Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Is there a security vulnerability in Ubuntu Updater?

  1. #1
    Join Date
    Feb 2006
    Location
    Winkler, MB., CA
    Beans
    Hidden!
    Distro
    Ubuntu

    Is there a security vulnerability in Ubuntu Updater?

    I have my Ubuntu 16.04 set to not to check for updates automatically, yet sometimes when I connect to the internet the updater will pop up and suggest updates which when i go to install are unverified. So I don't update. After canceling the updater it frequently pops up again a few seconds later.

    Is there a man in the middle attack that can launch this updater remotely by connecting to the appropriate port that the updater listens on?

    If so is this a security issue that needs resolving?
    Last edited by Floppyjoe; April 28th, 2017 at 01:18 AM.

  2. #2
    Join Date
    Jun 2016
    Beans
    1,867
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: Is there a security vulnerability in Ubuntu Updater?

    Do you have the unattended-upgrades package installed?
    Xubuntu 18.04/MacBookPro9,1 ♦ openSUSE Tumbleweed/Debian 10/Xubuntu/VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  3. #3
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    10,853
    Distro
    Ubuntu

    Re: Is there a security vulnerability in Ubuntu Updater?

    Those are probably just old updates, past their prime.
    You need to run an apt-get update to refresh things.
    Reference point: https://askubuntu.com/questions/3055...rified-warning
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful
    .

  4. #4
    Join Date
    Feb 2006
    Location
    Winkler, MB., CA
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Is there a security vulnerability in Ubuntu Updater?

    Quote Originally Posted by halogen2 View Post
    Do you have the unattended-upgrades package installed?
    Yes this unattended-upgrades package is installed. But that doesn't explain why those updates are not verifiable by the OS.

  5. #5
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,520

    Re: Is there a security vulnerability in Ubuntu Updater?

    Quote Originally Posted by Floppyjoe View Post
    If so is this a security issue that needs resolving?
    No. There is no process that listens for updates.
    There is no way to 'push' updates to your system.

    Look instead for an apt misconfiguration.

  6. #6
    Join Date
    Feb 2006
    Location
    Winkler, MB., CA
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Is there a security vulnerability in Ubuntu Updater?

    Quote Originally Posted by ian-weisser View Post
    No. There is no process that listens for updates.
    There is no way to 'push' updates to your system.

    Look instead for an apt misconfiguration.
    So could apt be "man in the middled" when it checks for updates?
    I use apt-transport-tor and apt-transport-https and it seems that someone does not like it when i try to obfuscate what I am downloading to my computer.
    I use a repository that supports https.
    Last edited by Floppyjoe; April 29th, 2017 at 12:15 AM.

  7. #7
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,520

    Re: Is there a security vulnerability in Ubuntu Updater?

    This is a moderately common question.

    While a non-https apt source could be MITM'd, tampered packages from that false source will promptly fail their signature check, and apt will reject those packages as corrupt.
    See the manpages for apt-key and apt-secure for much more detail.
    Very smart and sneaky Debian gurus thought long and hard about package security, and nobody has found a worthwhile hole in it yet.
    The entire system is open source, so feel free to look for holes. File a bug report if you find one.

    Of course you, the admin, can be fooled by a social attack into disabling that protection, just like you can be fooled into disabling *any* protection.

  8. #8
    Join Date
    Feb 2006
    Location
    Winkler, MB., CA
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Is there a security vulnerability in Ubuntu Updater?

    Quote Originally Posted by ian-weisser View Post
    This is a moderately common question.

    While a non-https apt source could be MITM'd, tampered packages from that false source will promptly fail their signature check, and apt will reject those packages as corrupt.
    See the manpages for apt-key and apt-secure for much more detail.
    Very smart and sneaky Debian gurus thought long and hard about package security, and nobody has found a worthwhile hole in it yet.
    The entire system is open source, so feel free to look for holes. File a bug report if you find one.

    Of course you, the admin, can be fooled by a social attack into disabling that protection, just like you can be fooled into disabling *any* protection.
    I just preformed and "sudo apt-get update" while using apt-transport-tor and apt-transport-https with https enabled repositories and there were some hash sum mismatches and also a segmentation fault core dumped.

    I did "sudo rm /var/crash/*" to get rid of the popups.

    sometimes this "sudo apt-get update" command works without errors.

  9. #9
    Join Date
    Feb 2006
    Location
    Winkler, MB., CA
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Is there a security vulnerability in Ubuntu Updater?

    This morning after clearing the lock in "/var/lib/apt/lists/", my updates downloaded without error. But this is not always the case.

  10. #10
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,520

    Re: Is there a security vulnerability in Ubuntu Updater?

    "Not always the case" is a big vague.
    Are you saying that updates sometimes download with error?
    Or are you saying that updates don't download every day? (hint: expected behavior)
    Or are you saying something else?

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •