On Tue, Jan 22, 2019 at 08:03:01AM -0800, Brendan Hoar wrote:
> https://justi.cz/security/2019/01/22/apt-rce.html
>
> A patch is out to cover this vulnerability, but I'm of the opinion that it
> may be best to move the qubes-update-proxy worker VMs to a disposable VM
> model after reading up on this one.
>
> Granted, at first glance it appears that the use of the qubes-update-proxy
> certainly helps, but using disposable VMs might provide an extra layer of
> protection.

Updates proxy unfortunately does not help with this issue, but also is not affected by it (at least not directly). It is only an HTTP proxy, which does not interpret the content it receives, only passes it down to the VM that requested it. Specifically, if a remote server sends a malicious Location: header, it will be forwarded back to apt. While in theory that proxy could perform some extra filtering on the response, it isn't used for that right now. I don't think tinyproxy supports anything like this (but we could change it to a different HTTP proxy implementation). When using HTTPS, the updates proxy does not even have a chance to do anything about it, as it sees only encrypted traffic.

Using a DisposableVM as updates proxy does not help here, because even if someone performed the attack, the updates proxy itself would remain unaffected (unless it's based on the attacked template, but then being disposable also doesn't help). The only thing that would change is if someone successfully took over the updates proxy using a different method and could then attack apt from there - and when the updates proxy is in a DisposableVM, it's easier to return such a proxy to a clean state.

> Also a good reason to ensure all of the URLs used for repositories are HTTPS,
> of course.

Yes, that's right, at least when connecting outside. As mentioned in the linked post, it's far easier to attack any intermediate network machine or mirror server than being limited only to the mirror server. On the other hand, handling HTTPS also brings its own complexity (all the OpenSSL stuff and more).

Something that could _in theory_ be a good idea is a plain HTTP connection to the updates proxy, then an HTTPS connection to download the actual updates. This still allows a compromised updates proxy to attack the template, but on the other hand, we could perform more filtering/caching at the updates proxy level. BTW it's worth checking if apt-cacher-ng a) is vulnerable itself to the attack b) prevents it spreading further (i.e. resolves redirects locally).

But keeping a more complex updates proxy also has its own downsides. First, it enlarges its attack surface (you trade some apt/dnf bugs for updates proxy bugs). But also it's harder to maintain, as you need to track various repository layout changes for multiple distributions.

Related:
https://github.com/QubesOS/qubes-issues/issues/4415 "Egypt and UAE HTTP Repository Manipulation/Poison"
https://github.com/QubesOS/qubes-core-agent-linux/pull/150 "Switch to HTTPS"
https://github.com/QubesOS/qubes-issues/issues/1957 "Cache updates"
https://github.com/rustybird/qubes-updates-cache

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
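As an added illustration of the kind of response filtering Marek says an updates proxy could in theory do (this is not Qubes' or tinyproxy's code), the hypothetical filter below parses a relayed HTTP response head and refuses to forward a Location header that carries control characters (raw or percent-encoded), leaves HTTPS, or points outside a mirror allowlist. The allowlist and the sample response heads are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed allowlist of mirror hosts the template is expected to use.
ALLOWED_HOSTS = {"deb.debian.org", "security.debian.org"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample response heads, as the proxy would see them before relaying.
SAMPLES = {
    "benign": (b"HTTP/1.1 302 Found\r\n"
               b"Location: https://deb.debian.org/debian/pool/main/x.deb\r\n"
               b"Content-Length: 0\r\n\r\n"),
    "encoded_newline": (b"HTTP/1.1 302 Found\r\n"
                        b"Location: https://deb.debian.org/a%0Ab\r\n\r\n"),
    "downgrade": (b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: http://deb.debian.org/debian/x.deb\r\n\r\n"),
}

def parse_head(raw):
    """Split a raw response head into (status line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def location_verdict(raw):
    """'pass' if the head may be relayed unchanged, else 'reject: <reason>'."""
    _, headers = parse_head(raw)
    locs = [v for n, v in headers if n == "location"]
    if not locs:
        return "pass"
    if len(locs) > 1:
        return "reject: multiple Location headers"
    loc = locs[0]
    # A redirect target never legitimately contains CR, LF or other control
    # characters; check the raw value and its percent-decoded form, so a client
    # that decodes the URL before reusing it is covered as well.
    if CONTROL_CHARS.search(loc) or CONTROL_CHARS.search(unquote(loc)):
        return "reject: control character in Location"
    parts = urlsplit(loc)
    if parts.scheme != "https":
        return "reject: redirect leaves https"
    if parts.hostname not in ALLOWED_HOSTS:
        return "reject: host not in allowlist"
    return "pass"

def check_samples():
    # Verdict per constructed sample; a quick self-check of the filter.
    return {name: location_verdict(raw) for name, raw in SAMPLES.items()}
```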