--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
07-11-2008, 12:55 PM
"Steinar H. Gunderson"
Package management unsafe?
On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
It's been known for quite a while. (I asked one of the guys publishing it,
and he was fully aware of that, but felt it was still important to bring
light to it.)
In any case, it's pretty hard to exploit as long as you have security updates
on a different (trusted) server. The best thing you can do is DoS the process
so the user's package management software crashes, or simply never update
your mirror so users don't get updates.
/* Steinar */
--
Homepage: http://www.sesse.net/
07-11-2008, 03:48 PM
"Michael Casadevall"
Package management unsafe?
Maybe a check should be added to APT to flag a warning if there has been no updates for a significant period of time? That way if a mirror ever does that, it's more detectable.
Michael
On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <sgunderson@bigfoot.com> wrote:
> On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>>
>> What are people's thoughts on this?
>
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
>
> In any case, it's pretty hard to exploit as long as you have security updates
> on a different (trusted) server. The best thing you can do is DoS the process
> so the user's package management software crashes, or simply never update
> your mirror so users don't get updates.
>
> /* Steinar */
> --
> Homepage: http://www.sesse.net/
07-11-2008, 03:51 PM
Florian Weimer
Package management unsafe?
* Ron Johnson:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay
attack.
Apart from that, this is clearly a PR stunt. Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.
07-12-2008, 12:39 AM
Frank Lichtenheld
Package management unsafe?
On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> Maybe a check should be added to APT to flag a warning if there has been no
> updates for a significant period of time? That way if a mirror ever does
> that, it's more detectable.
That really doesn't make any sense for stable users since our point
releases aren't exactly weekly
Gruesse,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
07-12-2008, 12:50 AM
"Michael Casadevall"
Package management unsafe?
It doesn't have to have updated packages, maybe have something like this
APT-Ping: *timestamp*
and then push out a new packages file with just an updated timestamp in it.
On Fri, Jul 11, 2008 at 8:39 PM, Frank Lichtenheld <djpig@debian.org> wrote:
> On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> > Maybe a check should be added to APT to flag a warning if there has been no
> > updates for a significant period of time? That way if a mirror ever does
> > that, it's more detectable.
> That really doesn't make any sense for stable users since our point
> releases aren't exactly weekly
07-12-2008, 01:07 AM
Don Armstrong
Package management unsafe?
On Sat, 12 Jul 2008, Frank Lichtenheld wrote:
> On Fri, Jul 11, 2008 at 11:48:03AM -0400, Michael Casadevall wrote:
> > Maybe a check should be added to APT to flag a warning if there has been no
> > updates for a significant period of time? That way if a mirror ever does
> > that, it's more detectable.
>
> That really doesn't make any sense for stable users since our point
> releases aren't exactly weekly
It wouldn't be a huge deal to re-sign the package list every n days
and warn if the package list was signed more than n+r days ago. [This
would even be useful to handle properly mirrors which are just out of
date even without nefarious behavior.]
Don Armstrong
--
Quite the contrary; they *love* collateral damage. If they can make
you miserable enough, maybe you'll stop using email entirely. Once
enough people do that, then there'll be no legitimate reason left for
anyone to run an SMTP server, and the spam problem will be solved.
-- Craig Dickson in <20020909231134.GA18917@linux700.localnet>
http://www.donarmstrong.com http://rzlab.ucr.edu
07-12-2008, 06:12 AM
Joe Smith
Package management unsafe?
Florian Weimer <fw <at> deneb.enyo.de> writes:
> * Ron Johnson:
> > http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
> >
> > What are people's thoughts on this?
>
> HTTPS doesn't help against non-trusted mirrors.
>
> The difficult question is how to tell an APT source which is not updated
> regularly from an APT source that has been rolled back in a replay
> attack.
Actually the attack works just fine without rolling back for a replay attack.
I have my mirror stop updating. If I can assume that most clients use only my
mirror, and not others, then once a major security flaw comes out in a package
version my mirror uses, I have a list of IP addresses (from my server logs)
that may be exploitable.
So there is no reason to differentiate between a stale mirror and a potential
attack mirror. Any mirror more than say 7-days out of date should be considered
potentially unsafe, and the user should be warned that the mirror is stale,
which may be an attack attempt, and that they should consider choosing a new
mirror. Having the signature on the package file update daily, even if the
package file contents have not changed would be an easy way to detect a stale
mirror. Just add a check on the signature time-stamp as part of checking the
package signature, and warn if the signature is too old.
But the attack is not really applicable to Debian, where security updates come
from trusted security mirrors, and not the general mirrors. If this were not the
case, then the following statement from the site would be concerning:
>For example, it is known that an earlier version of OpenSSL for Debian has a
>security flaw. The list of files from the repository that previously included
>this package is still correctly signed. Using this old signed file list, a
>malicious mirror can keep a client on the insecure version of OpenSSL by
>responding to the client's package manager with the old list of files.
As it is, the mirror can do no such thing. (Only a security mirror could do
this) This is a very good thing.
Indeed there is a second possible attack vector if the general mirrors were used
for security updates. I could set my mirror up to watch for people requesting a
specific security update. While the file is being downloaded, a script could
automatically attempt to exploit the vulnerability on the system that requested
the update. The idea is that there is a high probability that the system
requesting the update has the insecure version installed, and is thus
exploitable.
However, if the security updates come from trusted security mirrors rather than
a general mirror, that attack would fail too. So with the exception of Sid or
Testing users that do not use the testing-security system to receive security
updates, Debian really is not terribly vulnerable to this.
But I still strongly recommend the signature time-stamp solution (which Don
Armstrong suggested first) as it would let us notify users that a mirror is
stale regardless of whether this is malicious, and it would help protect Sid and
testing users. It would even add some additional security to Debian-derived
distros that do not use a separate security mirror system. (Although they would
still be vulnerable to the exploit while downloading issue.)
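The freshness check proposed by Don Armstrong and elaborated by Joe Smith above, as an added example that is not APT's code and not from any poster in this thread: parse the top-level fields of a Release file, take its Date: header, and classify the index as fresh or stale against an n + r day limit. Later APT versions carry a publisher-set Valid-Until field in the Release file for the same purpose, so the check also honours that field when present. The sample Release text (including its Valid-Until value), the thresholds and the function names are assumptions of this example.

```python
"""Freshness check over an APT Release file.

Added example illustrating the proposal in this thread (re-sign the index
every n days, warn if it is older than n+r days).  It is not APT's code.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the header part of a Debian-style Release file.  The
# Valid-Until line is the field later APT versions use for this purpose; its
# value here is hypothetical.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian
Suite: stable
Codename: etch
Date: Sat, 05 Jul 2008 10:00:00 UTC
Valid-Until: Sat, 12 Jul 2008 10:00:00 UTC
Architectures: amd64 i386
Components: main contrib non-free
MD5Sum:
 0123456789abcdef0123456789abcdef 12345 main/binary-i386/Packages
"""

# Same sample without Valid-Until: what a 2008-era Release file looked like,
# so only the Date: header is available to judge staleness.
SAMPLE_RELEASE_NO_EXPIRY = SAMPLE_RELEASE.replace(
    "Valid-Until: Sat, 12 Jul 2008 10:00:00 UTC\n", "")


def parse_release_fields(text):
    """Collect the top-level 'Key: value' fields of a Release file.

    Continuation lines of the checksum blocks start with a space and are
    skipped here; they are what Release.gpg's signature covers, together
    with the header fields, so a replayed old file still validates.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith(" "):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _as_utc(stamp):
    """Parse an RFC 2822 date as used in Release files into an aware UTC datetime."""
    parsed = parsedate_to_datetime(stamp)
    if parsed.tzinfo is None:  # a '-0000' zone yields a naive datetime
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def release_age_days(text, now_iso):
    """Whole days elapsed since the Date: header, relative to now_iso (ISO 8601)."""
    now = datetime.fromisoformat(now_iso)
    return (now - _as_utc(parse_release_fields(text)["Date"])).days


def check_freshness(text, now_iso, resign_days=1, grace_days=6):
    """Return 'fresh', 'stale' or 'expired'.

    'expired': the publisher-set Valid-Until has passed (hard failure).
    'stale':   no Valid-Until, and the Date: header is older than
               resign_days + grace_days (the n + r of the proposal; the
               defaults give the 7-day threshold suggested above).
    A stale or expired index means the mirror is either out of date or
    replaying an old, still correctly signed snapshot; the client cannot
    tell which, so both cases deserve a warning.
    """
    fields = parse_release_fields(text)
    now = datetime.fromisoformat(now_iso)
    if "Valid-Until" in fields:
        return "expired" if now > _as_utc(fields["Valid-Until"]) else "fresh"
    age = now - _as_utc(fields["Date"])
    return "stale" if age > timedelta(days=resign_days + grace_days) else "fresh"


if __name__ == "__main__":
    for now in ("2008-07-08T00:00:00+00:00", "2008-07-20T00:00:00+00:00"):
        for name, text in (("with Valid-Until", SAMPLE_RELEASE),
                           ("Date only", SAMPLE_RELEASE_NO_EXPIRY)):
            print(now[:10], name, check_freshness(text, now),
                  release_age_days(text, now), "days old")
```

The Date-only path only works if the archive really does re-sign on a fixed cadence, as Don's proposal requires; with point releases months apart, a bare Date: header would flag every stable mirror as stale, which is Frank Lichtenheld's objection and the reason a publisher-chosen expiry like Valid-Until is the cleaner signal.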
07-12-2008, 06:56 AM
Andrei Popescu
Package management unsafe?
On Sat,12.Jul.08, 06:12:33, Joe Smith wrote:
> However, if the security updates come from trusted security mirrors rather than
> a general mirror, that attack would fail too. So with the exception of Sid or
> Testing users that do not use the testing-security system to receive security
> updates, Debian really is not terribly vulnerable to this.
How about distributing the Release files *only* from a trusted server?
Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough.
(Albert Einstein)
07-12-2008, 11:13 PM
Joe Smith
Package management unsafe?
Andrei Popescu <andreimpopescu <at> gmail.com> writes:
> How about distributing the Release files *only* from a trusted server?
>
> Regards,
> Andrei
That is problematic, as it does not deal with mirror synchronization properly.
If a mirror takes a few hours to update, its Packages files may not be up to
date during those hours, resulting in apt claiming the Packages file is not
validly signed.
I see no benefits over re-signing the Release file daily, even if none of the
Packages files (and hence the checksums and Release file itself) have changed,
with apt then complaining if Release.gpg has a signature that is too old.
This adds security against the published attack for testing users who do not use
testing-security as well as sid users. It also helps warn users about
non-malicious stale mirrors. As my post made clear, stable is already secure
against the published attack.
The other attack I mentioned (the attack of attempting to exploit a flaw in any
client that requests a security update) cannot be fixed in the general case,
except by clients using a trusted server, or a trusted proxy that does not
reveal the true requesting system's IP.
Stable is safe because the security servers are trusted. Users of testing or sid
should choose servers they trust or some form of trusted proxy.