Researchers at Aqua Nautilus say they’ve identified a security issue in the way Ubuntu’s “command not found” feature works, which attackers can exploit to trick users into installing malicious snaps.
In a lengthy blog post detailing their investigation, the security outfit concludes that “the risk of attackers exploiting the ‘command-not-found’ utility to recommend their own malicious snap packages is a pressing concern”.
“The true peril lies in the potential scope of this issue, with attackers capable of mimicking thousands of commands from widely-used packages,” adding “past instances of malicious packages appearing in the Snap Store highlight this issue.”
What’s the actual issue, and is this something we should be worried about?
Package Suggestions can be Gamed
When you try to run a command for a package you don’t have installed Ubuntu will show a “command not found” error.
But in an effort to help us run the command, it suggests the package (it thinks) we need to install to run it, as demonstrated in the screenshot above.
Suggestions are shown for relevant APT packages available to install from the Ubuntu repos (queried against a local database) and snaps (queried from a database on the Snap Store that is updated often to ensure new apps appear as recommendations).
It’s this (rather helpful) feature that these security researchers say is ripe for manipulation by bad actors (and not the Tommy Wiseau kind).
And to prove the viability of this attack vector they performed some experiments.
In one example they ran jupyter-notebook on a fresh Ubuntu install and (since it’s not preinstalled) the command-not-found feature did its job: it said ‘not found’ and recommended the package needed to run the command, along with how to install it using apt.
So far, so what, right?
But as this particular command did not return a snap suggestion as well (the feature shows both where it can), they wondered whether the name had been registered or reserved on the Snap Store.
It had not. The package name was up for grabs.
So researchers registered it, uploaded a (dummy) package, and, confirming their suspicions, a little while later the command-not-found feature began recommending it when the original command was run:
This would suggest shady folks can game this user-friendly feature to get their scummy snap package recommended to unassuming users: upload a snap that matches the name of a legitimate app, and Ubuntu’s command-not-found system will do the rest.
Worse, Aqua Nautilus say their research shows as many as 26% of commands associated with APT packages are vulnerable to this ill-intentioned impersonation (and that overlooks other approaches for appearing alongside/instead of legit packages, like exploiting aliases and typo-squatting).
Which is all kinds of worrying.
Is this actually an issue?
The good news is that, for now, this exploit is theoretical (if tested). No-one has (yet) reported being duped through the CNF mechanism, and there are no signs it’s being actively exploited out in the wild.
Plus, it ought to be relatively easy for Canonical to remedy the issue through some mitigations on their end.
Perhaps limit snap suggestions shown through this mechanism to verified ones only?
As always, we users bear some of the burden. When installing anything (from any source) always pay attention to typos and check that what you’re installing is what it claims to be.
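One practical way to apply that advice before following a command-not-found “snap install” hint, as an added example (not code from the article or from Aqua Nautilus): it assumes the `snap info` output format, in which a verified publisher’s name carries a trailing ✓ and an unverified one does not.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from Aqua Nautilus.
# Before acting on a command-not-found "sudo snap install NAME" hint,
# look at who publishes that snap. Assumes the 'snap info' output format,
# where a verified publisher's name ends in a check mark
# (e.g. "publisher: Canonical✓") and an unverified one does not.

# publisher_status TEXT
#   TEXT is the output of 'snap info NAME'. Prints one of
#   verified | unverified | unknown and returns 0 / 1 / 2 respectively.
publisher_status() {
  local info="$1" line
  line=$(printf '%s\n' "$info" | grep '^publisher:' | head -n 1)
  if [ -z "$line" ]; then
    echo unknown; return 2
  fi
  # grep -F matches the check mark bytewise, so it does not depend on locale.
  if printf '%s\n' "$line" | grep -qF '✓'; then
    echo verified; return 0
  fi
  echo unverified; return 1
}

# vet_snap NAME
#   Queries the store with 'snap info' (needs snapd and network access),
#   prints the lines worth eyeballing, and succeeds only for a verified
#   publisher. Compare the publisher with whoever really ships the command.
vet_snap() {
  local name="$1" info status
  if ! command -v snap >/dev/null 2>&1; then
    echo "snap command not available; cannot vet '$name'" >&2
    return 2
  fi
  if ! info=$(snap info "$name" 2>/dev/null); then
    echo "no snap named '$name' in the store" >&2
    return 2
  fi
  printf '%s\n' "$info" | grep -E '^(name|publisher|store-url|summary):'
  status=$(publisher_status "$info") || true
  echo "verdict: $status"
  [ "$status" = verified ]
}

# Usage: vet_snap jupyter-notebook   (the name the researchers squatted)
```

An unverified result is not proof of malice, only a prompt to check that the publisher is the project you expect before installing.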
Interested in learning more? Head over to the Aqua Nautilus blog to read the exhaustive report in full.
They provide details on how the ‘command-not-found’ feature works, how it determines relevancy for suggestions, and how attackers can distribute malicious snap packages (even with strict confinement) that exploit this feature, and other vulnerabilities.