A new severe vulnerability has been discovered in Linux: apt, the package manager that Debian-based systems use to update themselves, can be tricked into accepting updates that were never signed by the distribution.
The vulnerability is CVE-2016-1252, discovered by Jann Horn.
This is a huge vulnerability that affects most Debian-based Linux distributions, because nearly all of them use apt. The danger is extreme because this package is used to update the system itself: the bug is in the way apt checks the signed InRelease index file, so an attacker sitting between you and the mirror (a man-in-the-middle) can feed you packages that fail signature verification without apt noticing, and the whole updating procedure is compromised.
This means that you can't trust any single update you download over the network, not even the patch that would supposedly fix this. You need to reinstall the OS from scratch and change all passwords that may have been exposed.
It's a big pain, which is why I have emphasized that people should not hold their money online, because things like these could compromise your entire OS and every single password or private key on it.
So treat your entire PC as compromised now; you have to secure it from scratch. It will be a long hassle, but it has to be done. Next time you might want to keep your private keys offline, because things like these do happen.
You know I have been criticizing Windows for being weak and vulnerable, like how Windows XP supposedly gets infected with malware after 5 minutes of Internet surfing. Of course I would not give up on Linux; I am just saying that no PC connected to the Internet is safe, regardless of OS.
Re-Secure your PC
Now let's secure our PC again. Remember, we can't trust any single update, since the updater itself is vulnerable, so we need to do this the hard way.
1) Buy some DVDs
2) Check the latest STABLE version of the Linux distro you are using, and check whether this bug has been fixed there by looking at which apt version it ships: https://security-tracker.debian.org/tracker/CVE-2016-1252
3) Download the ISO to a secure offline PC and verify it: check the GPG signature on the checksum file published next to the ISO (Debian ships SHA256SUMS and SHA256SUMS.sign), then check the ISO's SHA256 against that file
4) Burn the ISO to the DVD (make sure the ISO fits on the DVD, otherwise you might need a Blu-ray)
5) Verify the burned disc: its SHA256 hash must equal the original ISO's SHA256 hash (preferably on other computers, several if possible, that have not been exposed)
- Note that DVDs are written in 32768-byte ECC blocks (16 sectors of 2048 bytes) and burning programs pad the image out to a whole block, so reading the disc back returns more bytes than the ISO. Unless the ISO's size is divisible by 32768, the hash of the whole disc will not match!
- So subtract the ISO size from the size read back from the DVD, for example:
2,549,317,421 bytes (DVD) - 2,549,301,390 bytes (ISO) = 16031 bytes of padding
- Now create a file of zero bytes of that size, in this case 16031 bytes:
dd if=/dev/zero of=adding_empty_bytes bs=1 count=16031
- And append it to the original ISO:
cat yourlinuxoperatingsystem.iso adding_empty_bytes > fixed
- Now the fixed file should be the same size as the DVD image, and you can compare the SHA256 sums of the two; they must be equal. If they are, the ISO matches byte for byte what was burned to the DVD, and you have a trusted DVD with the fixed version of your OS. (This assumes the burner pads with zero bytes; the simpler alternative is to read back from the disc exactly as many bytes as the ISO contains and hash only those.)
6) Back up all your data except the software, which has to be downloaded again to be sure. Things like documents and password files, anything that can't be downloaded again from the Internet, should be backed up. Everything else has to be deleted, because in theory your PC could now be full of malware and we cannot trust any software on it.
7) Format the hard drive (this will delete everything you haven't backed up!)
8) Reinstall the OS from the trusted DVD you created earlier
9) Download all your software again; now the apt command should be safe. Then restore the backed-up files.
10) Change all your passwords, including Steemit, just to be safe. If you held bitcoins on your online PC (not recommended), you might want to create a new wallet and sweep the bitcoins from the previous one into it.
11) You should be safe now, but as I said, things like this could happen again, so you might want to set up offline cold storage for larger funds, because they are constantly at risk.
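The two verification steps above (step 3, checking the ISO against its signed checksum file, and step 5, checking the burned disc against the ISO) as a script. This is an added example, not code from the original post. It avoids the zero-padding trick by reading back from the disc only as many bytes as the ISO contains; the file names, the device /dev/sr0 and the keyring path are assumptions for the illustration, and the archive key must already have been imported into that keyring.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Step 3: verify the distribution's signed checksum file, then the ISO.
# Step 5: compare the burned disc with the ISO without hand-padding it.
# Assumed names: /dev/sr0 (DVD drive), debian-cd.gpg (keyring with the
# CD signing key), SHA256SUMS / SHA256SUMS.sign (Debian's checksum file).
set -eu

# Hash stdin to a bare hex digest (GNU coreutils, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Step 3: check the detached signature on the checksum file with an
# explicit keyring (never the whole ~/.gnupg), then look the ISO up in it.
# Exit status 0 only if both the signature and the hash check pass.
verify_iso() {
    keyring=$1; sums=$2; sig=$3; iso=$4
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums"
    expected=$(awk -v f="$(basename "$iso")" '$2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "$(basename "$iso") not listed in $sums" >&2; return 1; }
    actual=$(sha256_of < "$iso")
    [ "$expected" = "$actual" ] || { echo "ISO hash mismatch" >&2; return 1; }
    echo "ISO OK $actual"
}

# Step 5: compare the disc (a device, or a dd dump of it) with the ISO.
# Only the first iso_size bytes are read, so whatever the burner appended
# to fill the last 32768-byte block never enters the hash.
verify_burn() {
    iso=$1; disc=$2
    iso_size=$(wc -c < "$iso" | tr -d ' ')
    iso_sum=$(sha256_of < "$iso")
    disc_sum=$(head -c "$iso_size" "$disc" | sha256_of)
    if [ "$iso_sum" = "$disc_sum" ]; then
        echo "MATCH $iso_sum"
        return 0
    fi
    echo "MISMATCH iso=$iso_sum disc=$disc_sum" >&2
    return 1
}

# Usage: sh verify_disc.sh debian.iso /dev/sr0
# (run verify_iso debian-cd.gpg SHA256SUMS SHA256SUMS.sign debian.iso first)
if [ "$#" -eq 2 ]; then
    verify_burn "$1" "$2"
fi
```

verify_burn reads the disc sequentially, so on a real drive it takes as long as reading the whole ISO once; a MISMATCH on a disc whose first bytes match usually means a bad burn rather than tampering, but either way the disc must not be used.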
It is a very boring and miserable thing to do all of this every time your PC becomes insecure, which is why most of your wealth, and especially your private keys, should be kept in cold storage, so that you can sleep well at night.
A lot of these steps might look unnecessary, but they really are necessary. Malware and hacking are not a joke; it does happen, it can happen to you, it can happen to anyone. Just read my last article:
So if you don't want your money to be stolen by things like these, it is better to stay 5 steps ahead of the hackers than to lose money. Good luck!
Disclaimer: The information provided on this page might be incorrect. I am not responsible if you lose money using the information on this page! This is not an investment advice, just my opinion and analysis for educational purposes.
I'm half tempted to downvote this post, but I'll hold off because I'm going to assume you're just acting out of concern and not trying to clickbait.
I've reviewed the CVE you linked. There is absolutely no evidence apt was compromised. The only thing the bug report is saying is that apt was failing to check signatures properly on packages installed by it.
That is a WORLD away from what you're saying which was that apt itself had somehow been compromised.
Here's how to deal with this problem if you're on an APT based distro.
Open a command line and type
It'll update apt to one that's checking signatures properly and reboot your computer.
Yeah, but if you get attacked when you are doing the update, it is over. So everyone has to hope no attacker is lurking, waiting for them to do an apt-get update. I agree with the original post: if your security matters, in terms of the $$ you would lose, you need to rebuild apt from a trusted source.
There is no evidence apt itself has been compromised, and a simple check of the file hash would tell you if it had.
You can't get MITM (which is the only way this attack vector actually works) if you're downloading via https from official repos, which is what 99.99% of users are doing. Even the PPA repos are served over https. The repos are doing their own signature checking prior to allowing the package maintainer to upload a package.
This is literally a question of "does the file hash match the published hash?".
If yes, then there is nothing to worry about. If no, then where did you obtain your copy of apt from? Either way, an apt update (as per the CVE) will fix this.
This isn't gentoo or Arch. You don't rebuild apt from a trusted source, you download it from your distro maintainer. Apt isn't what's compromised here, it's just that some of the packages apt can install could be handled incorrectly if their signature validation check failed.
Your advice is very, very bad. It's ignorant and borders on dangerous. I just thank god no PHB's are reading steemit for IT advice.
This is a bug in apt, which is just a program. An important program, but still it's just part of user space. You're asking people to revert the entire OS including the kernel to a state where the apt bug would still be present, but they would have rolled back any and all updates since the last distro release was cut.
Following this advice would leave their system vulnerable until such time as the system had finished updating. When the system updated it would be doing the exact same thing I just recommended.
There is no example of this being exploited in the wild. No packages are missing signatures, nor do any known packages have bad signatures.
Just apt update and be done with it.
When I say rebuild I mean install/update or whatever to the fixed version. You join my point when you said you need to check the hash, i.e. a trusted source is required. I am not saying https is not enough; I said that if you had doubt, you should forget everything you have updated recently. This CVE is hard to exploit, normally. But you can't just brush off the scenarios where it is relevant. Also, yeah, it should be so dramatic.
But if APT is compromised, then the game is over: any malware can reside on your PC. And you cannot trust any hash from that PC, since there is malware that could modify it. This is the biggest type of risk there is, when the updater itself could be compromised.
Hurt the messenger....? I just try to help people, because many people here have hundreds of thousands of dollars worth of assets on their computer. Steem private keys, bitcoin private keys, most people are heavily exposed to risk.
Yeah, 99% of the time things will be fine, but if that 1% of the time somebody loses like $500,000 because nobody warned him, whose fault will that be?
Better stay prepared for all threats.
It'll be yours if they follow your advice and end up in a worse situation, that's why I'm being so adamant about this.
You're not "overblowing" the problems, you're completely mis-stating the threat, the attack surface and the proper solution.
You don't comprehend the threat, its nature, or its applicability. You don't seem to understand that this is not an exploitable vulnerability in the general sense. You would have to have downloaded apt from an untrusted source, and then you would have needed to download a compromised package, and that package would need to drop malware and get it to run. This isn't likely at all. In fact I'm going to go out on a limb here and say there is a 0% chance this has happened to anyone at all, ever, since https and app signing were introduced.
Again this isn't windows, we don't just install random crap from random sources via apt. There are other checks in place and you can trust these checks, because lots and lots of people are watching for exactly this sort of shenanigans.
It and your proposed solution leave the system in an unpatched state where there are known exploits. It doesn't fix it, it makes it worse.
Here is a list of 72 known exploits your "fix" re-introduces.
https://www.ubuntu.com/usn/
You'll notice that the exploit you're concerned about is still on that list. So your solution doesn't fix the problem it just adds 71 more in addition to the heavy work of re-establishing the system configuration after an FFR. Which in the case of some computers requires manually editing config files just to get the internet functional, raid drivers running and don't get me started on 3D graphics.
This isn't windows. APT is pulling from https URLs. The URLs are all well known as is their complete contents including the hashes of the files hosted there. There isn't a "broken APT" circulating in the wild. There is no package in any repo that had this bad sig issue. There isn't malware in any of the official repositories. They all pass independent signature verification. Independent, as in a lot of people and systems are checking these things every single time we update our systems. With more than just apt and more than just one hash algo.
So yes I'm going to be a bit dramatic here. You're giving bad advice. I mean it, this is genuine bad advice. You either didn't read the CVE, or you completely misunderstood it. But your advice weakens systems that BTW have very likely already patched against this with no ill effects.
I am not sure I follow you. What are you talking about here?
I have said in my article that only if the solution is fixed should you download the latest release. I was also implying but forgot to say that the latest "stable" release should be downloaded; if that is a more accurate explanation, I will edit it into the article.
Other than that how is it actually more risky to update than to leave the current flawed version on the PC?
Just for the record , I am not using Ubuntu. I was referring to Debian mostly.
The "latest release" is an iso file that was cut months ago. For 16.04 LTS that would mean rolling all the way back to April. For 16.10 it's only since October, but that's still a ton of vulnerabilities to reintroduce into your system.
It's not like there's a daily snapshot you can grab, unless you're living dangerously and going onto one of the dev branches.
And you know, this guy's "fix" would also re-introduce the flawed apt package, which likely would already have been fixed. I don't understand why this guy has such a hard time understanding why he's wrong.
Well then just update the system manually. Get the latest apt package updated first, and then download the rest of the updates.
It's bad if the new releases come out monthly; people need to rely heavily on the updater then.
You can always just use an RPM-based distro until a new ISO image comes out for Debian OSes, for example.
This only affects Debian-based systems like Debian, Slackware, and Ubuntu. To affect the computer you have to have a man-in-the-middle attack, meaning that somebody would have to set up a false repository for this to work. I would just update my Debian-based system as fast as possible.
People, like me, using RPM-based systems (Fedora, SUSE, Mageia) should not be affected by this.
Yep, the
...is overblown.
I would have said:
...is wrong :)
I thought Slackware has its own packaging system that's entirely different from .deb, or at least it used to be. I was a Slackware user in the mid-nineties.
No, I looked it up and you are right. Seems to be called pkgtool. My mistake.
http://www.slackbook.org/html/package-management.html
Most people do use Debian and Ubuntu.
Why keep this up? Why not say: "I overreacted."
You say overreaction, I say precaution.
Well, suit yourself.
This article is sensationalism and poor advice. I would urge you to be more circumspect in your handling of security announcements. The Debian community is a responsible community and has demonstrated integrity in the way they handle security concerns. I don't see them suggesting such drastic actions to remedy this occurrence.
Yes but people over here have millions of dollars to lose if they don't act "drastically".
People around here should be the most cautious. Steemit accounts are worth a lot.
Is it really necessary to be so defensive about this? Mistakes are opportunities to learn. Don't waste the opportunity or you could end up making the same mistake again. Take it on the chin. You messed up. You waded out into the deep water and got into trouble. When you're drowning, do you refuse to believe you are drowning, or do you call for help?
You are drowning in a sea of criticism. Ask for help on how you can do better in the future.
This whole article is wrong on so many levels. It makes me believe that the author either doesn't know anything about Linux, or is just throwing out some clickbait in order to earn some more steem.
Yes, sure, blame the messenger, but then when somebody does get hacked or phished, whose fault will that be?
Will you let that sit on your conscience, not warning people? Will you let people get their Steemit accounts hacked, knowing that you could have done something to prevent that?
I'm not blaming the messenger. I'm just saying that your reporting of this issue is just plain inaccurate.
Can you put forward an argument where you think my article is inaccurate?
A lot of other people have already pointed out your gross inaccuracies and have tried to explain where you're wrong. If they haven't convinced you, then there's no point in me wasting my time.
Thanks for the alert.
I see tons of people in the comments blaming me for warning people. Sure guys just blame the messenger for warning people of an existing threat.
So you guys think that cyber hacking is just a conspiracy theory? Yeah billions of dollars get hacked year over year: bank accounts, email accounts, you name it. And there have been cases where bitcoin were hacked out of a wallet, phished out through fake websites.
But when I warn people about an actual threat that could very well lead to loss of money, people think I am the bad guy for warning?
GTFO guys!
No.. Not a huge vulnerability and apt is only on debian based distros
All right, corrected. I forgot that people use Fedora and FreeBSD and things like that.
Wow, sounds really bad! :(
I wonder if there's a new distro for Raspberry PI?
Probably not, smaller distros like that get updates monthly, but you can check their website.
I know that some Debian-based distros are already fixed; otherwise you can re-download the current ISO version and the new apt package (with dependencies), burn that to a separate CD, and update/patch it manually without the Internet. That could be a harder thing to do, but if you need your PC updated immediately, it's the only way.
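Patching apt offline from a CD, as the comment above suggests, means doing by hand the checks apt would normally do for you: verify the mirror's signed Release index, check the Packages index against it, check each .deb against Packages, and only then run dpkg -i. The script below is an added example, not code from the comment or from Debian. The repository files (Release, Release.gpg, Packages) are assumed to have been fetched on the download machine from the security mirror together with the .deb; the keyring name, the index path main/binary-amd64/Packages and the package file names are placeholders for the illustration.

```shell
#!/bin/sh
# Added example, not from the comment or from Debian: verify a manually
# downloaded .deb the way apt is supposed to before installing it offline.
# Assumed inputs, all copied from the download machine:
#   debian-archive.gpg  keyring holding only the distro's archive key
#   Release, Release.gpg   signed top-level index and its detached signature
#   Packages               per-architecture index listed in Release
#   apt_fixed_amd64.deb    the package (placeholder name)
set -eu

# Hash stdin to a bare hex digest (GNU coreutils, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Release.gpg is a detached signature over Release; check it against the
# explicit keyring only, so nothing in ~/.gnupg can vouch for the index.
verify_release_sig() {
    keyring=$1; release=$2; sig=$3
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$release"
}

# Release lists, under a "SHA256:" header, one " <hash> <size> <path>" line
# per index file.  Print the hash recorded for PATH, nothing if absent.
release_sha256() {
    release=$1; path=$2
    awk -v p="$path" '
        /^SHA256:/ { in_sha = 1; next }
        /^[A-Za-z]/ { in_sha = 0 }
        in_sha && $3 == p { print $1; exit }
    ' "$release"
}

# Packages is a series of blank-line separated stanzas, each with a
# "Filename:" and a "SHA256:" field.  Print the hash recorded for FILENAME.
packages_sha256() {
    packages=$1; filename=$2
    awk -v f="$filename" '
        /^$/ { hit = 0 }
        /^Filename: / { hit = ($2 == f) }
        /^SHA256: / && hit { print $2; exit }
    ' "$packages"
}

# Compare a file's real digest with the one the signed index records.
# Returns 0 on match, 1 on mismatch or when the index does not list it.
check_file() {
    file=$1; expected=$2
    actual=$(sha256_of < "$file")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "OK $file"
        return 0
    fi
    echo "REJECT $file (expected '${expected:-none}', got $actual)" >&2
    return 1
}

# Full chain: Release signature -> Packages hash -> .deb hash -> dpkg -i.
# Any failing step aborts (set -e) before dpkg is ever reached.
install_verified() {
    keyring=$1; release=$2; sig=$3; packages=$4
    pkg_index_path=$5; deb=$6; deb_pool_path=$7
    verify_release_sig "$keyring" "$release" "$sig"
    check_file "$packages" "$(release_sha256 "$release" "$pkg_index_path")"
    check_file "$deb" "$(packages_sha256 "$packages" "$deb_pool_path")"
    dpkg -i "$deb"
}

# Usage: sh install_verified.sh debian-archive.gpg Release Release.gpg Packages \
#          main/binary-amd64/Packages apt_fixed_amd64.deb pool/main/a/apt/apt_fixed_amd64.deb
if [ "$#" -eq 7 ]; then
    install_verified "$@"
fi
```

Dependencies are handled the same way: check each .deb with check_file against the Packages entry for its pool path, then install them together with one dpkg -i call. Note that apt's own InRelease handling is what CVE-2016-1252 broke; this script only ever verifies a detached Release.gpg, so it does not depend on that code path.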
T.Y.
Thank you for bringing this to my attention.
No problem.
This post has been ranked within the top 80 most undervalued posts in the first half of Dec 15. We estimate that this post is undervalued by $5.97 as compared to a scenario in which every voter had an equal say.
See the full rankings and details in The Daily Tribune: Dec 15 - Part I. You can also read about some of our methodology, data analysis and technical details in our initial post.
If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.
Considering that pretty much everything that this guy says in this article is wrong, I would say that it's highly OVERvalued.
I am having trouble updating my Linux in #bash ... Can you help @profitgenerator ?
mint@mint ~ $ apt-get update
Reading package lists... Done
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)
https://unix.stackexchange.com/q/464867/304589