
    Ubuntu’s ‘command-not-found’ Tool Could Deceive Users into Installing Bad Packages

    Security researchers have found that attackers can abuse Ubuntu’s ‘command-not-found’ tool to get their own malicious packages suggested to users, which could lead to the compromise of Ubuntu systems.

    While ‘command-not-found’ is helpful for suggesting software installations when a command is not installed, attackers can manipulate it through the snap repository to deceptively recommend malicious packages, according to a report from Aqua.

    By default, on Ubuntu, the tool suggests packages to install in interactive bash sessions when users try to run unavailable commands, including both APT and snap packages.

    When suggesting APT packages, the tool consults an internal database (“/var/lib/command-not-found/commands.db”); for snaps, it relies on the “advise-snap” command to find snaps that provide the missing command.

    If attackers can get a malicious package suggested by ‘command-not-found,’ the result is a software supply chain attack: the user installs attacker-controlled code believing it to be the legitimate tool.

    Aqua identified a potential loophole in snap’s alias mechanism: an attacker could register a snap whose alias matches a command name, so that ‘command-not-found’ suggests it for that command and tricks users into installing the malicious package.

    Moreover, attackers could claim a snap name related to an APT package and upload a malicious snap, which would then be suggested when a user types the command on their terminal.

    Aqua highlighted that the maintainers of the ‘jupyter-notebook’ APT package had not claimed the corresponding snap name, allowing an attacker to claim it and upload a malicious snap named ‘jupyter-notebook.’

    To compound the issue, the ‘command-not-found’ utility suggests the malicious snap package above the legitimate APT package for jupyter-notebook, misleading users.

    Aqua noted that as many as 26% of APT package commands are vulnerable to impersonation by malicious actors, posing a significant security risk, as they could be registered under an attacker’s account.

    Aqua also warned about typosquatting attacks, where typographical errors made by users are exploited to suggest bogus snap packages, such as registering a fraudulent package with the name “ifconfigg” instead of “ifconfig.”

    In such cases, ‘command-not-found’ would match the mistyped command to the attacker’s snap and recommend it, so the user never sees the suggestion for the legitimate ‘net-tools’ package at all.
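    The two abuse patterns above (unclaimed or attacker-claimed snap names for APT commands, and typosquatted snap names one keystroke away from a real command) can be audited with a small script. The following is an added example written for this article, not code from Aqua or from Ubuntu’s ‘command-not-found’; the command-to-package map, the snap-store listing and the publisher names are constructed sample data. On a real system the first map would come from “/var/lib/command-not-found/commands.db” and the second from store lookups (‘snap info <name>’).

```python
"""Audit heuristic for 'command-not-found' suggestion hijacking.

Added example; not part of the Aqua report or of Ubuntu's tooling.
All inputs below are constructed sample data.
"""

# Constructed sample: command -> APT package that provides it.
APT_COMMANDS = {
    "ifconfig": "net-tools",
    "jupyter-notebook": "jupyter-notebook",
    "nmap": "nmap",
    "htop": "htop",
}

# Constructed sample: snap name -> publisher, as a store lookup would report.
# "attacker" entries are hypothetical registrations used to exercise the checks.
SNAP_STORE = {
    "nmap": "trusted-publisher",
    "htop": "trusted-publisher",
    "jupyter-notebook": "attacker",   # name the APT maintainers never claimed
    "ifconfigg": "attacker",          # typosquat of ifconfig
}

TRUSTED_PUBLISHERS = {"trusted-publisher"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def unclaimed_snap_names(apt_commands, snap_store):
    """Commands whose snap name nobody has registered: an attacker can still claim it."""
    return sorted(cmd for cmd in apt_commands if cmd not in snap_store)


def suspicious_claims(apt_commands, snap_store, trusted_publishers):
    """Commands whose snap name is registered, but not by a publisher we trust."""
    return sorted(cmd for cmd in apt_commands
                  if cmd in snap_store and snap_store[cmd] not in trusted_publishers)


def typosquat_candidates(apt_commands, snap_store, max_distance=1):
    """Snap names within max_distance edits of a real command, but not equal to it."""
    hits = []
    for snap in snap_store:
        for cmd in apt_commands:
            if snap != cmd and edit_distance(snap, cmd) <= max_distance:
                hits.append((snap, cmd))
    return sorted(hits)


def audit(apt_commands=APT_COMMANDS, snap_store=SNAP_STORE,
          trusted_publishers=TRUSTED_PUBLISHERS):
    """Run all three checks and return the findings as a dict."""
    return {
        "unclaimed": unclaimed_snap_names(apt_commands, snap_store),
        "suspicious": suspicious_claims(apt_commands, snap_store, trusted_publishers),
        "typosquats": typosquat_candidates(apt_commands, snap_store),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(f"{kind}: {findings}")
```

On the sample data the audit flags ‘ifconfig’ as an unclaimed snap name, ‘jupyter-notebook’ as a snap claimed by an untrusted publisher, and ‘ifconfigg’ as a typosquat of ‘ifconfig’. The trusted-publisher list is the weak point of any such check: it has to be maintained by hand, because the store alone cannot tell you whether the account that registered a name is the one that maintains the APT package.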

    The abuse of the ‘command-not-found’ utility to recommend counterfeit packages is a serious concern, according to Aqua, which urges users to verify the source of a package before installation and check the credibility of its maintainers (for a snap, ‘snap info <name>’ shows the publisher and whether the store has verified that publisher).

    Developers of APT and snap packages are advised to register the associated snap name for their commands to prevent misuse.

    Aqua emphasized the need for increased vigilance and proactive defense strategies, as the extent of exploitation of these capabilities remains uncertain.
