
Nastier attack

Posted Jul 14, 2008 18:16 UTC (Mon) by rgmoore (✭ supporter ✭, #75)
Parent article: Study: Attacks on package managers

Someone on Slashdot pointed out a much nastier potential attack. The process is simple:

  1. Set up a mirror.
  2. Wait for the distro you're mirroring to send out a security update for a package with a remotely exploitable hole.
  3. Root the box of everybody who starts to download the updated package.

The mirror can look completely legitimate, because it just passively harvests the IDs of vulnerable computers. You probably want to pass off the job of rooting vulnerable computers to a separate botnet to keep your mirror looking squeaky clean.


Nastier attack

Posted Jul 14, 2008 20:30 UTC (Mon) by dskoll (subscriber, #1630) [Link]

That is a very nasty attack.  To defend against this, an organization should have a dedicated
"mirroring" computer that runs almost nothing.  This computer does all the downloads and then
serves the updated packages to other machines.

By decoupling the machine doing the downloading from the machine being updated, you can
mitigate against evil mirrors.  (You can't completely block the attack because the downloader
machine itself might happen to require a package that is found to have a vulnerability.
That's really hard to protect against other than by upgrading the downloader machine manually.)

One solution to this problem

Posted Jul 14, 2008 21:03 UTC (Mon) by jmorris42 (subscriber, #2203) [Link]

> You can't completely block the attack because the downloader
> machine itself might happen to require a package that is found
> to have a vulnerability. That's really hard to protect against
> other than by upgrading the downloader machine manually.

Use an OS where security updates come from a trusted source for the key machine running your
local mirror.  Since you control the local mirror it should be trusted, thus solving the real
problem here.  This is a basic information disclosure attack, where an evil mirror can
convince machines/users to disclose their vulnerability to an untrusted entity.

So run the one mirror machine on Debian (their low installed base allows all security updates
to originate from security.debian.org) or use a paid support distro (SuSE, RHEL) where all
updates come from the OS vendor itself.

This closes the flaw for larger sites that can set up a dedicated local mirror, but the lone
Fedora user at home is still pretty much boned.  And until all communication to the
mirrors/master repo is via https with server keys precached during the OS install (or via
package updates which are signed) there is still some non-zero potential for DNS poisoning,
man-in-the-middle attacks, etc.
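The mitigation both replies describe (one dedicated machine pulls updates upstream; every other host is served only from it) is only as good as the hosts actually honouring it. The following is an added example, not code from the thread or from any distribution: it scans an outbound-connection log for internal hosts that fetched repository content from anything other than the local mirror. The log format (`<epoch> <src_ip> <dst_host> <method> <url>`), the mirror's address and name, and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed assumptions: only this host may talk to upstream mirrors.
LOCAL_MIRROR_IP = "10.0.0.5"
LOCAL_MIRROR_HOST = "mirror.corp.example"

# URL paths that identify apt/yum-style repository traffic.
REPO_PATH = re.compile(r"/(?:pool|dists|repodata)/|/Packages(?:\.gz)?$")
# Assumed export format: "<epoch> <src_ip> <dst_host> <method> <url>"
LINE = re.compile(r"^(\d+) (\S+) (\S+) (?:GET|HEAD) (\S+)$")

# Constructed sample: the local mirror syncs upstream, one client uses it,
# one client (10.0.1.21) fetches the security update straight from an
# external mirror, and one line is ordinary web traffic.
SAMPLE_LOG = """\
1216065600 10.0.0.5 security.debian.org GET /debian-security/dists/etch/updates/main/binary-i386/Packages.gz
1216065601 10.0.0.5 security.debian.org GET /debian-security/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
1216065700 10.0.1.20 mirror.corp.example GET /debian-security/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
1216065720 10.0.1.21 ftp.example-mirror.org GET /debian-security/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
1216065730 10.0.1.22 www.example.com GET /index.html
1216065740 10.0.1.21 ftp.example-mirror.org GET /debian/dists/etch/Release
"""

def parse(log_text):
    """Yield (ts, src, dst, url) for well-formed lines; skip malformed ones."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, src, dst, url = m.groups()
            yield int(ts), src, dst, url

def bypassing_hosts(log_text):
    """Map each internal host that pulled repository content from somewhere
    other than the local mirror to the sorted list of external hosts it used.
    The mirror machine itself is exempt: it has to talk upstream."""
    hits = defaultdict(set)
    for _ts, src, dst, url in parse(log_text):
        if not REPO_PATH.search(url):
            continue  # not package-repository traffic
        if src == LOCAL_MIRROR_IP or dst == LOCAL_MIRROR_HOST:
            continue  # sanctioned path
        hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in sorted(bypassing_hosts(SAMPLE_LOG).items()):
        print(f"{src} fetched repository content directly from {', '.join(dsts)}")
```

Any host the report names is exactly the kind of machine whose update requests an untrusted upstream mirror gets to see, so the list doubles as a to-do for pointing those hosts back at the local mirror.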

One solution to this problem

Posted Jul 15, 2008 12:22 UTC (Tue) by jmm (subscriber, #34596) [Link]

security.debian.org isn't a single machine, but a round-robin setup of several hosts
administered by Debian. Last time someone published the stats they were serving ~ 30 MB/s
(which was two days after the last DSA was published; I suppose the peaks are higher).

Nastier attack

Posted Jul 15, 2008 4:46 UTC (Tue) by dvdeug (subscriber, #10998) [Link]

Why is this a nasty attack? Compare to:

1. Portscan a lot of computers; save the results
2. When there's a security update, hit the computers running that program

It doesn't require you to have a mirror (and hence a large traceable presence) and hits all
targets, not just one distro. It's less targeted, but how often has that been a problem in
Internet attacks?

Nastier attack

Posted Jul 15, 2008 9:18 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

...
Alternative (3)
"Root" a whole bunch of NAT routers.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds