[ubuntu-hardened] What are the dangers of installing packages on open Wi-Fi?

Seth Arnold seth.arnold at canonical.com
Tue Feb 25 02:38:08 UTC 2020


On Mon, Feb 24, 2020 at 04:08:45PM -0500, Jason Franklin wrote:
> My company uses both Debian and Ubuntu for employee workstations.
> 
> Since we travel with these workstations, we often find ourselves on an
> open Wi-Fi connection when we need to install packages (hotels, coffee
> shops, etc.).
> 
> What are the risks of installing packages from the official Debian or
> Ubuntu repositories when connected to an open/public Wi-Fi access point?

Hello Jason, there are a few risks in using insecure networks for installing
packages:

- First, if you're using plain http to access the update sites, a
  man-in-the-middle attacker could replace the package list files with
  a previous version, thus preventing you from retrieving updates.

  This would look just like no updates have been published. You would
  notice if you couldn't retrieve the packages at all but may not notice
  if you were receiving old package lists.

- Second, if any apt sources use trusted=yes then you've disabled security
  validations on those specific repositories. This is not common.

- Third, we fixed a flaw in apt about a year ago that could be abused to
  install manipulated packages:

  https://usn.ubuntu.com/3863-1/
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353
  https://justi.cz/security/2019/01/22/apt-rce.html

  Installer images that we published before February 2019 contain
  this flaw. This could be used to gain control of a computer remotely.

  The 14.04.6 LTS, 16.04.6 LTS, and 18.04.2 LTS installers (and newer)
  have this issue fixed.


Thanks
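Added example, not part of Seth's reply and not apt's own code: a small audit that checks the first two points above. It flags sources.list entries that use plain http (an on-path attacker can replay an older, still validly signed index) or carry trusted=yes (signature checking disabled for that repository), and it checks a Release file the way apt's Valid-Until handling does, falling back to a local age limit when the field is absent, since a replayed old index without Valid-Until is accepted silently. The sources lines and Release file are constructed samples; the example.org hostnames are placeholders, and the seven-day max_age is this example's own policy, not an apt default.

```python
"""Audit apt sources for plain-http mirrors and trusted=yes entries, and
check a Release file for staleness.  Example code, not apt's own."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in sources.list syntax; example.org hosts are placeholders.
SAMPLE_SOURCES = """\
deb http://archive.ubuntu.com/ubuntu bionic main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main
deb https://mirror.example.org/ubuntu bionic-updates main
deb [trusted=yes arch=amd64] http://internal.example.org/apt ./
# deb http://ppa.example.org/commented bionic main
"""

# Constructed Release file; Date/Valid-Until use the timestamp format apt emits.
SAMPLE_RELEASE = """\
Origin: Ubuntu
Label: Ubuntu
Suite: bionic-security
Codename: bionic
Date: Mon, 24 Feb 2020 12:00:00 UTC
Valid-Until: Mon, 02 Mar 2020 12:00:00 UTC
Architectures: amd64 i386
Components: main restricted universe multiverse
"""

SOURCE_RE = re.compile(r'^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)')


def parse_sources(text):
    """Yield (line_no, options, uri, suite) for each active deb/deb-src line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue            # blank or commented out: apt ignores it
        m = SOURCE_RE.match(line)
        if not m:
            continue            # not a one-line-style source entry
        _kind, opts, uri, suite = m.groups()
        options = dict(o.split('=', 1) for o in (opts or '').split() if '=' in o)
        yield n, options, uri, suite


def audit_sources(text):
    """Return [(line_no, finding, uri)] for plain-http and trusted=yes entries."""
    findings = []
    for n, options, uri, _suite in parse_sources(text):
        if uri.startswith('http://'):
            # Unauthenticated transport: an on-path attacker can serve an
            # older index whose signature is still valid.
            findings.append((n, 'plain-http', uri))
        if options.get('trusted', '').lower() == 'yes':
            # Signature verification is switched off for this repository.
            findings.append((n, 'trusted=yes', uri))
    return findings


def parse_release_date(value):
    """Parse 'Mon, 24 Feb 2020 12:00:00 UTC' into an aware UTC datetime."""
    return datetime.strptime(value, '%a, %d %b %Y %H:%M:%S %Z').replace(tzinfo=timezone.utc)


def release_fields(text):
    """Top-level 'Key: value' fields of a Release file (continuation lines skipped)."""
    fields = {}
    for line in text.splitlines():
        if line[:1].isspace() or ':' not in line:
            continue
        key, value = line.split(':', 1)
        fields[key.strip()] = value.strip()
    return fields


def release_status(text, now, max_age=timedelta(days=7)):
    """Return 'ok', 'expired', 'stale' or 'no-valid-until'.

    apt refuses a Release whose Valid-Until has passed.  Without that field
    a replayed old index is accepted, so fall back to a local age limit
    (max_age is this example's policy, not an apt default).
    """
    f = release_fields(text)
    if 'Valid-Until' in f:
        return 'expired' if now > parse_release_date(f['Valid-Until']) else 'ok'
    if now - parse_release_date(f['Date']) > max_age:
        return 'stale'
    return 'no-valid-until'


if __name__ == '__main__':
    for n, finding, uri in audit_sources(SAMPLE_SOURCES):
        print(f'line {n}: {finding}: {uri}')
    print(release_status(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

To run it against a real machine, feed the concatenated contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list to audit_sources and a downloaded Release file to release_status. apt's own behaviour for the second check is governed by Acquire::Check-Valid-Until and Acquire::Max-ValidTime in apt.conf(5); the script only mirrors that logic for inspection.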