• CramHacks
  • Posts
  • [CramHacks] Newsletter #4: WebP Hype & Secret Comments

[CramHacks] Newsletter #4: WebP Hype & Secret Comments

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

šŸ„³ Happy Monday! šŸ„³ 

Life Update

Very happy I made it home without substantial flight delays late last week. For some weird reason, I just donā€™t enjoy New Jersey as much as I do San Diego. If you didnā€™t know, there was some major flooding in NJ/NY which started the day I was flying out. ā›ˆļø ā›ˆļø 

Other stuff: šŸ„ā€ā™‚ļø šŸ„ā€ā™‚ļø Definitely have a healthy addiction to surfing going on - no complaints here. Just have to fight the urge to buy every surfboard I look at. Iā€™m not too great, but itā€™s crazy fun when each day is basically your best day ever.

Iā€™m still trying to figure out exactly what this newsletter will look like in the future and so Iā€™ll be experimenting a bit. As youā€™ll see, Iā€™ve only covered Software Supply Chain Security this week. Let me know what you think!

Software Supply Chain Security

Daniel Stenberg, Founder & Lead Developer of cURL, announced that on October 11th, 2023, curlā€™s release cycle will be cut short to patch a HIGH severity security issue. šŸ‘‹ I really appreciate & respect the way Daniel has handled this.

ā€œThis is probably the worst security problem found in curl in a long time.ā€-Daniel

CheckMarxā€™s Guy Nachshon details the discovery of malicious actors utilizing stolen GitHub personal access tokens to inject malicious code into hundreds of repositories, masquerading as Dependabot. The malicious code both exfiltrated project secrets and embedded password-stealing scripts into JavaScript files.

šŸ‘‹ I remember first using GitHub and thinking "so you're telling me I can make a commit as whoever the heck I want?" and then just being confused. I've gotten used to it and has has kind of become an afterthought. I don't expect these attack vectors to go anywhere given the limited knowledge/enforcement of verified commits. Don't get complacent people šŸ˜.

Macaron is a supply chain security analysis tool from Oracle Labs that checks conformance to the SLSA framework. Behnaz Hassanshahi, Principal Researcher @ Oracle, shared a 40 minute video detailing real-world risks associated with code build processes and how Macaron can detect these risks. A demo highlights displays how Macaron can determine whether the dependencies of a Java project are built and published via transparent CI workflows or manually uploaded to Maven Central. The latter case may indicate that malicious code has been embedded into the package.

šŸ‘‹ Okay, this is pretty sweet. I wanted to play with this locally but Iā€™m actually getting an error trying to run the install script and I donā€™t have time to troubleshoot šŸ˜…. Something to keep in mind, Macaron currently uses SLSA v0.1 and v1.0 has since been released. I suspect it will be difficult to maintain projects tied to SLSA due to its rapid growth in these early stages. Iā€™ll definitely be keeping my eye on this project.

AWS critiques the proposed SBOM requirements in CISA's SSDF, highlighting concerns about feasibility, security risks of a centralized repository, and limited applicability for SaaS solutions, echoing previous skepticism from major software vendors.

Jonathon Meadows highlights the work of the OpenSSF End Users Working Group whom has designed an initial threat model of Enterprise Open Source Supply Chains.

šŸ‘‹ OpenSSF is doing great work in the supply chain space; which makes sense given the importance of open source software in supply chain. Weā€™re fortunate to have so many industry leaders be transparent about how their organizations are solving these very sophisticated problems.

Fortinetā€™s Jin Lee and Jenna Wang detail several malicious NPM packages which exploit install scripts to exfiltrate sensitive user and system data, impacting various platforms and posing a high-severity threat by leaking credentials, source code, and other critical information.

šŸ‘‹ Malicious NPM packages is nothing new, but I thought it was pretty cool to see an AntiVirus solution combatting this risk. Itā€™s easy to say ā€œsoftware dependencies? thatā€™s an AppSec problemā€ and tbh, Iā€™d sort of expect that. So kudos to the team for identifying and developing a long list of indicators of compromise to protect your customers!

Okay, apparently Iā€™m new here ā†’ I now see that Fortinet has been doing this for a good while now. I look forward to keeping up with their latest discoveries šŸ˜€.

Ben Hawkes, Founder at Isosceles, provides a deep dive on the WebP 0day everyone is talking about.

Exploiting CVE-2023-4863 in libwebp involves a specially crafted WebP lossless file that can write data beyond the heap boundaries. The issue lies in the allocation of the HuffmanCode buffer within the ReadHuffmanCodes() function, where the buffer size fails to accommodate 15-bit codes.

šŸ‘‹ What the heckā€¦ is it CVE-2023-5129 or CVE-2023-4863??? We talked about the original CVE (CVE-2023-4863) in CramHacks Newsletter #2 and regardless of the CVSS score (8.8), it was quite obvious how serious this was. Then all of a sudden Google creates a new CVE (CVE-2023-5129) with a CVSS score of 10.0 and it is plastered all over the internet. To make matters even more confusingā€¦ CVE-2023-5129 was rejected by NVD.

Mark Curphey and the Crash Override team have released Chalk, an open source tool that embeds metadata into software builds, creating a traceable link from development to production. It aids various use-cases, such as compliance reporting and maintaining real-time application inventories, enhancing collaboration among development, operations, and security teams.

šŸ‘‹ Besides Chalk being open source, I appreciate the intention of the project. Similar to information security, you can only secure what you know. Software supply chain lacks many of the fancy tools IT has for automated asset discovery and management - Chalkā€™s documentation suggests that it may make life quite a bit easier to get the full view of the build process from dev to prod. Iā€™ll be following and hope to take a closer look in the near future!

Truffle Securityā€™s Joe Leon highlights the importance of scanning GH comments for exposed secrets and how using TruffleHog, over 721 live API keys and passwords were discovered on a small subset of GitHubā€™s public Pull Request and issue comments.

Until Next Time! šŸ‘‹ 

Hey, you made it to the bottom ā€“ thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! šŸ’Œ

If you think someone could benefit from this, donā€™t hesitate to forward.

See you next Monday!
-Kyle