Attacks on package managers
It is common for users to use package managers to update their system without considering the security implications. Unfortunately, the security of the package manager matters a great deal because it runs as root and a poor implementation might lead to installation of insecure or malicious packages. Last year, Justin Samuel of the University of Arizona and Justin Cappos of the University of Washington did an extensive research on vulnerabilities of the most common package managers for Linux. In the February 2009 issue of the USENIX magazine ;login:, they published an overview of their findings [PDF]. Although none of the attack methods and vulnerabilities they talk about are particularly new or surprising, the issues are serious enough to merit some attention.
Essentially, there is just one underlying method to all vulnerabilities in package managers: an attacker, rather than a legitimate repository of the distribution, responds to a client when the package manager downloads files. The simplest way to do this is of course becoming a public mirror for a distribution's repositories. When an attacker runs a mirror, he can reply to client requests with malicious content. Thus one question every user has to ask himself is: do you trust the mirrors you use? There was a lot of discussion about the security of mirrors last year and some responses by Linux distributions that were mentioned in the study.
The researchers looked at APT (used by Debian and Ubuntu), APT-RPM (used by PCLinuxOS), Pacman (used by Arch Linux), Portage (used by Gentoo), Slaktool(used by Slackware), Stork (a research project of the University of Arizona), URPMI (used by Mandriva), YaST (used by openSUSE and SUSE Linux Enterprise) and YUM (used by Fedora, Red Hat Enterprise Linux and CentOS). They didn't look at BSD systems for this research, although they are currently investigating the Portsnap tool for securely distributing the FreeBSD ports tree.
Cryptographic signatures
A vulnerability in a package manager can mean two things: either it installs a package the user doesn't want to install, such as an older, vulnerable version of the package or a dependency that isn't needed but hosts a Trojan horse; or it doesn't install a package the user wants to install, such as a security update. To make these events impossible, package managers can use cryptographic signatures. The differences in package managers largely come down to what is actually signed: the root metadata, the metadata that describes the packages, or the packages themselves.
The root metadata is the first file that a package manager downloads, which describes the contents and the layout of the repository, usually with the names and hashes of the files that have detailed information. If the root metadata is signed, the package manager can check if someone is tricking it into downloading a fake root metadata file. By verifying the integrity of the root metadata and then verifying the secure hashes of each downloaded file, the package manager is able to check the integrity of the information. This model is used by APT, APT-RPM and YaST.
Another approach is placing signatures on the files that directly contain the metadata of the packages, as Portage does. A third way is to not have signatures on the metadata, but on each individual package. Package managers like YUM and URPMI download a package and then check the signature before installing it. But even if the package manager uses one of these three types of cryptographic signatures, this doesn't mean it is safe.
The vulnerabilities
The possible vulnerabilities of package managers fall into three main categories: replay and freeze attacks, metadata manipulation attacks and denial-of-service attacks. A replay attack comes down to the following: when a package manager requests signed metadata, a malicious party responds with an old signed file. This is possible without the need to compromise the signing key, because once a file is signed, it is always trusted by clients. This works even after vulnerabilities are discovered in a package that was once considered safe: the attacker just has to respond with old metadata that lists package versions the attacker knows how to exploit. A freeze attack works in a similar way: an attacker keeps giving the client the same version of the metadata, essentially "freezing" the metadata at one point in time to prevent updates to vulnerable packages.
With a replay attack, the attacker is still rather limited in what he can do: he can only respond with packages from a single point in time. This means that if two packages were vulnerable at different times, the attacker cannot make both vulnerable versions available to the client with a replay attack. If the package manager does not use signed metadata, an attacker doesn't have to bother with a replay attack: the system is at risk because the attacker can just make up his own metadata. In one attack, he can make as many vulnerable packages available to the client as he wants, and thus he can increase significantly the chances of a client installing and using a vulnerable package.
If an attacker has the chance to manipulate metadata, he can also lie to the clients about what a package requires. If a package has a vulnerability the attacker knows how to exploit, he can provide metadata that says every package depends on this package. This ensures that the client installs it when installing any other package. Only a user with intimate knowledge of the packages and their dependencies will spot this.
