
Re: A simple question FORK! Something that bugs me about net-installs and security



Hodgins Family wrote:
> Are net installs (let's say for a Desktop environment) totally without
> vulnerability risks?
>
> When, during an installation, do/should people think about
> security/vulnerability issues of the software they are installing?

Well, let's see.. to perform a network install, you download a netinst
iso from the web. This is an excellent opportunity for an attacker to
feed you a compromised image that will be running as root on your
computer. You can avoid this risk by checking the MD5SUMS file in the
same directory as the iso, and using the MD5SUMS.sign file to check that
the MD5SUMS file isn't compromised too. Assuming that you have some way
of running gpg, and some way of trusting the person who signed the
image. Also assuming that the image you're downloading is a released
version of the installer; daily builds aren't signed.

Shortly after the installer boots up, it's connected to the network[4].
At this point it's vulnerable to anything that any linux kernel on the
network is vulnerable to. If there's a remote exploit in the linux
kernel, an attacker could compromise your installer as it's running.
Suitable remote exploits are fairly rare, and the installer is probably
not an ideal target to compromise, since it's not very similar to a
standard linux distribution[3].

The only network services that the installer uses are dns and http, with
the http being done by busybox wget and by apt. Any remote exploits in
those programs could also be used to exploit the installer. All data
received via http is required to be signed with gpg keys built into the
installer[2]. While this does mean that remote exploits in gnupg[0]
could also be used to exploit the installer, it cuts off most potential
for the packages that are downloaded to be compromised.

No additional services are started during the installation process[1].
Once the installation is complete and it boots into the installed
system, whatever services are started by the tasks you selected are
running, and any security issues with those have to be considered.

-- 
see shy jo

[0] Eg: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
[1] Unless you tell the installer to open a ssh network console.
[2] Only true for the etch installer; the current stable
    version of the installer does not use gpg signatures.
[3] Ie, it's running from a ramdisk, and is going to reboot in N minutes
    into the installed system..
[4] Suppose I should mention that it uses dhclient, for completeness.
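The image-verification steps described at the top of the post, as an added example that is not from the post or from the Debian installer itself. It assumes `MD5SUMS`, `MD5SUMS.sign` and the iso have already been downloaded into known paths, that the signing key is already in your gpg keyring, and that `MD5SUMS` uses the usual `hash  filename` layout (optionally `./filename`).

```shell
#!/bin/sh
# Check a downloaded netinst image in the order the post suggests:
#  1. the detached signature on MD5SUMS must verify with a key you trust,
#  2. only then is the iso's md5 compared against its MD5SUMS entry.
# Paths are passed in as arguments (assumed layout, see lead-in).

# Step 1: verify MD5SUMS.sign over MD5SUMS. gpg exits non-zero on a bad
# signature or an unknown key, so this fails closed.
verify_sums_signature() {
    sums="$1"   # path to MD5SUMS
    sig="$2"    # path to MD5SUMS.sign
    gpg --verify "$sig" "$sums"
}

# Step 2: compare the iso against its MD5SUMS entry.
# Returns 0 on match, 1 on mismatch, 2 if the iso has no entry at all
# (an image missing from a signed list is as suspicious as a bad hash).
verify_iso_checksum() {
    sums="$1"   # path to MD5SUMS
    iso="$2"    # path to the downloaded iso
    name=$(basename "$iso")
    # MD5SUMS lines look like "<md5>  <file>"; tolerate a leading "./".
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\.\//, "", f) }
                                 f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name matches $sums"
        return 0
    fi
    echo "MISMATCH: $name does not match $sums" >&2
    return 1
}

# Both checks together; the checksum is meaningless until the list
# it comes from has been authenticated.
verify_netinst() {
    verify_sums_signature "$1" "$2" && verify_iso_checksum "$1" "$3"
}

# Usage: ./verify-netinst.sh MD5SUMS MD5SUMS.sign debian-netinst.iso
if [ "$#" -eq 3 ]; then
    verify_netinst "$1" "$2" "$3"
fi
```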
