public
/
toolchain
5
0
Fork 0
Code Issues 5 Pull Requests 1 Packages Projects Releases Wiki Activity

Security vulnerability: installation of package from insecure source #6

New Issue
Open
opened 2024-09-25 11:18:50 +00:00 by invd · 0 comments
invd commented 2024-09-25 11:18:50 +00:00
Copy Link

While working for Turnkey, I've discovered a suspected vulnerability in the current toolchain logic (as of a2315fdbc8).

In the packages-fetch script, the system-wide apt sources configuration is set to install apt sources from archive origins:

a2315fdbc8/scripts/packages-update (L41-L47)
a2315fdbc8/scripts/packages-fetch (L11)

The packages-fetch script then downloads, without installation, a desired list of packages to collect their .deb files. For technical reasons, this happens with [trusted=yes] flag on the package sources, disabling the signature checks on the apt packages. Additionally, these archive servers are configured with http:// due to limited availability of https:// archive mirrors, which has no transport layer security such as TLS certificate checks or encryption. Normally, this is acceptable since the fetched file artifacts are checked against cryptographic hashes by the toolchain logic before any usage.

The security problem arises when installing the dpkg-dev package while the system is still configured with the insecure meant-for-archive-fetch apt configuration:
a2315fdbc8/scripts/packages-fetch (L40)

I have not tested this experimentally, but expect that a Machine-in-the-Middle (MitM) attacker on the network path, or attacker with similar capabilities to impersonate one of the archive servers, could serve the toolchain container a malicious unsigned dpkg-dev package over http://. This package would then get installed due to the disabled apt signature checks, and could run malicious code with root permissions, compromising the system and undermining the security goals of toolchain.

@lrvick approved public documentation of this issue.

While working for [Turnkey](https://www.turnkey.com/), I've discovered a suspected vulnerability in the current `toolchain` logic (as of a2315fdbc8cd0e4a654d1aa4623a53d5292b3574). In the `packages-fetch` script, the system-wide apt sources configuration is set to install apt sources from archive origins: https://git.distrust.co/public/toolchain/src/commit/a2315fdbc8cd0e4a654d1aa4623a53d5292b3574/scripts/packages-update#L41-L47 https://git.distrust.co/public/toolchain/src/commit/a2315fdbc8cd0e4a654d1aa4623a53d5292b3574/scripts/packages-fetch#L11 The `packages-fetch` script then downloads, without installation, a desired list of packages to collect their `.deb` files. For technical reasons, this happens with `[trusted=yes]` flag on the package sources, disabling the signature checks on the apt packages. Additionally, these archive servers are configured with `http://` due to limited availability of `https://` archive mirrors, which has no transport layer security such as TLS certificate checks or encryption. Normally, this is acceptable since the fetched file artifacts are checked against cryptographic hashes by the `toolchain` logic before any usage. The security problem arises when installing the `dpkg-dev` package while the system is still configured with the insecure meant-for-archive-fetch apt configuration: https://git.distrust.co/public/toolchain/src/commit/a2315fdbc8cd0e4a654d1aa4623a53d5292b3574/scripts/packages-fetch#L40 I have not tested this experimentally, but expect that a Machine-in-the-Middle (MitM) attacker on the network path, or attacker with similar capabilities to impersonate one of the archive servers, could serve the `toolchain` container a malicious unsigned `dpkg-dev` package over `http://`. This package would then get installed due to the disabled apt signature checks, and could run malicious code with root permissions, compromising the system and undermining the security goals of `toolchain`. @lrvick approved public documentation of this issue.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
ryan/fix-true-file-created
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/toolchain#6
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?