Re: thoughts on blocking and downgrade attacks agains secure APT
On Sunday, March 18, 2012 21:33:05, Christoph Anton Mitterer wrote:
> Hi.
>
> I recently played with Nagios' check_apt script (more on that later) and
> this brought my attention to the following issues.
>
>
> As everyone knows, our packages/archives are in principle fully secured
> ("secure APT")... via signed Release files and hashsums on the other
> files.
>
> I personally have still several open questions, one whether this is
> really securely used by all clients, e.g.:
> - Is APT (apt-get) using it in all places, i.e. not just apt-get
> upgrade/install/update but also source?
When using 'apt-get source <pkg>' the .dsc file downloaded contains both
checksums and a gpg signature, so I believe the answer is yes. I don't recall
if this is explicitly explained in the Debian New Maintainer's Guide, Policy
Manual, or the Reference Manual -- but those are three documents to look
through to get more specific answers for these issues.
However one of the exceptions has to do with packages that are actually
"application downloaders" which has recently been discussed on this list. How
the downloaded application files are checked in these types of packages
depends on the individual package, and could possibly not be done at all.
> - When verification fails for some reason, are the respective files
> in /var/log/apt removed and are any previous files removed before an
> update?
When a package is updated usually the files related to that package are
removed before the new version is installed. This does not guarantee that all
files related to the pacakge are removed though, because occasionally a
package creates a new file during the installation that is used by the
package, but is not "part of the package", so won't be removed. These files
are generally minor configs and not executable.
> - Do the clients further down (especially aptitude, but also all the
> others) use it in all places? E.g. I though "aptitude download" was an
> aptitude specific thing... does it verify the packages downloaded?
AFAIK Aptitude will throw a warning if you're about to try to install/download
a package that has an unknown gpg signature, and you have to override the
warning to continue.
> - Do the clients further down handle all security related errors by APT
> correctly?
I don't understand what this is asking.
> - Can I use all these commands (e.g. apt-get update) safely in
> scripting, e.g. will $? != 0, if just a single "small" problem arises in
> apt-get update (like a completely missing repo).
I think it's best to test it to find out.
> Well, this may all work and it's just me who is uncertain, ... but it
> seems to me the following is really still open:
>
> Generally an attacker could use blocking and downgrade attacks (two
> distinct things):
>
>
> I) Blocking attacks:
> He could prevent some files or all files from one or several given
> repositories from being downloaded at all (or correctly).
>
> If they're incorrectly downgraded, I hope/assume, that APT already
> removes them immediately.
> But even then (at least) two attack vector may be left (which is
> basically the same as when blocking whole repositories):
If you look at 'man 5 apt_preferences' you'll see that apt gives default
preference to installing the most up-to-date version. Downgrading a package
requires root access, and at the point an attacker has local root access
security is already moot.
-- Chris
--
Chris Knadle
Chris.Knadle@coredump.us
Reply to: