Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches.
But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk? That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities.
On Jan. 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on Jan. 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries.
Debian is a popular Linux distribution and also serves as the base for multiple other Linux distributions, including Ubuntu. The Debian APT vulnerability, identified as CVE-2019-3462, was first reported by researcher Max Justicz, who described the vulnerability as a remote code execution risk.
"The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire," Debian developers wrote in an advisory. "This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection."
Debian warned that the injected content would be recognized as valid content by end users and could enable code execution with root privileges.
The potential for harm from such a flaw cannot be understated. Debian Linux users update systems regularly via APT, and the flaw could have enabled the update process to be compromised. The good news, however, in this case is that no known compromises have been publicly reported. Additionally, a patch for the issue is already available.
In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website.
"A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered," the PEAR site stated. "The PEAR website itself has been disabled until a known clean site can be rebuilt."
It is not clear how the file was tainted or by whom. In a Twitter thread, the PEAR project noted that no other PEAR site was breached and the project's repositories on GitHub appeared to be OK as well.
"What we know, the taint was an embedded line designed to spawn a reverse shell via Perl to IP 18.104.22.168," the PEAR project stated.
A reverse shell is an approach where an attacker can get more access to a victim's machine, enabling an attacker to have limited control.
"We can say with confidence that if you downloaded the go-pear.phar file since 12/20, **and used it to install the PEAR package installer program on your system**, then you should be *very* concerned," the project warned.
What Should Organization Do?
Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtably redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.
The benefit of being open-source is that researchers and end users alike can look at code make a determination if something isn't right. That's how the security researchers were able to find out that something was wrong. With proprietary closed-source software, the discovery of similar types of errors would have been significantly more difficult to determine.
Malware and configuration errors with updating and other tools is a risk that organizations need to consider. Simply remaining fully patched isn't always enough to keep any system safe. Rather, what's needed is a multilayered approach that keeps software updated, while still monitoring systems, users and processes for unexpected behavior to help mitigate risks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.