Slashdot Mirror

← Back to Stories (view on slashdot.org)

Package Managers As Achilles Heel

Posted by timothy on from the dip-your-computer-in-the-styx dept.

An anonymous reader writes "Researchers from the University of Arizona have released a study that takes a look at the security of ten popular package managers. They were able to show all ten were vulnerable to attacks from a mirror or man-in-the-middle that allow an attacker to (along with other things) crash the system or obtain root access. Furthermore, the researchers created a fictitious administrator and company name and were able to lease a server and get it listed as an official mirror for all the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and OpenSUSE). This raised the question: What keeps you up at night, the thought of attacks on your package manager or previously discussed and patched vulnerability in DNS?" justin samuel (one of the Arizona researchers) also points out a synopsis on CERT's blog.

2 of 263 comments (clear)

  1. The actual vulnerability by jmorris42 · · Score: 5, Interesting

    > The article actually discusses attacks that can be made by a malicious mirror...

    Yes a mirror can keep you from getting a security update. But if you don't contact that mirror every day you will eventually get a good mirror and update, and since none of the package managers will downgrade automatically this is a mostly theoretical exploit.

    Yes if a really BIG bug hits somebody could keep some subset of machines from updating, and since they would also KNOW the ip of each vulnerable host it could be very bad. That is the part that worries me, hell, they could even deliver the update from their perfectly up to date repo of signed packages, signed metadata AND perfectly in sync with the distro prime mirror.... and root your ass while the update is in flight. This gets to the real security vuln involved, telling an untrusted entity exactly which version (sorta) of a package you are running.

    --
    Democrat delenda est
  2. Re:Package are already *signed* by Zero__Kelvin · · Score: 5, Interesting
    Actually, what they are saying is that they can set up a mirror with older packages that have known flaws in them and in effect downgrade you from having the latest security fixes to having one with vulnerabilities.

    The packages are still signed with an a valid key. They are just older packages rather than the latest ones.

    I have to give more thought to think if this will work, but I doubt that this has not occured to anyone else. I certainly thought of it before. Most likely the package managers have a way to keep this from happening already.

    Their entire Proof of Concept seems to be:
    1. We asked to be added as a mirror
    2. We succeeded without the distributions doing a cavity search
    3. A11 y0ur L1nux are b3l0ng t0 us!

    I wouldn't panick until I see a CERT advisory, or as someone else pointed out, at least one real world incedent.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun