The Ubuntu ‘command-not-found’ tool can trick users into installing rogue packages


Cybersecurity researchers have discovered that it is possible for threat actors to abuse a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running the Ubuntu operating system.

“While ‘command-not-found’ serves as a useful tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers via the snap repository, leading to misleading recommendations of malicious packages,” said cloud security firm Aqua in a report shared with The Hacker News.

Installed by default on Ubuntu systems, command-not-found suggests packages to install when a user in an interactive bash session tries to run a command that is not available. The suggestions include both Advanced Packaging Tool (APT) and snap packages.

While the utility uses an internal database (“/var/lib/command-not-found/commands.db”) to suggest APT packages, it relies on the “advise-snap” command to suggest snaps that provide the given command.

So if an attacker is able to game this system and have their malicious package recommended by the ‘command-not-found’ package, this could pave the way for attacks on the software supply chain.

Aqua said it found a potential loophole in which a threat actor can exploit the alias mechanism to register the snap name associated with an alias and trick users into installing the malicious package.

Additionally, an attacker can claim the snap name associated with an APT package and upload a malicious snap, which is then suggested when a user types the command on their terminal.


“The maintainers of the ‘jupyter-notebook’ APT package had not claimed the associated snap name,” Aqua said. “This surveillance gave an attacker the opportunity to claim it and upload a malicious module called ‘jupyter-notebook’.”

To make matters worse, the command-not-found utility suggests the snap package over the legitimate APT package for jupyter-notebook, tricking users into installing the fake snap package.

As many as 26% of APT package commands are vulnerable to impersonation by malicious actors, Aqua noted, which poses a significant security risk because they can be registered under an attacker’s account.

A third category is typosquatting: an attacker registers a rogue snap under a name that matches a common typing mistake (e.g. “ifconfigg” instead of ifconfig), so that the mistyped command produces a suggestion for the fake snap package.

In such a case, command-not-found would “wrongly match this incorrect command and recommend the malicious snap, bypassing the ‘net-tools’ suggestion altogether,” Aqua researchers explained.

The company describes the abuse of the command-not-found utility to recommend counterfeit packages as an urgent problem and urges users to verify the source of a package before installation and check the credibility of its maintainers.

Developers of APT and snap packages have also been advised to register the associated snap name for their commands to prevent misuse.
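The verification advice above can be turned into a simple pre-install check. The following Python code is an added example, not taken from Aqua's report or from Ubuntu; the `Snap` record, its `verified` flag and all sample data are constructed assumptions, and it queries no real store or package archive. It flags an unverified snap whose name matches an APT-provided command, or sits one keystroke away from one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snap:
    name: str
    publisher: str
    verified: bool  # assumed flag: publisher identity confirmed by the store

# Constructed sample data, not real store or archive contents.
APT_COMMANDS = {"ifconfig": "net-tools", "jupyter-notebook": "jupyter-notebook"}
SNAPS = [
    Snap("jupyter-notebook", "unknown-account", False),
    Snap("ifconfigg", "unknown-account", False),
    Snap("hello", "example-vendor", True),
]

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing character, then the remainders must match.
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def triage(command: str, apt_commands=APT_COMMANDS, snaps=SNAPS) -> list[str]:
    """Return warnings for snaps that would be suggested for `command`."""
    findings = []
    for snap in (s for s in snaps if s.name == command and not s.verified):
        if command in apt_commands:
            # Same name as a command shipped by an APT package.
            findings.append(f"{snap.name}: unverified snap shadows APT package {apt_commands[command]}")
        for known, pkg in apt_commands.items():
            if within_one_edit(command, known):
                # Snap name is a one-character slip away from a real command.
                findings.append(f"{snap.name}: possible typosquat of {known} ({pkg})")
    return findings

if __name__ == "__main__":
    for typed in ("jupyter-notebook", "ifconfigg", "hello"):
        print(typed, "->", triage(typed) or "no findings")
```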

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for increased vigilance and proactive defense strategies,” Aqua said.
