Package management, the process of determining which update packages should be installed on a host and then downloading and installing those packages, poses a dilemma: operating systems need to be updated, but the update process itself can open the door to a security breach.
A recent study at the University of Arizona explored nine feasible attacks on the popular package managers APT and YUM. As part of their research, the study's authors posed as a group of administrators from a nonexistent company, leased a server from a hosting provider, and got it accepted as a public mirror. Thousands of clients, including government agencies, then fetched their updates through it. A malicious operator in that position could have served metadata that makes the package manager download data endlessly, pull in extraneous dependencies, or install packages the administrator never asked for, and could have replayed old, genuinely signed metadata to keep clients on versions with known holes. That in turn leaves clients exposed to follow-on attacks, including root compromise, crashes and erased files. The researchers concluded that because anyone can stand up a public mirror with little vetting, a mirror cannot be assumed trustworthy: it may be malicious or compromised. You can prevent most of these issues by downloading only from repositories whose metadata is signed, the study counseled. A signature on the repository metadata proves it was produced with the distribution's key rather than by whoever runs the mirror, so a mirror cannot substitute its own index files; with an expiration time in that signed metadata, a mirror also cannot replay an old index indefinitely.
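The value of a signed Release file (the shape APT's repository metadata takes) is that it gives the client something to check a mirror's deliveries against. The Python below is an added example, not code from the study or from APT: it assumes the Release text has already had its signature verified (APT does this with gpgv before trusting it), and the package names, dates and digests are constructed here. It runs the three checks that signed metadata enables against three constructed mirror behaviours: an honest mirror, one that edits the index, and one that never stops sending; a fourth case replays the honest mirror after the metadata's Valid-Until date.

```python
"""Checks a package-manager client can make against an untrusted mirror
once it holds signed repository metadata (APT Release-file style).
Added example; signature verification of the Release file itself is
assumed to have happened already and is not implemented here."""
import hashlib
from datetime import datetime, timedelta, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"  # date format used in APT Release files

# Constructed package index and the Release metadata a distribution would sign.
GOOD_INDEX = b"Package: openssh-server\nVersion: 1:7.9p1-10\nDepends: libc6\n\n"
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Date: Mon, 02 Jun 2008 12:00:00 UTC\n"
    "Valid-Until: Mon, 09 Jun 2008 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(GOOD_INDEX).hexdigest()} {len(GOOD_INDEX)} {INDEX_PATH}\n"
)


def parse_release(text):
    """Return (fields, {path: (sha256_hex, size)}) from Release-style text."""
    fields, digests, in_digests = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):            # continuation line of a digest list
            if in_digests:
                digest, size, path = line.split()
                digests[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_digests = key == "SHA256"
        if not in_digests:
            fields[key] = value.strip()
    return fields, digests


def verify_index(release_text, path, chunks, now):
    """Validate an index served by a mirror against already-verified metadata.

    chunks: iterable of byte chunks, delivered as the mirror sends them.
    Returns (accepted, reason)."""
    fields, digests = parse_release(release_text)
    # 1. Replay/freeze: old but genuinely signed metadata must not live forever.
    valid_until = datetime.strptime(fields["Valid-Until"], DATE_FMT).replace(tzinfo=timezone.utc)
    if now > valid_until:
        return False, "metadata expired (possible replay or freeze attack)"
    if path not in digests:
        return False, "index not listed in signed metadata"
    expected_digest, expected_size = digests[path]
    # 2. Endless data: stop reading the moment the mirror exceeds the signed size.
    h, received = hashlib.sha256(), 0
    for chunk in chunks:
        received += len(chunk)
        if received > expected_size:
            return False, "mirror sent more bytes than signed size (endless data attack)"
        h.update(chunk)
    if received != expected_size:
        return False, "truncated index"
    # 3. Modified index (e.g. extraneous dependencies): the digest no longer matches.
    if h.hexdigest() != expected_digest:
        return False, "digest mismatch (index modified by mirror)"
    return True, "index matches signed metadata"


# Constructed mirror behaviours, each yielding the bytes the client would receive.
def honest_mirror():
    yield GOOD_INDEX


def tampering_mirror():
    # Same-length edit, so only the digest check (not the size check) catches it.
    yield GOOD_INDEX.replace(b"Depends: libc6", b"Depends: evil6")


def endless_mirror():
    while True:                              # never stops sending
        yield b"A" * 4096


def run_demo():
    now = datetime(2008, 6, 3, tzinfo=timezone.utc)   # within the validity window
    return {
        "honest": verify_index(RELEASE_TEXT, INDEX_PATH, honest_mirror(), now),
        "tampered": verify_index(RELEASE_TEXT, INDEX_PATH, tampering_mirror(), now),
        "endless": verify_index(RELEASE_TEXT, INDEX_PATH, endless_mirror(), now),
        "replayed": verify_index(RELEASE_TEXT, INDEX_PATH, honest_mirror(),
                                 now + timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Note that none of these checks needs the mirror to be trusted; everything the client relies on comes from the signed metadata, which is exactly the study's point. The size check matters as much as the digest: a client that reads to end-of-stream before hashing can be kept downloading forever, so the comparison has to happen as bytes arrive.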
Protecting against mirror threats
In response to the study, readers suggested a number of additional ways to protect a package manager from such threats.
- An openSUSE page suggested the project's internally developed tool, the download redirector.
- One blogger wrote that the risks posed by infected repositories are not great enough to merit changes to package manager security.
- Another acknowledged the risk and argued that simply allowing the number of open source package manager products available to increase will maintain or improve current open source package manager security.
- A Gentoo administrator promoted rotating mirrors to ensure security.
Package manager security, as this report points out, is crucial to the integrity of your operating system. With the present drive for continuous upgrades in the data center, you may feel pressure to download from whatever source is most accessible. Don't: the risk of installing tampered software is greater than the time it takes to check out the suggestions above.
For more on package managers, check out these links:
- How to manage software on Ubuntu Server with "aptitude" and "apt-get"
- Managing Software on Ubuntu Server Edition