The last category of vulnerabilities are the endless data attacks, which essentially are a form of denial-of-service. This attack is dead simple: the malicious party responds to a client request (metadata or a package) with an endless stream of data. Possible results are filling up the partition or exhausting memory.
What are the distributions doing about it?
Samuel and Cappos give a good overview of the security of the different package managers and distributions. Their paper outlines the situation from last year, so it's good to look at what has been done in the meantime. At one end of the spectrum, Slaktool on Slackware, Pacman on Arch Linux and Ports in the BSD world don't make any pretense of being secure. Justin Samuel said that he has the impression that the Slackware community is not currently focused on securing their package manager, but Arch Linux has an open bug related to adding support for signed packages and there has been community discussion following the publication of their research from last year.
Then there are the package managers that don't use signatures on root metadata, such as YUM, URPMI and Portage. These are all vulnerable to metadata manipulation attacks and hence not very secure. Since the study YUM developers have added the ability to use signed root metadata, but Fedora 10 is not using it yet and the mirrors don't contain root metadata signatures. The YUM developers are working on some of the other security issues, but it's not yet clear whether the changes will be part of Fedora 11.
Gentoo's Portage developers have also begun to address these vulnerabilities and are in the planning stage for adding a signed root metadata file to Portage. Gentoo Linux Enhancement Proposal 58 discusses the addition of what Gentoo calls a MetaManifest. The proposal is listed as having Draft status.
During the research of Samuel and Cappos, all package managers were vulnerable to replay and freeze attacks, but package managers that signed either the root metadata or package metadata don't require many changes to address this issue. This includes YaST and APT. Debian's APT developers have begun planning the necessary changes. A first attempt at a solution to replay attacks was added to experimental, and will probably be implemented in an upcoming point release of Lenny.
The endless data attacks also affected all package managers, and none has solved this at the moment. Samuel and Cappos have implemented protections against all of the attacks mentioned for Stork, their own package management system.
The authors warn that using a secure package manager doesn't mean that the distribution is using these security measures. One notable example is PCLinuxOS, which uses APT-RPM but doesn't make use of its support for root metadata signatures. And although the YUM developers have responded quickly by adding support for signed root metadata, distributions using YUM do not yet sign this metadata.
The verdict: use an enterprise Linux distribution
The best way to stay secure is to choose a distribution that takes these vulnerabilities seriously. The findings of the study show, unsurprisingly, that using an enterprise Linux distribution is a serious security advantage: SUSE Linux Enterprise and Red Hat Enterprise Linux are not vulnerable for these attacks, not because they have specifically protected against these attacks, but because of their use of SSL (which blocks man-in-the-middle attacks if correctly implemented) and by not using public mirrors.
The authors also praise openSUSE for offering almost the same level of protection as the enterprise distributions. According to Justin Samuel, openSUSE is the most secure community distribution due to only being vulnerable to man-in-the-middle attacks, and not from malicious mirrors. YaST supports expiry of metadata in openSUSE 11.1, but the metadata in the official update repository has no expiry time set at this time. According to Ludwig Nussel from the openSUSE security team, this will be fixed soon.
The authors have an accompanying web site with more background about package manager security and access to more papers.
| Index entries for this article | |
|---|---|
| Security | Distribution security/Package managers |
| GuestArticles | Vervloesem, Koen |
Posted Apr 9, 2009 3:29 UTC (Thu)
by JoeBuck (subscriber, #2330)
[Link] (3 responses)
On the other hand, using the yum-fastestmirror plugin would make you vulnerable to the security of your fastest (usually your nearest) mirror.
I suppose the paranoid could write a yum plugin that checks at least three mirrors looking for newest versions of a package.
Posted Apr 10, 2009 17:55 UTC (Fri)
by smoogen (subscriber, #97)
[Link] (2 responses)
1) Set up a mirror and register that you offer mirror services for XYZ networks or domains (This mirror will work for .gov.edu. and boxes from 10.1.0.0). The ability to say that you give preference to networks or domains helps get clients faster downloads but has its downside.
