DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Ports and Packages

FreeBSD Ports and Packages Installation and upgrading of ports and packages on FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 15th July 2008
revzalot's Avatar
revzalot revzalot is offline
Shell Scout
 
Join Date: May 2008
Posts: 123
Thanked 1 Time in 1 Post
Default Flaws found in BSD, Linux software updaters

Interesting read here:

http://news.zdnet.co.uk/security/0,1...9446765,00.htm
Reply With Quote
  #2   (View Single Post)  
Old 15th July 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
The researchers found that it was not a problem to set up a malicious mirror. They created a fake administrator and company name and leased a server from a hosting provider, and were able to get the fake mirror listed officially by the distributions Ubuntu, Fedora, OpenSuse, CentOS and Debian.
Technically, I dont get it.
Reply With Quote
  #3   (View Single Post)  
Old 15th July 2008
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,062
Thanked 198 Times in 156 Posts
Default

I don't get it either, as far as I know, the outlined problems in this article do not affect FreeBSD ports ... Maybe there are other issues in FreeBSD?
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
  #4   (View Single Post)  
Old 15th July 2008
hunteronline hunteronline is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 52
Thanked 6 Times in 5 Posts
Default

http://www.cs.arizona.edu/people/jus...-managers.html

It doesn't actually say FreeBsd, just "We examined ten popular package managers (APT, YUM, YaST, etc.) for Linux and BSD systems and found vulnerabilities in all of them."
Reply With Quote
  #5   (View Single Post)  
Old 15th July 2008
ninjatux's Avatar
ninjatux ninjatux is offline
Real Name: Baqir Majlisi
Spam Deminer
 
Join Date: May 2008
Location: Antarctica
Posts: 293
Thanked 15 Times in 15 Posts
Default

I think it's referring to dated packages in mirrors being insecure.
__________________
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity."
MacBook Pro (Darwin 9), iMac (Darwin 9), iPod Touch (Darwin 9), Dell Optiplex GX620 (FreeBSD 7.1-STABLE)
Reply With Quote
  #6   (View Single Post)  
Old 16th July 2008
hunteronline hunteronline is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 52
Thanked 6 Times in 5 Posts
Default

No, it's saying a malicious mirror can deliver old packages with known security flaws when you update and them use the known flaws to attack your machine or, network.
Reply With Quote
  #7   (View Single Post)  
Old 16th July 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

The 2nd url clears everything up. Its more social engineering threat to me
Reply With Quote
  #8   (View Single Post)  
Old 16th July 2008
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Thanked 112 Times in 104 Posts
Default

my personal opinion


It's all a crock full of buffalo pucky, the link posted by hunteronline is the same one I saw on slashdot when following my RSS feeds.


The reply problem is a valid concern because if you do get an attacker with enough access to your system, they can tamper with your system files -- never mind mucking with package management enough to send you outdated files.


If any software used to decide what is up to date and what is not is up to date can't tell the difference. There best be a carefully made 'tainted' package that appears to be new, a bug in the code, or some really stupid people IMHO.


Mirror control? Well if the people can't be bothered to make sure that the mirrors they are promoting are as valid as the checksums and other security methods YOU should be publishing to ensure validity of packages and metadata. Then you deserve to have all of your users file your distribution under /dev/null and find one that doesn't do it half assed.


FreeBSD ports uses md5 and sha256 checksums and if memory serves it also does size check on the distfile as part of validating it. To side step that an attacker needs to compromise the local system and adjust the distinfo or compromise the data being received during a portsnap/csup/cvs of the ports tree, the source of the distinfo, go main in the middle, or trick a moron with proper access into doing or allowing it to be done manually.


This is one reason I like portsnap, updates are signed -- I don't know if csup/cvsup supports that.


The first rule of security, use your freaking brain cells. Like the lump of gray matter roughly three feet above your buttocks. A brain is _such_ a terrible thing to waste!


Code:
Things You Can Do Today:
Code:
    * Use repositories you trust. Use only mirrors that belong to reputable organizations. Don't randomly choose mirrors, even from official lists. The official lists of public repositories often contain many superficially verified mirrors.
If you can't trust the mirror you shouldn't be using it, if the mirror can not authenticate itself to you, there is a problem in the design of your package management system or your system configuration.


Code:
    * Manually update your systems (and local mirror caches). Know when package updates become available and what the versions should be. Manually verify and install the updated packages (or add them to your local mirror cache that your systems update from) rather than relying on automated updates. We have observed mirrors many months out of date for some distributions, so you should check periodically that your mirror is being updated.
If your paid to take care of the box, you should know when software updates are available to any core services (such as mysql or sendmail) before they hit your distribution's repository.

If the mirror is out of date, someoneshould bloody well notice it huh?

Code:
    * Use signed repository metadata. If your package manager or distribution does not yet support signed metadata but only signed packages, at least require signed packages until signed metadata is supported.
If the 'metadata' has no way of being validated don't use it, if security is paramount.


Code:
    * Use HTTPS for mirror communication. Unfortunately, this is generally only available with paid support services (and only protects you against man-in-the-middle attacks, not malicious mirrors). However, by running a distribution with HTTPS support on their mirrors, a man-in-the-middle attacker cannot easily launch an attack as though it were a mirror.
nice idea, I wonder how much stuff is just done via ftp?


Code:
In the future:
[/code]
* Use package managers that sign repository metadata. Unsigned repository metadata gives malicious parties more leverage in their attacks.
[/code]

the package management *system* is responsible for this, not the package manager program necessarily but it must be done within the system somewhere !


Code:
    * Use package managers that implement metadata expiration. If there is no way in a package manager for metadata to ever expire, replay attacks will be able to go unnoticed.
This is a good idea, one up would be allowing the system administrator to set an expiration date IMHO. Even if the whole dang thing is done by a combination of dates and public key cryptography.


Code:
    * Use distributions that properly make use of the package manager's security features. If a distribution doesn't sign repository metadata or expire these signed files even though the package manager supports doing so, it doesn't help you stay secure.

If the distribution doesn't do jack crap, find another that does and shout loudly.



*disclaimer*

I can be a very picky son of a biscuit eater when it comes to *trying* for a correct implementation instead of living with a forever half assed approach.




I appologize if I have offended anyone.
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
mk.conf not found mtm0 NetBSD Package System (pkgsrc) 2 4th September 2009 04:42 PM
linux compat and linux-only drivers fbsduser FreeBSD General 9 22nd January 2009 05:42 PM
kernel not found isamu FreeBSD Installation and Upgrading 13 24th October 2008 12:24 AM
I finally found it!!! crayoxide FreeBSD General 8 23rd July 2008 05:41 AM
pkg-get command not found whispersGhost Solaris 2 11th June 2008 01:06 PM


All times are GMT. The time now is 11:57 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick