Flaws found in BSD, Linux software updaters

The software update mechanisms used by most BSD and Linux operating systems can be tricked into installing, or holding systems on, outdated software with known vulnerabilities, creating serious security risks, according to new research.

The study Package Management Security, to be published in a forthcoming issue of the University of Arizona Tech Report, analysed 10 package managers and found weaknesses in all of them that let an attacker keep vulnerable software on target systems.

Package managers are designed to automatically keep software up-to-date and thus safe from known vulnerabilities. The package managers analysed in the study were APT, APT-RPM, Pacman, Portage, Ports, Slaktool, Stork, Urpmi, Yast and YUM.

"Given their critical role, the expectation would be for package managers to be extremely secure," said the researchers in the report. "We examined 10 popular package managers for Linux and BSD systems and found vulnerabilities in all of them."

The attacks outlined in the study could give an attacker the ability to read or erase files on the system, capture passwords, set up a backdoor into the system or carry out other malicious activity, the researchers said.

The attack outlined by the University of Arizona researchers does not feed malicious code to a target through the package manager. Instead, it causes the package manager to install an older, legitimately signed version of a piece of software with known bugs, or prevents the system from updating to a newer package that fixes those bugs.

The attacks work because of flaws in the system of secure signatures for packages and for the metadata describing the packages in a repository, the researchers said.

In many distributions, the signatures never expire, or the package manager used by the distribution has no support for signature expiry at all.

"This means that, even after a package has a vulnerability discovered in it, clients will continue to be willing to install that insecure package," the researchers wrote. "An attacker can replay the correctly signed packages or metadata from a previous release and your computer will install software with flaws that the attacker can exploit."

For example, even though an older version of OpenSSL for Debian has known flaws, the file list that describes that flawed version is still correctly signed. An illicit mirror, a deliberately tainted archive of repository files set up to answer package managers, can therefore be created and used to distribute it.

"Using this old, signed file list, a malicious mirror can keep a client on the insecure version of OpenSSL by responding to the client's package manager with the old list of files," the report stated.

The researchers found that setting up a malicious mirror was not a problem. They invented an administrator and a company name, leased a server from a hosting provider, and had the fake mirror officially listed as a mirror by Ubuntu, Fedora, OpenSuse, CentOS and Debian.

The fake mirror was contacted by thousands of clients, including military and government computers, the study reported.

Administrators can protect their systems in the short term by relying only on trusted repositories, updating systems manually, requiring signed repository metadata and talking to mirrors over HTTPS, the study said. Note that HTTPS only protects the connection in transit; it does nothing against a mirror that is itself malicious, which is why restricting the set of mirrors comes first on that list.

For the longer term, the researchers urged the wider use of signed repository metadata and metadata expiration.
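The replay attack described above, and the metadata-expiration fix the researchers recommend, are easy to see in a small simulation. The following is an added example, not code from the study or from any of the package managers it names. It stands in an HMAC with a constructed key for the repository's real (asymmetric) signing key, and the OpenSSL version strings and timeline are constructed rather than taken from Debian's history; the replay problem is the same either way, because the old signature stays valid no matter which key type produced it.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the repository's signing key. Real repositories sign
# with an asymmetric key (GPG); an HMAC keeps this example self-contained.
REPO_KEY = b"constructed-repository-signing-key"

DAY = 86400  # seconds


def _canonical(body):
    """Deterministic serialisation so signing and verifying see identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(packages, signed_at, valid_for=None):
    """Produce signed repository metadata (package name -> version).

    valid_for=None reproduces the behaviour the study criticises: the signed
    metadata never expires, so any old copy of it stays acceptable forever.
    """
    body = {"packages": dict(packages), "signed_at": signed_at}
    if valid_for is not None:
        body["valid_until"] = signed_at + valid_for
    sig = hmac.new(REPO_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_metadata(meta, now, check_expiry):
    """Return (accepted, reason). check_expiry=False models a 2008-era client
    that checks the signature but has no notion of metadata freshness."""
    body = meta["body"]
    expected = hmac.new(REPO_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, meta["sig"]):
        return False, "bad signature"
    if check_expiry:
        if "valid_until" not in body:
            return False, "no expiry field"
        if now > body["valid_until"]:
            return False, "metadata expired"
    return True, "ok"


def client_update(mirror_response, package, now, check_expiry):
    """What a client would install for `package`, given what the mirror served.
    Returns (version or None, reason)."""
    ok, reason = verify_metadata(mirror_response, now, check_expiry)
    if not ok:
        return None, reason
    return mirror_response["body"]["packages"].get(package), reason


def run_replay_scenario():
    """A malicious mirror replays an old, correctly signed file list."""
    t0 = 0
    # Day 0: the repository publishes metadata listing a vulnerable build
    # (constructed version strings, not real Debian package history).
    old_meta = sign_metadata({"openssl": "0.9.8g-1"}, t0, valid_for=14 * DAY)
    # Day 30: a fixed build is published; the day-0 metadata is now stale.
    new_meta = sign_metadata({"openssl": "0.9.8g-2"}, t0 + 30 * DAY, valid_for=14 * DAY)
    now = t0 + 40 * DAY

    honest = client_update(new_meta, "openssl", now, check_expiry=True)
    # The malicious mirror answers with the day-0 metadata instead of the current one.
    replayed_no_expiry = client_update(old_meta, "openssl", now, check_expiry=False)
    replayed_with_expiry = client_update(old_meta, "openssl", now, check_expiry=True)

    # Outright tampering is caught by the signature on both kinds of client;
    # the replay works precisely because it needs no tampering.
    tampered = {"body": dict(old_meta["body"]), "sig": old_meta["sig"]}
    tampered["body"]["packages"] = {"openssl": "0.9.8g-1-backdoored"}
    tampered_result = client_update(tampered, "openssl", now, check_expiry=False)

    return {
        "honest": honest,
        "replayed_no_expiry": replayed_no_expiry,
        "replayed_with_expiry": replayed_with_expiry,
        "tampered": tampered_result,
    }


if __name__ == "__main__":
    for name, (version, reason) in run_replay_scenario().items():
        print(f"{name:22s} install={version!r:22s} reason={reason}")
```

The expiry-unaware client happily installs the stale 0.9.8g-1 from the replayed list; the expiry-checking client rejects the same bytes as expired and refuses to downgrade, while both reject a list whose contents were actually edited. This is the mechanism APT later adopted: a `Valid-Until` field in the signed Release file, enforced by the `Acquire::Check-Valid-Until` option.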


Talkback (2 comments)

    Seems to me (Dean, 16/07/08)

    Seems to me that the "real" solution is for the distributions to actually verify that mirrors really *are* exact mirrors of their own repository, rather than just trusting anybody who feels like providing bandwidth.

    Exactly (Anonymous, 12/09/08, in reply to #320106914)

    The security flaw is that distributions are quick to endow "mirror" status on pretty much any server.

    If your malicious server is in someone's sources.list, you don't need to keep someone on an old version of a program - you can just create a new package with a later version number that contains absolutely any code whatsoever.

    If you're a burglar, you don't try to pick a lock when you can just throw a brick through a window.
