https://bugzilla.novell.com/show_bug.cgi?id=408352 Summary: potential time shift vulnerability in Online Update Product: openSUSE 11.0 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Minor Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: sbrabec@novell.com QAContact: qa@suse.de CC: zypp-maintainers@forge.provo.novell.com Found By: --- I found following theoretical problem in the Online Update work-flow. I did not verify, that the problem is real and whether it can be exploited. Suppose that malicious person takes control over one of online update mirrors and wants to provide vulnerable software. It is not possible to do it directly, as all online updates are signed. But following scenario may be possible: 1. Instead of mirroring from the official servers, it will only back-up the original unline update contents. 2. Provide data from the back-up to the mirror and increase time shift over the time. Server is up, provides correctly signed packages, time new security update appears. User has no doubt. 3. Log IP addresses of machines checking for online update. This scenario could provide vulnerability window created by the time shift and list of IP addresses of still vulnerable machines. Malicious person has enough time to create an exploit and install it to vulnerable machines. Proposed fix: Verify time stamp of update server. If unusual time shift is detected, display a warning. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.