Nastier attack
Nastier attack
Posted Jul 14, 2008 20:30 UTC (Mon) by dskoll (subscriber, #1630)In reply to: Nastier attack by rgmoore
Parent article: Study: Attacks on package managers
That is a very nasty attack. To defend against this, an organization should have a dedicated "mirroring" computer that runs almost nothing. This computer does all the downloads and then serves the updated packages to other machines. By decoupling the machine doing the downloading from the machine being updated, you can mitigate against evil mirrors. (You can't completely block the attack because the downloader machine itself might happen to require a package that is found to have a vulnerability. That's really hard to protect against other than by upgrading the downloader machine manually.)
Posted Jul 14, 2008 21:03 UTC (Mon)
by jmorris42 (guest, #2203)
[Link] (1 responses)
Posted Jul 15, 2008 12:22 UTC (Tue)
by jmm (subscriber, #34596)
[Link]
One solution to this problem
> You can't completely block the attack because the downloader
> machine itself might happen to require a package that is found
> to have a vulnerability. That's really hard to protect against
> other than by upgrading the downloader machine manually.
Use an OS where security updates come from a trusted source for the key machine running your
local mirror. Since you control the local mirror it should be trusted, thus solving the real
problem here. This is a basic information disclosure attack, where an evil mirror can
convince machines/users to disclose their vulnerability to an untrusted entity.
So run the one mirror machine on Debian (their low installed base allows all security updates
to originate from security.debian.org) or use a paid support distro (SuSE, RHEL) where all
updates come from the OS vendor itself.
This closes the flaw for larger sites that can setup a dedicated local mirror, but the lone
Fedora user at home is still pretty much boned. And until all communication to the
mirrors/master repo is via https with server keys precached during the OS install (or via
package updates which are signed) there is still some non-zero potential for DNS poisioning,
man in the middle attacks, etc.
One solution to this problem
security.debian.org isn't a single machine, but a round-robin setup of several hosts
administrated by Debian. Last time someone published the stats they were serving ~ 30 MB/s
(which was two days after the last DSA being published, I suppose the peaks are higher)