Date: Tue, 9 Jan 2018 16:46:43 +0000 From: Simon McVittie <smcv@...ian.org> To: oss-security@...ts.openwall.com Cc: Georgi Guninski <guninski@...inski.com> Subject: Re: Own on install. How grave it is? On Tue, 09 Jan 2018 at 08:37:08 -0700, Kurt Seifried wrote: > Many OS installs/etc take a password during install I think Georgi was more concerned about the installation having a secure design, but an insecure (vulnerable) implementation appearing on the installation media due to either unfixed vulnerabilities, or vulnerabilities that were fixed elsewhere but not on the installation media? For instance, the Debian installer installs packages from the install media (CD, USB stick, whatever), then immediately updates them from the Internet if possible; but there's a chicken-and-egg problem here, because that update has to be done with whatever version of apt was on the media. If that version happens to suffer from a vulnerability that can be exploited at that time (such as https://security-tracker.debian.org/tracker/CVE-2016-1252 in apt itself, or a vulnerability in the http or signature verification code that it uses) then there's an opportunity for attack. The same is true for the kernel and network-device firmware used to boot the installer. Debian mitigates this by releasing updated installation media at every point release (about 1 per 2 months for stable, somewhat slower for oldstable). I don't see any way to prevent that class of attack completely. Releasing updated installation media sooner would mitigate it, but preparing installation media is far from being a rapid process. > On Tue, Jan 9, 2018 at 6:42 AM, Georgi Guninski <guninski@...inski.com> wrote: > > Debian jessie (old stable) is vulnerable to malicious mirror attack. Assuming you're referring to CVE-2016-1252, whether this is true depends what you mean by jessie. Installs from older media (up to and including 8.6) will be vulnerable to CVE-2016-1252 during the first upgrade run, whereas installs from newer media (8.7 or newer, with the current version being 8.10) are not vulnerable. It's true that there was a window (in this case it happens to be 1 month) during which Debian offered an update for CVE-2016-1252, but the newest available installation media still suffered from it. smcv
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.