compromised.
CI / CD as a Path to GitHub data
Acuity, a tech consulting firm with government contracts, confirmed a breach of several GitHub repositories. This story claims that one of the attackers compromised the repos via credentials lifted from a Tekton CI/CD server. The compromised data apparently included classified data, which was described as “old and non-sensitive” by Acuity. A federal investigation is also underway.
Hugging Face Vulnerable to Shared Infrastructure Risks
Wiz security published a report in conjunction with Hugging Face about two critical risks to customers using Hugging Face’s inference-as-a-service architecture. In the first attack, customers could submit models in Python’s “pickle” format, which can carry arbitrary executable code; that code could then persist and affect other customers’ models. The second attack targeted the CI/CD process of building an ML model, and could be used to insert malicious code into another customer’s machine learning model. Hugging Face has since fixed these vulnerabilities.
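As an added example (not from the Wiz report or from Hugging Face), here is one way a defender can inspect a pickle-format model file without unpickling it: walk the opcode stream and list every import it references. The function names, the allowlist, and the three sample payloads are constructed for this illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_WRITES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data):
    """Walk the opcode stream without unpickling; return (imports, has_call)."""
    imports, has_call, recent = set(), False, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in MEMO_WRITES:
            continue  # memo writes do not change the top of the stack
        if op.name in ("GLOBAL", "INST"):
            imports.add(arg.replace(" ", ".", 1))  # arg is "module name"
        elif op.name == "STACK_GLOBAL":
            # Module and name are the two strings pushed just before this op.
            pair = recent[-2:]
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            # Fail closed: strings fetched from the memo are not resolved here.
            imports.add(".".join(pair) if ok else "<unresolved>")
        has_call = has_call or op.name in CALL_OPS
        recent.append(arg if op.name in STRING_OPS else None)
    return imports, has_call


def violations(data, allowed):
    """Imports referenced by the pickle that the policy does not allow."""
    imports, _ = scan_pickle(data)
    return sorted(imports - set(allowed))


# Assumed policy for this example: only the container type is permitted.
ALLOWED = {"collections.OrderedDict"}

# Constructed samples: plain data, an allowed container, and a pickle that
# carries a reference to a callable outside the allowlist.
plain = pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=4)
ordered = pickle.dumps(OrderedDict({"layer.weight": [0.1]}), protocol=4)
with_ref = pickle.dumps({"hook": print}, protocol=4)

if __name__ == "__main__":
    for name, blob in [("plain", plain), ("ordered", ordered), ("with_ref", with_ref)]:
        print(name, scan_pickle(blob), "violations:", violations(blob, ALLOWED))
```

Opcode scanning is triage rather than a sandbox: a file with unresolved or non-allowlisted imports should be rejected instead of loaded.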
Noble Numbat Delayed Due to XZ
For those of you who track Ubuntu versions, Canonical delayed the latest release by a week to better analyze the impact of the xz attack.
Sophos Says Unpatched Vulnerabilities are the Worst
In a free report, Sophos claims that ransomware attacks which begin with unpatched vulnerabilities (rather than stolen credentials) have a higher likelihood of both compromising backups and having the data encrypted, with overall 4x higher recovery costs. However, the study also points out:
The study focuses on correlation, and further exploration is needed into reasons behind these outcomes.
💡 Free Tools and Tips
New open-source and free (as in beer) supply chain security news
Awesome-Secure-Defaults
TL;DR Sec compiled a list of libraries that enforce secure defaults, organized by language. It’s on GitHub, and seems to have about 50 items across a range of ecosystems. PHP seems to have the slight edge, with 17 libraries, followed by 15 for Golang and JavaScript.
👀 Community and Public Sector Updates
Funding Open Source Infrastructure
The Matrix.org Foundation has published an open letter calling for public funding to support maintenance of existing projects (rather than adding new features). As the foundation points out, FOSS maintenance is a bit like maintenance of other shared public infrastructure like bridges, roads, and defenses. They suggest that government organizations which are directly dependent on OSS projects should aim to pay for maintenance on projects in the same way they would pay commercial vendors. They also have some good links to existing projects which are starting to operate in this model.
Microsoft ❤️ CWEs
Microsoft announced last week that they will start including CWE root cause information in association with published CVEs. This should make it easier to understand the root causes of Microsoft CVEs.
CycloneDX 1.6 Released
CycloneDX 1.6 has been released. New features include a Cryptographic Bill of Materials, additional Attestations, and support for environmental data related to AI and ML model cards, including information on energy and CO2 usage. This release was shepherded by the OWASP Foundation and ECMA TC54 as part of a move towards a standards process.
That’s all for this week! See you next Thursday…