* Michael Stone <email@example.com> [2008-07-17 08:09-0400]: > On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote: >> Today there were some news about a study from the University of Arizona >> regarding security issues with package management systems (like apt). I >> did not yet read the whole study, but probably it's interesting for the >> project (they write about "vulnerabilities"). The study is here: > > It doesn't appear that they had a firm grasp of how package distribution > actually works in debian, at least. Mostly it seems like > oversensationalized attention-grabbing. The relevant point for Debian seems to be limited to the issue that man-in-the-middle attacks are easily done against http://security.debian.org because those mirrors are not using HTTPS. Although PGP-signed Release file prevent tampering with files, the attack doesn't require tampering with files or tampering with signed release files. If I were to MitM security.debian.org, I could provide an outdated (yet properly signed) mirror of the security packages to you. I would simply supply, via a MitM, a mirror that was not updated, so that the packages you were getting were valid and signed. They just are out-dated, so that you would not receive critical security upgrades. Correlating the package skew, with known DSAs that had been released would eventually result in the right remotely exploitable root hole. The simple solution for this would be to require https for security.debian.org. As these machines are run by 'trusted' parties, simply stopping the MitM attack through authenticated https connections would suffice. Following on that attack is the fact that its easy to join the mirror network and once you are in, you can do the same thing as above and keep your mirror a day or four out of date, so that people who use your mirror aren't getting updates for issues that enter through the normal channels. You also have a list of IPs that use your mirror that don't have these updates. There are some (IMHO) less interesting attacks they detail, such as convincing apt to download 18,000,000 TB, but I think the more problematic attacks are the previous ones. It seems worthwhile to examine these issues and make some determinations about what steps (if any) Debian can do to mitigate some of these attacks.
Description: Digital signature