Security holes found in FreeBSD and Linux updaters
July 15, 2008
Internet security researchers have found that the software update mechanisms used by FreeBSD and most Linux operating systems can be fooled into installing malware or known-to-be-compromised software on users' systems, creating critical security risks.
In some Linux distributions (distros, as they are often called), package signatures either never expire, or the package manager the distribution uses does not support the signature expiration mechanism.
The study, Package Management Security, to be published in a forthcoming University of Arizona Tech Report, analyzed ten package managers and found that all of them were vulnerable to attacks that would let an attacker install buggy or compromised software on target systems.
Software package managers are designed to keep software up to date automatically and thus safe from known vulnerabilities. The package managers analyzed in the study were APT, APT-RPM, Portage, Ports, Slaktool, Stork, Urpmi, YaST and the most popular, YUM.
"Given their critical role, the expectation would be for package managers to be extremely secure," said the researchers in the report. "We examined ten popular package managers for Linux and BSD systems and found vulnerabilities in all of them."
The attacks outlined in the study could give a hacker the ability to read or erase files on the system, capture passwords, set up a backdoor into the system or carry out other malicious activity, the researchers said.
The technique outlined by the University of Arizona researchers does not feed malicious code directly to a target system via the package manager; instead it causes the package manager to install an older, legitimately signed version of software with known bugs, or prevents the system from updating to a newer package that fixes those bugs.
The attacks work because of flaws in the system of secure signatures for packages and for the metadata describing the packages in a repository, the researchers said.
For example, although an older version of OpenSSL for Debian has known flaws, the file list that references it is still correctly signed. This means an illicit mirror (a deliberately tainted archive of the files, set up to answer requests from package managers) can simply be created and used to distribute the flawed version.
The researchers also found that setting up a malicious mirror was not difficult. Using a fictitious administrator and company name, they leased a server from a hosting provider and got the fake mirror officially listed by the distributions Ubuntu, Fedora, OpenSuse, CentOS and Debian.
"This means that, even after a package has a vulnerability discovered in it, clients will continue to be willing to install that insecure package," the researchers wrote. "An attacker can replay the correctly signed packages or metadata from a previous release and your computer will install software with flaws that the attacker can then exploit at his own will."
"Using an old signed file list, a malicious mirror can keep a client on the insecure version of OpenSSL by responding to the client's package manager with the old list of files," the report stated.
More worryingly, the fake mirror was contacted by thousands of clients, including military and government computers, the study warned.
Administrators can protect their Linux systems in the short term by using trusted repositories, updating systems manually, using signed repository metadata and using HTTPS for communication with mirrors, the study advised.
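The core problem the article describes is that a correctly signed file list stays acceptable forever, so a mirror can replay an old list or keep serving it. The following is an added example, not code from the article or from the University of Arizona study: a small client-side verifier for a constructed, Release-file-style metadata document that rejects correctly signed metadata once it has expired, refuses metadata older than the last list it accepted, and refuses any advertised package version lower than the one already installed. The field names (Date, Valid-Until, Packages), the dotted-numeric version scheme, the function names and the HMAC used as a stand-in for the real GPG signature check are all assumptions made for this example.

```python
"""Freshness and anti-rollback checks for signed repository metadata.

Added example, not code from the article or the study it reports on.  The
signature check is HMAC-SHA256 with a shared key, standing in for the GPG
verification a real package manager performs; the point is that a valid
signature alone is not enough.  Field names, the version scheme and all
sample data below are constructed for this example.
"""
import hashlib
import hmac
from datetime import datetime, timezone

SIGNING_KEY = b"constructed-demo-key"  # stands in for the repository key


def sign(body: str) -> str:
    """HMAC-SHA256 over the metadata body (stand-in for a GPG signature)."""
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def parse_metadata(body: str) -> dict:
    """Parse 'Key: value' lines; 'Packages' becomes a name -> version dict."""
    fields = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    packages = {}
    for item in fields.get("Packages", "").split():
        name, version = item.split("=", 1)
        packages[name] = version
    fields["Packages"] = packages
    return fields


def version_tuple(version: str) -> tuple:
    """Constructed dotted-numeric scheme, e.g. '0.9.8' -> (0, 9, 8)."""
    return tuple(int(part) for part in version.split("."))


def verify_metadata(body, signature, now, installed, last_accepted_date=None):
    """Return (True, packages) if the list is acceptable, else (False, reason).

    Checks, in order: signature, expiry, metadata not older than the last
    accepted list, and no advertised package older than what is installed.
    """
    if not hmac.compare_digest(sign(body), signature):
        return False, "bad signature"
    fields = parse_metadata(body)
    date = datetime.fromisoformat(fields["Date"])
    valid_until = datetime.fromisoformat(fields["Valid-Until"])
    # A replayed or frozen file list is correctly signed but past its expiry.
    if now > valid_until:
        return False, "metadata expired"
    # Metadata must move forward: a mirror serving an older list is rejected.
    if last_accepted_date is not None and date < last_accepted_date:
        return False, "metadata older than previously accepted"
    # Advertised versions must not be lower than what is already installed.
    for name, version in fields["Packages"].items():
        if name in installed and version_tuple(version) < version_tuple(installed[name]):
            return False, f"rollback: {name} {version} < installed {installed[name]}"
    return True, fields["Packages"]


# Constructed sample metadata: an old list advertising a flawed OpenSSL build
# and a current list advertising the fix (versions are illustrative only).
OLD_LIST = ("Date: 2008-05-01T00:00:00+00:00\n"
            "Valid-Until: 2008-05-08T00:00:00+00:00\n"
            "Packages: openssl=0.9.8\n")
NEW_LIST = ("Date: 2008-07-01T00:00:00+00:00\n"
            "Valid-Until: 2008-07-08T00:00:00+00:00\n"
            "Packages: openssl=0.9.9\n")
OLD_SIG = sign(OLD_LIST)
NEW_SIG = sign(NEW_LIST)
EARLY = datetime(2008, 5, 3, tzinfo=timezone.utc)  # within OLD_LIST's validity
NOW = datetime(2008, 7, 3, tzinfo=timezone.utc)    # after OLD_LIST has expired


if __name__ == "__main__":
    # A mirror replays the old, still correctly signed list: rejected as expired.
    print(verify_metadata(OLD_LIST, OLD_SIG, NOW, {"openssl": "0.9.8"}))
    # The current list is accepted and the client learns about 0.9.9.
    print(verify_metadata(NEW_LIST, NEW_SIG, NOW, {"openssl": "0.9.8"}))
    # Even inside its validity window, the old list cannot downgrade a client
    # that already has the fixed version.
    print(verify_metadata(OLD_LIST, OLD_SIG, EARLY, {"openssl": "0.9.9"}))
```

The expiry check alone defeats the freeze attack described in the article, because the mirror cannot keep serving a list past its Valid-Until without the signer's cooperation; the last-accepted-date and installed-version checks close the remaining window in which an old but still valid list could be replayed to roll a client back.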
Source: Tech Blog.