Rapid7 Vulnerability & Exploit Database

RHSA-2003:255: up2date improperly checks GPG signature of packages

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 08/27/2003
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

Updated up2date packages for Red Hat Linux 8.0 and 9 fix RPM GPG signature verification.

The Red Hat Update Agent, up2date, automatically queries the Red Hat Network servers and determines which packages need to be updated on your machine.

up2date versions 3.0.7 and 3.1.23 incorrectly check RPM GPG signatures. These are the versions found in Red Hat Linux 8.0 and 9. This bug allows packages which have no GPG signature to be installed by up2date if they are provided by the Red Hat Network servers. The intended behaviour is that only packages signed with the Red Hat package signing key will be installed.

For an attacker to make use of this flaw, they would have to make unsigned packages appear on the Red Hat Network. Connections to the Red Hat Network servers are authenticated and verified by the use of SSL, so it is not possible to intercept the connection to Red Hat Network servers and give unsigned packages. To make use of this flaw, an attacker would have to compromise the Red Hat Network servers at Red Hat. Because of these factors, the risk of exploiting this bug is low. However, we advise that all users of up2date update to these erratum packages.

Note that all other variations of package signature checks work correctly. The fix was to change the code so that packages with no GPG signature are rejected in the same way as those with bad GPG signatures (the up2date client refuses to install them).

Red Hat would like to thank Barry Nathan for finding and reporting this error.
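To make the class of check the advisory describes concrete, here is an added Python illustration (not up2date's code, nor Red Hat's fix): it parses constructed lines in the shape of `rpm --checksig` output and contrasts a fail-open policy that rejects only bad signatures with the fail-closed policy the erratum adopts, where a package with no GPG signature is refused exactly like one with a bad signature. The output format and package names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed sample in the shape of `rpm --checksig` output (assumption):
# a good signature, a bad signature, and a package with no GPG signature at
# all, for which rpm still reports its digest check as OK.
SAMPLE_CHECKSIG_OUTPUT = """\
good-1.0-1.i386.rpm: md5 gpg OK
tampered-1.0-1.i386.rpm: md5 gpg NOT OK
unsigned-1.0-1.i386.rpm: md5 OK
"""


@dataclass(frozen=True)
class SigResult:
    package: str
    has_gpg: bool  # a GPG signature was present and checked
    ok: bool       # rpm's overall verdict for the checks it ran


def parse_checksig_line(line: str) -> SigResult:
    """Split 'name.rpm: <checks...> OK|NOT OK' into a structured result."""
    pkg, _, rest = line.partition(":")
    rest = rest.strip()
    ok = rest.endswith("OK") and not rest.endswith("NOT OK")
    return SigResult(pkg.strip(), "gpg" in rest.split(), ok)


def vulnerable_accepts(r: SigResult) -> bool:
    """Fail-open policy in the spirit of RHSA-2003:255 (illustration only):
    only a *bad* signature is rejected, so an unsigned package slips through
    because rpm's verdict on its digests alone is still OK."""
    return r.ok


def fixed_accepts(r: SigResult) -> bool:
    """Fail-closed policy: a GPG signature must be present AND verify."""
    return r.has_gpg and r.ok


def decide(output: str, policy: Callable[[SigResult], bool]) -> Dict[str, bool]:
    """Map each package in the checksig output to the policy's install verdict."""
    results = (parse_checksig_line(l) for l in output.splitlines() if l.strip())
    return {r.package: policy(r) for r in results}


if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_accepts), ("fixed", fixed_accepts)):
        print(name, decide(SAMPLE_CHECKSIG_OUTPUT, policy))
```

Only the fixed policy refuses `unsigned-1.0-1.i386.rpm`; both refuse the tampered package, matching the advisory's note that the other signature-check variations already behaved correctly.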

Solution(s)

  • redhat-upgrade-up2date
  • redhat-upgrade-up2date-gnome
