Beyond Known CVEs: Understanding Supply Chain Attacks

Published by Farrukh Jadoon (@fkj) and Umar Sikander (@us)

What are the key differences between known vulnerabilities and supply chain attacks?

As software developers, it is important to understand the difference between supply chain attacks and known vulnerabilities (CVEs), and the limits of traditional vulnerability scanning in preventing the former.

In this post, we’ll take a deeper dive into these topics and provide code examples to illustrate the key differences.

What are Known Vulnerabilities (CVEs)?

A known vulnerability is a security flaw that has been identified and publicly disclosed by researchers, vendors, or other parties, and typically assigned a Common Vulnerabilities and Exposures (CVE) identifier so that tools and advisories can refer to it unambiguously. Attackers can exploit such flaws to gain unauthorized access to a system, steal sensitive information, or launch other types of attacks, but the flaw itself is a defect, not a deliberate implant.

For example, Heartbleed (CVE-2014-0160) is a known vulnerability disclosed in April 2014. It affected the heartbeat extension implementation in the OpenSSL cryptographic library, versions 1.0.1 through 1.0.1f. A missing bounds check let a remote peer read up to 64 KB of the process's memory per heartbeat request, exposing sensitive data such as session cookies, passwords, and private keys. OpenSSL 1.0.1g fixed the bug, operating systems and software vendors shipped patched packages, and users were advised to update immediately and to rotate any keys and credentials that might have been exposed.

The snippet below pairs a client that negotiates the protocol version with SSLv23_client_method() against one pinned to TLSv1_2_client_method(). The only difference is the method passed to SSL_CTX_new(). Note that this change does not address Heartbleed: the bug lived in the heartbeat handler (tls1_process_heartbeat in ssl/t1_lib.c) and could be triggered whatever protocol version was negotiated, TLS 1.2 included. The actual patch added a length check that rejects a heartbeat record whose declared payload does not fit inside the record; the practical fix for users was to upgrade to OpenSSL 1.0.1g (or rebuild with -DOPENSSL_NO_HEARTBEATS) and to reissue any keys that might have been exposed.

/// BEFORE (protocol version negotiated):

#include <openssl/ssl.h>

int main() {
    SSL_library_init();
    // SSLv23_client_method() negotiates the highest protocol version both
    // sides support; it has no effect on the heartbeat extension.
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
    SSL *ssl = SSL_new(ctx);
    // SSL_set_fd(ssl, sock) with a connected socket is needed before this call.
    SSL_connect(ssl);
    // ...
}

/// AFTER (pinned to TLS 1.2):

#include <openssl/ssl.h>

int main() {
    SSL_library_init();
    // TLSv1_2_client_method() only restricts the protocol version; a
    // Heartbleed-vulnerable OpenSSL build stays vulnerable over TLS 1.2.
    SSL_CTX *ctx = SSL_CTX_new(TLSv1_2_client_method());
    SSL *ssl = SSL_new(ctx);
    // SSL_set_fd(ssl, sock) with a connected socket is needed before this call.
    SSL_connect(ssl);
    // ...
}
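To show what the Heartbleed bug actually was, here is an added, simplified model of the heartbeat handler written for this post; it is not OpenSSL's code and is not part of the original article. The record layout (type, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520. The SECRET string and the "heap" layout are constructed for the demo, and the over-read stays inside one local buffer so the example itself has no undefined behaviour. The same function runs with and without the bounds check that the real patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the TLS heartbeat handler, written for this post.
 * It is NOT OpenSSL's code. Record layout per RFC 6520:
 *   1 byte type | 2 bytes payload length (big-endian) | payload | >=16 bytes padding
 * The handler echoes the payload back in a heartbeat response.
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/*
 * Build a heartbeat response for the record at rec into out.
 * rec_len is how many bytes of the record actually arrived on the wire.
 * Returns the number of bytes written to out, or -1 if the record is dropped.
 *
 * check_bounds == 0 mirrors OpenSSL 1.0.1 through 1.0.1f: the declared payload
 * length is trusted and that many bytes are copied from the record, reading
 * past its end into whatever memory follows it.
 * check_bounds == 1 mirrors the 1.0.1g fix: records whose declared payload
 * does not fit in rec_len are silently discarded.
 */
int process_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int check_bounds)
{
    if (check_bounds && 1 + 2 + HB_PADDING > rec_len)
        return -1;                         /* too short to hold header + padding */

    const uint8_t *p = rec;
    uint8_t  type    = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled */
    p += 2;

    if (type != HB_REQUEST)
        return -1;
    if (check_bounds && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                         /* the missing check behind Heartbleed */
    if ((size_t)3 + payload > out_cap)
        return -1;                         /* protects the demo's own buffer only */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);           /* copies `payload` bytes, received or not */
    return 3 + payload;
}

/* Constructed attacker record: type = request, declared payload = 64 bytes, no payload sent. */
static const uint8_t ATTACK_RECORD[] = { HB_REQUEST, 0x00, 0x40 };
/* Constructed stand-in for key material sitting next to the record in the heap. */
static const char SECRET[] = "SECRET_KEY_MATERIAL";

/*
 * Lay the record, its padding and the secret out in one local buffer, as they
 * would sit in a process heap, and run the handler. The over-read stays inside
 * this buffer, so the demo itself has no undefined behaviour.
 * Returns bytes echoed or -1; *leaked is set if the secret appears in the echo.
 */
int run_heartbeat_demo(int check_bounds, int *leaked)
{
    uint8_t heap[128] = {0};
    uint8_t out[128]  = {0};
    size_t  secret_off = sizeof ATTACK_RECORD + HB_PADDING;

    memcpy(heap, ATTACK_RECORD, sizeof ATTACK_RECORD);
    memcpy(heap + secret_off, SECRET, sizeof SECRET);

    /* Only the 3-byte header and 16 bytes of padding were received. */
    size_t rec_len = sizeof ATTACK_RECORD + HB_PADDING;
    int n = process_heartbeat(heap, rec_len, out, sizeof out, check_bounds);

    *leaked = 0;
    size_t slen = strlen(SECRET);
    for (int i = 3; n > 0 && i + (int)slen <= n; i++) {
        if (memcmp(out + i, SECRET, slen) == 0) { *leaked = 1; break; }
    }
    return n;
}

/* Small wrappers so each result can be checked independently. */
int heartbeat_bytes_echoed(int check_bounds)  { int l; return run_heartbeat_demo(check_bounds, &l); }
int heartbeat_secret_leaked(int check_bounds) { int l; run_heartbeat_demo(check_bounds, &l); return l; }

int main(void)
{
    int leaked, n;
    n = run_heartbeat_demo(0, &leaked);
    printf("without bounds check: echoed %d bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat_demo(1, &leaked);
    printf("with bounds check:    result %d, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

Without the check, the attacker's three-byte request comes back as a 67-byte response that contains memory the peer never sent, which is the whole of Heartbleed. With the check the record is dropped before any copy happens. The fix is a length comparison in the handler, not a change of protocol version, which is why the scanner-visible signal for this vulnerability is the OpenSSL package version, not anything about the TLS configuration.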

The Equifax breach of 2017 is another notable example of a known vulnerability being exploited, not a supply chain attack: the attackers used CVE-2017-5638 in the Apache Struts library, a flaw that had been disclosed and patched in March 2017 but that Equifax had not yet applied to the affected system.

What are Supply Chain Attacks?

A supply chain attack is a cyber attack that targets the weak links in the software development and delivery process: third-party libraries, open-source components, package registries, or the build and deployment tooling itself. These attacks typically inject malicious code into legitimate software through some entry point in the supply chain, so that the code is distributed to end users under a trusted name and then used to launch further attacks.

One notable example is the SolarWinds attack, disclosed in December 2020. The threat actors compromised the build process of SolarWinds Orion, a widely deployed IT management tool, and inserted a backdoor into signed product updates. Customers who installed the compromised updates gave the attackers a foothold in their networks.

Vulnerable != Malicious

The main difference between supply chain attacks and known vulnerabilities is intent. A supply chain attack targets the weak links in the development process with malicious intent: the injected code is designed to do harm, and does so as soon as it runs in the victim's environment. A known vulnerability, by contrast, is a defect that has been identified and disclosed; it causes harm only if someone chooses to exploit it.

Supply chain attacks are also not what CVE databases describe. The malicious code is new, carries no CVE identifier, and often lives in software that was legitimate until it was compromised at the source. Known vulnerabilities, on the other hand, are flaws resulting from shortcomings in software design and implementation, usually a mistake or oversight rather than malice.

The need for proactive measures

Traditional vulnerability scanning is commonly used to identify and mitigate known vulnerabilities in open source dependencies, but it is not sufficient to prevent modern supply chain attacks. Scanners match the names and versions of the packages in a project against a database of known vulnerabilities (CVEs), so their coverage is only as good as that database is current. In a supply chain attack, significant harm is typically done before the threat is detected at all, let alone published as a CVE.

Supply chain attacks involve code that is not yet in those databases, such as malicious code in a new release of an open source package. Traditional vulnerability scanning is therefore reactive and will not detect these attacks as they happen. They can also involve legitimate software being compromised at the source, for example by an attacker taking over a package maintainer's account or a developer's machine, which leaves the package name and version looking perfectly ordinary to a scanner.

This kind of attack is hard to detect with traditional approaches because they focus on identifying vulnerabilities in the software itself rather than on the integrity of the supply chain and development process that produced it.

In conclusion, supply chain attacks are a serious threat to software security and require a different approach than traditional vulnerability scanning. Software developers should take a proactive approach to managing supply chain risk, for example by verifying what a dependency update actually contains rather than only checking whether its version has a CVE, and should be aware of the limits of traditional scanning tools in preventing supply chain attacks.