Security
Attacks on package managers
It is common for users to use package managers to update their system without considering the security implications. Unfortunately, the security of the package manager matters a great deal because it runs as root and a poor implementation might lead to installation of insecure or malicious packages. Last year, Justin Samuel of the University of Arizona and Justin Cappos of the University of Washington did an extensive research on vulnerabilities of the most common package managers for Linux. In the February 2009 issue of the USENIX magazine ;login:, they published an overview of their findings [PDF]. Although none of the attack methods and vulnerabilities they talk about are particularly new or surprising, the issues are serious enough to merit some attention.
Essentially, there is just one underlying method to all vulnerabilities in package managers: an attacker, rather than a legitimate repository of the distribution, responds to a client when the package manager downloads files. The simplest way to do this is of course becoming a public mirror for a distribution's repositories. When an attacker runs a mirror, he can reply to client requests with malicious content. Thus one question every user has to ask himself is: do you trust the mirrors you use? There was a lot of discussion about the security of mirrors last year and some responses by Linux distributions that were mentioned in the study.
The researchers looked at APT (used by Debian and Ubuntu), APT-RPM (used by PCLinuxOS), Pacman (used by Arch Linux), Portage (used by Gentoo), Slaktool(used by Slackware), Stork (a research project of the University of Arizona), URPMI (used by Mandriva), YaST (used by openSUSE and SUSE Linux Enterprise) and YUM (used by Fedora, Red Hat Enterprise Linux and CentOS). They didn't look at BSD systems for this research, although they are currently investigating the Portsnap tool for securely distributing the FreeBSD ports tree.
Cryptographic signatures
A vulnerability in a package manager can mean two things: either it installs a package the user doesn't want to install, such as an older, vulnerable version of the package or a dependency that isn't needed but hosts a Trojan horse; or it doesn't install a package the user wants to install, such as a security update. To make these events impossible, package managers can use cryptographic signatures. The differences in package managers largely come down to what is actually signed: the root metadata, the metadata that describes the packages, or the packages themselves.
The root metadata is the first file that a package manager downloads, which describes the contents and the layout of the repository, usually with the names and hashes of the files that have detailed information. If the root metadata is signed, the package manager can check if someone is tricking it into downloading a fake root metadata file. By verifying the integrity of the root metadata and then verifying the secure hashes of each downloaded file, the package manager is able to check the integrity of the information. This model is used by APT, APT-RPM and YaST.
Another approach is placing signatures on the files that directly contain the metadata of the packages, as Portage does. A third way is to not have signatures on the metadata, but on each individual package. Package managers like YUM and URPMI download a package and then check the signature before installing it. But even if the package manager uses one of these three types of cryptographic signatures, this doesn't mean it is safe.
The vulnerabilities
The possible vulnerabilities of package managers fall into three main categories: replay and freeze attacks, metadata manipulation attacks and denial-of-service attacks. A replay attack comes down to the following: when a package manager requests signed metadata, a malicious party responds with an old signed file. This is possible without the need to compromise the signing key, because once a file is signed, it is always trusted by clients. This works even after vulnerabilities are discovered in a package that was once considered safe: the attacker just has to respond with old metadata that lists package versions the attacker knows how to exploit. A freeze attack works in a similar way: an attacker keeps giving the client the same version of the metadata, essentially "freezing" the metadata at one point in time to prevent updates to vulnerable packages.
With a replay attack, the attacker is still rather limited in what he can do: he can only respond with packages from a single point in time. This means that if two packages were vulnerable at different times, the attacker cannot make both vulnerable versions available to the client with a replay attack. If the package manager does not use signed metadata, an attacker doesn't have to bother with a replay attack: the system is at risk because the attacker can just make up his own metadata. In one attack, he can make as many vulnerable packages available to the client as he wants, and thus he can increase significantly the chances of a client installing and using a vulnerable package.
If an attacker has the chance to manipulate metadata, he can also lie to the clients about what a package requires. If a package has a vulnerability the attacker knows how to exploit, he can provide metadata that says every package depends on this package. This ensures that the client installs it when installing any other package. Only a user with intimate knowledge of the packages and their dependencies will spot this.
