Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Jan 2018 16:46:43 +0000
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Georgi Guninski <guninski@...inski.com>
Subject: Re: Own on install. How grave it is?

On Tue, 09 Jan 2018 at 08:37:08 -0700, Kurt Seifried wrote:
> Many OS installs/etc take a password during install

I think Georgi was more concerned about the installation having a secure
design, but an insecure (vulnerable) implementation appearing on the
installation media due to either unfixed vulnerabilities, or
vulnerabilities that were fixed elsewhere but not on the installation
media?

For instance, the Debian installer installs packages from the install
media (CD, USB stick, whatever), then immediately updates them
from the Internet if possible; but there's a chicken-and-egg
problem here, because that update has to be done with whatever
version of apt was on the media. If that version happens to suffer
from a vulnerability that can be exploited at that time (such as
https://security-tracker.debian.org/tracker/CVE-2016-1252 in apt itself,
or a vulnerability in the http or signature verification code that it
uses) then there's an opportunity for attack.

The same is true for the kernel and network-device firmware used to boot
the installer. Debian mitigates this by releasing updated installation
media at every point release (about 1 per 2 months for stable, somewhat
slower for oldstable).

I don't see any way to prevent that class of attack completely. Releasing
updated installation media sooner would mitigate it, but preparing
installation media is far from being a rapid process.

> On Tue, Jan 9, 2018 at 6:42 AM, Georgi Guninski <guninski@...inski.com> wrote:
> > Debian jessie (old stable) is vulnerable to malicious mirror attack.

Assuming you're referring to CVE-2016-1252, whether this is true depends
what you mean by jessie. Installs from older media (up to and including
8.6) will be vulnerable to CVE-2016-1252 during the first upgrade run,
whereas installs from newer media (8.7 or newer, with the current version
being 8.10) are not vulnerable.

It's true that there was a window (in this case it happens to be 1 month)
during which Debian offered an update for CVE-2016-1252, but the newest
available installation media still suffered from it.

    smcv

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.