LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

Attacks on package managers

April 8, 2009

This article was contributed by Koen Vervloesem

It is common for users to use package managers to update their system without considering the security implications. Unfortunately, the security of the package manager matters a great deal because it runs as root and a poor implementation might lead to installation of insecure or malicious packages. Last year, Justin Samuel of the University of Arizona and Justin Cappos of the University of Washington did an extensive research on vulnerabilities of the most common package managers for Linux. In the February 2009 issue of the USENIX magazine ;login:, they published an overview of their findings [PDF]. Although none of the attack methods and vulnerabilities they talk about are particularly new or surprising, the issues are serious enough to merit some attention.

Essentially, there is just one underlying method to all vulnerabilities in package managers: an attacker, rather than a legitimate repository of the distribution, responds to a client when the package manager downloads files. The simplest way to do this is of course becoming a public mirror for a distribution's repositories. When an attacker runs a mirror, he can reply to client requests with malicious content. Thus one question every user has to ask himself is: do you trust the mirrors you use? There was a lot of discussion about the security of mirrors last year and some responses by Linux distributions that were mentioned in the study.

The researchers looked at APT (used by Debian and Ubuntu), APT-RPM (used by PCLinuxOS), Pacman (used by Arch Linux), Portage (used by Gentoo), Slaktool(used by Slackware), Stork (a research project of the University of Arizona), URPMI (used by Mandriva), YaST (used by openSUSE and SUSE Linux Enterprise) and YUM (used by Fedora, Red Hat Enterprise Linux and CentOS). They didn't look at BSD systems for this research, although they are currently investigating the Portsnap tool for securely distributing the FreeBSD ports tree.

Cryptographic signatures

A vulnerability in a package manager can mean two things: either it installs a package the user doesn't want to install, such as an older, vulnerable version of the package or a dependency that isn't needed but hosts a Trojan horse; or it doesn't install a package the user wants to install, such as a security update. To make these events impossible, package managers can use cryptographic signatures. The differences in package managers largely come down to what is actually signed: the root metadata, the metadata that describes the packages, or the packages themselves.

The root metadata is the first file that a package manager downloads, which describes the contents and the layout of the repository, usually with the names and hashes of the files that have detailed information. If the root metadata is signed, the package manager can check if someone is tricking it into downloading a fake root metadata file. By verifying the integrity of the root metadata and then verifying the secure hashes of each downloaded file, the package manager is able to check the integrity of the information. This model is used by APT, APT-RPM and YaST.

Another approach is placing signatures on the files that directly contain the metadata of the packages, as Portage does. A third way is to not have signatures on the metadata, but on each individual package. Package managers like YUM and URPMI download a package and then check the signature before installing it. But even if the package manager uses one of these three types of cryptographic signatures, this doesn't mean it is safe.

The vulnerabilities

The possible vulnerabilities of package managers fall into three main categories: replay and freeze attacks, metadata manipulation attacks and denial-of-service attacks. A replay attack comes down to the following: when a package manager requests signed metadata, a malicious party responds with an old signed file. This is possible without the need to compromise the signing key, because once a file is signed, it is always trusted by clients. This works even after vulnerabilities are discovered in a package that was once considered safe: the attacker just has to respond with old metadata that lists package versions the attacker knows how to exploit. A freeze attack works in a similar way: an attacker keeps giving the client the same version of the metadata, essentially "freezing" the metadata at one point in time to prevent updates to vulnerable packages.

With a replay attack, the attacker is still rather limited in what he can do: he can only respond with packages from a single point in time. This means that if two packages were vulnerable at different times, the attacker cannot make both vulnerable versions available to the client with a replay attack. If the package manager does not use signed metadata, an attacker doesn't have to bother with a replay attack: the system is at risk because the attacker can just make up his own metadata. In one attack, he can make as many vulnerable packages available to the client as he wants, and thus he can increase significantly the chances of a client installing and using a vulnerable package.

If an attacker has the chance to manipulate metadata, he can also lie to the clients about what a package requires. If a package has a vulnerability the attacker knows how to exploit, he can provide metadata that says every package depends on this package. This ensures that the client installs it when installing any other package. Only a user with intimate knowledge of the packages and their dependencies will spot this.

The last category of vulnerabilities are the endless data attacks, which essentially are a form of denial-of-service. This attack is dead simple: the malicious party responds to a client request (metadata or a package) with an endless stream of data. Possible results are filling up the partition or exhausting memory.

What are the distributions doing about it?

Samuel and Cappos give a good overview of the security of the different package managers and distributions. Their paper outlines the situation from last year, so it's good to look at what has been done in the meantime. At one end of the spectrum, Slaktool on Slackware, Pacman on Arch Linux and Ports in the BSD world don't make any pretense of being secure. Justin Samuel said that he has the impression that the Slackware community is not currently focused on securing their package manager, but Arch Linux has an open bug related to adding support for signed packages and there has been community discussion following the publication of their research from last year.