2) For most people have a real mirror that they can get packages from. For the specific subnet/domain have it log and see what is asked for. With a profile you can see how successful a trojan set will work.
3) Wait for A client to get to you eventually. The best bet would be to eventually wait for the guy who turned off various gpgcheck etc in their yum updates because they had a problem sometime in the past and who needs it.
4) Have your trojan app replace some config files and start slowly probing the network it is on to find out what it can spread. <EG Profit>
Posted Apr 11, 2009 6:49 UTC (Sat)
by tzafrir (subscriber, #11501)
[Link] (1 responses)
Posted Apr 13, 2009 2:14 UTC (Mon)
by mdomsch (subscriber, #5920)
[Link]
Posted Apr 9, 2009 4:57 UTC (Thu)
by mdomsch (subscriber, #5920)
[Link] (2 responses)
* The mirrorlist is obtained via https.
* The mirrorlist is in the form of a metalink file, which lists the MD5, SHA1, SHA256, and SHA512 digests for the root repomd.xml file (yum uses the SHA256 digest by default now). If the digest doesn't match, yum refuses to use the file.
* In addition, to prevent a maliciously stale mirror from being used, the mirrorlist contains the timestamp of the repomd.xml file, and in fact a list of such timestamps dating back at most one week (adjustable on the mirrorlist server). Yum will then refuse to honor a repomd.xml file that is stale.
This provides against a man-in-the middle attack, a mirror having an invalid repo, and maliciously stale mirrors.
I believe that yum's HTTPS support does not yet do certificate validation, so is still vulnerable to DNS spoofing.
Posted Apr 11, 2009 4:03 UTC (Sat)
by lurk546 (guest, #17438)
[Link] (1 responses)
Unfortunately I ran across a lot of unsigned packages whie testing Fedora 11 Beta today. Apparently it's a big enough problem that the default repository is set to not check gpg signatures of packages. I tried turning it on and using the other repositories for fedora 11 , but I ran into a lot of packages that would not install because of GPG signature problems.
This seems like an important flaw to fix considering a significant fraction of rawhide users are likely to be package developers and may perhaps have access to some important servers.
I hope this was only changed due to issues regarding the switch to the new hash, and will be corrected quickly.
Posted Apr 14, 2009 19:10 UTC (Tue)
by nevyn (guest, #33129)
[Link]
Duh, rawhide isn't signed. Fedora only signs the releases (what normal people use). However in current rawhide they also have metalink to provide security (sha256 hashes of everything) of the repodata.
Posted Apr 9, 2009 11:36 UTC (Thu)
by hppnq (guest, #14462)
[Link] (2 responses)
No. The best way to stay secure is to make backups.
Posted Apr 9, 2009 13:43 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link] (1 responses)
The best way to stay secure is to ensure you're running trustworthy code, and if you have vulnerabilities in your package manager then it's very hard to make sure of that.
Posted Apr 15, 2009 9:26 UTC (Wed)
by hppnq (guest, #14462)
[Link]
But perhaps the only way of ensuring that you are running trustworthy code, is not to "choose a distribution you can trust", but to put your trustworthy code on offline storage and make sure you run that code only.
Serious shops really do not run package managers on their precious database systems.
Posted Apr 10, 2009 1:07 UTC (Fri)
by Alan_Hicks (guest, #20469)
[Link] (1 responses)
What in the world?!Slaktool is not the package management utility used by Slackware! In fact, it isn't even included in Slackware!
With Fedora, yum selects a mirror at random, and if I understand correctly, yum won't do a downgrade by default. So it would seem that taking over one mirror would not be enough: you might be able to get a system that didn't have a vulnerable package at all to install it, but how would you turn it on (if it's a service)? If the attacker is limited to shipping signed packages, the opportunities seem limited given that yum won't downgrade and the user will occasionally hit other mirrors, which would upgrade past the insecure package.
But if mirrors are randomized and yum won't downgrade?
