Trust and mirrors
By Jake Edge
July 16, 2008
A recent study of attacks on package managers has much of interest. None of
the attack methods is particularly new at some level, but applying them to
the update process is. When the mechanism used to keep a system patched
against security vulnerabilities is itself susceptible to attack, it is
definitely worth a look.
Much of the problem stems from the fact that many community distributions
rely on volunteer mirrors to distribute updates. A malicious mirror could
distribute bad code to the systems that check it for updates. In addition,
mirrors are perfectly placed to notice which machines are updating for
particular vulnerabilities, information that could itself be used in attacks.
The study looked at ten of the most popular Linux and BSD package management
systems and found all of them to be vulnerable to one or more of the flaws
the authors identified. Package managers track metadata (information about
which package versions exist and what they depend on) as well as the packages
themselves, in formats like .rpm or .deb. Typically, the packages are
cryptographically signed (using GPG, for example) so that client systems can
verify them as genuine. Some package managers also sign the metadata, but some
do not, which opens the door to additional attacks.
The biggest issue with mirrors is the information that they gain. When a
client requests a certain package, it is pretty easy to guess that it is
probably vulnerable to whatever security flaw is being fixed in that new
package. A malicious mirror—or one that has been
subverted—could try to attack the client machine via the flaw being
fixed. A suitable vulnerability could be used to completely
compromise the client machine.
Once a particular chunk of data, either package or metadata, has been
signed, it is valid more or less forever. This can be used by malicious
mirrors in two ways: serving up old metadata that points clients at known
vulnerable package versions or serving up old packages that are known to
have flaws. In both cases, it is a kind of "replay" attack, using old,
valid data for malicious purposes.
In most cases, package managers will not downgrade to previous package
versions unless explicitly instructed to, so machines that have already
upgraded are not generally vulnerable to a package replay. However, if a
client reliably contacts a particular mirror for metadata, that mirror can
continue serving an older version until an exploit of interest comes
along. By knowing that the client has not upgraded—because it has
been held back by the mirror-served metadata—an attacker can exploit
the newly-discovered vulnerability at their convenience.
Mirrors can also perform "endless data" attacks where the data
transfer for the package or metadata is never terminated. The mirror keeps
sending more and more data until it fills the client disk. This is likely
to "only" cause a denial of service on the machine that is being updated,
but that can still be a serious result, especially when the update process
is automated.
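As an added example (not code from the article or the study), here is the client-side defence against the endless-data attack just described: the client takes the package's expected size and hash from signed repository metadata and refuses to read past that size, rather than trusting whatever Content-Length the mirror announces. The payload, its hash, and the honest, endless, truncated and corrupted streams are all constructed for illustration.

```python
import hashlib
from typing import Iterator, Optional, Tuple

# Constructed sample package body. In practice the size and hash below come
# from signed repository metadata, never from the mirror being downloaded from.
PACKAGE = b"constructed .deb payload " * 100
EXPECTED_LEN = len(PACKAGE)
EXPECTED_SHA256 = hashlib.sha256(PACKAGE).hexdigest()


def honest_stream(data: bytes, chunk_size: int = 1024) -> Iterator[bytes]:
    """A well-behaved mirror: sends the file and then stops."""
    for i in range(0, len(data), chunk_size):
        yield data[i:i + chunk_size]


def endless_stream(chunk_size: int = 1024) -> Iterator[bytes]:
    """A constructed malicious mirror: the transfer never terminates."""
    while True:
        yield b"A" * chunk_size


def fetch_bounded(stream: Iterator[bytes], expected_len: int,
                  expected_sha256: str) -> Tuple[str, Optional[bytes]]:
    """Read a package from `stream`, enforcing the size and hash that the
    signed metadata promised. Returns (status, data); data is None unless
    status is 'ok'.

    The cap is checked before each chunk is stored, so an endless mirror is
    cut off as soon as it would push the transfer past expected_len, and the
    client's disk never fills.
    """
    digest = hashlib.sha256()
    received = bytearray()
    for chunk in stream:
        if len(received) + len(chunk) > expected_len:
            return "too_long", None      # mirror sent more than metadata allows
        received += chunk
        digest.update(chunk)
    if len(received) != expected_len:
        return "truncated", None         # short transfer: try another mirror
    if digest.hexdigest() != expected_sha256:
        return "bad_hash", None          # right size, wrong content
    return "ok", bytes(received)


def run_demo() -> dict:
    """Exercise the four outcomes; returns {case: status}."""
    corrupted = bytearray(PACKAGE)
    corrupted[0] ^= 0x01                 # same length, one bit flipped
    return {
        "honest": fetch_bounded(honest_stream(PACKAGE),
                                EXPECTED_LEN, EXPECTED_SHA256)[0],
        "endless": fetch_bounded(endless_stream(),
                                 EXPECTED_LEN, EXPECTED_SHA256)[0],
        "truncated": fetch_bounded(honest_stream(PACKAGE[:-1]),
                                   EXPECTED_LEN, EXPECTED_SHA256)[0],
        "corrupted": fetch_bounded(honest_stream(bytes(corrupted)),
                                   EXPECTED_LEN, EXPECTED_SHA256)[0],
    }


if __name__ == "__main__":
    for case, status in run_demo().items():
        print(f"{case:10s} {status}")
```

The same bound should apply to the metadata download itself; since the metadata's size is not known before it is fetched, a fixed, generous maximum (a few megabytes, say) is the usual choice there, and a transfer that exceeds it is treated as a hostile mirror rather than retried.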
Unsigned metadata can allow for several other kinds of attacks.
Manipulating the dependencies that are provided or needed by a package can
lead to various kinds of problems. A dependency on a non-existent package
will stop the update from happening, while a dependency on a package of the
attacker's choosing can lead to complete compromise.
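The metadata replay and freeze attacks described above, and the dependency tampering just described, are all caught by the same three client-side checks. The code below is an added example, not code from the study or from any distribution's package manager. It assumes metadata that is signed as a whole, that carries a version number and an expiry time, and a client that remembers the newest version it has accepted. HMAC-SHA256 with a constructed key stands in for the distribution's GPG signature, and the package names, versions and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the distribution's signing key. A real client
# verifies a GPG signature against the distribution's public key instead.
SIGNING_KEY = b"constructed-repository-signing-key"


def canonical(meta: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(meta: dict, key: bytes = SIGNING_KEY) -> dict:
    """Wrap metadata in a signed envelope. The signature covers the whole
    document, dependency lists included, so nothing inside can be edited."""
    sig = hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()
    return {"signed": meta, "sig": sig}


class ClientState:
    """What the client must persist between runs: the newest metadata version
    it has ever accepted. Without it, old metadata can be replayed at will."""
    def __init__(self) -> None:
        self.last_version = 0


def verify_metadata(envelope: dict, state: ClientState, now: int,
                    key: bytes = SIGNING_KEY) -> str:
    """Return 'ok' or the reason the metadata was rejected.

    Checks, in order: the signature (catches any edit, such as an added
    dependency); the expiry (bounds how long a mirror can keep serving the
    same old but validly signed document); and the version (rejects rollback
    to a document older than one the client has already accepted).
    """
    meta = envelope["signed"]
    expected = hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return "bad signature"
    if meta["expires"] <= now:
        return "expired"
    if meta["version"] < state.last_version:
        return "rollback"
    # Seeing the same version again (a mirror that has not changed) is fine;
    # the expiry check is what stops that from going on indefinitely.
    state.last_version = meta["version"]
    return "ok"


def run_demo() -> dict:
    """Walk through the attacks from the article; returns {case: result}."""
    t0 = 1_216_166_400                     # constructed reference time
    v1 = {"version": 1, "expires": t0 + 3600,
          "packages": {"openssl": {"version": "0.9.8g-4", "depends": ["libc6"]}}}
    v2 = {"version": 2, "expires": t0 + 7200,
          "packages": {"openssl": {"version": "0.9.8g-10", "depends": ["libc6"]}}}
    env1, env2 = sign_metadata(v1), sign_metadata(v2)
    state = ClientState()
    results = {}
    results["v1_first"] = verify_metadata(env1, state, t0)
    results["v2_update"] = verify_metadata(env2, state, t0 + 10)
    # Replay: the mirror serves the older, still validly signed v1 after the
    # client has already accepted v2.
    results["v1_replay"] = verify_metadata(env1, state, t0 + 20)
    # Freeze: the mirror keeps serving v2 past its expiry time.
    results["v2_frozen"] = verify_metadata(env2, state, t0 + 7200)
    # Tampering: the mirror edits the metadata to add a dependency of its
    # choosing; the signature no longer matches the document.
    tampered = json.loads(json.dumps(env2))
    tampered["signed"]["packages"]["openssl"]["depends"].append("attacker-chosen-pkg")
    results["deps_tampered"] = verify_metadata(tampered, state, t0 + 30)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:14s} {outcome}")
```

Two points follow from the design. The expiry must be short enough that a mirror which stops updating is noticed within the window an administrator cares about, which means the distribution has to re-sign metadata on a schedule even when nothing changes. And the version check only helps if the client stores `last_version` somewhere the update process itself cannot casually reset; a client that forgets it on every run is back to accepting any signed document.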
There is not a lot that can be done to solve the information gathering
problem. Subscription-based distributions generally provide their own
servers and do not rely upon mirrors, which avoids it. For community
distributions, there really is no central authority that has the resources
to do that. Also, controlling all the mirrors only goes so far; if any are
compromised, the same kinds of attacks are possible.
Downloading the packages to a non-vulnerable host is probably the best
avoidance technique, but is difficult to do in practice.
The lessons from this study are clear. Metadata should be signed and
only downloaded from "trusted" servers. If there is a concern about
man-in-the-middle attacks, an encrypted connection should be used between
the clients and servers with certificates being checked to ensure the
connection is going where expected.
In the end, it comes down to trusting the mirrors that one uses. It is not
terribly surprising that mirrors can cause these kinds of problems, but the
study authors did an excellent job pulling together the different kinds of
attacks. The picture that they paint is not particularly pretty, but it is
one we needed to see.
Security reports
Study: Attacks on package managers
The University of Arizona is publishing a study on security problems with
package management systems. The core problem would appear to be that tools
like yum and apt will happily install versions of packages with known
vulnerabilities if they think that's the most recent version available. And
feeding such packages to the package managers is not a big challenge: "To
give an example of how easy it is for a malicious party to obtain a mirror,
we ran an experiment where we created a fake administrator and company name
and leased a server from a hosting provider. We were able to get our mirror
listed on every distribution we tried (Ubuntu, Fedora, OpenSuSE, CentOS, and
Debian) and our mirrors were contacted by thousands of clients, even
including military and government computers!"
New vulnerabilities
apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2008-1678, CVE-2008-2364, CVE-2007-6420 |
| Created: | July 10, 2008 |
| Updated: | August 8, 2008 |
| Description: |
Apache has three vulnerabilities. From the Gentoo alert:
Dustin Kirkland reported that the mod_ssl module can leak memory when the client reports support for a compression algorithm (CVE-2008-1678).
Ryujiro Shibuya reported that the ap_proxy_http_process_response() function in the mod_proxy module does not limit the number of forwarded interim responses (CVE-2008-2364).
sp3x of SecurityReason reported a Cross-Site Request Forgery vulnerability in the balancer-manager in the mod_proxy_balancer module (CVE-2007-6420).
| Alerts: |
bluez: input validation flaw
| Package(s): | bluez-libs bluez-utils |
| CVE #(s): | CVE-2008-2374 |
| Created: | July 15, 2008 |
| Updated: | July 16, 2008 |
| Description: |
From the Red Hat advisory: An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX® socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon.
| Alerts: |
drupal: multiple vulnerabilities
| Package(s): | drupal |
| CVE #(s): | |
| Created: | July 16, 2008 |
| Updated: | July 16, 2008 |
| Description: |
Cross-site scripting, cross-site request forgery, session fixation and SQL injection as described in this Drupal advisory.
| Alerts: |
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2008-2785, CVE-2008-2933 |
| Created: | July 16, 2008 |
| Updated: | August 8, 2008 |
| Description: |
From the Red Hat advisory:
An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785)
A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933)
| Alerts: |
java-1.5.0-sun: multiple vulnerabilities
| Package(s): | java-1.5.0-sun |
| CVE #(s): | CVE-2008-3103, CVE-2008-3104, CVE-2008-3107, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114 |
| Created: | July 16, 2008 |
| Updated: | August 25, 2008 |
| Description: |
From the Red Hat advisory:
A vulnerability was found in the Java Management Extensions (JMX) management agent, when local monitoring is enabled. This allowed remote attackers to perform illegal operations. (CVE-2008-3103)
Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104)
A Java Runtime Environment (JRE) vulnerability could be triggered by an untrusted application or applet. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, or executing local programs. (CVE-2008-3107)
Several buffer overflow vulnerabilities in Java Web Start were reported. These vulnerabilities may allow an untrusted Java Web Start application to elevate its privileges and thereby grant itself permission to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3111)
Two file processing vulnerabilities in Java Web Start were found. A remote attacker, by means of an untrusted Java Web Start application, was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113)
A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114)
| Alerts: |
java-1.6.0-sun: multiple vulnerabilities
| Package(s): | java-1.6.0-sun |
| CVE #(s): | CVE-2008-3105, CVE-2008-3106, CVE-2008-3109, CVE-2008-3110 |
| Created: | July 16, 2008 |
| Updated: | August 25, 2008 |
| Description: |
From the Red Hat advisory:
Several vulnerabilities in the Java API for XML Web Services (JAX-WS) client and service implementation were found. A remote attacker who caused malicious XML to be processed by a trusted or untrusted application was able to access URLs or cause a denial of service. (CVE-2008-3105, CVE-2008-3106)
Several vulnerabilities within the JRE scripting support were reported. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110)
| Alerts: |
java: multiple vulnerabilities
| Package(s): | java |
| CVE #(s): | |
| Created: | July 10, 2008 |
| Updated: | July 17, 2008 |
| Description: |
Java 1.7.0 has multiple vulnerabilities. The Fedora 8 alert descriptions include:
OpenJDK JMX allows illegal operations with local monitoring.
OpenJDK untrusted applet/application privilege escalation.
OpenJDK JAX-WS unauthorized URL access.
OpenJDK unauthorized access to certain URL resources.
| Alerts: |
newsx: stack overflow
| Package(s): | newsx |
| CVE #(s): | CVE-2008-3252 |
| Created: | July 16, 2008 |
| Updated: | July 31, 2008 |
| Description: |
Stack overflow caused by lines starting with '.' as described in the Red Hat bugzilla.
| Alerts: |
php: denial of service
| Package(s): | php |
| CVE #(s): | CVE-2007-4782 |
| Created: | July 16, 2008 |
| Updated: | July 24, 2008 |
| Description: |
From the Red Hat advisory:
It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782)
| Alerts: |
wireshark: multiple vulnerabilities
Page editor: Jake Edge