Slashdot Mirror

← Back to Stories (view on slashdot.org)

Package Managers As Achilles Heel

Posted by timothy on from the dip-your-computer-in-the-styx dept.

An anonymous reader writes "Researchers from the University of Arizona have released a study that takes a look at the security of ten popular package managers. They were able to show all ten were vulnerable to attacks from a mirror or man-in-the-middle that allow an attacker to (along with other things) crash the system or obtain root access. Furthermore, the researchers created a fictitious administrator and company name and were able to lease a server and get it listed as an official mirror for all the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and OpenSUSE). This raised the question: What keeps you up at night, the thought of attacks on your package manager or previously discussed and patched vulnerability in DNS?" justin samuel (one of the Arizona researchers) also points out a synopsis on CERT's blog.

3 of 263 comments (clear)

  1. Depends on bugs in old software by xZgf6xHx2uhoAj9D · · Score: 5, Informative

    Just in case anyone thought (like me) that the vulnerabilities they're talking about might let an attacker install arbitrary software just through the package manager, this doesn't seem to be the case.

    The attack might go like so:

    1. the attacker finds some really old version of some software that they know to be buggy. E.g., they find OpenSSH version negative 5 or something, which had a terrible buffer overflow bug in it. This software has already been signed (years ago) by the package authorities
    2. the attacker then sets up a mirror with only the broken version of OpenSSH on it
    3. when a hapless Linux user goes to update OpenSSH, your mirror replies saying "the newest version is negative 5. See! I even have a 5 year-old certificate for it"
    4. your client says "...oh...okay"
    5. you install the old, buggy version of OpenSSH
    6. the attacker has your IP address and knows that you downloaded (and presumably installed) the old version of OpenSSH
    7. the attacker haxx0rz you

    The simple fix is to change the client so that it never regresses (e.g., never installs software older than what it already has installed).

  2. Sounds real and exploitable.. by moreati · · Score: 5, Informative

    Until I RTFA, I was ready to dismiss this as 'failing to understand signed packages. Wrong, they understand package signatures all too well.

    The basic attacks seems to be.

    1. Obtain old, signed packages.
    2. Become a mirror for debian|fedora|ubuntu|$distro.
    3. Wait for vulnerabilities to be found in some package.
    4. Do not serve the updated packages, continue to serve the vulnerable version.
    5. Log IPs of machines downloading from your mirror.
    6. Root them.

    This works because some package manager software will download and use package metadata even if it's older than what's cached.

    One long term solution would be to sign package metadata and serve it only from one central location, over https/sftp. There may be others.

    Alex

  3. Re:Vendors sign with keys. by kwalker · · Score: 5, Informative

    What package manager silently downgrades packages?

    I can see a package mirror (maliciously) refusing to stock updates, but yum at least picks a mirror at random by default. Apt didn't last I saw, but if you picked your own mirror, you already trust them.

    --
    ... And so it comes to this.