12:10 > 12:50

Oops, there's someone in my package manager!

#security #php

Thomas Chauchefoin - SonarSource

Package managers are essential components of the modern developer toolkit. They make it possible to deploy and update dependencies from a central repository in one click, significantly reducing operating costs. These tools are often open source, and the backend infrastructure behind entire ecosystems is run by volunteers. These services are provided on a best-effort basis and offer no guarantees, either in terms of availability or in terms of security.

Yet virtually all software companies need these package managers to operate: compromising this segment of their supply chain is a very effective and subtle attack vector. A recent report by the European Union Agency for Cybersecurity (ENISA) studied 24 supply chain attacks reported between January 2020 and early July 2021, found that around 50% of them were attributed to known threat actors, and predicted that such attacks would increase fourfold in 2021 as ransomware groups join the trend.

This talk presents the technical details of the vulnerabilities that allowed us to compromise the infrastructure behind both PHP package managers, Composer (twice!) and PEAR. Together, they serve more than a billion package downloads every month: threat actors exploiting these bugs could have caused massive disruption to every company that uses PHP. We will also present how the impact of such an attack could be reduced, and the actions package managers can take to protect themselves.