The last category of vulnerabilities are the endless data attacks, which essentially are a form of denial-of-service. This attack is dead simple: the malicious party responds to a client request (metadata or a package) with an endless stream of data. Possible results are filling up the partition or exhausting memory.
What are the distributions doing about it?
Samuel and Cappos give a good overview of the security of the different package managers and distributions. Their paper outlines the situation from last year, so it's good to look at what has been done in the meantime. At one end of the spectrum, Slaktool on Slackware, Pacman on Arch Linux and Ports in the BSD world don't make any pretense of being secure. Justin Samuel said that he has the impression that the Slackware community is not currently focused on securing their package manager, but Arch Linux has an open bug related to adding support for signed packages and there has been community discussion following the publication of their research from last year.
Then there are the package managers that don't use signatures on root metadata, such as YUM, URPMI and Portage. These are all vulnerable to metadata manipulation attacks and hence not very secure. Since the study YUM developers have added the ability to use signed root metadata, but Fedora 10 is not using it yet and the mirrors don't contain root metadata signatures. The YUM developers are working on some of the other security issues, but it's not yet clear whether the changes will be part of Fedora 11.
Gentoo's Portage developers have also begun to address these vulnerabilities and are in the planning stage for adding a signed root metadata file to Portage. Gentoo Linux Enhancement Proposal 58 discusses the addition of what Gentoo calls a MetaManifest. The proposal is listed as having Draft status.
During the research of Samuel and Cappos, all package managers were vulnerable to replay and freeze attacks, but package managers that signed either the root metadata or package metadata don't require many changes to address this issue. This includes YaST and APT. Debian's APT developers have begun planning the necessary changes. A first attempt at a solution to replay attacks was added to experimental, and will probably be implemented in an upcoming point release of Lenny.
The endless data attacks also affected all package managers, and none has solved this at the moment. Samuel and Cappos have implemented protections against all of the attacks mentioned for Stork, their own package management system.
The authors warn that using a secure package manager doesn't mean that the distribution is using these security measures. One notable example is PCLinuxOS, which uses APT-RPM but doesn't make use of its support for root metadata signatures. And although the YUM developers have responded quickly by adding support for signed root metadata, distributions using YUM do not yet sign this metadata.
The verdict: use an enterprise Linux distribution
The best way to stay secure is to choose a distribution that takes these vulnerabilities seriously. The findings of the study show, unsurprisingly, that using an enterprise Linux distribution is a serious security advantage: SUSE Linux Enterprise and Red Hat Enterprise Linux are not vulnerable for these attacks, not because they have specifically protected against these attacks, but because of their use of SSL (which blocks man-in-the-middle attacks if correctly implemented) and by not using public mirrors.
The authors also praise openSUSE for offering almost the same level of protection as the enterprise distributions. According to Justin Samuel, openSUSE is the most secure community distribution due to only being vulnerable to man-in-the-middle attacks, and not from malicious mirrors. YaST supports expiry of metadata in openSUSE 11.1, but the metadata in the official update repository has no expiry time set at this time. According to Ludwig Nussel from the openSUSE security team, this will be fixed soon.
The authors have an accompanying web site with more background about package manager security and access to more papers.
