[lug] Package manager vulnerabilities [was Re: Pencast of Trent Hein - Practical Security]
David L. Anselmi
anselmi at anselmi.us
Wed Oct 21 14:00:30 MDT 2009
Walter Pienciak wrote:
> http://www.usenix.org/publications/login/2009-02/openpdfs/samuel.pdf
>
> One interesting point was that not all distros have been tight in
> vetting public repositories. Basically, a self-sign-up allowed
> anyone to "helpfully" become a mirror, with the attendant control
> over what was actually being sent.
Seems to me that they overstated the risk from man-in-the-middle
attacks. RHEL shouldn't need all the protections mentioned in the
article because they use a "secure" channel. Others shouldn't need a
secure channel because they use other mechanisms (which also allow
volunteer mirrors). If you don't need a secure channel the MITM is
limited to DoS attacks.
I was also disappointed that they didn't address how package managers
would deal with replay attacks. Seems likely that if you send old
metadata no packages will get upgraded, since downgrades don't happen
automatically. So it's really the same as a freeze attack.
But it's nice to see the discussion, and that people are doing what they
can to remove the problems.
Dave
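An added example, not code from this thread or from any distribution's package manager, showing the replay-versus-freeze point in runnable form. It builds a toy signed-metadata format with a monotonically increasing serial and an issue timestamp, then compares a client that only checks the signature (which silently accepts replayed old metadata and therefore sees no upgrades, the freeze effect described above) with one that also rejects a serial going backwards and metadata past its age limit. Everything here is constructed: the signing key, the `serial`/`issued_at` fields, the package versions, and the use of HMAC-SHA256 as a stand-in for a real detached signature (a distro would use an asymmetric scheme such as GPG so a mirror cannot forge metadata).

```python
import hashlib
import hmac
import json

# Constructed demo key. Stands in for the repository's private signing key;
# HMAC is used only to keep the example dependency-free.
SIGNING_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 7 * 24 * 3600  # assumed policy: metadata older than a week is stale


def sign_metadata(packages, serial, issued_at, key=SIGNING_KEY):
    """Produce a signed metadata blob: {package: version}, a monotonic serial,
    and the time it was issued (both fields are assumptions of this example)."""
    body = json.dumps(
        {"serial": serial, "issued_at": issued_at, "packages": packages},
        sort_keys=True,
    )
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_signature_only(blob, key=SIGNING_KEY):
    """Naive client: accept anything carrying a valid signature, regardless of age.
    A mirror replaying an old-but-genuine blob passes this check."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["sig"]):
        return False, "bad signature", None
    return True, "ok", json.loads(blob["body"])


def verify_metadata(blob, last_seen_serial, now, key=SIGNING_KEY, max_age=MAX_AGE_SECONDS):
    """Hardened client: signature must verify, the serial must not go backwards
    relative to what this client has already seen, and the blob must be fresh."""
    ok, reason, meta = verify_signature_only(blob, key)
    if not ok:
        return ok, reason, meta
    if meta["serial"] < last_seen_serial:
        return False, "replay: serial went backwards", None
    if now - meta["issued_at"] > max_age:
        return False, "stale: metadata past its age limit", None
    return True, "ok", meta


def upgrades_available(installed, meta):
    """Names of packages whose repository version is newer than the installed one.
    Downgrades are never offered, which is why replayed old metadata looks like a freeze."""
    return {name for name, ver in meta["packages"].items() if ver > installed.get(name, 0)}


def demo():
    """Run the scenario: an untrusted mirror serves replayed, stale and tampered
    metadata to a client that has seen serial 10 and has openssl version 2 installed."""
    now = 1_700_000_000                      # constructed 'current time'
    installed = {"openssl": 2}
    last_seen = 10

    replayed = sign_metadata({"openssl": 2}, serial=9, issued_at=now - 30 * 86400)
    fresh = sign_metadata({"openssl": 3}, serial=11, issued_at=now - 3600)
    stale = sign_metadata({"openssl": 3}, serial=12, issued_at=now - 30 * 86400)
    tampered = dict(fresh, body=fresh["body"].replace('"openssl": 3', '"openssl": 1'))

    results = {}

    # Naive client accepts the replay and sees nothing to upgrade: a freeze.
    ok, _, meta = verify_signature_only(replayed)
    results["naive_accepts_replay"] = ok
    results["naive_upgrades"] = upgrades_available(installed, meta)

    # Hardened client rejects the same blob because the serial moved backwards.
    ok, reason, _ = verify_metadata(replayed, last_seen, now)
    results["hardened_replay"] = (ok, reason)

    # Genuine but expired metadata is rejected even though its serial is newer.
    ok, reason, _ = verify_metadata(stale, last_seen, now)
    results["hardened_stale"] = (ok, reason)

    # Mirror-modified body fails the signature check outright.
    ok, reason, _ = verify_metadata(tampered, last_seen, now)
    results["hardened_tampered"] = (ok, reason)

    # Fresh, correctly signed metadata is accepted and yields the upgrade.
    ok, _, meta = verify_metadata(fresh, last_seen, now)
    results["hardened_fresh"] = ok
    results["hardened_upgrades"] = upgrades_available(installed, meta)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The serial check needs client-side state (the highest serial already accepted), and the age check needs the repository to stamp an issue time and the client to have a roughly correct clock; without both, a mirror that can only replay genuine data can still hold a client at an old package set indefinitely.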