Hex Package Manager: Lockfile Checksum Verification Bypass

Vulnerability

A vulnerability in the Hex package manager, affecting versions from 0.16.0 up to but not including 2.4.2, allows dependency integrity checks to be bypassed. The issue lies in the Hex.RemoteConverger module, where verification of lockfile checksums is handled incorrectly. The lockfile, mix.lock, exists to make builds reproducible by recording a checksum for every dependency. The verification step, however, compares atom-based dependency names against the string-based names stored in the lockfile; in Elixir an atom never equals a string, so the lookup never matches and the checksum comparison is silently skipped rather than failing. Checksums are still validated when packages are downloaded from the registry, but any discrepancy between the lockfile and the resolved dependencies goes undetected. An attacker able to manipulate cached packages, for example through local cache poisoning or a compromised registry, could therefore introduce modified dependency contents that are accepted without scrutiny. mix.lock would then be rewritten with the tampered checksum values, erasing any trace of the modification.
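A simplified model of the check described above, added here as an illustration and not Hex's own code: the lockfile map is keyed by package-name strings while resolved dependencies carry atom names, so the vulnerable lookup never matches and the comparison is skipped, whereas normalizing the key type makes a tampered entry visible. Checksums, package names and tarball bytes are constructed sample values.

```elixir
# Added illustration, not Hex's own code: a simplified model of the mix.lock
# checksum check and the key-type mismatch that turned it into a silent no-op.
defmodule LockCheckDemo do
  # mix.lock keys are package-name STRINGS; resolved deps use ATOM names (as Mix does).
  # Checksums here are SHA-256 hex digests of constructed tarball bytes.
  defp sha256(bytes), do: :crypto.hash(:sha256, bytes) |> Base.encode16(case: :lower)

  # Constructed sample: "jason" is consistent, "plug" has a tampered lockfile entry.
  def sample do
    good = sha256("constructed tarball bytes for jason")
    lock = %{
      "jason" => %{checksum: good},
      "plug" => %{checksum: sha256("tampered tarball bytes for plug")}
    }
    resolved = [
      %{name: :jason, checksum: good},
      %{name: :plug, checksum: sha256("constructed tarball bytes for plug")}
    ]
    {lock, resolved}
  end

  # Vulnerable pattern: looking up an atom in a string-keyed map never matches,
  # so every dep falls into the "not locked" branch and no comparison happens.
  def verify_vulnerable(lock, resolved) do
    Enum.map(resolved, fn %{name: name, checksum: expected} ->
      case Map.get(lock, name) do
        nil -> {name, :unlocked_skipped}
        %{checksum: ^expected} -> {name, :ok}
        _ -> {name, :checksum_mismatch}
      end
    end)
  end

  # Hardened pattern: normalize the name to the lockfile's key type before the
  # lookup, and report a mismatch or a missing entry instead of skipping silently.
  def verify_fixed(lock, resolved) do
    Enum.map(resolved, fn %{name: name, checksum: expected} ->
      case Map.fetch(lock, Atom.to_string(name)) do
        {:ok, %{checksum: ^expected}} -> {name, :ok}
        {:ok, _} -> {name, :checksum_mismatch}
        :error -> {name, :missing_lock_entry}
      end
    end)
  end
end

{lock, resolved} = LockCheckDemo.sample()
IO.inspect(LockCheckDemo.verify_vulnerable(lock, resolved), label: "vulnerable")
IO.inspect(LockCheckDemo.verify_fixed(lock, resolved), label: "fixed")
```

Run with `elixir lockcheck.exs`: the vulnerable variant reports both packages as unlocked and skipped, while the fixed variant accepts jason and flags plug as a checksum mismatch.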

Impact

Exploitation of this vulnerability undermines the integrity of the mix.lock file, which is crucial for maintaining a consistent and reliable dependency management process. The flaw allows for undetected alterations to dependency contents, potentially leading to the introduction of malicious or harmful changes in the application's dependencies.

Reproduction

To reproduce this vulnerability, first modify the checksum values of a dependency in the mix.lock file. Then, run the 'mix deps.get' command. No warning or error will be raised, and the dependency will be accepted. The mix.lock file will be silently updated with the correct checksum values from the registry, demonstrating that the checksum verification process is not functioning as intended.

Remediation

Users can update to Hex version 2.4.2, where this vulnerability has been fixed.

Added: Apr 30, 2026, 7:29 PM
Updated: Apr 30, 2026, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.