
Attacks on package managers

Posted Apr 15, 2009 19:34 UTC (Wed) by aigarius (subscriber, #7329)
Parent article: Attacks on package managers

So, Debian and Ubuntu are basically safe. The only attack vector is that if a malicious person controls the mirror you are updating from, he can stop updating his mirror so that you would not get patches, in the hope that an exploitable bug would be found and patched.

Which will fail anyway, because security patches are provided via a separate, centralized repository, such as security.debian.org, and the attacker would have to repeatedly intercept HTTP requests to that mirror and replay the old package status to you to prevent you from updating.

Very weak attack vector.

If the attacker has such control over your infrastructure he could just as well block you from connecting to update sites completely (if you can forge DNS, you can return 0 entries as well) preventing any possible update system from working.


Attacks on package managers

Posted Apr 20, 2009 14:02 UTC (Mon) by robbe (subscriber, #16131)

> If the attacker has such control over your infrastructure he could just
> as well block you from connecting to update sites completely [...]

A DoS like that is much easier to detect than freezing of the Release file. You'd get an error message if the download site is not reachable, but that it has no new updates is not a cause for an error.

FWIW, slowing the victim's clock to keep valid-for-one-week metadata current for much longer (as discussed in the Debian bug) is also quite noticeable, normally.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds