The Risks Application Face From Central Package Repositories
Late last week, an older, currently less popular, yet still widely used repository for PHP packets called PEAR was apparently breached by unknown attackers. After gaining access, the attackers replaced a central part of the archive with malware. This means that users of the PEAR packet manager who tried to install or updated packages during this period in time were likely infected.
The PEAR project has since taken the drastic step of taking its service offline while investigations into the attack continue.
Why is this critical?
PEAR is an old and widely used packet manager for PHP. While most new projects elect to manage their packets using a software called 'composer' instead, a lot of older software relies on PEAR. This means that the breach and subsequent going offline of the service leaves these projects without automated ways of updating packets. This in turn can become a security concern when a vulnerability in one of the packets is discovered.
Another equally important aspect is the use of automation. Due to the increasingly popular paradigm of cloud-computing, many developers chose to automate the installation and updating of dependencies instead of manually installing them. This allows code to be quickly moved between different machines or scaled across several machines. It also prevents issues with unknown dependencies getting overlooked.
However, this automatic approach to packet maintenance also means that for the most part no human interaction is required when packets are updated using packet-managers. Subsequently, for many developers and administrators, determining if their systems interacted with PEAR during the time of the attack can prove challenging. Furthermore, if the attack had gone unnoticed, potentially tens of thousands of servers may have become infected during routine update activities. This risk is likely why the PEAR team decided to take servers offline altogether.
The risks of central targets
As we have discussed in previous briefings, cyber security is always a relative trade-off. The higher the value of a target becomes to an attacker, the higher the security measures have to be to keep it safe - up to the point where it is questionable if extremely high-value targets can be secured at all. Centralized packet repositories represent extremely high value targets. While they don’t hold large incentives for attackers themselves, they can offer access to thousands or even millions of projects with commercial or ideological value.
While most packet repositories are important enough to attract top-talent during their heyday which keeps them secure, older, smaller or failing packet managers can quickly turn into an extreme liability. With developers moving between jobs and often poor documentation of legacy projects, many organizations are completely unaware that their custom software communicates with such repositories on a regular basis.
What can I do to protect myself?
Make sure that all projects that automatically install and update packets are under active development. This includes most applications deployed into a cloud infrastructure and many traditional applications. Old and unsupported projects should be taken offline. If you are currently using an old or declining packet management system for a project, consider switching to a more active option. Lastly, large organizations with dozens of projects are advised to set up local mirrors of packet repositories and have them actively monitored. This creates an additional layer of defense should the original repositories become compromised.