CyberManipal.

Tech news from MIST

Hidden Linux RPM bug discovered after decades


Garima Kejriwal

July 1, 2021

Red Hat has used RPM for software package distribution for decades with no previously known bugs or vulnerabilities. Now a hidden security bug, present since RPM's creation, has come to light; a fix was submitted as soon as it was discovered.

RPM was created by Marc Ewing and Erik Troan, the founding programmers of Red Hat, in 1995. It became the primary way to distribute software for Red Hat Linux based distributions such as Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux OS, and Rocky Linux. Sadly, no one knew about the security bug introduced in the process. In March 2021, Dmitry Antipov, a Linux developer at CloudLinux, spotted the bug, which had somehow gone unnoticed until then. RPM would accept unauthorized RPM packages: unsigned packages, or packages signed with revoked keys, could silently be installed or updated without any warning that they might not be trustworthy.

After submitting the patch, Antipov explained, “The problem is that both RPM and DNF do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough never to have been hit by this.”

While no significant cyber-attack is known to have exploited the vulnerability, it would undoubtedly have made it easy to sneak a malicious package onto a Linux server and manipulate it. Fortunately, cybersecurity is a top priority for every security firm, and such bugs can be dealt with promptly.
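To make the flaw Antipov describes concrete, here is an added example (constructed for this article, not RPM's or DNF's actual code) that models a package-acceptance policy: a legacy check that only asks whether the signing key is known and unexpired, beside a corrected check that also refuses unsigned packages and revoked keys. The keyring, package names and dates are constructed sample data.

```python
"""Constructed model of the RPM/DNF key check described in the article.

legacy_accept mirrors the flawed behaviour (expiry checked, revocation not,
unsigned packages waved through); strict_accept is the corrected policy.
This is illustrative code, not RPM's implementation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SigningKey:
    key_id: str
    expires: Optional[date]       # None means the key never expires
    revoked: bool = False         # revocation state from the keyring


@dataclass(frozen=True)
class Package:
    name: str
    signed_by: Optional[str]      # key id of the signature, or None if unsigned


# Constructed keyring for the example; these are not real distribution keys.
KEYRING: Dict[str, SigningKey] = {
    "KEY-VALID":   SigningKey("KEY-VALID",   expires=date(2030, 1, 1)),
    "KEY-EXPIRED": SigningKey("KEY-EXPIRED", expires=date(2020, 1, 1)),
    "KEY-REVOKED": SigningKey("KEY-REVOKED", expires=date(2030, 1, 1), revoked=True),
}


def _key_unexpired(key: SigningKey, today: date) -> bool:
    return key.expires is None or key.expires > today


def legacy_accept(pkg: Package, keyring: Dict[str, SigningKey], today: date) -> bool:
    """Flawed policy: an unsigned package has nothing to fail, and a known,
    unexpired key is trusted. Revocation is never consulted."""
    if pkg.signed_by is None:
        return True
    key = keyring.get(pkg.signed_by)
    if key is None:
        return False
    return _key_unexpired(key, today)


def strict_accept(pkg: Package, keyring: Dict[str, SigningKey], today: date) -> bool:
    """Corrected policy: require a signature from a known key that is
    neither expired nor revoked."""
    if pkg.signed_by is None:
        return False
    key = keyring.get(pkg.signed_by)
    if key is None or key.revoked:
        return False
    return _key_unexpired(key, today)


def compare_policies(today: date = date(2021, 7, 1)) -> Dict[str, Tuple[bool, bool]]:
    """Run both policies over constructed packages.

    Returns {package name: (legacy_result, strict_result)}; the two results
    differ exactly for the unsigned and revoked-key cases the article names.
    """
    packages = [
        Package("kernel-good",     signed_by="KEY-VALID"),
        Package("kernel-stale",    signed_by="KEY-EXPIRED"),
        Package("kernel-rogue",    signed_by="KEY-REVOKED"),
        Package("kernel-unsigned", signed_by=None),
        Package("kernel-unknown",  signed_by="KEY-NOBODY"),
    ]
    return {
        p.name: (legacy_accept(p, KEYRING, today), strict_accept(p, KEYRING, today))
        for p in packages
    }


if __name__ == "__main__":
    for name, (legacy, strict) in compare_policies().items():
        print(f"{name:16} legacy={legacy!s:5} strict={strict!s:5}")
```

On a real system the equivalent checks are `rpm -K package.rpm` (alias `--checksig`), which reports digest and signature state and exits non-zero on failure, and `rpm -q gpg-pubkey`, which lists the keys currently imported into the RPM database; the point of the model above is that a key being present and unexpired is not the same as it being trustworthy.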

Abridged from ZDNet

