Bug#491374: Package managers vulnerable to replay and endless data attacks
Package: Apt, Aptitude, Synaptic
Version: all
Cross-posting from:
https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/247445
apt and possibly other Debian package managers capable of downloading
packages are vulnerable to two kinds of attacks.
1. Replay attack, where an attacker, by operating a malicious mirror
or by spoofing the address of a valid mirror, serves correctly signed
but outdated packages lists. As new vulnerabilities are discovered and
patched, the users who are using the malicious mirror won't be
receiving any updates and will continue running vulnerable software.
See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
2. Endless data attack, where an attacker serves very long files to a
package manager that uses his malicious mirror. That might prevent the
package manager from ever completing, leading to the same problem as
described above. It might also consume all disk space preventing
logging, mail delivery and other system services from running
properly.
See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata
There is also an entry on Ubuntu and Debian in the FAQ at
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html
See also this post in the CERT vulnerability analysis blog:
http://www.cert.org/blogs/vuls/2008/07/using_package_managers.html
They have assigned a vulnerability number to this issue (VU#230187)
but it doesn't seem to be public yet.
Reply to: