Ubuntu Users Beware: “Command-not-found” Flaw May Compromise Systems
Researchers at Aqua Security have uncovered a critical flaw that enables malefactors to compromise systems running Linux. This vulnerability pertains to the exploitation of the “command-not-found” utility integrated within the Ubuntu distribution, which assists users in installing missing software.
The “command-not-found” utility suggests packages for installation when users attempt to execute commands that are absent in the system. It can recommend both standard APT packages and snap packages from the Snappy repository. The utility employs an internal database to scan for existing software and initiates the “advise-snap” command to search for snap package equivalents.
Upon scrutinizing the utility’s operational mechanism, Aqua Security’s researchers discovered that it could be deceived through the system’s alias feature. In searching for snap packages, the utility relies on the correspondence between the command and the package name. Malevolent actors can register any name for a malicious snap package by specifying the required alias.
Consequently, when users attempt to execute a command associated with this alias, “command-not-found” will recommend installing the counterfeit package.
Another attack vector is associated with the possibility of registering snap packages under names that coincide with existing APT packages. For instance, hackers could release a malicious snap package named “jupyter-notebook,” and by default, the “command-not-found” utility would recommend it over the original APT package.
Experts estimate that approximately 26% of commands for APT packages in Ubuntu are susceptible to such substitution. Malefactors can easily register the corresponding snap under their name without any difficulty.
Furthermore, hackers can exploit typos frequently made by inexperienced users when entering commands. For example, instead of “ifconfig,” a person might type “ifconfigg.” By creating a counterfeit snap package “ifconfigg,” hackers ensure that “command-not-found” recommends it instead of the net-tools package, which contains the original command.
The researchers describe this issue as systemic for Ubuntu and highlight the need for significant updates to the utility. They also urge users to meticulously verify the reputation and source of the recommended packages before installation.
Developers of APT packages are advised to register snap names associated with their products to prevent fraudulent substitution by malefactors.
It remains unclear whether the “command-not-found” vulnerability has been exploited in real attacks. Nonetheless, the issue has already garnered widespread attention. Canonical, the developer company behind Ubuntu, has promised to implement measures to rectify the vulnerability promptly.