Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and its OpenPGP signing key to the system. Trusting that key effectively gives whoever controls the repository full root access, in principle, to the whole system, and the repository entry makes the system contact Microsoft's servers every time APT refreshes its package cache.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs already available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
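A defender-side check and cleanup for an entry like the one shown above, as an added example (not code from the story, from Raspberry Pi OS, or from the package in question): it audits the APT source lists for any active entry naming a given repository host, comments such entries out the way the generated file itself suggests, and writes a standard APT preferences pin so packages from that origin are refused even if the entry is re-added. The host name, the usual /etc/apt paths and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical audit helper (not from Raspberry Pi OS or the package in question).
# Finds APT source entries pointing at a repository host, disables them the way
# the generated vscode.list suggests (commenting out), and pins that origin to
# priority -1 so APT refuses its packages even if the entry is re-added later.

# Turn a hostname into a literal regex (dots must not match any character).
host_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print active "deb"/"deb-src" lines in DIR/*.list whose URL contains HOST,
# prefixed with the file name. Returns 0 if any were found, 1 otherwise.
audit_apt_sources() {
    dir="${1:-/etc/apt/sources.list.d}"
    host_re=$(host_regex "${2:-packages.microsoft.com}")
    found=1
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        # Commented-out lines do not match: the pattern requires deb at line start.
        if matches=$(grep -En "^[[:space:]]*deb(-src)?[[:space:]].*$host_re" "$f"); then
            printf '%s\n' "$matches" | sed "s|^|$f:|"
            found=0
        fi
    done
    return "$found"
}

# Comment out matching entries in FILE in place, leaving FILE.bak as a backup.
neutralize_entry() {
    file="$1"
    host_re=$(host_regex "${2:-packages.microsoft.com}")
    sed -i.bak -E "/^[[:space:]]*deb(-src)?[[:space:]].*$host_re/s/^/# disabled: /" "$file"
}

# Write an APT preferences stanza that pins every package from HOST to -1,
# which means "never install", regardless of which source list names the host.
write_apt_pin() {
    file="${1:-/etc/apt/preferences.d/block-third-party}"
    host="${2:-packages.microsoft.com}"
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n' "$host" > "$file"
}

# Run directly as: sh apt-audit.sh audit [HOST]
case "${1:-}" in
    audit) audit_apt_sources /etc/apt/sources.list.d "${2:-packages.microsoft.com}" ;;
esac
```

Run the audit as a normal user; the neutralize and pin steps need root because they write under /etc/apt.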
(Score: 5, Insightful) by sjames on Friday February 05 2021, @06:06AM (3 children)
Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly.
(Score: 4, Insightful) by Arik on Friday February 05 2021, @06:51AM (2 children)
And this is also why you should never accept automatic updates, period.
Once you do, then all someone has to do is either take over, or impersonate, your upstream and you are pwned.
It's far too insecure a design to be used for anything but a plush toy, and a good argument can be made against even that exception.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Friday February 05 2021, @09:05AM (1 child)
All packages are signed to protect against impersonation attacks. This of course does not protect you when your actual upstream has been subverted, as happened here.
(Score: 2) by Arik on Saturday February 06 2021, @08:41AM
Translation: it's not easy to impersonate.
Yep, didn't say it was.
I said:
If the attacker can either (a) compromise upstream or (b) impersonate the upstream, AND you've got automatic updates, THEN you are completely pwned.
That's it, you're not even disagreeing.
Given time, upstream will eventually be compromised.
Given time, upstream will eventually be impersonated.
Automatic updates are therefore utter insanity. QED.
If they aren't signed by Torvalds or Volkerding, I ain't taking them. Even if they are, I'm asking questions first. Nothing installs automagically. If anything does, then you've failed as an admin, you need to fdisk and reïnstall and learn from your mistakes.
If laughter is the best medicine, who are the best doctors?