This Week in Software Supply Chain Security: June 20 - July 3, 2024
Two slow news weeks while I go camping
Welcome to This Week in Supply Chain Security, your essential weekly resource for the latest developments in software supply chain security. Each week, we bring you critical insights and updates to help you stay ahead in safeguarding your software supply chain. Brought to you by the open source security experts at Stacklok.
🚨 Recent Security Incidents
A selection of the most impactful security breaches or threats in supply chains
Polyfill.io Fills In Malware
Polyfill.io, the hosting domain for the polyfill.js library, has been caught serving malware to mobile clients, according to research from Sansec. For those not familiar with the JavaScript ecosystem, polyfill.js provides implementations of modern browser features on older browsers. Unfortunately, it seems the domain was purchased earlier this year, and the new owners have been selectively injecting malware into requests which redirects to a sports betting site (or maybe elsewhere — the malware injection was dynamic based on time and client headers). Unfortunately, polyfill.io was depended on by JSTOR, Intuit, and the World Economic Forum and 100K+ other sites, so this had fairly broad impact. The malware has since been taken down by Namecheap and Cloudflare, but the recommended solution is simply to remove the use of polyfills — in 2024, even older browser versions have implemented these features.
Nuisance CVEs Highlighted
BleepingComputer has a story on a maintainer who was so frustrated with user complaints from npm audit
that they archived the project repo. The CVE in question was marginal (it involved passing a user-controlled IP address string in a security decision context), but the tooling for flagging CVEs in NPM dependencies caused a huge amount of noise and chaos for the project for minimal security benefit. They further explore the process of disputing CVEs, and the challenge of ensuring that CVEs are high-quality; they have another example of a 9.8 curl CVE that was reduced to 3.3 when it was disputed and investigated further. Clout-chasing in the vulnerability research world has real consequences for maintainers…
💡 Free Tools and Tips
New open-source and free (as in beer) supply chain security tools
Using CodeQL to Flag Unsafe Deserialization in Ruby
The GitHub blog has a lengthy explanation of how Ruby deserialization vulnerabilities work, followed by a much shorter example of leveraging CodeQL to detect these vulnerabilities automatically. The whole thing reads a bit like a love letter to vulnerability engineering, but it’s a fun read through … when is data not data? When your library attempts to construct class objects for it automatically!
Semgrep Rules for Security Errors
Trail of Bits has a public repo containing a number of Semgrep rules for detecting problematic coding patterns they’ve found in their research and audits. It’s not as good as getting an actual audit by professionals, but it can be a good lightweight checkup on your existing codebase. (Safe coding practices are part of supply chain security — it’s not just about defending about ne’er do wells.)
👀 Community and Public Sector Updates
Unreported Library Vulnerabilities
Chainguard has a blog post about some research they did looking for project security fixes which didn’t get assigned CVEs. The results are kinda fuzzy - with a bunch of LLMs and manual checking, they found 100 non-CVE security fixes across 600 projects. There are a couple examples; some are security-related improvements that the authors didn’t think were practically exploitable, while others were references of a “security fix” without reference to what was fixed at all. At the same time, there’s also academic research showing that these vulnerability fixes do exist — for example, what’s viewed as a simple bug fix could also fix a vulnerability that the author didn’t realize existed.
Securing Docker Images the Wrong Way
An amusing one to close out the week. I attended CloudNativeSecurityCon last week, and Duffie Cooley and Kyle Quest had a fun talk about container image scanners. This was a follow on to last year’s “Malicious Compliance” talk, and leveraged both container minimization (probably good) and a set of tools to adjust the remaining metadata to avoid detection of vulnerable files (clever, but not good).
That’s all for this week! See you next Thursday…