The user @dobymick made us aware that there is an issue with the verification of signatures in the way we provide ISO files on our servers.
It is a best practice to ensure end to end verification to our users, which means, the users should be able to verify that the ISO files they get from the mirrors are equal to the files we originally provided to the mirrors.
The current process is prone to a manipulation that many users are likely to not identify:
ISOs and CHECKSUM files are currently provided both by the mirrors. This means, the mirrors could change both. I do not fear about the trustworthiness of the organizations that currently provide Fedora or the https/x509v3 architecture, but the possibility to change files makes every mirror to a single point of failure → this leads to a big attack surface, and the more widespread Fedora gets, the more attractive our mirrors become for attacks.
The issue: we offer users on the website the possibility to verify the CHECKSUM file with our gpg file, but the integrated signature only verifies the HEADER.
If the attacker would manipulate an ISO, and then just add the manipulated ISO checksum above the header, the verification will be successful as the malicious checksum is outside the header (thus ignored by the current type of gpg verification), whereas many (if not most users) would in the subsequent step consider the malicious’ ISOs hash in the verification process. As some of our CHECKSUM files have many files contained, a user might not see at first glance that an additional one is contained and that their ISO actually does not fit an hash that is inside the header but outside (the warning signs are easily overlooked in all that text, and at the top: it says manipulated ISO = OK). I guess many users don’t know about headers and such at all.
Therefore, the suggestion is to provide only CHECKSUM files without a contained signature in future, and provide detached signatures for them on the mirrors.
This social engineering attack also illustrates that we suggest a very complex process for verification on our website, which in this context cannot be considered a best practice. This might be improved as well.
A slight addition: it might be added that the average user might not be attracted by the little “verify” button and likely doesn’t know much what this is about anyway (people avoid to click on things that do not make sense to them at first glance).
This is NOT an immediate attack vector, but it creates a large attack surface and makes mirrors more attractive for attackers as long as average users (hyperbolic speaking) ain’t cryptographers and as long as Fedora is in widespread use: maybe there could be some improvement discussed, to avoid making mirrors attractive for attacks, to protect users if they get Fedora without being experts, and to lead the community with good practices: people tend to adopt what they see.
Off the cuff, I do not know what team is currently responsible for that. Maybe someone from commops/mindshare/marketing can help and let me know? May you can let me know what tag to add, or where I shall open a ticket
I just reproduced and documented …
… a full example of Doby Mick’s social engineering attack: assuming I have captured one or more mirrors that users use to get Fedora ISOs:
I focus on KDE because it is widespread, and because the CHECKSUM file contains many ISO files and thus causes a lot of text that distracts users.
- I captured a mirror, let’s assume I found any administrator access in any mirror (let’s assume the admin’s password was t00r - my favorite!)
- I created a malicious ISO of Fedora KDE: In reality, I took our ISO and did
echo "thisIsBackdoored" >> Fedora-hackedKDE-Live-x86_64-40-1.14.iso
- I created the sha256sum of this backdoored Fedora KDE, and I have added this to the CHECKSUM file that Fedora provides through the mirrors, but I added it to the top ABOVE the header. Here is the malicious CHECKSUM file that is now on our corrupted mirror:
# Fedora-KDE-Live-x86_64-40-1.14.iso: 2645645312 bytes
SHA256 (Fedora-hackedKDE-Live-x86_64-40-1.14.iso) = f0c25a9da8f3ee430aa233c664f6e5e2abe13d245e3975d30513ff2503b19017
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
# Fedora-Budgie-Live-x86_64-40-1.14.iso: 2146633728 bytes
SHA256 (Fedora-Budgie-Live-x86_64-40-1.14.iso) = 18a2876d031fd58d00d9a37d3a823caa03cf7059309bed1de79eb3a46dc4bc21
# Fedora-Cinnamon-Live-x86_64-40-1.14.iso: 2558238720 bytes
SHA256 (Fedora-Cinnamon-Live-x86_64-40-1.14.iso) = 081ac2402d3e2e704d36ee6aacd67ba631d1939e0c35cf517e996dbb70117735
# Fedora-KDE-Live-x86_64-40-1.14.iso: 2645645312 bytes
SHA256 (Fedora-KDE-Live-x86_64-40-1.14.iso) = 8b9da20cfa947b16c8f0c5187e9b4389e13821e31b062688a48cf1b3028c335c
# Fedora-LXDE-Live-x86_64-40-1.14.iso: 1741191168 bytes
SHA256 (Fedora-LXDE-Live-x86_64-40-1.14.iso) = 3be326068be6bd7e98d7e7e89f4427648fe83484ecd36e1e77304af1369d1920
# Fedora-LXQt-Live-x86_64-40-1.14.iso: 1845794816 bytes
SHA256 (Fedora-LXQt-Live-x86_64-40-1.14.iso) = ef0fbed423acc7484b6fea14a062c41a3026ca93d71edf28debe2d883f9ce61c
