Package Managers As Achilles' Heel
An anonymous reader writes "Researchers from the University of Arizona have released a study that takes a look at the security of ten popular package managers. They were able to show all ten were vulnerable to attacks from a mirror or man-in-the-middle that allow an attacker to (among other things) crash the system or obtain root access. Furthermore, the researchers created a fictitious administrator and company name and were able to lease a server and get it listed as an official mirror for all the distributions they tried (Ubuntu, Debian, Fedora, CentOS, and OpenSUSE). This raises the question: What keeps you up at night, the thought of attacks on your package manager or the previously discussed and patched vulnerability in DNS?" Justin Samuel (one of the Arizona researchers) also points out a synopsis on CERT's blog.
Every Linux vendor I can think of signs the package with a key. Just make sure that the package manager won't install the application without a key.
1. Set yourself up as a mirror
2. Put old packages up with known vulnerabilities.
3. Distribute "updates" listing the old packages as new updates.
4. Watch your logs to see who updated with old packages, then go PWN them.
It also counts on lazy admins, but garsh how rare are those.
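A client-side check against the replay described in the steps above, added here as an example (it is not code from the post or from the Arizona researchers): it refuses mirror metadata that has expired, that is older than a freshness window, or that lists any package at a lower version than the client already has. The Release-file-like fields, the sample indexes and the simplified version ordering are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed "current time" and the versions this client already has
# installed (the baseline a replayed index must not go below).
NOW = datetime(2008, 7, 10, tzinfo=timezone.utc)
LAST_SEEN = {"openssl": "0.9.8g-4", "bash": "3.2-1"}

# Constructed metadata a rogue mirror might serve: old, validly signed, and
# listing package versions with long-fixed bugs.
STALE_RELEASE = """Origin: ExampleDistro
Date: Mon, 01 Jan 2007 00:00:00 +0000
Valid-Until: Wed, 31 Jan 2007 00:00:00 +0000
"""
STALE_INDEX = {"openssl": "0.9.8b-1", "bash": "3.1-5"}

# Constructed metadata a healthy mirror would serve today.
FRESH_RELEASE = """Origin: ExampleDistro
Date: Wed, 09 Jul 2008 00:00:00 +0000
Valid-Until: Sat, 19 Jul 2008 00:00:00 +0000
"""

def parse_release(text):
    """Parse 'Key: value' lines into a dict (Release-file style)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S %z")

def version_key(version):
    """Simplified ordering (assumption): numeric parts as ints, rest as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.-]", version))

def check_metadata(release_text, index, last_seen, now, max_age_days=30):
    """Return the reasons to refuse this metadata; an empty list means OK."""
    problems = []
    rel = parse_release(release_text)
    if "Valid-Until" not in rel:
        problems.append("no Valid-Until: staleness cannot be detected")
    elif parse_date(rel["Valid-Until"]) < now:
        problems.append("metadata expired")
    if "Date" in rel and now - parse_date(rel["Date"]) > timedelta(days=max_age_days):
        problems.append("metadata older than %d days" % max_age_days)
    for pkg, ver in index.items():          # refuse any version going backwards
        prev = last_seen.get(pkg)
        if prev is not None and version_key(ver) < version_key(prev):
            problems.append("rollback: %s %s -> %s" % (pkg, prev, ver))
    return problems
```

Signature verification alone passes the stale index; the expiry and rollback checks are what catch it.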
I guess it comes down to controlling distribution of the updates. Kudos to these Arizona guys. This is a really simple method that can cause complete mayhem in uncountable ways.