
Attacks against GPG signed APT repositories - jcapote
https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-repositories/
======
whacker
This is such a frustrating clickbait headline!

Most of the 'attacks' are:

1. Plain old bugs in apt.
2. Involve disabling the very security features (GPG and checksum verification) designed to prevent that attack!

~~~
rlpb
Additionally the article appears to intentionally conflate "issues" such as
"if you turn security off" or "if the repository isn't signed" to make their
list of possible issues look bigger. None of these are "Attacks against GPG
signed APT repositories".

~~~
codedokode
What about replay attack? Providing apt with old metadata and packages?

~~~
whacker
The release files have 'Valid-Until' fields, which will cause apt to reject it
on replay.

~~~
jdamato
APT will not reject it on replay if the 'Valid-Until' date has not been met
yet.

Imagine a version of, say, libEXAMPLE has a vulnerability allowing remote code
execution. The `Valid-Until` date is some time in the future, maybe a few days
from now. The authors release a new version of libEXAMPLE to patch the
vulnerability and the APT repository metadata is updated.

However, a malicious actor performing a MitM against your machine has saved
the metadata with the vulnerable version. The malicious actor replays that
metadata to your system, preventing your system from seeing the newly patched
libEXAMPLE. This gives the attacker up until the `Valid-Until` date to attempt
to launch an attack against you.

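The replay window jdamato describes is bounded by two fields in the repository's own Release file: `Date` (when the metadata was generated) and `Valid-Until` (after which apt refuses it). The script below is an added example, not code from the post or from APT itself: it parses those fields from a constructed Release file, reports how long a replayed copy would still be accepted, flags a missing or overly long validity window, and detects a rollback when the caller supplies the `Date` of the metadata it last accepted (that `last_seen_date` bookkeeping is an assumption about the caller, not something the Release format provides).

```python
"""Freshness checks for an APT Release file (added example, not APT's own code)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Release file; the hash line is a placeholder, not real data.
SAMPLE_RELEASE = """Origin: Example
Label: Example
Suite: stable
Codename: stable
Date: Wed, 21 Feb 2018 12:00:00 UTC
Valid-Until: Wed, 28 Feb 2018 12:00:00 UTC
Architectures: amd64
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""


def parse_release_fields(text):
    """Return the single-line 'Key: value' fields of a Release file.

    Continuation lines (those starting with whitespace, e.g. the hash
    entries under SHA256:) belong to the preceding field and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_apt_date(value):
    """Parse the RFC 2822-style timestamps used in Release files as aware UTC datetimes."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # defensively treat a zone-less timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_release_freshness(text, now, last_seen_date=None, max_window=timedelta(days=7)):
    """Evaluate how exposed a client would be to a replay of this Release file.

    Returns a dict with the parsed dates, the remaining replay window in
    seconds (if any), and a list of problem codes:
      no-valid-until    - metadata never expires, so a replay never expires
      expired           - Valid-Until has passed; apt would reject the file
      window-too-long   - Valid-Until minus Date exceeds max_window
      rollback          - Date is older than metadata already accepted
    """
    fields = parse_release_fields(text)
    date = parse_apt_date(fields["Date"])
    result = {"date": date, "problems": []}

    if "Valid-Until" not in fields:
        result["problems"].append("no-valid-until")
    else:
        valid_until = parse_apt_date(fields["Valid-Until"])
        result["valid_until"] = valid_until
        if now > valid_until:
            result["problems"].append("expired")
        else:
            # A captured copy of this file stays acceptable for this long.
            result["replay_window_seconds"] = int((valid_until - now).total_seconds())
        if valid_until - date > max_window:
            result["problems"].append("window-too-long")

    # Assumed caller-side record of the last Date accepted: an older Date
    # now means someone is feeding us metadata we have already moved past.
    if last_seen_date is not None and date < last_seen_date:
        result["problems"].append("rollback")
    return result


if __name__ == "__main__":
    now = parse_apt_date("Fri, 23 Feb 2018 00:00:00 UTC")
    report = check_release_freshness(SAMPLE_RELEASE, now)
    print(report["problems"] or "no problems")
    print("replay window (s):", report.get("replay_window_seconds"))
```

Shortening the validity window (a `Valid-Until` closer to `Date`) shrinks what a replayed copy is worth, at the cost of clients failing if the repository is not regenerated in time; the rollback check covers the remaining gap, because an attacker cannot forge a newer signed `Date` without the signing key.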
------
parliament32
The main recommendation is "always serve your apt repo over TLS", however, apt
doesn't use TLS by design:
[https://whydoesaptnotusehttps.com/](https://whydoesaptnotusehttps.com/)

~~~
jdamato
The website you linked to has several factual errors, as explained in the
article.

------
jwilk
--force-yes is bad, but for reasons that have nothing to do with replay
attacks.

This option effectively disables package authentication. This is because it
forces "yes" answer to _all_ questions, including the question about
installing unauthenticated packages.

------
jwilk
For a moment I thought there was a new research paper about attacks on APT.
Nope. The paper the article links to is from 2008.

~~~
jdamato
Yep, and the information is still relevant! The article explains how it
applies to recent versions of APT in the current Ubuntu LTS releases.

