[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

apt-get upgrading security issue CVE-2016-1252


#16

Since users who download Whonix images now are vulnerable and easily fall for regular upgardes, a warning for all supported Whonix platforms on their respective download pages has been added. Implemented just now in a form of a wiki template.

https://www.whonix.org/wiki/Template:Whonix_Current_Version_Maybe_Warning

The plan is that once Whonix images with fixed apt are released as stable, that template will be emptied (should then have the same effect as not being added). Should a similar situation arise, that template can be refilled.


#17

Good day,

I feel like this has already been discussed during the transitional phase from Whonix 12 to 13, though in the wake of this security issue, it might be a good idea to bring it up again. It would perhaps be a good idea to have an aditional field in Whonixcheck which informs users of imminent issues or events, like upgrading to a new version or a bigger security flaw which requires manual changes, like this, since a lot of users likely don’t read the blog or subscribe to a newsletter. Those things of course are still important though for emergencies like this, a seperate way of communcating might be a good idea.

Have a nice day,

Ego


#18

It would perhaps be a good idea to have an aditional field in Whonixcheck which informs users of imminent issues or events,

There is an insufficient one. Called Whonix News as part of whonixcheck. (old screenshot) Insufficient, because it gets hardly noticed by anyone ever. [At least the news files gpg verification stuff is done and hopefully solid, see source code.]

This is related to Whonix Upgrade Notification. The mockup by @entr0py in thread Whonix Upgrade Notification looks good.

[ ] Do not show again [ OK ]

Very true. Very much needed.

related:

Similarly a ticket for Emergency News Notification is does not yet exist. Ideally also a generic package that can enter packages.debian.org, where Debian and its derivatives such as Qubes and Whonix can drop .d style configuration snippets.

A generic package is better. Then Debian would have informed us about this CVE-2016-1252 earlier.

Ideally the Emergency News Notification tool would also have a Permanent Takedown Attack Defender feature. The initial version wouldn’t require that, but I would be good to plan ahead so it can be added in a later iteration.

Since this is a rather involved project, I suggest to start with a great description of the problems we are seeing, as well as with the solution we are proposing. And then post this on the debian-devel mailing list in the hope that people agree and $someone will implement it. [And even if there is no $someone, there will be hopefully a ton of feedback on how to get this right.] Anyone wanting to take the lead on that? :slight_smile:


#19

For an alternative way to check for being safe from CVE-2016-1252, critically review the following comment by me:
https://github.com/QubesOS/qubes-issues/issues/2520#issuecomment-267669095


#20

emergency news proposal (features, mockup, test cases, security, communications, etc.) can be added here:


#21

i couldnt add the result in the forum because it exceeds 40000 character

but there non-free package updating ? hmm thats weird

ok found the non-free packages , it came from debian.list which is found in ;-

/etc/apt/sources.list.d/debian.list


#22

TNT BOM BOM:

i couldnt add the result in the forum because it exceeds 400000 character

No need.

but there non-free package updating ?

https://forums.whonix.org/t/adding-non-free-packages-by-default-is-it-safe


#23

This bug is getting more and more obscure. debootstraping is no longer safe as Marek pointed out.

Asked on the debian-security mailing list about that. (My message has not yet appeared on debian-security mailing list archive but you can read my message here. Will keep you posted on replies.)

Translated into less obscure terms: no downloadable upgraded Qubes or Non-Qubes-Whonix templates can be created before a solution to this issue was found.


#24

Very intersting response by an apt developer that I am going to study closer:
https://lists.debian.org/debian-security/2016/12/msg00012.html


#25

Please review this alternative sanity check:
https://www.whonix.org/wiki/CVE-2016-1252#Alternative_Check


#26

Good day,

Just checked it. Works as well.

Have a nice day,

Ego


#27

Thanks. Old workaround deprecated.

https://www.whonix.org/wiki/CVE-2016-1252


#28
  1. Is there anyway to verify non compromise yet for users who had already upgraded to version 1.0.9.8.4 other than looking for “suspiciously extra long lines”? If not, how sure can one be of non compromise?

  2. If running Qubes OS, could other VMs possibly be compromised?

  3. What is best recommendation for user already upgraded to version 1.0.9.8.4?


#29

There is none. And there will very much likely none in the foreseeable future. This is due to the the nature of malware. Detailed explanation:
https://www.whonix.org/wiki/Computer_Security_Education#Malware

Practically, you cannot.

If the attacker used this exploit and then also was smart enough to have another exploit against xen and used that, then yes, also other VMs could possibly be comprised

Nothing. That is being discussed here:
https://forums.whonix.org/t/document-recovery-procedure-after-compromise


#30

That’s what I was afraid of.

Would you consider looking for “suspiciously extra long lines” and finding none, a reasonable confirmation of not having been compromised?
Following the directions, I didn’t see anything obviously suspicious.

Don’t believe I’m a target, just privacy conscious.
Going to put you on the spot. Sorry…
If it were you, what would you do in this situation?


#31

No, because that is the first thing sophisticated malware would cover up after getting active on the system. And any attacker who exploited this vulnerability would certainly fit the definition of sophisticated.


#32

Need to correct myself. As per https://lists.debian.org/debian-security/2016/12/msg00012.html actually might be.

If you remember running apt-get update and you remember it not taking unusually long, that is if it did take as long as to download a ~ 1.3 GB file, then chances are very good you have not been compromised.


#33

@ Patrick Thanks for the replies. Guess I was looking for professional confirmation of what I already knew.

Does anyone have thoughts as to the probability of malware being introduced because of this particular issue, especially considering many whonix users upgrade via exit nodes?


#34

I am not aware of any reports of active attempts of exploitation of this bug in the wild. So for now targeted attacks only if anything. I can’t calculate a probability from that.

During manual apt-get update it would look sketchy to fetch a > 1 GB file. So not that unlikely to be spotted, I would speculate.

Most at risk seem systems using unattended upgrades. (No, Whonix does not use that.) (Specifically if these are distinguishable from manual apt-get updates - they could be - if they are running at expectable times. I don’t remember / haven’t checked this.)


#35

Thank you Patrick for handling this well. Please let us know when debootstrap is safe for those of us who build our images.