Then there are the package managers that don't use signatures on root metadata, such as YUM, URPMI and Portage. These are all vulnerable to metadata manipulation attacks and hence not very secure. Since the study YUM developers have added the ability to use signed root metadata, but Fedora 10 is not using it yet and the mirrors don't contain root metadata signatures. The YUM developers are working on some of the other security issues, but it's not yet clear whether the changes will be part of Fedora 11.

Gentoo's Portage developers have also begun to address these vulnerabilities and are in the planning stage for adding a signed root metadata file to Portage. Gentoo Linux Enhancement Proposal 58 discusses the addition of what Gentoo calls a MetaManifest. The proposal is listed as having Draft status.

During the research of Samuel and Cappos, all package managers were vulnerable to replay and freeze attacks, but package managers that signed either the root metadata or package metadata don't require many changes to address this issue. This includes YaST and APT. Debian's APT developers have begun planning the necessary changes. A first attempt at a solution to replay attacks was added to experimental, and will probably be implemented in an upcoming point release of Lenny.

The endless data attacks also affected all package managers, and none has solved this at the moment. Samuel and Cappos have implemented protections against all of the attacks mentioned for Stork, their own package management system.

The authors warn that using a secure package manager doesn't mean that the distribution is using these security measures. One notable example is PCLinuxOS, which uses APT-RPM but doesn't make use of its support for root metadata signatures. And although the YUM developers have responded quickly by adding support for signed root metadata, distributions using YUM do not yet sign this metadata.

The verdict: use an enterprise Linux distribution

The best way to stay secure is to choose a distribution that takes these vulnerabilities seriously. The findings of the study show, unsurprisingly, that using an enterprise Linux distribution is a serious security advantage: SUSE Linux Enterprise and Red Hat Enterprise Linux are not vulnerable for these attacks, not because they have specifically protected against these attacks, but because of their use of SSL (which blocks man-in-the-middle attacks if correctly implemented) and by not using public mirrors.

The authors also praise openSUSE for offering almost the same level of protection as the enterprise distributions. According to Justin Samuel, openSUSE is the most secure community distribution due to only being vulnerable to man-in-the-middle attacks, and not from malicious mirrors. YaST supports expiry of metadata in openSUSE 11.1, but the metadata in the official update repository has no expiry time set at this time. According to Ludwig Nussel from the openSUSE security team, this will be fixed soon.

The authors have an accompanying web site with more background about package manager security and access to more papers.

Comments (16 posted)

New vulnerabilities

bugzilla: cross-site request forgery

Package(s):bugzilla CVE #(s):CVE-2009-1213
Created:April 7, 2009 Updated:June 4, 2010
Description: From the CVE entry: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing.
Alerts:
Gentoo 201006-19:02 2010-06-04
Fedora FEDORA-2009-3405 2009-04-07
Fedora FEDORA-2009-3410 2009-04-07

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):
Created:April 8, 2009 Updated:April 8, 2009
Description: From the Ubuntu advisory: It was discovered that ClamAV did not properly verify its input when processing TAR archives. A remote attacker could send a specially crafted TAR file and cause a denial of service via infinite loop.
Alerts:
Ubuntu USN-754-1 2009-04-07

Comments (none posted)

device-mapper-multipath: incorrect permissions

Package(s):device-mapper-multipath CVE #(s):CVE-2009-0115
Created:April 8, 2009 Updated:June 2, 2010
Description: From the Red Hat advisory: It was discovered that the multipathd daemon set incorrect permissions on the socket used to communicate with command line clients. An unprivileged, local user could use this flaw to send commands to multipathd, resulting in access disruptions to storage devices accessible via multiple paths and, possibly, file system corruption on these devices.
Alerts:
Gentoo 201006-10 2010-06-01
Fedora FEDORA-2009-3449 2009-04-09
Fedora FEDORA-2009-3453 2009-04-09
Debian DSA-1767-1 2009-04-09
CentOS CESA-2009:0411 2009-04-07
Red Hat RHSA-2009:0411-01 2009-04-07

Comments (none posted)

horde3: multiple vulnerabilities

Package(s):horde3 CVE #(s):CVE-2009-0932 CVE-2008-3330 CVE-2008-5917
Created:April 8, 2009 Updated:April 1, 2010
Description: From the Debian advisory:

Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image. CVE-2009-0932

It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary html code. This requires that the attacker has access to create contacts. CVE-2008-3330

It was discovered that the horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary html code. This is only exploitable when Internet Explorer is used. CVE-2008-5917

