Command-not-found: how hackers slip malicious packages to Linux users

Teacher

The pre-installed utility undermines the security of millions of Ubuntu users.

Researchers from Aqua Security discovered a critical vulnerability that allows attackers to break into Linux-based systems. The issue lies in the "command-not-found" utility built into the Ubuntu distribution, which helps users install missing programs.

Command-not-found prompts users to install packages when they try to run commands that are not available on the system. The utility can recommend both standard APT packages and snap packages from the Snappy repository. It looks up APT packages in an internal database and uses the advise-snap command to search for snap equivalents.

After studying how the utility works, Aqua Security researchers found that it can be deceived through the alias system. When searching for snap packages, the utility relies on matching the command name against the package name. An attacker can therefore register a malicious snap package under any alias they choose.

As a result, when users try to run a command associated with this alias, command-not-found will recommend that they install a fake package.

Another attack vector is the ability to register snap packages with names that match existing APT packages. For example, hackers can publish a malicious snap package named "jupyter-notebook", and the command-not-found utility will recommend it by default instead of the original APT package.

According to the researchers, about 26% of commands for APT packages in Ubuntu are vulnerable to such substitution. Registering the corresponding snap under one's own account is not difficult.

In addition, hackers can exploit typos that inexperienced users often make when entering commands. For example, instead of "ifconfig", a person may type "ifconfigg". By creating a fake snap package "ifconfigg", hackers ensure that command-not-found recommends it instead of the net-tools package, which contains the real command.

The researchers call the described problem systemic for Ubuntu and point out that the utility needs serious updates. They also encourage users to carefully check the reputation and source of recommended packages before installing them.

Developers of APT packages, in turn, are encouraged to register snap names associated with their products. This will help prevent spoofing by malicious users.
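The two attack vectors above (snap names colliding with APT package commands, and typo-squatted snap names) and the mitigation for maintainers (register the snap name yourself) can be audited mechanically. The following is an added example, not code from the original post, from Aqua Security, or from command-not-found itself. It models the utility's lookup on a constructed command-to-APT-package database and a constructed snap registry (the `Snap` class, the sample entries and the `verified` flag are assumptions for illustration), then reports names nobody has claimed, names held by an unverified publisher, and registered snaps one edit away from a real command.

```python
# Added example: audit a constructed command-not-found database against a
# constructed snap registry for squattable names. Not the utility's own code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Snap:
    name: str
    publisher: str
    verified: bool  # assumed: whether the store marks the publisher as verified


# Constructed sample of the internal database: command name -> APT package.
APT_COMMANDS = {
    "jupyter-notebook": "jupyter-notebook",
    "ifconfig": "net-tools",
    "htop": "htop",
    "tree": "tree",
}

# Constructed sample snap registry. "jupyter-notebook" is held by an unrelated
# account (name collision); "ifconfigg" is a typo-squat of "ifconfig".
SNAP_REGISTRY = {
    "htop": Snap("htop", "canonical", True),
    "jupyter-notebook": Snap("jupyter-notebook", "random-account", False),
    "ifconfigg": Snap("ifconfigg", "random-account", False),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recommend(command, apt_commands, snap_registry):
    """Simplified model of the precedence the article describes: a snap whose
    name matches the command is suggested ahead of the APT package.
    Returns (source, package, publisher) or None."""
    if command in snap_registry:
        snap = snap_registry[command]
        return ("snap", snap.name, snap.publisher)
    if command in apt_commands:
        return ("apt", apt_commands[command], None)
    return None


def unclaimed_names(apt_commands, snap_registry):
    """APT command names with no snap registered at all: claimable by anyone.
    These are the names maintainers are advised to register themselves."""
    return sorted(c for c in apt_commands if c not in snap_registry)


def collisions(apt_commands, snap_registry):
    """APT command names whose matching snap is held by an unverified publisher."""
    return sorted(
        c for c in apt_commands
        if c in snap_registry and not snap_registry[c].verified
    )


def typosquat_candidates(apt_commands, snap_registry, max_distance=1):
    """Registered snaps that are not a real command but sit within
    max_distance edits of one, e.g. 'ifconfigg' next to 'ifconfig'."""
    found = []
    for snap_name in snap_registry:
        if snap_name in apt_commands:
            continue
        for cmd in apt_commands:
            if levenshtein(snap_name, cmd) <= max_distance:
                found.append((snap_name, cmd))
    return sorted(found)


if __name__ == "__main__":
    print("unclaimed:", unclaimed_names(APT_COMMANDS, SNAP_REGISTRY))
    print("collisions:", collisions(APT_COMMANDS, SNAP_REGISTRY))
    print("typosquats:", typosquat_candidates(APT_COMMANDS, SNAP_REGISTRY))
    for cmd in ("jupyter-notebook", "ifconfigg", "tree"):
        print(cmd, "->", recommend(cmd, APT_COMMANDS, SNAP_REGISTRY))
```

Run as-is it flags "ifconfig" and "tree" as unclaimed, "jupyter-notebook" as a collision with an unverified publisher, and "ifconfigg" as a typo-squat of "ifconfig". Replacing the constructed dictionaries with a real export of the command database and a store query turns this into the check a maintainer would run before deciding which snap names to register.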

It is not known whether the command-not-found vulnerability has already been exploited in real attacks. However, the problem has been widely publicized, and Canonical, the developer of Ubuntu, has promised to take measures to fix the vulnerability in the near future.