Study: Attacks on package managers
Posted Jul 15, 2008 10:18 UTC (Tue) by nhippi (subscriber, #34640) In reply to: Study: Attacks on package managers by DeletedUser32991
Parent article: Study: Attacks on package managers
To put it more plainly: The attacker cannot use a malicious mirror to inject old content against security.debian.org, since security.debian.org isn't mirrored by third parties. Testing users could become vulnerable. Mitigating against this would be relatively easy to implement, as the signed "Release" file already has a "Date" field - just check that it isn't older than X days. As an added bonus, users will start noticing if their mirror has problems getting updates. One option the attacker has is transparent proxies, but then again you are in big trouble anyway (mmm.. cookies..) if a cracker manages to root your ISP's transparent proxy.
Posted Jul 15, 2008 18:49 UTC (Tue) by nix (subscriber, #2304)
Study: Attacks on package managers
`X' days doesn't work for any fixed value of X. A better check is to check
that the package date is not much older than the last time you downloaded
a set of updates which should have included that package (`much'
introduced to allow time for the package to be uploaded, inter-mirror
propagation delays, et al).
Downside: this means that after Debian's ftpmasters sit on a package for
five hundred years they have to get it re-signed before putting it into
the repo ;) and I'm not sure what implications it has for
automatically-promoted repositories such as Debian testing: perhaps the
Date header should be updated, and the signing repeated, by the (trusted)
software with a silly name which does the promotion (I can't remember that
name right now, it always drops out of my head). If attackers take *that*
over, we're all dead anyway.
(sorry for the jab at ftpmasters gone, I couldn't resist ;} )
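The two freshness checks discussed in this thread, as an added Python example that is not part of either comment and is not apt's code: a fixed maximum age for the signed Release file's Date field, and a comparison against the Date of the last Release file the client accepted (one reading of the second comment's proposal). The function names, the 12-hour slack, and the sample Release header are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: header fields of a Release file (hash lists omitted).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: testing
Date: Sat, 12 Jul 2008 08:12:31 UTC
Architectures: amd64 i386
"""

def release_date(release_text):
    """Return the Date field of a Release file as an aware datetime."""
    for line in release_text.splitlines():
        if line[:1].isspace():          # continuation line, not a field
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            dt = parsedate_to_datetime(value.strip())
            # Treat a Date without a zone as UTC (assumption).
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError("Release file has no Date field")

def check_release(release_text, now, max_age, last_seen=None,
                  slack=timedelta(hours=12)):
    """Return a list of problems; an empty list means the metadata is fresh.

    Only meaningful after the Release signature has been verified,
    otherwise the Date field is attacker-controlled.
    """
    date = release_date(release_text)
    problems = []
    if date > now + slack:
        problems.append("future-dated")
    if now - date > max_age:            # the fixed "X days" check
        problems.append("stale")
    if last_seen is not None and date < last_seen - slack:
        problems.append("rollback")     # older than metadata already accepted
    return problems

if __name__ == "__main__":
    now = datetime(2008, 7, 15, 10, 18, tzinfo=timezone.utc)
    print(check_release(SAMPLE_RELEASE, now, timedelta(days=7)))
```

The `last_seen` value has to be stored locally after each successful update; the slack absorbs upload and inter-mirror propagation delays.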