CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

High

Typical severity

Per MITRE

Medium

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component

Overview

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-446?

How do you prevent CAPEC-446?

How severe is CAPEC-446?

References

Defend against CAPEC-446

Overview

What the attacker needs

Prerequisites

Consequences

How to mitigate it

Examples

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-446?

How do you prevent CAPEC-446?

How severe is CAPEC-446?

References

Defend against CAPEC-446