wounded in the line of duty
Hello, I'm one of the authors of the study. I wanted to first of all thank you for commenting on our research. One of the major benefits we hoped would come from making this public is that the Linux community would become more aware and interested in fixing the problems we point out.
I also wanted to respond to several of the issues you brought up in your blog post. First, I appreciate you pointing out that many distributions check to see if their mirrors are current and try to remove mirrors that are not. We under-emphasized this in the webpage and other documents because we did not view this as a mechanism used to detect a malicious party (we thought the intent was to detect negligent administrators and broken scripts). As I'm sure you and the savvy reader are aware, it is possible for a web server to serve different content to different users. We examined our web request logs from our CentOS mirror and I believe we can identify the "checking bot" IP addresses. If we were malicious, we could serve "good" content to your checking bot and "malicious" content to other users. I would be happy to provide what I believe to be the IPs used to check if a mirror is current to you offline for verification / rebuttal. However, since you view this information as important to the security of your users, I will not list the information here.
Additionally, I wanted to mention that we found significant security problems with Fedora's MirrorManager (our FAQ talks about how it can be used to target attacks). However, other redirectors we looked at (like Download Redirector for OpenSUSE) do improve security in a similar manner to what you describe. I was wondering if we could talk more offline about how your mirror list redirection works so we can discuss the potential for abuse?
I also wondered if you might want to look in detail at the other attacks page of the web site and the technical report which mentions detailed information about flaws in YUM. We would be happy to discuss the feasibility of attacks that target these issues with you. However, I will point out one attack that is extremely simple that I hope illustrates there is a real danger to your users. If I control a mirror and you attempt to retrieve a file from my mirror, I can return an endless stream of data which (on YUM) will fill the disk and crash the client system (stopping logging, corrupt databases, etc.). This is obviously a real threat to all of your users regardless of any mirror redirection strategies you perform.
Anyways, we thank you for taking a look at our research and hope to hear more rebuttal / confirmation in the future.
More information about formatting options
© 2007-2014 Dag Wieërs | Powered by Drupal and RHEL. | No legal statement, haha.