16 July 2008, 11:16

Linux package management systems not completely secure

A report from the University of Arizona claims that the package managers used in most Linux distrubutions contain security flaws that allow malicious distribution mirror servers to inject clients with old packages containing flaws. The researchers were able to demonstrate that setting up a mirror for a distribution is relatively easy.

Given their critical role in a system, everyone expects package managers to be extremely secure. Not so, say this report's authors Justin Cappos, Justin Samuel, Scott Baker and John H. Hartman: the vulnerabilities in the managers APT, YUM, YaST for Linux and BSD give attackers the ability to access parts of the system at will, to modify, erase and add files, and to install backdoors.

Although a package manager is unlikely to access a server that exploits these vulnerabilities, it seems that the distributors are not particularly careful when they check out public mirror servers. The research team found it relatively easy to get their own server listed as an official mirror for Ubuntu, Fedora, OpenSuSE, CentOS and Debian, which was subsequently contacted by thousands of clients, including military and government computers. The team discovered that some distributions do in fact check the mirror server content against the original, although it is quite possible for a server to deliver different content, and to target specific packages at specific clients.

The attackers cannot manipulate the digital signature of the packages without triggering an error message during installation. Nevertheless, it is quite possible, claim the authors, for an attacker to send clients properly signed packages that are outdated and contain known vulnerabilities. What is more, by continuously sending the client the same repository metadata, a malicious mirror can even prevent security updates from being installed. Over time, the client system will then collect an increasing number of vulnerabilities that the attacker will be able to exploit at his convenience.

The researchers provide some suggestions on how to protect yourself against these attacks. For example, you should only use repositories belonging to reputable organizations - although they do not explain exactly how you are supposed to check the reputation of the organization. Indeed, most of companies on the list of Ubuntu mirrors are not well known.

The report also advises that you update your system manually – and that you always update as soon as package updates are announced. The researchers have developed the Stork package manager based on a secure architecture they claim solves many of these problems. We do not yet know when it will be made available to Linux distributions. lwn.net contains a discussion of the report's findings and suggestions for alternative solutions to the problem.