Re: Study: Attacks on package managers (inclusing apt)
Micah Anderson <firstname.lastname@example.org> writes:
> * Michael Stone <email@example.com> [2008-07-17 08:09-0400]:
>> On Thu, Jul 17, 2008 at 04:46:54PM +0200, Daniel Leidert wrote:
>>> Today there were some news about a study from the University of Arizona
>>> regarding security issues with package management systems (like apt). I
>>> did not yet read the whole study, but probably it's interesting for the
>>> project (they write about "vulnerabilities"). The study is here:
>> It doesn't appear that they had a firm grasp of how package distribution
>> actually works in debian, at least. Mostly it seems like
>> oversensationalized attention-grabbing.
> The relevant point for Debian seems to be limited to the issue that
> man-in-the-middle attacks are easily done against
> http://security.debian.org because those mirrors are not using HTTPS.
> Although PGP-signed Release file prevent tampering with files, the
> attack doesn't require tampering with files or tampering with signed
> release files. If I were to MitM security.debian.org, I could provide
> an outdated (yet properly signed) mirror of the security packages to
> you. I would simply supply, via a MitM, a mirror that was not updated,
> so that the packages you were getting were valid and signed. They just
> are out-dated, so that you would not receive critical security
> upgrades. Correlating the package skew, with known DSAs that had been
> released would eventually result in the right remotely exploitable
> root hole.
> The simple solution for this would be to require https for
> security.debian.org. As these machines are run by 'trusted' parties,
> simply stopping the MitM attack through authenticated https
> connections would suffice.
The simple solution would be to create a Timestamp.gpg file that is
signed daily (as oppsoed to Release.gpg being signed only on updates)
and have apt-get warn if it gets old.