Security vulnerability: installation of package from insecure source #6

Open
opened 2024-09-25 11:18:50 +00:00 by invd · 0 comments

While working for Turnkey, I've discovered a suspected vulnerability in the current toolchain logic (as of a2315fdbc8).

In the packages-fetch script, the system-wide apt sources configuration is set to install apt sources from archive origins:

a2315fdbc8/scripts/packages-update (L41-L47)
a2315fdbc8/scripts/packages-fetch (L11)

The packages-fetch script then downloads, without installation, a desired list of packages to collect their .deb files. For technical reasons, this happens with [trusted=yes] flag on the package sources, disabling the signature checks on the apt packages. Additionally, these archive servers are configured with http:// due to limited availability of https:// archive mirrors, which has no transport layer security such as TLS certificate checks or encryption. Normally, this is acceptable since the fetched file artifacts are checked against cryptographic hashes by the toolchain logic before any usage.

The security problem arises when installing the dpkg-dev package while the system is still configured with the insecure meant-for-archive-fetch apt configuration:
a2315fdbc8/scripts/packages-fetch (L40)

I have not tested this experimentally, but expect that a Machine-in-the-Middle (MitM) attacker on the network path, or attacker with similar capabilities to impersonate one of the archive servers, could serve the toolchain container a malicious unsigned dpkg-dev package over http://. This package would then get installed due to the disabled apt signature checks, and could run malicious code with root permissions, compromising the system and undermining the security goals of toolchain.

@lrvick approved public documentation of this issue.

While working for [Turnkey](https://www.turnkey.com/), I've discovered a suspected vulnerability in the current `toolchain` logic (as of a2315fdbc8cd0e4a654d1aa4623a53d5292b3574). In the `packages-fetch` script, the system-wide apt sources configuration is set to install apt sources from archive origins: https://git.distrust.co/public/toolchain/src/commit/a2315fdbc8cd0e4a654d1aa4623a53d5292b3574/scripts/packages-update#L41-L47 https://git.distrust.co/public/toolchain/src/commit/a2315fdbc8cd0e4a654d1aa4623a53d5292b3574/scripts/packages-fetch#L11 The `packages-fetch` script then downloads, without installation, a desired list of packages to collect their `.deb` files. For technical reasons, this happens with `[trusted=yes]` flag on the package sources, disabling the signature checks on the apt packages. Additionally, these archive servers are configured with `http://` due to limited availability of `https://` archive mirrors, which has no transport layer security such as TLS certificate checks or encryption. Normally, this is acceptable since the fetched file artifacts are checked against cryptographic hashes by the `toolchain` logic before any usage. The security problem arises when installing the `dpkg-dev` package while the system is still configured with the insecure meant-for-archive-fetch apt configuration: https://git.distrust.co/public/toolchain/src/commit/a2315fdbc8cd0e4a654d1aa4623a53d5292b3574/scripts/packages-fetch#L40 I have not tested this experimentally, but expect that a Machine-in-the-Middle (MitM) attacker on the network path, or attacker with similar capabilities to impersonate one of the archive servers, could serve the `toolchain` container a malicious unsigned `dpkg-dev` package over `http://`. This package would then get installed due to the disabled apt signature checks, and could run malicious code with root permissions, compromising the system and undermining the security goals of `toolchain`. @lrvick approved public documentation of this issue.
This repo is archived. You cannot comment on issues.
No Label
No Milestone
No project
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/toolchain#6
No description provided.