[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Study: Attacks on package managers (inclusing apt)

* Michael Stone <mstone@debian.org> [2008-07-17 08:09-0400]:
> On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote:
>> Today there were some news about a study from the University of Arizona
>> regarding security issues with package management systems (like apt). I
>> did not yet read the whole study, but probably it's interesting for the
>> project (they write about "vulnerabilities"). The study is here:
> It doesn't appear that they had a firm grasp of how package distribution 
> actually works in debian, at least. Mostly it seems like  
> oversensationalized attention-grabbing.

The relevant point for Debian seems to be limited to the issue that
man-in-the-middle attacks are easily done against
http://security.debian.org because those mirrors are not using HTTPS.

Although PGP-signed Release file prevent tampering with files, the
attack doesn't require tampering with files or tampering with signed
release files. If I were to MitM security.debian.org, I could provide
an outdated (yet properly signed) mirror of the security packages to
you. I would simply supply, via a MitM, a mirror that was not updated,
so that the packages you were getting were valid and signed. They just
are out-dated, so that you would not receive critical security
upgrades. Correlating the package skew, with known DSAs that had been
released would eventually result in the right remotely exploitable
root hole.

The simple solution for this would be to require https for
security.debian.org. As these machines are run by 'trusted' parties,
simply stopping the MitM attack through authenticated https
connections would suffice. 

Following on that attack is the fact that its easy to join the mirror
network and once you are in, you can do the same thing as above and
keep your mirror a day or four out of date, so that people who use
your mirror aren't getting updates for issues that enter through the
normal channels. You also have a list of IPs that use your mirror that
don't have these updates.

There are some (IMHO) less interesting attacks they detail, such as
convincing apt to download 18,000,000 TB, but I think the more
problematic attacks are the previous ones.

It seems worthwhile to examine these issues and make some
determinations about what steps (if any) Debian can do to mitigate
some of these attacks.

Attachment: signature.asc
Description: Digital signature

Reply to: