Bug#763399: Hardening dpkg/apt
Package: apt
Version: all
Sometimes apt/dpkg can contain vulnerable, remotely exploitable bugs
which is a big risk when used over the untrusted internet. As it happens,
anyone could have been in a position to run man-in-the-middle attacks
with the latest security hole [CVE-2014-6273] in apt-get. What makes
this bug crippling is that updating apt to fix it would have exposed it
to what the fix was supposed to prevent, so manually downloading the
package out of band was the safest option this time.
In order to drastically limit an attacker's options I recommend creating
a seccomp-bpf filter for apt and dpkg to limit what they can do should a
weak function be remotely exploited. Other options include enabling any
and all compile-time binary hardening such as PIE, RELRO, CANARY etc.
Seccomp Resources:
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
(Kernel documentation for the feature)
http://outflux.net/teach-seccomp/ (A guide on writing a simple filter
and using error checking. Note that seccomp supports whitelists which
can make it easier, you simply allow only the bare minimum of safe
syscalls needed to make curl function).