I set up a quick demonstration to show risks of curl|bash and how a bad-actor could potentially hide a malicious script.
It’s nothing new or groundbreaking, but I figure it never hurts to have another reminder.
I set up a quick demonstration to show risks of curl|bash and how a bad-actor could potentially hide a malicious script.
It’s nothing new or groundbreaking, but I figure it never hurts to have another reminder.
Yes this has risks. At the same time anytime you run any piece of software you are facing the same risks, especially if that software is updated from the internet. Take a look at the NIST docs in software supply chain risks.
Apt is great
Not completely correct. A lot of updaters work with signatures to verify that what was downloaded is signed by the correct key.
With bash curl there is no such check in place.
So strictly speeking it is not the same.
Signatures do not help if your distribution infra gets compromised. See Solarwinds and the more recent node.js incidents.
This is incorrect. If the update you download is compromised then the signature is invalid and the update fails.
To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infratstructure AND exploit the local updater to accept the invalid or forged signature.
If I can control your infra I can alter what is a valid signature. It has happened. It will happen again. Digital signatures are not sufficient by themselves to prevent supply chain risks. Depending on your threat model, you need to assume advanced adversaries will seek to gain a foothold in your environment by attacking your software supplier. in these types of attacks threat actors can and will take control over the distribution mechanisms deploying trojaned backdoors as part of legitimately signed updates. It is a complex problem and I highly encourage you to read the NIST guidance to understand just how deep the rabbit hole goes.
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations