[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: thoughts on blocking and downgrade attacks agains secure APT

On Sunday, March 18, 2012 21:33:05, Christoph Anton Mitterer wrote:
> Hi.
> I recently played with Nagios' check_apt script (more on that later) and
> this brought my attention to the following issues.
> As everyone knows, our packages/archives are in principle fully secured
> ("secure APT")... via signed Release files and hashsums on the other
> files.
> I personally have still several open questions, one whether this is
> really securely used by all clients, e.g.:
> - Is APT (apt-get) using it in all places, i.e. not just apt-get
> upgrade/install/update but also source?

When using 'apt-get source <pkg>' the .dsc file downloaded contains both 
checksums and a gpg signature, so I believe the answer is yes.  I don't recall 
if this is explicitly explained in the Debian New Maintainer's Guide, Policy 
Manual, or the Reference Manual -- but those are three documents to look 
through to get more specific answers for these issues.

However one of the exceptions has to do with packages that are actually 
"application downloaders" which has recently been discussed on this list.  How 
the downloaded application files are checked in these types of packages 
depends on the individual package, and could possibly not be done at all.

> - When verification fails for some reason, are the respective files
> in /var/log/apt removed and are any previous files removed before an
> update?

When a package is updated usually the files related to that package are 
removed before the new version is installed.  This does not guarantee that all 
files related to the pacakge are removed though, because occasionally a 
package creates a new file during the installation that is used by the 
package, but is not "part of the package", so won't be removed.  These files 
are generally minor configs and not executable.

> - Do the clients further down (especially aptitude, but also all the
> others) use it in all places? E.g. I though "aptitude download" was an
> aptitude specific thing... does it verify the packages downloaded?

AFAIK Aptitude will throw a warning if you're about to try to install/download 
a package that has an unknown gpg signature, and you have to override the 
warning to continue.

> - Do the clients further down handle all security related errors by APT
> correctly?

I don't understand what this is asking.

> - Can I use all these commands (e.g. apt-get update) safely in
> scripting, e.g. will $? != 0, if just a single "small" problem arises in
> apt-get update (like a completely missing repo).

I think it's best to test it to find out.

> Well, this may all work and it's just me who is uncertain, ... but it
> seems to me the following is really still open:
> Generally an attacker could use blocking and downgrade attacks (two
> distinct things):
> I) Blocking attacks:
> He could prevent some files or all files from one or several given
> repositories from being downloaded at all (or correctly).
> If they're incorrectly downgraded, I hope/assume, that APT already
> removes them immediately.
> But even then (at least) two attack vector may be left (which is
> basically the same as when blocking whole repositories):

If you look at 'man 5 apt_preferences' you'll see that apt gives default 
preference to installing the most up-to-date version.  Downgrading a package 
requires root access, and at the point an attacker has local root access 
security is already moot.

  -- Chris

Chris Knadle

Reply to: