undefined | Better HN

0 pointsCriticalRegion2d ago0 comments

This is a baffling take.. These exploits are local privilege escalations for linux systems. They'll allow an attacker with a foothold in a shared environment or with low privilege access to a system to affect the rest of the system. They aren't RCEs and won't let attackers access environments that they couldn't before other than the shared hosting scenarios. That is absolutely not how most supply chain attacks are carried out. Most supply chain attacks are performed via credential theft and social engineering. The more sophisticated ones are APT style attacks like the Solarwinds one (which were carried out by organisations that would already have exploits like these) or more creative stuff like the Shai-Hulud fiasco. All of these options existed before these LPEs. If you're worried about supply chain attacks you've been worried for longer than Mythos has been out. Not updating your software is never good security advice.

0 comments

AntiUSAbah2d ago

The supply chain attack in this case, would be injecting the exploit on a ci/cd system and escalating the local user who runs the npm code to root.

The proper response from them and you, should be to make sure to have some isolatin between user space and root like gvisor.

Phelinofist2d ago

Either my reading of your comment is wrong or you misunderstood the supply chain comment by OP I think: what they mean is that a supply chain attack that gets the exploit on a system would be great now because the reported vulns are unfixed pretty much everywhere

CriticalRegionOP2d ago

No, you read it right. I just misunderstood the post's message as "these exploits will enable more supply chain attacks". I'll probably delete my comment since it's debating a strawman. It is absolutely right that these exploits might enable these attacks to have a larger impact. I still don't think that I agree with the message since a malicious npm package already installed can get its payloads from a C2 server, it doesn't need an npm update.

Phelinofist1d ago

> since a malicious npm package already installed can get its payloads from a C2 server, it doesn't need an npm update

In general I agree, but I think these two vulns are 0day-y and pretty much every major distro is affected AFAIU, so there is perhaps slightly more potential than usual

asqueella23h ago

Thanks for not deleting your question — I misunderstood the OP in the same way.

throawayonthe2d ago

yeah but i mean installing an npm package in a container is giving it low privilege access

traderj0e1d ago

Well it does say "install" new software, as in run code locally

j / k navigate · click thread line to collapse