New vulnerabilities
bugzilla: cross-site request forgery
| Package(s): | bugzilla | CVE #(s): | CVE-2009-1213 | ||||||||||||
| Created: | April 7, 2009 | Updated: | June 4, 2010 | ||||||||||||
| Description: | From the CVE entry: Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 3.2 before 3.2.3, 3.3 before 3.3.4, and earlier versions allows remote attackers to hijack the authentication of arbitrary users for requests that use attachment editing. | ||||||||||||||
| Alerts: |
| ||||||||||||||
clamav: denial of service
| Package(s): | clamav | CVE #(s): | |||||
| Created: | April 8, 2009 | Updated: | April 8, 2009 | ||||
| Description: | From the Ubuntu advisory: It was discovered that ClamAV did not properly verify its input when processing TAR archives. A remote attacker could send a specially crafted TAR file and cause a denial of service via infinite loop. | ||||||
| Alerts: |
| ||||||
device-mapper-multipath: incorrect permissions
| Package(s): | device-mapper-multipath | CVE #(s): | CVE-2009-0115 | ||||||||||||||||||||||||
| Created: | April 8, 2009 | Updated: | June 2, 2010 | ||||||||||||||||||||||||
| Description: | From the Red Hat advisory: It was discovered that the multipathd daemon set incorrect permissions on the socket used to communicate with command line clients. An unprivileged, local user could use this flaw to send commands to multipathd, resulting in access disruptions to storage devices accessible via multiple paths and, possibly, file system corruption on these devices. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
horde3: multiple vulnerabilities
| Package(s): | horde3 | CVE #(s): | CVE-2009-0932 CVE-2008-3330 CVE-2008-5917 | ||||||||||||||||
| Created: | April 8, 2009 | Updated: | April 1, 2010 | ||||||||||||||||
| Description: | From the Debian advisory:
Gunnar Wrobel discovered a directory traversal vulnerability, which allows attackers to include and execute arbitrary local files via the driver parameter in Horde_Image. CVE-2009-0932 It was discovered that an attacker could perform a cross-site scripting attack via the contact name, which allows attackers to inject arbitrary html code. This requires that the attacker has access to create contacts. CVE-2008-3330 It was discovered that the horde XSS filter is prone to a cross-site scripting attack, which allows attackers to inject arbitrary html code. This is only exploitable when Internet Explorer is used. CVE-2008-5917 | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-1046 | ||||||||||||||||||||||||
| Created: | April 3, 2009 | Updated: | August 20, 2009 | ||||||||||||||||||||||||
| Description: | The console selection feature in the Linux kernel when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers an an off-by-two memory error. It is is not clear if this can be exploited at all. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel, linux, linux-source-2.6.22 | CVE #(s): | CVE-2008-4307 CVE-2008-6107 CVE-2009-0605 CVE-2009-0834 CVE-2009-0835 CVE-2009-0859 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 7, 2009 | Updated: | February 3, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Ubuntu advisory:
NFS did not correctly handle races between fcntl and interrupts. A local attacker on an NFS mount could consume unlimited kernel memory, leading to a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-4307) Sparc syscalls did not correctly check mmap regions. A local attacker could cause a system panic, leading to a denial of service. Ubuntu 8.10 was not affected. (CVE-2008-6107) The page fault handler could consume stack memory. A local attacker could exploit this to crash the system or gain root privileges with a Kprobe registered. Only Ubuntu 8.10 was affected. (CVE-2009-0605) The syscall interface did not correctly validate parameters when crossing the 64-bit/32-bit boundary. A local attacker could bypass certain syscall restricts via crafted syscalls. (CVE-2009-0834, CVE-2009-0835) The shared memory subsystem did not correctly handle certain shmctl calls when CONFIG_SHMEM was disabled. Ubuntu kernels were not vulnerable, since CONFIG_SHMEM is enabled by default. (CVE-2009-0859) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
lcms, java: denial of service
| Package(s): | lcms java | CVE #(s): | CVE-2009-0793 CVE-2009-0794 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | April 8, 2009 | Updated: | January 12, 2011 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: A null pointer dereference flaw was found in LittleCMS. An application using color profiles could crash while converting a specially-crafted image file. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
mapserver: multiple vulnerabilities
| Package(s): | mapserver | CVE #(s): | CVE-2009-0839 CVE-2009-0840 CVE-2009-0841 CVE-2009-0842 CVE-2009-0843 CVE-2009-1176 CVE-2009-1177 | ||||||||||||||||||||
| Created: | April 7, 2009 | Updated: | October 23, 2009 | ||||||||||||||||||||
| Description: | From the Red Hat bugzilla:
Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when the server has a map with a long IMAGEPATH or NAME attribute, allows remote attackers to execute arbitrary code via a crafted id parameter in a query action. CVE-2009-0839 Heap-based buffer underflow in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to have an unknown impact via a negative value in the Content-Length HTTP header. CVE-2009-0840 Directory traversal vulnerability in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with Cygwin, allows remote attackers to create arbitrary files via a .. (dot dot) in the id parameter. CVE-2009-0841 mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map symlink. CVE-2009-0842 The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname exists. CVE-2009-0843 mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 does not ensure that the string holding the id parameter ends in a '\0' character, which allows remote attackers to conduct buffer-overflow attacks or have unspecified other impact via a long id parameter in a query action. CVE-2009-1176 Multiple stack-based buffer overflows in maptemplate.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact and remote attack vectors. CVE-2009-1177 | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
moodle: arbitrary file access
| Package(s): | moodle | CVE #(s): | CVE-2009-1171 | ||||||||||||||||||||||||
| Created: | April 2, 2009 | Updated: | June 25, 2009 | ||||||||||||||||||||||||
| Description: | moodle can allow access to arbitrary files. From the National vulnerability database: The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a "$$" sequence, which causes LaTeX to include the contents of the file. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
openfire: multiple vulnerabilities
| Package(s): | openfire | CVE #(s): | CVE-2009-0496 CVE-2009-0497 CVE-2008-6508 CVE-2008-6509 CVE-2008-6510 CVE-2008-6511 | ||||
| Created: | April 3, 2009 | Updated: | April 8, 2009 | ||||
| Description: | From the Gentoo advisory:
Two vulnerabilities have been reported by Federico Muttis, from CORE IMPACT's Exploit Writing Team: * Multiple missing or incomplete input validations in several .jsps (CVE-2009-0496). * Incorrect input validation of the "log" parameter in log.jsp (CVE-2009-0497). Multiple vulnerabilities have been reported by Andreas Kurtz: * Erroneous built-in exceptions to input validation in login.jsp (CVE-2008-6508). * Unsanitized user input to the "type" parameter in sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509) * A Cross-Site-Scripting vulnerability due to unsanitized input to the "url" parameter. (CVE-2008-6510, CVE-2008-6511) | ||||||
| Alerts: |
| ||||||
openssl: several vulnerabilities
| Package(s): | openssl | CVE #(s): | CVE-2009-0789 CVE-2009-0591 | ||||||||||||||||
| Created: | April 8, 2009 | Updated: | July 27, 2011 | ||||||||||||||||
| Description: | From the CVE entries:
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. CVE-2009-0789 The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. CVE-2009-0591 | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
php: cross site scripting vulnerability
| Package(s): | php | CVE #(s): | CVE-2008-5814 | ||||||||||||||||||||||||||||||||||||||||
| Created: | April 6, 2009 | Updated: | February 23, 2010 | ||||||||||||||||||||||||||||||||||||||||
| Description: | php has a cross site scripting vulnerability, here is the National Vulnerability Database entry description: Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
tunapie: several vulnerabilities
| Package(s): | tunapie | CVE #(s): | CVE-2009-1253 CVE-2009-1254 | ||||
| Created: | April 8, 2009 | Updated: | April 8, 2009 | ||||
| Description: | From the Debian advisory:
Kees Cook discovered that insecure handling of temporary files may lead to local denial of service through symlink attacks. CVE-2009-1253 Mike Coleman discovered that insufficient escaping of stream URLs may lead to the execution of arbitrary commands if a user is tricked into opening a malformed stream URL. CVE-2009-1254 | ||||||
| Alerts: |
| ||||||
xpdf: arbitrary code execution
| Package(s): | xpdf | CVE #(s): | CVE-2009-1144 | ||||
| Created: | April 7, 2009 | Updated: | April 8, 2009 | ||||
| Description: | From the Gentoo advisory: Erik Wallin reported that Gentoo's Xpdf attempts to read the "xpdfrc" file from the current working directory if it cannot find a ".xpdfrc" file in the user's home directory. This is caused by a missing definition of the SYSTEM_XPDFRC macro when compiling a repackaged version of Xpdf. | ||||||
| Alerts: |
| ||||||
Page editor: Jake Edge
Next page:
Kernel development>>