CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component
An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.
Last updated
Overview
The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.
What the attacker needs
Prerequisites
- Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.
Consequences
What a successful CAPEC-446 attack can achieve.
Execute Unauthorized Commands
Affects: Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-446.
- Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.
- Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.