Old 07-11-2008, 12:36 PM
Ron Johnson
 
Package management unsafe?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

What are people's thoughts on this?

- --
Ron Johnson, Jr.
Jefferson LA USA

"Kittens give Morbo gas. In lighter news, the city of New New
York is doomed."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkh3U88ACgkQS9HxQb37Xmf+2wCgvdLRdxkvuo oBUTfp3hDdmpuQ
VQsAoKROsnp8K0/OUiXlQBYD51JK3cLN
=lhx1
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-11-2008, 12:55 PM
"Steinar H. Gunderson"
 
Package management unsafe?

On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?

It's been known for quite a while. (I asked one of the guys publishing it,
and he was fully aware of that, but felt it was still important to bring
light to it.)

In any case, it's pretty hard to exploit as long as you have security updates
on a different (trusted) server. The best thing you can do is DoS the process
so the user's package management software crashes, or simply never update
your mirror so users don't get updates.

/* Steinar */
--
Homepage: http://www.sesse.net/


 
Old 07-11-2008, 03:48 PM
"Michael Casadevall"
 
Package management unsafe?

Maybe a check should be added to APT to flag a warning if there have been no updates for a significant period of time? That way, if a mirror ever does that, it's more detectable.
Michael

On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <sgunderson@bigfoot.com> wrote:

> On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>>
>> What are people's thoughts on this?
>
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
>
> In any case, it's pretty hard to exploit as long as you have security updates
> on a different (trusted) server. The best thing you can do is DoS the process
> so the user's package management software crashes, or simply never update
> your mirror so users don't get updates.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
 
Old 07-11-2008, 03:51 PM
Florian Weimer
 
Package management unsafe?

* Ron Johnson:

> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?

HTTPS doesn't help against non-trusted mirrors.

The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay
attack.

Apart from that, this is clearly a PR stunt. Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.


 
Old 07-12-2008, 12:39 AM
Frank Lichtenheld
 
Package management unsafe?

On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> Maybe a check should be added to APT to flag a warning if there have been no
> updates for a significant period of time? That way if a mirror ever does
> that, it's more detectable.

That really doesn't make any sense for stable users since our point
releases aren't exactly weekly.

Gruesse,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/


 
Old 07-12-2008, 12:50 AM
"Michael Casadevall"
 
Package management unsafe?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It doesn't have to have updated packages, maybe have something like this

APT-Ping: *timestamp*

and then push out a new packages file with just an updated timestamp in it.

Michael


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://getfiregpg.org

iD8DBQFId//JpblTBJ2i2psRAu6uAJ48+knPTzxi1InA/Wg3AN4m2Rt8WwCfa/ES

rddl6+w/Kw+7UBVNQLjLplE=
=fGdJ
-----END PGP SIGNATURE-----
On Fri, Jul 11, 2008 at 8:39 PM, Frank Lichtenheld <djpig@debian.org> wrote:

> On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> > Maybe a check should be added to APT to flag a warning if there has been no
> > updates for a significant period of time? That way if a mirror ever does
> > that, it's more detectable.
>
> That really doesn't make any sense for stable users since our point
> releases aren't exactly weekly
>
> Gruesse,
> --
> Frank Lichtenheld <djpig@debian.org>
> www: http://www.djpig.de/
 
Old 07-12-2008, 01:07 AM
Don Armstrong
 
Package management unsafe?

On Sat, 12 Jul 2008, Frank Lichtenheld wrote:

> On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> > Maybe a check should be added to APT to flag a warning if there has been no
> > updates for a significant period of time? That way if a mirror ever does
> > that, it's more detectable.
>
> That really doesn't make any sense for stable users since our point
> releases aren't exactly weekly

It wouldn't be a huge deal to re-sign the package list every n days
and warn if the package list was signed more than n+r days ago. [This
would even be useful to handle properly mirrors which are just out of
date even without nefarious behavior.]


Don Armstrong

--
Quite the contrary; they *love* collateral damage. If they can make
you miserable enough, maybe you'll stop using email entirely. Once
enough people do that, then there'll be no legitimate reason left for
anyone to run an SMTP server, and the spam problem will be solved.
-- Craig Dickson in <20020909231134.GA18917@linux700.localnet>

http://www.donarmstrong.com http://rzlab.ucr.edu


 
Old 07-12-2008, 06:12 AM
Joe Smith
 
Package management unsafe?

Florian Weimer <fw <at> deneb.enyo.de> writes:

>
> * Ron Johnson:
>
> > http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> >
> > What are people's thoughts on this?
>
> HTTPS doesn't help against non-trusted mirrors.
>
> The difficult question is how to tell an APT source which is not updated
> regularly from an APT source that has been rolled back in a replay
> attack.

Actually the attack works just fine without rolling back for a replay attack.
I have my mirror stop updating. If I can assume that most clients use only my
mirror, and not others, then once a major security flaw comes out in a package
version my mirror uses, then I have a list of IP addresses (from my server logs)
that may be exploitable.

So there is no reason to differentiate between a stale mirror and a potential
attack mirror. Any mirror more than, say, 7 days out of date should be considered
potentially unsafe, and the user should be warned that the mirror is stale,
which may be an attack attempt, and that they should consider choosing a new
mirror. Having the signature on the package file update daily, even if the
package file contents have not changed, would be an easy way to detect a stale
mirror. Just add a check on the signature time-stamp as part of checking the
package signature, and warn if the signature is too old.


But the attack is not really applicable to Debian, where security updates come
from trusted security mirrors, and not the general mirrors. If this were not the
case, then the following statement from the site would be concerning:

>For example, it is known that an earlier version of OpenSSL for Debian has a
>security flaw. The list of files from the repository that previously included
>this package is still correctly signed. Using this old signed file list, a
>malicious mirror can keep a client on the insecure version of OpenSSL by
>responding to the client's package manager with the old list of files.

As it is, the mirror can do no such thing. (Only a security mirror could do
this.) This is a very good thing.

Indeed there is a second possible attack vector if the general mirrors were used
for security updates. I could set my mirror up to watch for people requesting a
specific security update. While the file is being downloaded, a script could
automatically attempt to exploit the vulnerability on the system that requested
the update. The idea is that there is a high probability that the system
requesting the update has the insecure version installed, and is thus
exploitable.

However, if the security updates come from trusted security mirrors rather than
a general mirror, that attack would fail too. So with the exception of Sid or
Testing users that do not use the testing-security system to receive security
updates, Debian really is not terribly vulnerable to this.

But I still strongly recommend the signature time-stamp solution (which Don
Armstrong suggested first) as it would let us notify users that a mirror is
stale regardless of whether this is malicious, and it would help protect Sid and
testing users. It would even add some additional security to Debian-derived
distros that do not use a separate security mirror system. (Although they would
still be vulnerable to the exploit while downloading issue.)




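The freshness check that Don Armstrong and Joe Smith propose above (re-sign the Release file on a schedule and have the client warn when the signed metadata is older than a threshold), written out as an added example; this is not code from the thread or from APT. It assumes the detached Release.gpg signature has already been verified by other means, and it uses the Release file's own `Date:` field as the signed timestamp instead of the OpenPGP signature creation time the posts mention. The Release text below is constructed, and the 7-day window is the one Joe Smith suggests.

```python
"""Stale-mirror check on the cleartext of an APT Release file.

Added example: parses the top-level fields of a Release file and classifies
the metadata as fresh, stale (older than a threshold) or expired (a
Valid-Until field is present and has passed). Signature verification of
Release.gpg is assumed to have happened before this runs.
"""
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample Release file, shaped like what a mirror would serve.
# The checksum entry is a placeholder, not a real Packages digest.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: testing
Codename: lenny
Date: Sat, 12 Jul 2008 06:00:00 UTC
Architectures: amd64 i386
Components: main contrib non-free
MD5Sum:
 0123456789abcdef0123456789abcdef     1234 main/binary-i386/Packages
"""


def parse_release_fields(text):
    """Return the top-level 'Field: value' pairs of a Release file.

    Indented lines are continuations (the checksum lists) and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def release_status(text, now, max_age=timedelta(days=7)):
    """Classify Release metadata as 'fresh', 'stale' or 'expired'.

    'expired': a Valid-Until field is present and 'now' is past it.
    'stale':   the Date field is older than max_age (warn the user that the
               mirror is out of date, possibly on purpose).
    'fresh':   otherwise.
    Raises ValueError when the Date field is missing, since a Release file
    without a timestamp cannot be judged at all.
    """
    fields = parse_release_fields(text)
    if "Date" not in fields:
        raise ValueError("Release file has no Date field")
    signed_at = parsedate_to_datetime(fields["Date"])
    if "Valid-Until" in fields:
        valid_until = parsedate_to_datetime(fields["Valid-Until"])
        if now > valid_until:
            return "expired"
    if now - signed_at > max_age:
        return "stale"
    return "fresh"


def status_at(text, now_iso, max_age_days=7):
    """Convenience wrapper taking the current time as an ISO 8601 string."""
    now = datetime.fromisoformat(now_iso)
    return release_status(text, now, timedelta(days=max_age_days))


if __name__ == "__main__":
    # Two checks against the constructed Release file: one the day after
    # signing, one eight days later (mirror stopped updating).
    for when in ("2008-07-13T00:00:00+00:00", "2008-07-20T06:00:01+00:00"):
        print(when, "->", status_at(SAMPLE_RELEASE, when))
```

Treating 'stale' as a warning and 'expired' as a hard failure matches the distinction the thread draws between a merely out-of-date mirror and one that should no longer be trusted. APT later gained exactly this kind of expiry via the `Valid-Until` field in Release files and the `Acquire::Check-Valid-Until` option; the age-based warning on `Date:` is the part of the proposal the example adds on top.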
 
Old 07-12-2008, 06:56 AM
Andrei Popescu
 
Package management unsafe?

On Sat,12.Jul.08, 06:12:33, Joe Smith wrote:

> However, if the security updates come from trusted security mirrors rather than
> a general mirror, that attack would fail too. So with the exception of Sid or
> Testing users that do not use the testing-security system to receive security
> updates, Debian really is not terribly vulnerable to this.

How about distributing the Release files *only* from a trusted server?

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
 
Old 07-12-2008, 11:13 PM
Joe Smith
 
Package management unsafe?

Andrei Popescu <andreimpopescu <at> gmail.com> writes:

> How about distributing the Release files *only* from a trusted server?
>
> Regards,
> Andrei

That is problematic, as it does not deal with mirror synchronization properly.
If a mirror takes a few hours to update, its Packages files may not be up to
date during those hours, resulting in apt claiming the Packages file is not
validly signed.

I see no benefits over re-signing the Release file daily, even if none of the
Packages files (and hence the checksums and Release file itself) have changed,
with apt then complaining if Release.gpg has a signature that is too old.

This adds security against the published attack for testing users who do not use
testing-security as well as sid users. It also helps warn users about
non-malicious stale mirrors. As my post made clear, stable is already secure
against the published attack.


The other attack I mentioned (the attack of attempting to exploit a flaw in any
client that requests a security update) cannot be fixed in the general case,
except by clients using a trusted server, or a trusted proxy that does not
reveal the true requesting system's IP.
Stable is safe because the security servers are trusted. Users of testing or sid
should choose servers they trust or some form of trusted proxy.


 
