Security
Trust and mirrors
A recent look at attacks on package managers has much of interest. None of the attack methods are particularly new at some level, but applying them to the update process is. When the mechanism that is used to keep one's system updated with respect to security vulnerabilities is itself susceptible, it is definitely worth a look.
Much of the problem stems from the fact that many community distributions rely on volunteer mirrors to distribute updates. These mirrors could be malicious, which would allow them to distribute bad code to systems that are checking for updates. In addition, mirrors are perfectly placed to notice which machines are updating for particular vulnerabilities—information that could be used in attacks.
The study looked at ten of the most popular Linux and BSD package management systems and found all of them to be vulnerable to one or more of the flaws the study authors identified. Package managers track metadata—information about what package versions and dependencies there are—as well as the packages themselves in formats like .rpm or .deb. Typically, the packages are cryptographically signed (using GPG for example) so that they can be verified as genuine by client systems. Some package managers also sign the metadata, but some do not, which allows for additional attacks.
The biggest issue with mirrors is the information that they gain. When a client requests a certain package, it is pretty easy to guess that it is probably vulnerable to whatever security flaw is being fixed in that new package. A malicious mirror—or one that has been subverted—could try to attack the client machine via the flaw being fixed. A suitable vulnerability could be used to completely compromise the client machine.
Once a particular chunk of data, either package or metadata, has been signed, it is valid more or less forever. This can be used by malicious mirrors in two ways: serving up old metadata that points clients at known vulnerable package versions or serving up old packages that are known to have flaws. In both cases, it is a kind of "replay" attack, using old, valid data for malicious purposes.
In most cases, package managers will not downgrade to previous package versions unless explicitly instructed to, so machines that have already upgraded are not generally vulnerable to a package replay. However, if a client reliably contacts a particular mirror for metadata, that mirror can continue serving an older version until an exploit of interest comes along. By knowing that the client has not upgraded—because it has been held back by the mirror-served metadata—an attacker can exploit the newly-discovered vulnerability at their convenience.
Mirrors can also perform "endless data" attacks where the data transfer for the package or metadata is never terminated. The mirror keeps sending more and more data until it fills the client disk. This is likely to "only" cause a denial of service on the machine that is being updated, but that can still be a serious result, especially when the update process is automated.
Unsigned metadata can allow for several other kinds of attacks. Manipulating the dependencies that are provided or needed by a package can lead to various kinds of problems. A dependency on a non-existent package will stop the update from happening, while a dependency on a package of the attacker's choosing can lead to complete compromise.
There is not a lot that can be done to solve the information gathering problem. Subscription-based distributions generally provide their own servers and do not rely upon mirrors to avoid this problem. For community distributions, there really is no central authority that has the resources to do that. Also, controlling all the mirrors only goes so far; if any are compromised, the same kinds of attacks are possible. Downloading the packages to a non-vulnerable host is probably the best avoidance technique, but is difficult to do in practice.
The lessons from this study are clear. Metadata should be signed and only downloaded from "trusted" servers. If there is a concern about man-in-the-middle attacks, an encrypted connection should be used between the clients and servers with certificates being checked to ensure the connection is going where expected.
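The client-side checks that close off the replay, endless-data and unsigned-metadata attacks described above, written here as an added Python sketch (not code from the study or from any of the package managers it examined): a size cap on the transfer, a signature check on the metadata, an expiry that bounds how long validly signed metadata may be replayed, and a version check that refuses rollback. The HMAC key and the two mirror classes are constructed stand-ins; a real client would verify a GPG (or similar) signature over the metadata instead.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the repository's signing key. A real client would
# verify a GPG (or similar) signature; HMAC keeps the example self-contained.
REPO_KEY = b"constructed-repository-signing-key"
MAX_METADATA_BYTES = 4096  # hard cap on what any single mirror may send us

def sign_metadata(meta: dict) -> bytes:
    """Repository side: sign metadata that carries a version and an expiry."""
    body = json.dumps(meta, sort_keys=True).encode()
    tag = hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"signed": meta, "sig": tag}).encode()

class EndlessMirror:
    """Constructed mirror that never terminates the transfer."""
    def read(self, n: int) -> bytes:
        return b"\0" * n

class FixedMirror:
    """Constructed mirror that serves one blob (fresh or stale)."""
    def __init__(self, blob: bytes):
        self.blob = blob
    def read(self, n: int) -> bytes:
        out, self.blob = self.blob[:n], self.blob[n:]
        return out

def update_from_mirror(mirror, last_seen_version: int, now: int) -> str:
    """Client side: return 'ok' or the name of the attack that was rejected."""
    # Endless data: the client stops reading instead of filling its disk.
    data = mirror.read(MAX_METADATA_BYTES + 1)
    if len(data) > MAX_METADATA_BYTES:
        return "endless-data"
    env = json.loads(data)
    meta = env["signed"]
    body = json.dumps(meta, sort_keys=True).encode()
    expected = hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()
    # Unsigned or edited metadata (e.g. tampered dependencies) is rejected.
    if not hmac.compare_digest(expected, env.get("sig", "")):
        return "forged"
    # Replay: signed data is valid "forever" unless the repository gives it
    # an expiry; a mirror cannot keep serving it past that point.
    if now > meta["expires"]:
        return "replay"
    # Rollback: a mirror must never move the client back to older metadata.
    if meta["version"] < last_seen_version:
        return "rollback"
    return "ok"
```

The expiry is the piece most package managers of the time lacked: without it, a mirror that holds a client on old metadata can wait indefinitely for a usable exploit, exactly the scenario the article describes.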
In the end, it comes down to trusting the mirrors that one uses. It is not terribly surprising that mirrors can cause these kinds of problems, but the study authors did an excellent job pulling together the different kinds of attacks. The picture that they paint is not particularly pretty, but it is one we needed to see.
Security reports
Study: Attacks on package managers
The University of Arizona is publishing a study on security problems with package management systems. The core problem would appear to be that tools like yum and apt will happily install versions of packages with known vulnerabilities if they think that's the most recent version available. And feeding such packages to the package managers is not a big challenge: "To give an example of how easy it is for a malicious party to obtain a mirror, we ran an experiment where we created a fake administrator and company name and leased a server from a hosting provider. We were able to get our mirror listed on every distribution we tried (Ubuntu, Fedora, OpenSuSE, CentOS, and Debian) and our mirrors were contacted by thousands of clients, even including military and government computers!"
New vulnerabilities
apache: multiple vulnerabilities
Package(s): apache
CVE #(s): CVE-2008-1678 CVE-2008-2364 CVE-2007-6420
Created: July 10, 2008
Updated: March 2, 2010
Description: Apache has three vulnerabilities.
From the Gentoo alert:
Dustin Kirkland reported that the mod_ssl module can leak memory when the client reports support for a compression algorithm (CVE-2008-1678). Ryujiro Shibuya reported that the ap_proxy_http_process_response() function in the mod_proxy module does not limit the number of forwarded interim responses (CVE-2008-2364). sp3x of SecurityReason reported a Cross-Site Request Forgery vulnerability in the balancer-manager in the mod_proxy_balancer module (CVE-2007-6420).
bluez: input validation flaw
Package(s): bluez-libs bluez-utils
CVE #(s): CVE-2008-2374
Created: July 15, 2008
Updated: March 17, 2009
Description: From the Red Hat advisory: An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used by the Bluez Bluetooth utilities. A Bluetooth device with an already-established trust relationship, or a local user registering a service record via a UNIX® socket or D-Bus interface, could cause a crash, or possibly execute arbitrary code with privileges of the hcid daemon.
drupal: multiple vulnerabilities
Package(s): drupal
CVE #(s): (none)
Created: July 16, 2008
Updated: July 16, 2008
Description: Cross-site scripting, cross-site request forgery, session fixation and SQL injection as described in this Drupal advisory.
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2008-2785 CVE-2008-2933
Created: July 16, 2008
Updated: January 8, 2009
Description: From the Red Hat advisory: An integer overflow flaw was found in the way Firefox displayed certain web content. A malicious web site could cause Firefox to crash, or execute arbitrary code with the permissions of the user running Firefox. (CVE-2008-2785) A flaw was found in the way Firefox handled certain command line URLs. If another application passed Firefox a malformed URL, it could result in Firefox executing local malicious content with chrome privileges. (CVE-2008-2933)
java-1.5.0-sun: multiple vulnerabilities
Package(s): java-1.5.0-sun
CVE #(s): CVE-2008-3103 CVE-2008-3104 CVE-2008-3107 CVE-2008-3111 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114
Created: July 16, 2008
Updated: November 18, 2009
Description: From the Red Hat advisory: A vulnerability was found in the Java Management Extensions (JMX) management agent, when local monitoring is enabled. This allowed remote attackers to perform illegal operations. (CVE-2008-3103) Multiple vulnerabilities with unsigned applets were reported. A remote attacker could misuse an unsigned applet to connect to localhost services running on the host running the applet. (CVE-2008-3104) A Java Runtime Environment (JRE) vulnerability could be triggered by an untrusted application or applet. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, or executing local programs. (CVE-2008-3107) Several buffer overflow vulnerabilities in Java Web Start were reported. These vulnerabilities may allow an untrusted Java Web Start application to elevate its privileges and thereby grant itself permission to read and/or write local files, as well as to execute local applications accessible to the user running the untrusted application. (CVE-2008-3111) Two file processing vulnerabilities in Java Web Start were found. A remote attacker, by means of an untrusted Java Web Start application, was able to create or delete arbitrary files with the permissions of the user running the untrusted application. (CVE-2008-3112, CVE-2008-3113) A vulnerability in Java Web Start when processing untrusted applications was reported. An attacker was able to acquire sensitive information, such as the cache location. (CVE-2008-3114)
java-1.6.0-sun: multiple vulnerabilities
Package(s): java-1.6.0-sun
CVE #(s): CVE-2008-3105 CVE-2008-3106 CVE-2008-3109 CVE-2008-3110
Created: July 16, 2008
Updated: November 18, 2009
Description: From the Red Hat advisory: Several vulnerabilities in the Java API for XML Web Services (JAX-WS) client and service implementation were found. A remote attacker who caused malicious XML to be processed by a trusted or untrusted application was able to access URLs or cause a denial of service. (CVE-2008-3105, CVE-2008-3106) Several vulnerabilities within the JRE scripting support were reported. A remote attacker could grant an untrusted applet extended privileges such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110)
java: multiple vulnerabilities
Package(s): java
CVE #(s): (none)
Created: July 10, 2008
Updated: July 17, 2008
Description: Java 1.7.0 has multiple vulnerabilities. The Fedora 8 alert descriptions include:
- OpenJDK JMX allows illegal operations with local monitoring.
- OpenJDK untrusted applet/application privilege escalation.
- OpenJDK JAX-WS unauthorized URL access.
- OpenJDK unauthorized access to certain URL resources.
newsx: stack overflow
Package(s): newsx
CVE #(s): CVE-2008-3252
Created: July 16, 2008
Updated: July 31, 2008
Description: Stack overflow caused by lines starting with '.' as described in the Red Hat bugzilla.
php: denial of service
Package(s): php
CVE #(s): CVE-2007-4782
Created: July 16, 2008
Updated: January 22, 2009
Description: From the Red Hat advisory: It was discovered that the PHP fnmatch() function did not restrict the length of the string argument. An attacker could use this flaw to crash the PHP interpreter where a script used fnmatch() on untrusted input data. (CVE-2007-4782)
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2008-3140 CVE-2008-3137 CVE-2008-3145 CVE-2008-3138 CVE-2008-3141 CVE-2008-3139
Created: July 15, 2008
Updated: December 1, 2008
Description: There are multiple problems in Wireshark versions 0.9.5 to 1.0.0 and in versions 0.8.19 to 1.0.1.
Page editor: Jake Edge