[manjaro-security] [MSA-202106-1] images were built with a per-initialised (and thus common) pacman local signing key

Mon Jun 14 12:13:43 CEST 2021

Manjaro Security Advisory MSA-202106-1
=========================================

Severity: High
Date    : 2021-06-14
Level   : CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (7.1 High)
Package : manjaro-system; x64 ISOs before 21.0.6; Images before 21.06
Type    : multiple issues
Remote  : Yes
Link    :
https://gitlab.manjaro.org/tools/development-tools/manjaro-tools/-/issues/330

Summary
=======

Installations of the pre-built Manjaro ARM images previous to 21.06 or
Manjaro x86_64 ISOs previous to 21.0.6 can be tricked into installing
maliciously signed packages by a network attacker, leading to code
execution as root.

Resolution
==========

Upgrade manjaro-system to 20210612-1

# pacman -Syu "manjaro-system>=20210612-1"

The problems have been fixed upstream in version 20210612-1 for x64 and
20210612-3 for ARM.

Workaround
==========

sudo rm -rf /etc/pacman.d/gnupg
sudo pacman-key --init
for x64: sudo pacman-key --populate archlinux manjaro
for ARM: sudo pacman-key --populate archlinux manjaro archlinuxarm
manjaro-arm

Description
===========

Manjaro ISO/ARM images, used for installation of Manjaro on x86_64/ARM
systems, contain pre-initialised pacman keyrings - i.e., the
/etc/pacman.d/gnupg directory. When a Manjaro system is installed, its
/etc/pacman.d/gnupg directory is inherited from the installation medium.

This is problematic because everyone who installs from these common
installation mediums will inherit the same and non-secret local signing
key (both private and public components). This is dangerous because the
local signing key can be used to directly sign packages for installation
via pacman - even those obtained from supposedly official mirrors.

Ashley Newson was able to confirm that a man-in-the-middle attacker (or
a rogue mirror) can use the signing key extracted from a corresponding
ISO/ARM image to serve modified databases and packages which would then
appear authentic to pacman's signature checks and would thus be
installed without any objection.

As such, malware could be installed to a user's device by a
man-in-the-middle attacker during an update or package installation.
(Note that, technically, databases don't need to be signed, but packages
must be signed by a trusted key. The database typically contains package
signatures, and so it probably needs to be modified by an attacker also.)

Exploit-ability
===============

Use of plaintext HTTP mirrors (i.e. not HTTPS) are still commonplace and
enabled by default, allowing database and package downloads to be
subverted by a network-adjacent attacker. Note, however, that a freshly
installed Manjaro installation may not always be configured with an HTTP
mirror.

Manjaro can be configured to download updates automatically, however
won't install them. Only you as the user needs to approve every update
of your system with your administration rights per installed system.

Different installation mediums are initialized with different keys. An
attacker would need to use the local signing key from the specific
installation medium used to install a system in order to attack it.
Though, we suspect that an attacker could try multiple signatures at
once if multiple packages are to be installed/upgraded.

Impact
======

Installations of the pre-built Manjaro ARM images or Manjaro x86_64 ISOs
can be tricked into installing maliciously signed packages by a network
attacker, leading to code execution as root.

References
==========

https://gitlab.manjaro.org/tools/development-tools/manjaro-tools/-/issues/330
https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-tools/-/issues/33

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20210614/3a4fb17c/attachment.sig>