[ubuntu-hardened] Ubuntu security repository and replay attacks on package managers

Kees Cook kees at ubuntu.com
Wed Sep 10 23:12:50 BST 2008


Hi,

I just realized that while I replied to this on my blog, I didn't answer
it here.

On Sat, Aug 23, 2008 at 08:41:20AM +0600, Alexander Konovalenko wrote:
> At <http://www.outflux.net/blog/archives/2008/08/20/ubuntu-security-repository-structure/>
> Kees Cook wrote:
> [...]
> > In this way, mirrors cannot (accidentally or intentionally)
> > "go rogue" — the latest security updates are always visible
> > on the security archive server.
> 
> Provided that the DNS and routing are working as expected.
> 
> But what if they're not? What if the IP address of security.ubuntu.com
> or the routing table have been altered via DNS, ARP or DHCP spoofing,
> and the false mirror and security.ubuntu.com are serving outdated
> package lists? Will the package manager notice that and complain to
> the user?

The Releases file is GPG signed and verified by the package manager.
This means interruptions/misdirections in DNS or IP connectivity just
result in a denial of service to getting updates (rather than seeing
trojaned updates or anything like that) since the resulting Releases
file would not be signed by the trusted source.

As you're likely aware, these sorts of package manager attacks have been
well studied, and you can see more here:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

For Ubuntu it seems that only "freezing" is possible (since the package
manager won't install _old_ software if it already has a new update).
(The "endless data" attack is possible too, but is just another denial
of service.) Frankly, if someone has gained that much control over your
network, there are a lot of other things to worry about. :)

-Kees

-- 
Kees Cook
Ubuntu Security Team
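Added example, not code from this mail or from APT/Ubuntu: a small model of the client-side checks behind Kees' answer, written so the three cases he distinguishes can be run side by side. A misdirected server handing out metadata that was not signed by the archive key fails the signature step (denial of service only); a genuinely signed but old Release replayed to the client ("freezing") passes the signature step and is caught only by a freshness check; an index that keeps streaming bytes ("endless data") is cut off at the size the signed Release declares. Assumptions: HMAC-SHA256 with a constructed TRUST_KEY stands in for the OpenPGP signature apt verifies with gpgv (the real Release.gpg is not an HMAC); the Release texts, the Packages index, the hash chain and the clock value are all constructed inline; and the Valid-Until field, which Debian and Ubuntu Release files gained after this 2008 mail, is the mechanism the freshness check relies on when present.

```python
# Added example, not code from the mail above or from APT/Ubuntu: a small
# model of the client-side checks behind Kees' answer.  Stand-ins (assumed):
# HMAC-SHA256 with TRUST_KEY replaces the OpenPGP signature apt verifies with
# gpgv, and the Release texts, Packages index and clock value are constructed.
import hashlib
import hmac
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

TRUST_KEY = b"constructed-stand-in-for-the-archive-signing-key"
DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"        # the date format Release files use
PACKAGES_PATH = "main/binary-i386/Packages"
PACKAGES = b"Package: openssh-server\nVersion: 1:4.7p1-8ubuntu1.2\n"  # constructed
NOW = datetime(2008, 9, 10, 22, 0, tzinfo=timezone.utc)     # constructed client clock

def sign_release(body: bytes) -> bytes:
    """Stand-in for the archive's detached signature (Release.gpg)."""
    return hmac.new(TRUST_KEY, body, hashlib.sha256).digest()

def make_release(date: str, valid_until: Optional[str]) -> bytes:
    """Constructed Release body listing the one Packages index with its SHA256."""
    lines = ["Origin: Ubuntu", "Suite: hardy-security", "Date: " + date]
    if valid_until:
        lines.append("Valid-Until: " + valid_until)
    lines += ["SHA256:", " %s %d %s" % (hashlib.sha256(PACKAGES).hexdigest(),
                                       len(PACKAGES), PACKAGES_PATH)]
    return ("\n".join(lines) + "\n").encode()

GOOD = make_release("Wed, 10 Sep 2008 20:00:00 UTC", "Wed, 17 Sep 2008 20:00:00 UTC")
OLD = make_release("Sat, 02 Aug 2008 20:00:00 UTC", None)   # genuine, but weeks old

def parse_release(body: bytes) -> dict:
    """Header fields plus {path: (sha256, size)} taken from the SHA256 section."""
    fields, files, section = {}, {}, None
    for line in body.decode().splitlines():
        if line.startswith(" "):                 # entry inside a hash section
            if section == "SHA256":
                digest, size, path = line.split()
                files[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        section = key if value.strip() == "" else None
        fields[key] = value.strip()
    fields["files"] = files
    return fields

def parse_date(value: str) -> datetime:
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)

def freshness_problems(release: dict, now: datetime, last_seen: Optional[datetime],
                       max_age: timedelta = timedelta(days=7)) -> list:
    """Catch 'freezing': Date must not go backwards from what this client already
    accepted, and the file must be within Valid-Until or, lacking one, max_age."""
    problems, date = [], parse_date(release["Date"])
    if last_seen is not None and date < last_seen:
        problems.append("rollback: Date %s older than last seen %s" % (date, last_seen))
    if "Valid-Until" in release:
        if now > parse_date(release["Valid-Until"]):
            problems.append("expired: past Valid-Until " + release["Valid-Until"])
    elif now - date > max_age:
        problems.append("stale: no Valid-Until and Date older than %s" % max_age)
    return problems

def evaluate_release(body: bytes, sig: bytes, now: datetime,
                     last_seen: Optional[datetime]) -> str:
    """Client decision for one fetched Release + signature pair."""
    if not hmac.compare_digest(sign_release(body), sig):   # gpgv stand-in
        return "rejected: bad signature"
    problems = freshness_problems(parse_release(body), now, last_seen)
    return "rejected: " + "; ".join(problems) if problems else "accepted"

def bounded_read(read, declared_size: int, chunk: int = 4096) -> bytes:
    """Defeat 'endless data': never read past the declared size; reject any other size."""
    out = b""
    while len(out) <= declared_size:
        piece = read(min(chunk, declared_size + 1 - len(out)))
        if not piece:
            break
        out += piece
    if len(out) != declared_size:
        raise ValueError("size mismatch: got %d, Release says %d" % (len(out), declared_size))
    return out

def fetch_index(read, release: dict, path: str) -> str:
    """Second link of the chain: accept an index only with the listed SHA256 and size."""
    digest, size = release["files"][path]
    try:
        data = bounded_read(read, size)
    except ValueError as exc:
        return "rejected: " + str(exc)
    return "accepted" if hashlib.sha256(data).hexdigest() == digest else "rejected: hash mismatch"

def stream_of(data: bytes):                      # a finite server response
    return io.BytesIO(data).read

def endless_read(n: int) -> bytes:               # a server that never stops sending
    return b"A" * n

if __name__ == "__main__":
    print("genuine:", evaluate_release(GOOD, sign_release(GOOD), NOW, None))
    print("forged: ", evaluate_release(GOOD.replace(b"hardy", b"rogue"), sign_release(GOOD), NOW, None))
    print("replay: ", evaluate_release(OLD, sign_release(OLD), NOW, parse_date("Wed, 10 Sep 2008 20:00:00 UTC")))
    print("endless:", fetch_index(endless_read, parse_release(GOOD), PACKAGES_PATH))
```

The point of the two freshness checks is that a signature alone says nothing about age: the "rollback" check uses the client's own memory of the last accepted Date, which is all a client could do in 2008, while the Valid-Until check lets the archive itself bound how long a signed Release may be replayed (in current APT this is the Acquire::Check-Valid-Until behaviour). Neither check helps if the client's clock is also under the attacker's control, which is why the size bound on index downloads is kept separate from the date logic.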
