LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

A perf ABI fix

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Trust and mirrors

By Jake Edge
July 16, 2008

A recent look at attacks on package managers has much of interest. None of the attack methods are particularly new at some level, but applying them to the update process is. When the mechanism that is used to keep one's system updated with respect to security vulnerabilities is itself susceptible, it is definitely worth a look.

Much of the problem stems from the fact that many community distributions rely on volunteer mirrors to distribute updates. These mirrors could be malicious which would allow them to distribute bad code to systems that are checking for updates. In addition, mirrors are perfectly placed to notice which machines are updating for particular vulnerabilities—information that could be used in attacks.

The study looked at ten of the most popular Linux and BSD package management systems and found all of them to be vulnerable to one or more of the flaws they identified. Package managers track metadata—information about what package versions and dependencies there are—as well as the packages themselves in formats like .rpm or .deb. Typically, the packages are cryptographically signed (using GPG for example) so that they can be verified as genuine by client systems. Some package managers also sign the metadata, but some do not, which allows for additional attacks.

The biggest issue with mirrors is the information that they gain. When a client requests a certain package, it is pretty easy to guess that it is probably vulnerable to whatever security flaw is being fixed in that new package. A malicious mirror—or one that has been subverted—could try to attack the client machine via the flaw being fixed. A suitable vulnerability could be used to completely compromise the client machine.

Once a particular chunk of data, either package or metadata, has been signed, it is valid more or less forever. This can be used by malicious mirrors in two ways: serving up old metadata that points clients at known vulnerable package versions or serving up old packages that are known to have flaws. In both cases, it is a kind of "replay" attack, using old, valid data for malicious purposes.

In most cases, package managers will not downgrade to previous package versions unless explicitly instructed to, so machines that have already upgraded are not generally vulnerable to a package replay. However, if a client reliably contacts a particular mirror for metadata, that mirror can continue serving an older version until an exploit of interest comes along. By knowing that the client has not upgraded—because it has been held back by the mirror-served metadata—an attacker can exploit the newly-discovered vulnerability at their convenience.

Mirrors can also perform "endless data" attacks where the data transfer for the package or metadata is never terminated. The mirror keeps sending more and more data until it fills the client disk. This is likely to "only" cause a denial of service on the machine that is being updated, but that can still be a serious result, especially when the update process is automated.

Unsigned metadata can allow for several other kinds of attacks. Manipulating the dependencies that are provided or needed by a package can lead to various kinds of problems. A dependency on a non-existent package will stop the update from happening, while a dependency on a package of the attacker's choosing can lead to complete compromise.

There is not a lot that can be done to solve the information gathering problem. Subscription-based distributions generally provide their own servers and do not rely upon mirrors to avoid this problem. For community distributions, there really is no central authority that has the resources to do that. Also, controlling all the mirrors only goes so far; if any are compromised, the same kinds of attacks are possible. Downloading the packages to a non-vulnerable host is probably the best avoidance technique, but is difficult to do in practice.

The lessons from this study are clear. Metadata should be signed and only downloaded from "trusted" servers. If there is a concern about man-in-the-middle attacks, an encrypted connection should be used between the clients and servers with certificates being checked to ensure the connection is going where expected.

In the end, it comes down to trusting the mirrors that one uses. It is not terribly surprising that mirrors can cause these kinds of problems, but the study authors did an excellent job pulling together the different kinds of attacks. The picture that they paint is not particularly pretty, but it is one we needed to see.

(Log in to post comments)

Trust and mirrors

Posted Jul 17, 2008 3:59 UTC (Thu) by IkeTo (subscriber, #2122) [Link] 

Hm... if the worry is simply that some mirrors never updates, distributions can simply have a
canonical address (like "last updated") and have everybody contact it to know what is the
current version of the canonical server.  When one do an update, it checks whether the mirror
is too old, and if so, warns the user.  "Endless" data can also be easily dealt with: the
distribution can organize to accompany each transfer with a leading fixed-length, signed
fields that contains the expected length of the package.

So essentially, if cryptography didn't solve your problem, just use more of it.

Trust and mirrors

Posted Jul 17, 2008 8:44 UTC (Thu) by ttonino (subscriber, #4073) [Link] 

Yup. Just check the SHA1 of the metadata to a version at a trusted location.

Or figure out an incremental metadata format (append changes and append new signature), which
would make it possible to push an update out every day or even every hour. The client would
then refuse metadata with a time stamp that is too old. The possibility of incremental updates
makes these 'time stamp updates' cheap in bandwidth.

Trust and mirrors

Posted Jul 17, 2008 12:57 UTC (Thu) by tzafrir (subscriber, #11501) [Link] 

In the follow-ups to the previous story it has been pointed out that those concerens were
known and in some cases addressed.

In general, distributions consider the mirror systems as potentially unreliable copies of the
original archive. There is really no good way to assure no mirror is ever malicious.

In OpenSUSE, as of 10.3, the clients download the metadata separately from a central server.
The big bulk of the download is still from mirrors. But if they cheat, the metadata from the
main server fails to check.


Debian (and Ubuntu?) sign the metadata and propagate it as part of the mirrored context. So
far it seems that the described replay attack would work. But to avoid it, security updates
come from a smaller set of mirrors, which are all maintained by the Debian project directly
and thus are reliable.

Thus a signed metadata, on its own, is not good enough. It still allows a replay attack.
Encrypted connection does not help any bit. This is probably some confusion with the separate
guarantees that SSL provides.

As for the recommendation to only download from trusted mirrors: it is basically the same as
only browsing web sites you can trust.

Trust and mirrors

Posted Jul 18, 2008 0:33 UTC (Fri) by jgsack@san.rr.com (guest, #33287) [Link] 

Glancing at the article referenced, I didn't see any mention of another concern I have long
had. How can I be sure _I_ have not indadvertently accepted a bogus signature key.

Is there some kind of survey tool to validate the keys for all installed packages -- that is
verify that they are valid keys known to (trusted by) the distributor?

I sort-of remember accepting unknown keys, not paying attention to keys, or (not sure)
accepting unsigned packages if that is possible. 

I guess I'm saying that I don't trust myself to have always done the correct thing, so how do
I audit for this risk? ;-)

..j

Trust and mirrors

Posted Jul 21, 2008 11:45 UTC (Mon) by cate (subscriber, #1359) [Link] 

Debian uses only controlled server for security repositories (4 debian machine in
security.debian.org).

IMHO stable users updates system when they see an annoncement via debian security announce
mailing list (or via LWN), so people should notice updates and version eventually mismatches.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds