CAPEC-538: Open-Source Library Manipulation
Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
Last updated
Overview
CAPEC-538 (Open-Source Library Manipulation) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria:
- Step 2Experiment
[Develop a plan for malicious contribution] The adversary develops a plan to contribute malicious code, taking the following into consideration:
- Step 3Exploit
[Execute the plan for malicious contribution] Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.
What the attacker needs
Prerequisites
- Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.
Skills required
- High skill: Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.
Examples
An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim.
Terminology & mappings
Mapped taxonomies
- ATTACK: Supply Chain Compromise: Software Dependencies and Development Tools (1195.001)
Frequently asked questions
Common questions about CAPEC-538.
- What is CAPEC-538?
- Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
- How does a Open-Source Library Manipulation attack work?
- It typically unfolds over 3 phases. It begins with: [Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria:
- What weaknesses does CAPEC-538 target?
- CAPEC-538 exploits 2 CWE weaknesses, including CWE-494 (Download of Code Without Integrity Check), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
- How severe is CAPEC-538?
- MITRE rates CAPEC-538 as High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-538
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.