[development] Automatic Updates/Upgrades

Michael Prasuhn mike at mikeyp.net
Fri Sep 2 00:41:33 UTC 2011

António P. P. Almeida wrote:
 > Add kernel.org to that list also.

The Linux kernel repositories were not compromised; they are 
cryptographically signed by most of the committers. The servers were 
compromised, but that's something entirely different.

John Locke wrote:
 > Automatic update of core + potential for malicious code getting uploaded
 > to the source repos = very nice recipe for taking over a huge amount of
 > the web!

This whole scenario is so laughable it's quite ridiculous.

 > WordPress and Debian have both had bad stuff uploaded to their
 > repositories. It could happen to Drupal too. For that reason alone I
 > think auto-updating is a really bad idea -- it makes for a very nice
 > target for an attacker!

At least in the case of WordPress, it's not known if the exploits were 
ever even deployed to any sites, let alone actually used.

 > 1. Attacker plants some keylogger on a core committer's machine,
 > captures their credentials.
 > 2. Attacker builds an exploit and uploads it to Core, immediately before
 > the default update check time for sites set to UTC or some large time 
 > 3. All sites configured for auto-update download the new exploit.
 > 4. Exploit changes the update source to their own malicious repository.
 > 5. Millions of exploited web sites are now at the attacker's disposal --
 > done right, huge numbers of site admins would never realize their sites
 > were compromised.

If an attacker had physical or remote access to the core committer's 
machine, they could perform the exploit from there; otherwise they would 
primarily need to steal the SSH key to commit to git, and create a tag 
for a new release there.

Secondly, they would need the d.o credentials in order to create the 
release node on d.o and publish it. Even still, this information takes a 
small amount of time to be available since the update status servers on 
d.o are heavily cached. If no one in the Drupal community noticed a new, 
random core release when none was planned in the amount of time it takes 
for the packaging script to run, node to be published, and caches to be 
flushed, one could safely assume that the zombie apocalypse has come, 
and taking over the internet is of no consequence to mankind.

 > This would not be difficult to do -- all you need to do is get the
 > credentials for one person with appropriate access.

I don't think anyone is really suggesting that core auto-update itself. 
The current update mechanism is manual; since it doesn't store the 
credentials used for the update, it requires them to be entered each time 
updates are performed.


Michael Prasuhn
503.512.0822 office
mike at mikeyp.net
