Supply chain flaws in PHP package manager PEAR lay undiscovered for 15 years

PEAR was ripe for exploitation via cryptographic flaw and bug in outdated dependency

Attackers could have wreaked havoc on the PHP ecosystem by exploiting a pair of longstanding vulnerabilities that were only recently patched in package manager PEAR, according to security researchers.

PEAR developer accounts were left at risk of malicious takeover by a flaw arising from weak entropy on the password reset function, revealed Thomas Chauchefoin, a vulnerability researcher at Swiss security firm SonarSource, in a blog post.

Attackers could then poison the PHP ecosystem with malicious releases of existing packages, before securing persistent access to the central PEAR server via abuse of a separate vulnerability in an outdated version of a bundled dependency.

SonarSource has published a video explaining the two-pronged attack scenario.

‘Minimal technical expertise’

PEAR has fallen out of favor amid the rise to dominance of rival PHP package manager Composer, in whose principal repository SonarSource disclosed a similarly serious vulnerability last year.

BACKGROUND PHP package manager flaw left millions of web apps open to abuse

However, the most popular packages downloaded via PEAR – the PEAR client itself, Console_Getopt, Archive_Tar, and Mail – still rack up several thousand downloads per month.

The supply chain vulnerabilities, which lay undiscovered for more than 15 years, “could have been easily identified and exploited by threat actors with only minimal technical expertise, causing important disruption and security breaches across the world”, according to Chauchefoin.

Software supply chain attacks targeting PEAR and similar developer tools have a particularly significant impact given developers “are likely to run it on their computers before deploying it on production servers, creating an opportunity for attackers to pivot into companies’ internal network”, he added.

Weak PRNG

PEAR’s password reset function used to generate random values, even though the technique is obsolete and unsuitable for generating cryptographically secure values.

Once the values were concatenated and hashed with , “the final value is only based on two unknowns, which are the output of and ,” said Chauchefoin.

“The first one cannot yield many values (10), and the second one can easily be approximated by the attacker. In addition, the HTTP server of pear.php.net adds a Date header to its responses, narrowing it down to only a few values (< 5).”

The researchers concluded that attackers could secure a valid password reset token within 50 attempts.

Read more of the latest software supply chain attack news

The other bug provided a backdoor for continuing attacks even if the first bug had been fixed. “It could also help them to hide their tracks by modifying access logs,” said Chauchefoin.

The flaw arose because pearweb pulled version 1.4.7 of , which was vulnerable to CVE-2020-36193, a directory traversal issue that could lead to remote code execution (RCE) on PEAR.

Timeline

SonarSource warned the maintainers of PEAR about the bugs on July 30, 2021.

They were patched in pearweb version 1.32, released on March 13, with all previous versions affected.

The flaws’ survival in PEAR’s codebase for more than 15 years raises “questions about the lack of security contributions [audits] from companies relying on it”, said Chauchefoin.

They advised PEAR users to “consider migrating to Composer, where the contributors community is more active and the same packages are available”.

YOU MIGHT ALSO LIKE GitLab addresses critical account hijack bug