Announcement

Collapse
No announcement yet.

Unexpected Ubuntu 16.04.6 LTS Coming Due To APT Security Issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Unexpected Ubuntu 16.04.6 LTS Coming Due To APT Security Issue

    Phoronix: Unexpected Ubuntu 16.04.6 LTS Coming Due To APT Security Issue

    No further point releases to Ubuntu 16.04 LTS had been planned, but in light of the recent APT vulnerability, Canonical has decided to issue an Ubuntu 16.04.6 update that will be hitting the mirrors soon...

    http://www.phoronix.com/scan.php?pag...4.6-LTS-Coming

  • #2
    ... right in time i guess?

    Comment


    • #3
      This is a very sensible thing for Canonical to do. Without this point release, you'd have a lot more people installing 16.04 and then running the vulnerable apt to update it; in the process of that update, their system could get compromised.

      If any of you reading this have old 16.04 ISOs / disks lying around, consider deleting/destroying them, so that if you do need to install 16.04 again, you will naturally download the latest (16.04.6) ISOs.

      I expect lots of systems have already been compromised by exploiting this vulnerability. It would be incredibly easy and reliable to exploit and gives you root access.

      I'm surprised this vulnerability didn't get more media attention.

      Comment


      • #4
        Originally posted by cybertraveler View Post
        I'm surprised this vulnerability didn't get more media attention.
        Yeah, even Softpedia didn't write anything about it and they are usually on top of all Linux and distro vulnerabilities...

        Comment


        • #5
          Ah, the wonders of the centralized repository or "app store" cancer. Delightful.

          Comment


          • #6
            I would be more concerned with why and how many packages are being tampered with in repos.

            Separate notes, I have had more than one issue with iso gpg key's and signature verification's. I am a lot less worried about apt or a given package manager. I use Linux for it's ability to be customized, however, that is about as far as I trust it.
            Last edited by creative; 02-24-2019, 06:08 PM.

            Comment


            • #7
              Originally posted by cybertraveler View Post
              I expect lots of systems have already been compromised by exploiting this vulnerability. It would be incredibly easy and reliable to exploit and gives you root access.
              I'm surprised this vulnerability didn't get more media attention.
              That's a strong armchair statement of opinion.

              Now how about you describe how you personally would go about exploiting this vulnerability in order to get root on any one other system on this entire planet. It's doable, but let's see if you have even a basic understanding of how "easy" it is.
              Last edited by linuxgeex; 02-24-2019, 02:46 PM.

              Comment


              • #8
                Originally posted by linuxgeex View Post
                That's a strong armchair statement of opinion.

                Now how about you describe how you personally would go about exploiting this vulnerability in order to get root on any one other system on this entire planet. It's doable, but let's see if you have even a basic understanding of how "easy" it is.
                Not sure why you're so salty.

                Regardless: you can learn about the exploit here if you like: https://justi.cz/security/2019/01/22/apt-rce.html

                If you don't agree that would be incredibly easy for an attacker to exploit... fair enough.

                I think any MITM with modest scripting skills and a day to spare could exploit this reliably & easily.

                P.S. my chair has no arms

                Comment


                • #9
                  Originally posted by cybertraveler View Post

                  Not sure why you're so salty.
                  Because people who cry wolf make management ignore issues that actually need to be addressed promptly.

                  Originally posted by cybertraveler View Post
                  I think any MITM with modest scripting skills and a day to spare could exploit this reliably & easily.
                  Yes. And how exactly would you go about making yourself a man in the middle so you could exercise this exploit "easily" and therefore justify your statement that this exploit is easy and has already compromised a large amount of apt-based systems?

                  I did enjoy your humour, but please, take security more seriously.

                  15-20 years ago this might have been easier to exploit - before NOCs started blocking NICs in promiscuous mode that aren't on segmented networks, and before VPS vendors were using point-2-point VETH to allocate IPs. But these days ARP poisoning, DHCP hijacking, sniffing, are impossible in a responsibly operated NOC. So good luck executing MITM without being an infrastructure provider, and good luck not getting caught if you are.

                  That being said, anyone running a PCI or ISO27000-compliant service needs to apply this patch immediately to stay in compliance, and it will be nice to know that it's been adopted by a majority of systems, to reduce the reward side of the risk-reward equation driving bad actors to make the effort required to actually exploit it.
                  Last edited by linuxgeex; 03-04-2019, 06:46 PM.

                  Comment


                  • #10
                    Originally posted by linuxgeex View Post

                    Because people who cry wolf make management ignore issues that actually need to be addressed promptly.
                    Cry wolf? This is a huge issue. The Canonical security team agree with me. They issued a new point release for 16.04 LTS purely because of this issue. They weren't even planning on making another point release for that OS.

                    Originally posted by linuxgeex View Post
                    I did enjoy your humour, but please, take security more seriously.
                    I take security seriously. I carefully updated all the apt-based systems under my control to ensure they couldn't be exploited during the update process.

                    Of note: many apt-based systems (including Ubuntu) will automatically run "apt-get update" without prompting the user. This means those systems could have been rooted with zero user interaction.

                    If my language seems light/humorous, it's because I try my best to stay that way. It's always best to be calm and high spirited IMO.

                    P.S. I have no interest in discussing the odds of their being a MITM in any given situation. That's a huge discussion and I don't know who you are. My rule of thumb: all communications received over a public network should be considered not trustworthy and potentially compromised.

                    Comment

                    Working...
                    X