SQ30102
Detected presence of software components commonly abused for malicious application loading.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| | pass | medium | medium | None | malware: warning. Reason: riskware applications found |
About the issue
Some software components allow arbitrary code execution. By design, such applications do not check the type of content they are asked to load or execute. Where this check is missing, unverified code may even run with the elevated privileges of the loading application. Malicious code invoked this way gains stealth, because it executes under the identity of a digitally signed, highly trusted application. Security professionals refer to these components as Living off the Land binaries (LOLBins).
How to resolve the issue
- Whenever possible, release software packages without components commonly abused by attackers.
- This policy may also detect scripting-language interpreters and compilers. In such cases, review the application's use of runtime code generation and allow it only where the application strictly requires it.
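A pre-release check of this kind, as an added example that is not ReversingLabs code: it walks a package's files, fails the build on components the LOLBAS project documents as commonly abused (a hand-picked subset, assumed here), and flags interpreters and compilers for review rather than failing outright. The sample package layout is constructed inline.

```python
"""Release-gate check for bundled LOLBin-class components (illustrative, not RL's scanner)."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Subset of Windows utilities the LOLBAS project lists as proxy-execution binaries (assumed list).
LOLBIN_NAMES = {
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "msbuild.exe", "installutil.exe", "wscript.exe", "cscript.exe",
}
# Interpreters/compilers: legitimate, but they enable runtime code generation, so they
# only get a "review" verdict, matching the policy's guidance above (assumed list).
INTERPRETER_NAMES = {"python.exe", "powershell.exe", "csc.exe", "node.exe"}


def classify_name(filename: str) -> Optional[str]:
    """Return 'fail', 'review', or None for a single bundled file name (case-insensitive)."""
    name = filename.lower()
    if name in LOLBIN_NAMES:
        return "fail"
    if name in INTERPRETER_NAMES:
        return "review"
    return None


def scan_package(root: Path) -> Dict[str, List[str]]:
    """Classify every file under root; paths are reported relative to the package root."""
    findings: Dict[str, List[str]] = {"fail": [], "review": []}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            verdict = classify_name(path.name)
            if verdict:
                findings[verdict].append(path.relative_to(root).as_posix())
    return findings


def ci_status(findings: Dict[str, List[str]]) -> str:
    """Map findings onto a CI/CD outcome: any LOLBin fails, interpreters only warn."""
    if findings["fail"]:
        return "fail"
    return "warning" if findings["review"] else "pass"


def demo() -> Dict[str, object]:
    """Run the check over a constructed package tree; file contents are irrelevant to a name check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("bin/app.exe", "bin/tools/certutil.exe", "lib/helper.dll", "scripts/python.exe"):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"MZ")  # constructed placeholder, not a real binary
        findings = scan_package(root)
        return {"status": ci_status(findings), **findings}
```

Name matching is only a first pass: a renamed copy of a listed utility slips through, so a production gate should also compare file hashes or signer identities against the known utilities.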
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- NuGet: 189K
- PyPI: 403K
- npm: 2.1M
Recommended reading
- Arbitrary code execution (External resource - Wikipedia)
- LOLBAS Project (External resource)
- Bring your own LOLBin (External resource - Microsoft Security blog)