But if mirrors are randomized and yum won't downgrade?
But if mirrors are randomized and yum won't downgrade?
But if mirrors are randomized and yum won't downgrade?
Attacks on package managers
Attacks on package managers
Re: Attacks on package managers
Attacks on package managers
The best way to stay secure is to choose a distribution that takes these vulnerabilities seriously.
Attacks on package managers
Obviously a backup is not going to help against perpetrators.
Attacks on package managers
Attacks on package managers
Justin Samuel said that he has the impression that the Slackware community is not currently focused on securing their package manager
It would help if he had actually reviewed pkgtool and its supporting utlities like installpkg and upgradepkg which are the real package manager for Slackware rather than some unsupported and (at least to me, a member of the Slackware core team) unheard of. There are lots of these third party tools, but few are included in Slackware. In fact, until very recently none were real parts of Slackware and had only ever been included in the extra/ subset, which is reserved for packages that aren't for testing/ but aren't yet dubbed worthy of being included in one of the disksets for various reasons.
Now, the -current branch includes slackpkg which is the only utility ever officially supported by Slackware or the "Slackware community" that handles automatic download and install/upgrade of packages. This seems to me to be the method by which most of these such vulnerabilities could be exploited. Traditionally, packages had to be downloaded via another utility such as wget, then the user could verify the md5sum or the integrity against a .asc file using RSA. slackpkg should support this in the future. It currently is capable only of downloading the GPG public key used to sign the packages. Future versions of slackpkg should be able to check the downloaded package against the RSA signature in the .asc files and the project's public key.
So in short, Mr. Samuel is dead wrong on a number of levels for simply reviewing the wrong thing. This causes me to question how much diligence he put forth into this review. Had he taken the time to determine what is actually included in Slackware and supported by the community, he might have taken away an entirely different impression.
P.S. Shame on the editors for not catching that Slaktool isn't a part of Slackware at all, but that's forgiveable. After all, this is still the damned best source for news in the open source community.
Posted Apr 10, 2009 23:57 UTC (Fri)
by Justin_Samuel (guest, #57967)
[Link]
We have examined slackpkg and have sent a list of important security vulnerabilities to the Slackware security team. We'll wait a little while to make the specifics public but the security flaws are impactful, easy to exploit, and in the same vein as the issues we've mentioned for other package management tools.
Posted Apr 15, 2009 19:34 UTC (Wed)
by aigarius (subscriber, #7329)
[Link] (1 responses)
Which will fail anyway because security patches are provided via a separate, centralized repository, such as security.debian.org and the attacker would have to repeatedly intercept http requests to that mirror and replay you the old package status to prevent you from updating.
Very weak attack vector.
If the attacker has such control over your infrastructure he could just as well block you from connecting to update sites completely (if you can forge DNS, you can return 0 entries as well) preventing any possible update system from working.
Posted Apr 20, 2009 14:02 UTC (Mon)
by robbe (guest, #16131)
[Link]
A DOS like that is much easier to detect than freezing of the Release
FWIW, slowing the victim's clock to keep valid-for-one-week metadata
Posted Apr 17, 2009 21:15 UTC (Fri)
by jabby (guest, #2648)
[Link]
Thanks in advance!
Posted Apr 20, 2009 8:37 UTC (Mon)
by forthy (guest, #1525)
[Link]
There's one missing piece here when signing packets, it's verifying the
signature. I'm using OpenSuSE and several community repos, and all of them
are signed (which is good). However, the keys themselves are not signed,
and there's no obvious way to verify them; sometimes, the keys of a
repository just change without explaining why. Please, SuSE guys, keys
without a web of trust are of limited use - it can't be so difficult to
get all those community repos maintainer together to a key signing party,
e.g. on Linuxtag.
slackpkg
Attacks on package managers
Attacks on package managers
> as well block you from connecting to update sites completely [...]
file. You'd get an error message if the download site is not reachable --
but that it has no new updates is not a cause for an error.
current for much longer (as discussed in the Debian bug) is also quite
noticable, normally.
CentOS?
Web of trust