Alerts:
Fedora FEDORA-2010-5520 2010-04-01
Fedora FEDORA-2010-5483 2010-04-01
Gentoo 200909-14 2009-09-12
Debian DSA-1765-1 2009-04-08

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2009-1046
Created:April 3, 2009 Updated:August 20, 2009
Description: The console selection feature in the Linux kernel when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an an off-by-two memory error. It is is not clear if this can be exploited at all.
Alerts:
SuSE SUSE-SA:2009:045 2009-08-20
Debian DSA-1800-1 2009-05-15
Debian DSA-1787-1 2009-05-02
Red Hat RHSA-2009:0451-02 2009-04-29
Ubuntu USN-751-1 2009-04-07
SuSE SUSE-SA:2009:017 2009-04-03

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel, linux, linux-source-2.6.22 CVE #(s):CVE-2008-4307 CVE-2008-6107 CVE-2009-0605 CVE-2009-0834 CVE-2009-0835 CVE-2009-0859
Created:April 7, 2009 Updated:February 3, 2010
Description: From the Ubuntu advisory:

NFS did not correctly handle races between fcntl and interrupts. A local attacker on an NFS mount could consume unlimited kernel memory, leading to a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-4307)

Sparc syscalls did not correctly check mmap regions. A local attacker could cause a system panic, leading to a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-6107)

The page fault handler could consume stack memory. A local attacker could exploit this to crash the system or gain root privileges with a Kprobe registered. Only Ubuntu 8.10 was affected. (CVE-2009-0605)

The syscall interface did not correctly validate parameters when crossing the 64-bit/32-bit boundary. A local attacker could bypass certain syscall restricts via crafted syscalls. (CVE-2009-0834, CVE-2009-0835)

The shared memory subsystem did not correctly handle certain shmctl calls when CONFIG_SHMEM was disabled. Ubuntu kernels were not vulnerable, since CONFIG_SHMEM is enabled by default. (CVE-2009-0859)

Alerts:
Red Hat RHSA-2010:0079-01 2010-02-02
SuSE SUSE-SA:2009:033 2009-06-16
SuSE SUSE-SA:2009:031 2009-06-09
SuSE SUSE-SA:2009:030 2009-06-08
SuSE SUSE-SA:2009:028 2009-05-20
Mandriva MDVSA-2009:118 2009-05-19
Debian DSA-1800-1 2009-05-15
rPath rPSA-2009-0084-1 2009-05-15
CentOS CESA-2009:0473 2009-05-07
Red Hat RHSA-2009:0473-01 2009-05-07
Debian DSA-1794-1 2009-05-06
Debian DSA-1787-1 2009-05-02
CentOS CESA-2009:0459 2009-05-01
Red Hat RHSA-2009:0459-01 2009-04-30
Red Hat RHSA-2009:0451-02 2009-04-29
SuSE SUSE-SA:2009:021 2009-04-16
Ubuntu USN-752-1 2009-04-07
Ubuntu USN-751-1 2009-04-07

Comments (none posted)

lcms, java: denial of service

Package(s):lcms java CVE #(s):CVE-2009-0793 CVE-2009-0794
Created:April 8, 2009 Updated:January 12, 2011
Description: From the Red Hat advisory: A null pointer dereference flaw was found in LittleCMS. An application using color profiles could crash while converting a specially-crafted image file.
Alerts:
Ubuntu USN-1043-1 2011-01-12
Mandriva MDVSA-2009:121-1 2009-12-02
Mandriva MDVSA-2009:162 2009-07-28
Mandriva MDVSA-2009:137 2009-06-20
Mandriva MDVSA-2009:121 2009-05-21
Fedora FEDORA-2009-3967 2009-04-27
Fedora FEDORA-2009-3914 2009-04-27
Debian DSA-1769-1 2009-04-11
CentOS CESA-2009:0377 2009-04-08
Fedora FEDORA-2009-3426 2009-04-07
Fedora FEDORA-2009-3425 2009-04-07
Red Hat RHSA-2009:0377-01 2009-04-07
Gentoo 200904-19 2009-04-19

Comments (none posted)

mapserver: multiple vulnerabilities

Package(s):mapserver CVE #(s):CVE-2009-0839 CVE-2009-0840 CVE-2009-0841 CVE-2009-0842 CVE-2009-0843 CVE-2009-1176 CVE-2009-1177
Created:April 7, 2009 Updated:October 23, 2009
Description: From the Red Hat bugzilla:

Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when the server has a map with a long IMAGEPATH or NAME attribute, allows remote attackers to execute arbitrary code via a crafted id parameter in a query action. CVE-2009-0839

Heap-based buffer underflow in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to have an unknown impact via a negative value in the Content-Length HTTP header. CVE-2009-0840

