Hex package registry vulnerability

https://blog.voltone.net/post/22

• Fixed in rebar3-3.8.0 and Hex-0.19.0
• When you add a depp you should trust:
  • author of the code
  • the source code repo
  • package manager
  • package manager’s hosting and CDN
  • package repository mirror
• We should also trust their ability to protect their systems from attackers!!
• The simplest protection: checksum and digital signature
• Hex Package Registry:
  • For each package Hex maintain a registry with list of all releases + properties
  • SHA256 - one of the properties
  • The registry is protected by a signature, generated with the Hex Server’s private key
• Hex Client check registry signature, package SHA256 checksum
• Problem:
  • Hex server signed any package, and didn’t include package name.
  • Send malicious package (that’ll execulte bad code during mix compile)
  • Substitute the package on mirror
• Fix:
  • Include package name and organization name into the package on Hex server before singature
• IMHO:
  • Very difficult to foresee the problem
  • Do we have a ‘all-purpose-security-check-list’?
  • Hackerone?
  • https://theupdateframework.github.io/ - is a solid approach