Debian Ubuntu Fix Man-in-the-Middle Attack In APT Package Manager, Update Now
It is common for users to use package managers to update their system without considering the security implications. Unfortunately, the security of the package manager matters a great deal because it runs as root, and a poor implementation might lead to the installation of insecure or malicious packages. Last year, Justin Samuel of the University of Arizona and Justin Cappos of the University of Washington did extensive research on vulnerabilities in the most common package managers for Linux. In the February 2009 issue of the USENIX magazine ;login:, they published an overview of their findings (PDF). Although none of the attack methods and vulnerabilities they discuss are particularly new or surprising, the issues are serious enough to merit some attention.
The possible vulnerabilities of package managers fall into three main categories: replay and freeze attacks, metadata manipulation attacks and denial-of-service attacks. A replay attack comes down to the following: when a package manager requests signed metadata, a malicious party responds with an old signed file. This is possible without compromising the signing key, because once a file is signed, it is always trusted by clients. This works even after vulnerabilities are discovered in a package that was once considered safe: the attacker just has to respond with old metadata that lists package versions the attacker knows how to exploit. A freeze attack works in a similar way: an attacker keeps giving the client the same version of the metadata, essentially "freezing" the metadata at one point in time to prevent updates to vulnerable packages.
The authors also praise openSUSE for offering almost the same level of protection as the enterprise distributions. According to Justin Samuel, openSUSE is the most secure community distribution because it is only vulnerable to man-in-the-middle attacks, and not to malicious mirrors. YaST supports expiry of metadata in openSUSE 11.1, but the metadata in the official update repository has no expiry time set at this time. According to Ludwig Nussel from the openSUSE security team, this will be fixed soon.
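As an added example (not from the article or from the cited paper), here is a Python freshness check of the kind that defends against the replay and freeze attacks described above and the missing-expiry problem noted for openSUSE: it reads the Date and Valid-Until fields of an APT-style Release file (sample headers constructed here, not taken from any real mirror) and rejects metadata that is expired, future-dated, lacks an expiry, or is older than what the client already trusts.

```python
from datetime import datetime, timedelta, timezone

# Date layout used by the Date and Valid-Until fields of an APT Release file.
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample: the relevant headers of a Release file, not a real mirror's.
SAMPLE_RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Date: Sat, 18 Apr 2009 12:00:00 UTC\n"
    "Valid-Until: Sat, 25 Apr 2009 12:00:00 UTC\n"
)

def utc(year, month, day, hour=0, minute=0):
    """Helper: build an aware UTC timestamp for 'now' / 'last seen' values."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def parse_release_dates(text):
    """Extract Date and Valid-Until from Release-style 'Key: value' lines."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Date", "Valid-Until"):
            stamp = datetime.strptime(value.strip(), DATE_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    return found

def check_freshness(text, now, last_seen=None, skew=timedelta(minutes=5)):
    """Verdict on signed metadata served by a mirror (or a man-in-the-middle).

    A valid signature alone proves nothing about age: an attacker can replay
    an old, still-signed file, or keep serving the same file (freeze).
    'last_seen' is the Date of the metadata this client already trusts.
    """
    dates = parse_release_dates(text)
    if "Date" not in dates:
        return "reject: no Date field"
    if "Valid-Until" not in dates:
        return "reject: no Valid-Until, so a freeze attack could not be detected"
    if dates["Date"] > now + skew:
        return "reject: metadata dated in the future"
    if now > dates["Valid-Until"]:
        return "reject: metadata expired (possible freeze or replay)"
    if last_seen is not None and dates["Date"] < last_seen:
        return "reject: older than metadata already seen (replay/rollback)"
    return "ok"
```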
Attacks on package managers, posted Apr 20, 2009 14:02 UTC (Mon) by robbe (guest, #16131):
Which will fail anyway because security patches are provided via a separate, centralized repository, such as security.debian.org, and the attacker would have to repeatedly intercept HTTP requests to that mirror and replay the old package status to you to prevent you from updating. Very weak attack vector. If the attacker has such control over your infrastructure he could just as well block you from connecting to update sites completely (if you can forge DNS, you can return 0 entries as well), preventing any possible update system from working.
Debian developer Yves-Alexis Perez noted: "This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine."
2. On the attacker machine, update the DNS poisoner tool so that it answers the target device's query for the FQDN associated with the package repository with the IP address of the attacker machine, and then run it:
Up to this point, I hope you have seen the importance of using the latest available security features of the tools we use on a daily basis. Even though it may not be considered a security bug in APT, the latest version of the tool provides default options that prevent the user from installing packages from unsigned repositories. In addition, it also supports secure repositories accessible via HTTPS, providing another layer of defence against man-in-the-middle attacks.
Applying the fix could break a few proxies, especially where one is used in front of security.debian.org. In that case, the only available remedy is to switch the APT source. Updating the system promptly was therefore one of the ways to deal with the bug. APT (the Advanced Package Tool) had so far worked well, but researcher Max Justicz discovered that it was easier than expected to punch a hole in the program: it gave a remote attacker a chance to inject a package and execute arbitrary code as root, resulting in attacks.
The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Since Debian Buster, the APT package manager has supported optional seccomp-bpf filtering. This restricts the system calls that APT is allowed to make, which can severely limit an attacker's ability to harm the system if they attempt to exploit a vulnerability in APT. To enable this, create /etc/apt/apt.conf.d/40sandbox and add: