  1. #1
    smolloy (Linux Guru) | Join Date: Apr 2005 | Location: CA, but from N.Ireland | Posts: 2,413

    Vulnerable package managers

    I know the mods are worried about becoming a Slashdot mirror, but I think this story is interesting/important enough to post here as well.

    It looks like some researchers have figured out a way to attack via package managers. This is something I've worried about, but since I've never heard of such an attack I thought there must be some technical issue that prevented this. Apparently not.

    The most frightening thing is that they managed to set up and run package repos without any real security checking by the distro maintainers, and they managed this for *all* the package managers they tried. *All* of the big distro package management systems are vulnerable.

    Hopefully this will get plugged soon enough.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

  2. #2
    geniuz (Just Joined!) | Join Date: Mar 2008 | Location: Netherlands, Europe | Posts: 71
    I shouldn't worry about it too much. Why would anybody want to spend time on infecting Linux computers? I don't know exact numbers, but I do believe very few people in this world actually use Linux full time compared to the ones using Windows, and Windows, as we all know, is much easier to hack.

    And like you already said yourself, I think maintainers will put a stop to it quite easily when they find out, so...

  3. #3
    jayd512 (Trusted Penguin) | Join Date: Feb 2008 | Location: Kentucky | Posts: 4,072
    I would have to agree with geniuz here. After all, if you're downloading from official repos, the maintainers are going to use every means possible to ensure that the packages are good to go. And added to the fact that if the package has been altered the md5 sum won't match up... I don't think we've got too much to sweat about.
    Jay

    New users, read this first.
    New Member FAQ
    Registered Linux User #463940
    I do not respond to Private Messages asking for Linux help. Please, keep it on the public boards.

  4. #4
    Manchunian (Linux Enthusiast) | Join Date: Dec 2007 | Location: France but my heart stays in Britain | Posts: 675
    I don't agree with geniuz. Although at the moment Linux only represents around 2% of the desktop market, that number is increasing. More importantly, though, is the server share. Let's not forget that Linux is the most widespread server OS and that some of the world's most sensitive, high-level security institutions entrust their valuable data to Linux.
    Distribution: Archlinux
    Processor: 3 x Amd 64 bit
    Ram: 4 GB
    Graphics card: Nvidia GeForce 9800 GT

  5. #5
    geniuz (Just Joined!) | Join Date: Mar 2008 | Location: Netherlands, Europe | Posts: 71
    Quote Originally Posted by Manchunian:
        I don't agree with geniuz. Although at the moment Linux only represents around 2% of the desktop market, that number is increasing. More importantly, though, is the server share. Let's not forget that Linux is the most widespread server OS and that some of the world's most sensitive, high-level security institutions entrust their valuable data to Linux.
    I don't think a good server should use a distro with a package manager. If I had to build a server, I'd use Slackware or something and compile everything myself... might take more time, but you're 100% sure it's safe.

  6. #6
    Manchunian (Linux Enthusiast) | Join Date: Dec 2007 | Location: France but my heart stays in Britain | Posts: 675
    Yeah, but the distro that is most used on servers isn't Slackware but Debian stable. I'm sure one of the reasons why Debian is so used is because of its package manager, and because the stuff that's made available via apt is bomb-proof tested. But, anyway, are you sure that not using your package manager is a way to stay safe? You can still get nasties, even when you compile.
    Distribution: Archlinux
    Processor: 3 x Amd 64 bit
    Ram: 4 GB
    Graphics card: Nvidia GeForce 9800 GT

  7. #7
    fingal (Linux Guru) | Join Date: Jul 2003 | Location: Birmingham - UK | Posts: 1,539
    I can't get that link to work. Is there another source for this article? It might - in fact - be untrue. The Slashdot article links back to the dead web page.
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

  8. #8
    Thrillhouse (Linux Engineer) | Join Date: Jun 2006 | Location: Arlington, VA, USA | Posts: 1,377
    I can't get the link to work either. The server hosting it must be suffering from the Slashdot popularity.

    I definitely think this is a legitimate issue, though. I'll stick to talking about pacman because it's the package manager I know the best. There is little to no security built around pacman. I've read that they're working on that, but right now it's definitely vulnerable. And jayd512, it's not just a matter of hashing the packages. An attacker can insert their malicious package in place of the real one, re-hash it, and when you download it the hash would check out. The packages need to be signed by a trusted certificate. Hopefully the more popular distros will take note of this article and start implementing some solutions.

  9. #9
    fingal (Linux Guru) | Join Date: Jul 2003 | Location: Birmingham - UK | Posts: 1,539
    Quote Originally Posted by Thrillhouse:
        I can't get the link to work either. The server hosting it must be suffering from the Slashdot popularity.
    Perhaps, but it seems odd that the University's entire site has gone down. And the comment that it was posted by an anonymous contributor. Academics love putting their names on papers!

    There's one original article and 100s of others all pointing back to one domain, so that supports your idea that their site has crashed, but still... I can't even find a cached web page.

    True site: The University of Arizona, Tucson Arizona
    Strange site: http://cs.arizona.edu

    Please note that the domain names are different in each case. Call me cynical but I think the article is disinformation.

    I notice there is no report on the University's news page either: UANews.org
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

  10. #10
    smolloy (Linux Guru) | Join Date: Apr 2005 | Location: CA, but from N.Ireland | Posts: 2,413
    Quote Originally Posted by jayd512:
        I would have to agree with geniuz here. After all, if you're downloading from official repos, the maintainers are going to use every means possible to ensure that the packages are good to go. And added to the fact that if the package has been altered the md5 sum won't match up... I don't think we've got too much to sweat about.
    This isn't true. The authors of this paper showed how it was possible even with signed packages. It's called a replay attack. They set up a repo containing old versions of packages with known vulnerabilities. Since these were old, and therefore legitimate, versions of packages, they had the correct key. For example, someone could set up a repo to roll all Debian machines back to the old, broken version of openssl. They'd then watch their logs to see which IPs had rolled back to the old version and then root them.

    Signing doesn't help.

    Also, "every means possible" isn't true either. They were able to set up a repo for all major distros with no significant checking of their identity.

    This really is something to worry about, which is why I posted it here. There are ways to mitigate this, but it needs quick action from the distro maintainers. There's very little we can do about this ourselves.

    EDIT: I can't see the article any more either. Slashdotted to hell and back. Give it a day to roll off the Slashdot front page and then check back.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode
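Posts #8 and #10 make two separate points: a hash published next to the package proves nothing when the same mirror serves both, and a per-package signature still lets a mirror serve a genuinely signed but old, vulnerable version. The toy client below is an added example (not from the thread, the paper, or any distro's tooling) showing how signed repository metadata with an expiry time and a no-downgrade rule closes both gaps; HMAC-SHA256 stands in for the distro's GPG key, and the package bytes, package name and version numbers are constructed.

```python
import hashlib
import hmac

DISTRO_KEY = b"constructed-distro-signing-key"  # constructed; only the distro holds it

def sign(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 stands in for the distro's GPG signature (simplification)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def make_release(version: str, pkg: bytes, issued: int, ttl: int = 86400) -> dict:
    """Distro side: sign metadata binding name, version, package hash and a validity window."""
    body = f"openssl {version} {sha256(pkg)} {issued} {issued + ttl}".encode()
    return {"body": body, "sig": sign(DISTRO_KEY, body)}

def hash_only_check(pkg: bytes, advertised_hash: str) -> bool:
    """Post #8's objection: a mirror that swaps the package also publishes the matching hash."""
    return sha256(pkg) == advertised_hash

def verify_release(release: dict, pkg: bytes, installed: str, now: int) -> str:
    """Client side: signature, freshness, hash binding and a no-downgrade rule."""
    if not hmac.compare_digest(sign(DISTRO_KEY, release["body"]), release["sig"]):
        return "bad signature"
    _name, version, digest, _issued, expires = release["body"].decode().split()
    if now > int(expires):
        return "expired metadata (replay)"
    if sha256(pkg) != digest:
        return "package hash does not match signed metadata"
    if version_tuple(version) < version_tuple(installed):
        return f"downgrade {installed} -> {version} refused"
    return "ok"

def scenarios(now: int = 1_000_000) -> dict:
    """Constructed package bytes standing in for real package files."""
    good, old, evil = b"openssl-0.9.8 fixed", b"openssl-0.9.7 vulnerable", b"backdoored build"
    current = make_release("0.9.8", good, issued=now)
    stale = make_release("0.9.7", old, issued=now - 10 * 86400)  # genuine but long expired
    archived = make_release("0.9.7", old, issued=now - 3600)     # genuine, still within TTL
    return {
        "hash_only_swap": hash_only_check(evil, sha256(evil)),   # True: the check is hollow
        "fresh_update": verify_release(current, good, "0.9.7", now),
        "tampered": verify_release(current, evil, "0.9.7", now),
        "replayed_stale": verify_release(stale, old, "0.9.8", now),
        "rollback": verify_release(archived, old, "0.9.8", now),
        "forged": verify_release({"body": b"openssl 0.9.9 x 0 9", "sig": "00"}, evil, "0.9.8", now),
    }
```

The expiry check is what defeats the "serve last month's signed repo forever" case, and the downgrade check is what stops a still-valid archive entry from rolling a machine back to the vulnerable openssl the thread discusses.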