# Fedora-MATE_Compiz-Live-x86_64-40-1.14.iso: 2454198272 bytes
SHA256 (Fedora-MATE_Compiz-Live-x86_64-40-1.14.iso) = 3242eb53dd2d0bad66dff04f7e54848aa750910171a110e2f8677aa23b8e84e0
# Fedora-SoaS-Live-x86_64-40-1.14.iso: 1440874496 bytes
SHA256 (Fedora-SoaS-Live-x86_64-40-1.14.iso) = 4287b380b4be2f2c421178b9dfdcaf8c64ed58e343baa7d1d482c4f3481975fb
# Fedora-Sway-Live-x86_64-40-1.14.iso: 1637679104 bytes
SHA256 (Fedora-Sway-Live-x86_64-40-1.14.iso) = 6974428b65153156e133fe0165cdf5cb4420b987fe27c53218480414b685e602
# Fedora-Xfce-Live-x86_64-40-1.14.iso: 1889988608 bytes
SHA256 (Fedora-Xfce-Live-x86_64-40-1.14.iso) = 519db49a21587c007b8135cfc8fba470951937d2f7edc01a8f4b96abc772370c
# Fedora-i3-Live-x86_64-40-1.14.iso: 1617053696 bytes
SHA256 (Fedora-i3-Live-x86_64-40-1.14.iso) = 1f55028b79c6633178a0106fdb3d34ccb489f1dc039c5e96a829cea28624d7a8
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEEV35rvhXhT7oRF0KBydwfqFbecwFAmYisCQACgkQBydwfqFb
ecwIsQ//R7hHyRG1csTnL5WtYMM4Rq3fequ7CFDIvL5iywNXEPed7vL7Z9DG9qU1
eiNIaWbElYy58tBG6JQVf2ucqehbYqgVI/rXqQHbs+XpHTu6TtRB+BHdKEbWmQNf
QCzdqyzSVhIz24A3XM7Ya4bDGA3LdR5VUCACGqx8VI5+wYJFySSQixCENEusbCtG
a7G0eqhkMzwVfOsCTvX1EmZ6akQHcWZV9bvOKLqq+i5uXwzEzHlY7Jskt86QtSdR
6i/h30BKDmKw8UTrtftQ0Ayt/YNQw1EezeC6wHx8bRH0Zi1S2M33KQou5VXAfa2N
H7ePUWs89Rpq4mjrjavGsIiZf5e7QuNiIPJOr4k6yzxXCDTejKIBWtNHiFdaEYMy
eW+/CknTgoVmU1ry5SZ7nuaECY6kUYnqFXrPWfwGTEcvnaC2JUVqMH9Mgpd/kZIF
JamLBiF66GuanyFThxuD1MMJX6hUwcNzANMzMTXanVqeTz/gs+40r3adUqbpZz4f
kMUUuOW07IhLGp190Skyeg/AkYEJFdJo5eutCD7Lb0OKRmpjGtPddxpxjxDVhfVc
a6qcFM+FhZ7sRe+l0GnX0S8hNm1QijcpqmgX2zMbYMsulwcVIUjquOM3NJipqx8o
xcXip44A7xpt6NlJTcD5ku/Qp7MrTHfpKMknwUoQDtr9oi0Ajb0=
=O9rW
-----END PGP SIGNATURE-----
- As a average user, I now follow the elaboration of Fedora on their website (go to the KDE download page and click the verify button: then you get the current HowTo.
- Given the HowTo, I already downloaded the CHECKSUM file and the ISO from the mirror (when I tested, I always got the same mirror for both - this can be expected to apply if people download both at the roughly same time from the same place).
- I do
curl -O https://fedoraproject.org/fedora.gpg
- I do
gpgv --keyring ./fedora.gpg Fedora-Spins-40-1.14-x86_64-CHECKSUM
with the manipulated CHECKSUM file, but the result is TRUE / SUCCESSFUL because only the header is considered and everything above ignored:
gpgv: Signature made Fri Apr 19 19:55:48 2024 CEST
gpgv: using RSA key 115DF9AEF857853EE8445D0A0727707EA15B79CC
gpgv: Good signature from "Fedora (40) <fedora-40-primary@fedoraproject.org>"
- I now think the file is fine, so I proceed with
sha256sum -c Fedora-Spins-40-1.14-x86_64-CHECKSUM
, and I get the following output:
Fedora-hackedKDE-Live-x86_64-40-1.14.iso: OK
sha256sum: Fedora-Budgie-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-Budgie-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-Cinnamon-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-Cinnamon-Live-x86_64-40-1.14.iso: FAILED open or read
Fedora-KDE-Live-x86_64-40-1.14.iso: OK
sha256sum: Fedora-LXDE-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-LXDE-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-LXQt-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-LXQt-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-MATE_Compiz-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-MATE_Compiz-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-SoaS-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-SoaS-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-Sway-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-Sway-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-Xfce-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-Xfce-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: Fedora-i3-Live-x86_64-40-1.14.iso: No such file or directory
Fedora-i3-Live-x86_64-40-1.14.iso: FAILED open or read
sha256sum: WARNING: 17 lines are improperly formatted
sha256sum: WARNING: 9 listed files could not be read
→ consider the first line: Fedora-hackedKDE-Live-x86_64-40-1.14.iso: OK
→ I would like to say that the WARNINGS about formatting and such are caused by the social engineering attack, but unfortunately, our original CHECKSUM file causes the same issue
→ Therefore, if a user does not know about the implications of the different commands we suggest and their impact on each other (and what they actually do and not do), and trusts these outputs, they might get a malicious ISO and even think it was successfully verified
→ Additional note: The normal KDE is “ok” as well because I have it in the same directory as well.
The suggestion would be to replace this method already by F41, or at least by F42 release: We might discuss a best practice that is less error prone and easier to be conducted for average users - one example is the one suggested above. @dobymick maybe wants to add further points.
In any case, thanks to @dobymick for making us aware, and for providing the idea of using detached signatures!