Cybersecurity researchers have discovered that it is attainable for menace actors to use a widely known utility known as command-not-found to suggest their very own rogue packages and compromise techniques operating Ubuntu working system.
“Whereas ‘command-not-found’ serves as a handy device for suggesting installations for uninstalled instructions, it may be inadvertently manipulated by attackers by way of the snap repository, resulting in misleading suggestions of malicious packages,” cloud safety agency Aqua stated in a report shared with The Hacker Information.
Put in by default on Ubuntu techniques, command-not-found suggests packages to put in in interactive bash periods when making an attempt to run instructions that aren’t accessible. The strategies embrace each the Superior Packaging Instrument (APT) and snap packages.
When the device makes use of an inside database (“/var/lib/command-not-found/instructions.db”) to recommend APT packages, it depends on the “advise-snap” command to recommend snaps that present the given command.
Thus, ought to an attacker have the ability to recreation this technique and have their malicious package deal advisable by the command-not-found package deal, it might pave the best way for software program provide chain assaults.
Aqua stated it discovered a possible loophole whereby the alias mechanism might be exploited by the menace actor to probably register the corresponding snap title related to an alias and trick customers into putting in the malicious package deal.
What’s extra, an attacker might declare the snap title associated to an APT package deal and add a malicious snap, which then finally ends up being instructed when a consumer varieties within the command on their terminal.
“The maintainers of the ‘jupyter-notebook’ APT package deal had not claimed the corresponding snap title,” Aqua stated. “This oversight left a window of alternative for an attacker to assert it and add a malicious snap named ‘jupyter-notebook.'”
To make issues worse, the command-not-found utility suggests the snap package deal above the reliable APT package deal for jupyter-notebook, deceptive customers into putting in the pretend snap package deal.
As many as 26% of the APT package deal instructions are susceptible to impersonation by malicious actors, Aqua famous, presenting a considerable safety danger, as they could possibly be registered beneath an attacker’s account.
A 3rd class entails typosquatting assaults during which typographical errors made by customers (e.g., ifconfigg as a substitute of ifconfig) are leveraged to recommend bogus snap packages by registering a fraudulent package deal with the title “ifconfigg.”
In such a case, command-not-found “would mistakenly match it to this incorrect command and suggest the malicious snap, bypassing the suggestion for ‘net-tools’ altogether,” Aqua researchers defined.
Describing the abuse of the command-not-found utility to suggest counterfeit packages as a urgent concern, the corporate is urging customers to confirm the supply of a package deal earlier than set up and test the maintainers’ credibility.
Builders of APT and snap packages have additionally been suggested to register the related snap title for his or her instructions to forestall them from being misused.
“It stays unsure how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive protection methods,” Aqua stated.