Directory traversal vulnerability in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with Cygwin, allows remote attackers to create arbitrary files via a .. (dot dot) in the id parameter. CVE-2009-0841

mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map symlink. CVE-2009-0842

The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname exists. CVE-2009-0843

mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 does not ensure that the string holding the id parameter ends in a '\0' character, which allows remote attackers to conduct buffer-overflow attacks or have unspecified other impact via a long id parameter in a query action. CVE-2009-1176

Multiple stack-based buffer overflows in maptemplate.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact and remote attack vectors. CVE-2009-1177

Alerts:
Debian DSA-1914-1 2009-10-22
Fedora FEDORA-2009-9230 2009-09-03
Fedora FEDORA-2009-9243 2009-09-03
Fedora FEDORA-2009-3383 2009-04-06
Fedora FEDORA-2009-3357 2009-04-06

Comments (none posted)

moodle: arbitrary file access

Package(s):moodle CVE #(s):CVE-2009-1171
Created:April 2, 2009 Updated:June 25, 2009
Description: moodle can allow access to arbitrary files. From the National vulnerability database: The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a "$$" sequence, which causes LaTeX to include the contents of the file.
Alerts:
Ubuntu USN-791-2 2009-06-24
Ubuntu USN-791-1 2009-06-24
SuSE SUSE-SR:2009:009 2009-04-21
Debian DSA-1761-1 2009-04-03
Fedora FEDORA-2009-3280 2009-04-02
Fedora FEDORA-2009-3283 2009-04-02

Comments (none posted)

openfire: multiple vulnerabilities

Package(s):openfire CVE #(s):CVE-2009-0496 CVE-2009-0497 CVE-2008-6508 CVE-2008-6509 CVE-2008-6510 CVE-2008-6511
Created:April 3, 2009 Updated:April 8, 2009
Description: From the Gentoo advisory:

Two vulnerabilities have been reported by Federico Muttis, from CORE IMPACT's Exploit Writing Team:

* Multiple missing or incomplete input validations in several .jsps (CVE-2009-0496).

* Incorrect input validation of the "log" parameter in log.jsp (CVE-2009-0497).

Multiple vulnerabilities have been reported by Andreas Kurtz:

* Erroneous built-in exceptions to input validation in login.jsp (CVE-2008-6508).

* Unsanitized user input to the "type" parameter in sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509)

* A Cross-Site-Scripting vulnerability due to unsanitized input to the "url" parameter. (CVE-2008-6510, CVE-2008-6511)

Alerts:
Gentoo 200904-01 2009-04-02

Comments (none posted)

openssl: several vulnerabilities

Package(s):openssl CVE #(s):CVE-2009-0789 CVE-2009-0591
Created:April 8, 2009 Updated:July 27, 2011
Description: From the CVE entries:

OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. CVE-2009-0789

The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. CVE-2009-0591

Alerts:
SUSE SUSE-SU-2011:0847-1 2011-07-27
openSUSE openSUSE-SU-2011:0845-1 2011-07-27
SuSE SUSE-SR:2009:010 2009-05-12
Slackware SSA:2009-098-01 2009-04-08

Comments (none posted)

php: cross site scripting vulnerability

Package(s):php CVE #(s):CVE-2008-5814
Created:April 6, 2009 Updated:February 23, 2010
Description: php has a cross site scripting vulnerability, here is the National Vulnerability Database entry description: Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.
Alerts:
Gentoo 201001-03 2010-01-05
SuSE SUSE-SR:2010:005 2010-02-23
Fedora FEDORA-2009-3768 2009-04-21
Fedora FEDORA-2009-3848 2009-04-21
Debian DSA-1789-1 2009-05-04
Ubuntu USN-761-2 2009-04-27
Ubuntu USN-761-1 2009-04-20
Red Hat RHSA-2009:0350-01 2009-04-14
CentOS CESA-2009:0338 2009-04-07
Red Hat RHSA-2009:0338-01 2009-04-06

Comments (none posted)

tunapie: several vulnerabilities

Package(s):tunapie CVE #(s):CVE-2009-1253 CVE-2009-1254
Created:April 8, 2009 Updated:April 8, 2009
Description: From the Debian advisory:

Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. CVE-2009-1253

Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. CVE-2009-1254

Alerts:
Debian DSA-1764-1 2009-04-07

Comments (none posted)

xpdf: arbitrary code execution

Package(s):xpdf CVE #(s):CVE-2009-1144
Created:April 7, 2009 Updated:April 8, 2009
Description: From the Gentoo advisory: Erik Wallin reported that Gentoo's Xpdf attempts to read the "xpdfrc" file from the current working directory if it cannot find a ".xpdfrc" file in the user's home directory. This is caused by a missing definition of the SYSTEM_XPDFRC macro when compiling a repackaged version of Xpdf.
Alerts:
Gentoo 200904-07 2009-04-07

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds