
#1 2008-07-11 04:55:38

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

pacman vulnerabilities

Maybe most people don't think about it much, but the security/authentication mechanisms of my package manager *do* (read the link) keep me up late at night. Unfortunately, pacman doesn't use any sort of package authentication, something I've noted before.

A recent test of 10 popular package managers showed them all to be vulnerable to attack, some of them in different ways and to different extents. Pacman was included (4/5 down the page) in the tests.

Does anyone else think that taking some steps towards security in pacman would be appropriate? The project is growing in popularity, and while at one time it may not have been a high priority, now I think it should be more so. Pacman's security alone is enough to not choose Arch to run a secure server, or use in any situation with significant security stakes. It's so simple, Arch can be tricked into using a false repository just by a plain ARP poisoning attack if the attacker can get onto a local LAN. (Hard-coding ARP tables is only a hack of a fix.) Off the LAN, it's still insecure.

I know suggestions are best when submitted in .patch files, but I sadly don't have time. I have C experience, but no time to add much of anything more to my schedule. (Full school load plus research project plus girlfriend (plus a social-ish life: friends in real life, and a couple of forums to mod in virtual life).)

Offline

#2 2008-07-11 05:09:12

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: pacman vulnerabilities

Well these sorts of things are being thought about.  There is a signed packages branch of pacman being worked on. It won't make the next pacman release, but maybe the one after.  I know the attack described is also applicable to signed packages but it is a start. 

As far as serving out old package versions goes, I think this would become noticeable given many packages use versioned dependencies these days and conflicts are sure to arise, although maybe not immediately.  Also any mirror that is outdated is noted quite quickly by Gerhard and his mirror status checking, which I guess may detect these kinds of attacks.

Online

#3 2008-07-11 05:12:58

remote
Member
Registered: 2007-12-28
Posts: 44

Re: pacman vulnerabilities

If looking for votes, it has mine. I'd also like to have iptables included in the base/core install so that I can add security before going on-line.

Offline

#4 2008-07-11 05:59:59

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: pacman vulnerabilities

That's good to hear, Allan. smile It won't fix all problems, but it's definitely the first place to start, as it's the most simple attack vector.

remote wrote:

I'd also like to have iptables included in the base/core install so that I can add security before going on-line.

It is in core:

```
$ pacman -Ss iptables
core/iptables 1.4.0-2
    A Linux kernel packet control tool
```

Last edited by B-Con (2008-07-11 06:00:18)

Offline

#5 2008-07-11 06:09:22

remote
Member
Registered: 2007-12-28
Posts: 44

Re: pacman vulnerabilities

I refer to the install disk "ISO", not the package location.

Offline

#6 2008-07-11 06:13:30

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: pacman vulnerabilities

IIRC, all of core is included in the (full) ISO. I just checked the 2008.03 ISO and it has iptables.

Offline

#7 2008-07-11 06:23:40

remote
Member
Registered: 2007-12-28
Posts: 44

Re: pacman vulnerabilities

Perhaps it's my lack of knowledge then, for after a fresh install with no on-line connection, pacman -S iptables fails. What method do I use?

Offline

#8 2008-07-11 06:34:30

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: pacman vulnerabilities

Does the default mirror list include the CD drive? pacman -S will try to synchronize the package, and if you have no Internet connection it won't work. Try pacman -Qs iptables on the default install to see if it's already installed.

Offline

#9 2008-07-11 12:00:08

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602
Website

Re: pacman vulnerabilities

remote wrote:

If looking for votes, it has mine. I'd also like to have iptables included in the base/core install so that I can add security before going on-line.

Around here we rarely look for votes, but patches and code are more than welcome. Until we have more than 4 active developers on pacman, we just don't have the manpower to care about these issues (as important as some of this stuff may be). We have had stops and starts of work on some signed package stuff, and I haven't read the whole article yet but I'm sure we will have other work to do too. It just comes down to someone *doing* rather than talking about it and expecting the work to magically happen.

Offline

#10 2008-07-11 12:16:03

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: pacman vulnerabilities

remote wrote:

Perhaps it's my lack of knowledge then, for after a fresh install with no on-line connection, pacman -S iptables fails. What method do I use?

Add the iso as a pacman repo, or use -U /path/to/pkg


Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest

Offline

#11 2008-07-11 16:52:46

Sjoden
Member
From: WA
Registered: 2007-08-16
Posts: 380
Website

Re: pacman vulnerabilities

Mr.Elendig wrote:
remote wrote:

Perhaps it's my lack of knowledge then, for after a fresh install with no on-line connection, pacman -S iptables fails. What method do I use?

Add the iso as a pacman repo, or use -U /path/to/pkg

Or select it during the install process.. It's there. Has been for a while.

Offline

#12 2008-07-12 22:10:30

essence-of-foo
Member
Registered: 2008-07-12
Posts: 84

Re: pacman vulnerabilities

As far as I understand these attacks, they rely on the fact that the client has outdated metadata.

Therefore I'd like to ask: Would it be possible to have an official dedicated server which only serves package-metainformation with SSL-authentication?

If yes, then we could have a procedure in which the client first asks the central server for the official metadata and then the client decides for itself which packages should be retrieved from a mirror.
This would make downgrades impossible, and updates would only allow the current version (if packages are signed or if there are hashes).

If implemented, the pacman protocol needs to be extended so that mirror servers could respond with "package version not available yet". The error message should be shown to the user so that he/she can decide if the mirror is current enough.

Allan wrote:

Well these sorts of things are being thought about.  There is a signed packages branch of pacman being worked on. It won't make the next pacman release, but maybe the one after.  I know the attack described is also applicable to signed packages but it is a start.

It's nice to hear that signed packages are being worked on. But for the meantime I would propose additional sha1 checksums for each package, because md5 can no longer be considered secure enough. If two different hashes are applied, it's extremely difficult for an attacker to find a collision which matches both hashes.

Offline

#13 2008-07-12 23:29:00

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602
Website

Re: pacman vulnerabilities

essence-of-foo wrote:

It's nice to hear that signed packages are being worked on. But for the meantime I would propose additional sha1 checksums for each package, because md5 can no longer be considered secure enough. If two different hashes are applied, it's extremely difficult for an attacker to find a collision which matches both hashes.

MD5 has never been there for security; it has been there for a download integrity check, not a security check. If someone wanted to maliciously alter a package, they could do it much more easily than trying to find some stupid collision: they could simply make a malicious package and then insert the new MD5 in the database. I doubt SHA1 is going to make a difference there...

Offline

#14 2008-07-13 01:16:49

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: pacman vulnerabilities

essence-of-foo wrote:

It's nice to hear that signed packages are being worked on. But for the meantime I would propose additional sha1 checksums for each package, because md5 can no longer be considered secure enough. If two different hashes are applied, it's extremely difficult for an attacker to find a collision which matches both hashes.

That's what package signing is for, to ensure authenticity. A hash without proof of origin is worthless, like toofishes points out.

MD5 is significantly faster in software than the SHAs are. Since we only expect integrity confirmation from the hash, it wouldn't make sense to change it. If we wanted authenticity from it as well, there are a lot more (important) things to do than switch to one of the SHAs.

Offline
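The two points made in posts #12 through #14 (a mirror can replace a package and rewrite its hash in an unsigned database, and a mirror can keep serving genuinely old metadata) can be shown with a small verification routine. This is an added illustration, not pacman code and not the design of its signed-packages branch: the key, package bytes, timestamps and the use of an HMAC as a stand-in for an asymmetric repository signature are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a repository signing key. A real design would use an
# asymmetric signature (private key on the repo, public key on clients); HMAC is
# used here only so the example runs with the standard library.
REPO_KEY = b"constructed-demo-key-not-for-real-use"
MAX_METADATA_AGE = 7 * 24 * 3600  # seconds a signed database stays acceptable

def sign_metadata(entries, issued_at, key=REPO_KEY):
    """Build a database blob: package metadata plus issue time, with a signature over both."""
    body = json.dumps({"issued_at": issued_at, "packages": entries}, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_package(db, name, pkg_bytes, now, key=REPO_KEY):
    """Accept pkg_bytes as package `name` only if the database is authentic,
    fresh, and lists a hash matching the file. Returns (ok, reason)."""
    expected = hmac.new(key, db["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, db["sig"]):
        return False, "database signature invalid"
    meta = json.loads(db["body"])
    if now - meta["issued_at"] > MAX_METADATA_AGE:
        return False, "database too old (possible replay of stale metadata)"
    entry = meta["packages"].get(name)
    if entry is None:
        return False, "package not in database"
    if hashlib.sha256(pkg_bytes).hexdigest() != entry["sha256"]:
        return False, "package hash does not match signed metadata"
    return True, f"{name} {entry['version']} verified"

GOOD_PKG = b"iptables-1.4.0-2 (constructed package contents)"
NOW = 1_215_800_000  # constructed 'current time'

def good_db(issued_at=NOW - 3600):
    entries = {"iptables": {"version": "1.4.0-2", "sha256": hashlib.sha256(GOOD_PKG).hexdigest()}}
    return sign_metadata(entries, issued_at)

def demo():
    results = {}
    db = good_db()
    results["legit"] = verify_package(db, "iptables", GOOD_PKG, NOW)
    # Scenario from post #13: mirror swaps the package and rewrites the hash in the
    # database. Without a key the signature cannot be recomputed, so the edit shows.
    altered = b"iptables-1.4.0-2 (constructed altered contents)"
    patched_body = db["body"].replace(hashlib.sha256(GOOD_PKG).hexdigest().encode(),
                                      hashlib.sha256(altered).hexdigest().encode())
    results["tampered_db"] = verify_package({"body": patched_body, "sig": db["sig"]}, "iptables", altered, NOW)
    # Scenario from post #12: mirror keeps serving an old but genuinely signed database.
    results["stale_db"] = verify_package(good_db(issued_at=NOW - 30 * 24 * 3600), "iptables", GOOD_PKG, NOW)
    return results
```

A freshness bound such as MAX_METADATA_AGE is what turns "outdated metadata" from silent into detectable; the hash check alone, as posts #13 and #14 note, only catches accidental corruption.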

#15 2008-07-14 10:57:50

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: pacman vulnerabilities

Intrigued by the article, I started looking, and I stumbled across this: https://cesium.di.uminho.pt/pub/archlinux/ Now I know being self-signed means it's not the best, but it's better than not being signed at all.

But my question is: is it presently not possible to use this? Would this require a major rewrite of pacman?

Offline

#16 2008-07-14 13:40:10

tigrmesh
IRC Op
From: Florida, US
Registered: 2007-12-11
Posts: 794

Re: pacman vulnerabilities

It seems to me that pacman would need to be modified but not completely rewritten.  However, all packages would probably have to be repackaged to include the signing.

Offline

#17 2008-07-14 23:33:30

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: pacman vulnerabilities

FeatherMonkey wrote:

Intrigued by the article, I started looking, and I stumbled across this: https://cesium.di.uminho.pt/pub/archlinux/ Now I know being self-signed means it's not the best, but it's better than not being signed at all.

But my question is: is it presently not possible to use this? Would this require a major rewrite of pacman?

I think that, primarily, additions would have to be made; I don't think much would have to be rewritten, and little to none rewritten from scratch.

Offline

#18 2008-07-15 03:50:36

kevmille
Member
From: Saigon, Vietnam
Registered: 2008-06-02
Posts: 44
Website

Re: pacman vulnerabilities

Hmm, nowhere in the article did it mention who funded this research.  Gotta be M$.  It brought up some good points but the study should do a compare and contrast with Macs and Windows systems as well.  That has to be in the analysis, right?  I am curious to get my hands on the full report.


My Blog: SaigonNezumi.com
My Company: Orion NewTech
Location: Saigon (HCMC), Vietnam

Offline

#19 2008-07-15 06:53:47

schivmeister
Developer/TU
From: Singapore
Registered: 2007-05-17
Posts: 971
Website

Re: pacman vulnerabilities

Nope I don't think it's something fishy like that..


I need real, proper pen and paper for this.

Offline

#20 2008-07-15 08:02:59

B-Con
Member
From: USA
Registered: 2007-12-17
Posts: 554
Website

Re: pacman vulnerabilities

kevmille wrote:

Hmm, nowhere in the article did it mention who funded this research.  Gotta be M$.  It brought up some good points but the study should do a compare and contrast with Macs and Windows systems as well.

Highly unlikely anyone funded it. The report came from a research-oriented university. At research-oriented universities, this *is* what professors get paid to do. They spend 8 hours a week on their classes (if that) and the rest on whatever research projects they're working on.

Offline

#21 2008-07-15 08:20:12

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: pacman vulnerabilities

They said they examined 10 popular package managers and found vulnerabilities in all of them, but where are the detailed results?
That would be interesting, and I can't understand how it can not be included in a review of this kind.


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))

Offline

#22 2008-07-15 08:52:34

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: pacman vulnerabilities

They are not vulnerabilities in the package manager per se, rather the fact that anybody can become a mirror operator and then keep versions of packages with known security flaws on the mirror.

BTW, slashdot coverage: http://it.slashdot.org/article.pl?sid=08/07/10/227220

Online

#23 2008-07-15 09:39:26

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: pacman vulnerabilities

I think this post sums up the situation a bit:
http://it.slashdot.org/comments.pl?sid= … d=24145183

But what I meant is that some kind of table showing which security features each package manager supports would have been interesting.


Offline
