Hacker News new | ask | show | jobs
by CriticalRegion 43 days ago
This is a baffling take.. These exploits are local privilege escalations for linux systems. They'll allow an attacker with a foothold in a shared environment or with low privilege access to a system to affect the rest of the system. They aren't RCEs and won't let attackers access environments that they couldn't before other than the shared hosting scenarios. That is absolutely not how most supply chain attacks are carried out. Most supply chain attacks are performed via credential theft and social engineering. The more sophisticated ones are APT style attacks like the Solarwinds one (which were carried out by organisations that would already have exploits like these) or more creative stuff like the Shai-Hulud fiasco. All of these options existed before these LPEs. If you're worried about supply chain attacks you've been worried for longer than Mythos has been out. Not updating your software is never good security advice.
4 comments
AntiUSAbah 43 days ago
The supply chain attack in this case, would be injecting the exploit on a ci/cd system and escalating the local user who runs the npm code to root.

The proper response from them and you, should be to make sure to have some isolatin between user space and root like gvisor.

link
Phelinofist 43 days ago
Either my reading of your comment is wrong or you misunderstood the supply chain comment by OP I think: what they mean is that a supply chain attack that gets the exploit on a system would be great now because the reported vulns are unfixed pretty much everywhere
link
CriticalRegion 43 days ago
No, you read it right. I just misunderstood the post's message as "these exploits will enable more supply chain attacks". I'll probably delete my comment since it's debating a strawman. It is absolutely right that these exploits might enable these attacks to have a larger impact. I still don't think that I agree with the message since a malicious npm package already installed can get its payloads from a C2 server, it doesn't need an npm update.
link
Phelinofist 43 days ago
> since a malicious npm package already installed can get its payloads from a C2 server, it doesn't need an npm update

In general I agree, but I think these two vulns are 0day-y and pretty much every major distro is affected AFAIU, so there is perhaps slightly more potential than usual

link
asqueella 42 days ago
Thanks for not deleting your question — I misunderstood the OP in the same way.
link
throawayonthe 43 days ago
yeah but i mean installing an npm package in a container is giving it low privilege access
link
traderj0e 43 days ago
Well it does say "install" new software, as in run code locally
link