Comments on: Ubuntu security repository structure http://www.outflux.net/blog/archives/2008/08/20/ubuntu-security-repository-structure/ code is freedom -- patching my itch Tue, 06 Jan 2009 08:45:53 +0000 http://wordpress.org/?v=2.5.1 By: kees http://www.outflux.net/blog/archives/2008/08/20/ubuntu-security-repository-structure/#comment-636 kees Thu, 28 Aug 2008 18:08:17 +0000 http://www.outflux.net/blog/?p=160#comment-636 The Releases file is GPG signed and verified by the package manager. This means interruptions/misdirections in DNS or IP connectivity just result in a denial of service to getting updates (rather than seeing trojaned updates or anything like that) since the resulting Releases file would not be signed by the trusted source. These sort of package manager attacks have been well studied, and you can see more here: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html For Ubuntu it seems that only "freezing" is possible (since the package manager won't install _old_ software if it already has a new update). (The "endless data" attack is possible too, but is just another denial of service.) Frankly, if someone has gained that much control over your network, there are a lot of other things to worry about. :) The Releases file is GPG signed and verified by the package manager. This means interruptions/misdirections in DNS or IP connectivity just result in a denial of service to getting updates (rather than seeing trojaned updates or anything like that) since the resulting Releases file would not be signed by the trusted source.

These sort of package manager attacks have been well studied, and you can see more here:
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

For Ubuntu it seems that only “freezing” is possible (since the package manager won’t install _old_ software if it already has a new update). (The “endless data” attack is possible too, but is just another denial of service.) Frankly, if someone has gained that much control over your network, there are a lot of other things to worry about. :)

]]> By: Alexander Konovalenko http://www.outflux.net/blog/archives/2008/08/20/ubuntu-security-repository-structure/#comment-635 Alexander Konovalenko Fri, 22 Aug 2008 04:16:06 +0000 http://www.outflux.net/blog/?p=160#comment-635 “In this way, mirrors cannot (accidentally or intentionally) “go rogue” — the latest security updates are always visible on the security archive server.” Provided that the DNS and routing are working as expected. But what if they're not? What if the IP address of security.ubuntu.com or the routing table are altered via DNS, ARP or DHCP spoofing, and the false security.ubuntu.com is serving outdated package lists? Will the package manager notice that and complain to the user? “In this way, mirrors cannot (accidentally or intentionally) “go rogue” — the latest security updates are always visible on the security archive server.”

Provided that the DNS and routing are working as expected.

But what if they’re not? What if the IP address of security.ubuntu.com or the routing table are altered via DNS, ARP or DHCP spoofing, and the false security.ubuntu.com is serving outdated package lists? Will the package manager notice that and complain to the user?

]]> By: Miguel Ruiz http://www.outflux.net/blog/archives/2008/08/20/ubuntu-security-repository-structure/#comment-634 Miguel Ruiz Thu, 21 Aug 2008 06:43:47 +0000 http://www.outflux.net/blog/?p=160#comment-634 Kees, Your reply was outstanding and it clarified my doubts. Thanks ! Kees,

Your reply was outstanding and it clarified my doubts.

Thanks !

]]>