Description: An attacker compromises a package in the vcpkg registry (or mirror). They inject malicious code into the library's source code, build scripts (portfile), or pre-built binaries. When developers install this package via vcpkg, the malicious code is incorporated into their application during the build process.
Impact: Critical. The application becomes compromised, potentially leading to:
* Data breaches (exfiltration of sensitive data).
* System compromise (remote code execution, privilege escalation).
* Denial of service (application crashes, resource exhaustion).
* Supply chain contamination (malware spread to end-users of the application).
Affected vcpkg Component: Package Registry, Portfiles, Downloaded Packages, Build Process.
Risk Severity: Critical.
Mitigation Strategies:
* Package Pinning: Use specific package versions in vcpkg.json.
* Source Code Auditing (for critical dependencies): Review source code of sensitive libraries.
* Use Official vcpkg Registry: Stick to the official Microsoft registry.
* Regularly Update vcpkg: Keep vcpkg updated for security patches.
* Checksum Verification (if implemented by vcpkg): Enable and verify package checksums.
Description: Attackers compromise the vcpkg GitHub repository or distribution infrastructure. They replace the legitimate vcpkg client executable with a backdoored version. Developers downloading and installing vcpkg from the compromised source unknowingly install the malicious client. Impact: Critical. A compromised vcpkg client can: * Inject malicious code into all subsequently installed packages. * Steal developer credentials or sensitive information from the development environment. * Manipulate the build process to introduce vulnerabilities. * Act as a persistent backdoor on developer machines. Affected vcpkg Component: vcpkg Client Distribution, Download Mechanism. Risk Severity: Critical. Mitigation Strategies: * Trust in Upstream Provider (Microsoft): Rely on Microsoft's security practices. * Monitor vcpkg Security Advisories: Stay informed about vcpkg security announcements. * Use HTTPS for vcpkg Download: Ensure vcpkg is downloaded via HTTPS (generally default). * Verify Download Source: Download vcpkg only from the official GitHub repository or Microsoft websites. * Consider using package managers provided by your OS for initial vcpkg installation if available and trusted.
Description: A portfile (portfile.cmake) contains vulnerabilities, such as command injection or insecure file handling. When vcpkg executes the portfile during package installation, an attacker can exploit these vulnerabilities to execute arbitrary code on the build machine. This could be achieved by crafting a malicious package or exploiting existing vulnerabilities in portfiles.
Impact: High. Successful exploitation can lead to:
* Compromise of the build environment.
* Supply chain contamination if malicious artifacts are built and deployed.
* Data exfiltration from the build machine.
* Denial of service on the build machine.
Affected vcpkg Component: Portfiles (portfile.cmake), Build Process, CMake Integration.
Risk Severity: High.
Mitigation Strategies:
* Portfile Review (for custom/uncommon ports): Review portfile.cmake for suspicious commands.
* Isolate Build Environment: Use containers or VMs for vcpkg builds.
* Principle of Least Privilege for Build Processes: Run build processes with minimal privileges.
* Static Analysis of Portfiles: Consider using static analysis tools to scan portfiles for potential vulnerabilities.