eopkg is a Solus package manager implemented in Python 3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
Solus package manager eopkg is vulnerable to a supply-chain attack. A malicious package, sourced from a compromised or untrusted repository, can install untracked files, potentially leading to persistent compromise and data exfiltration. This vulnerability allows attackers to bypass standard package management controls and deploy malicious payloads undetected.
Step 1: Payload Preparation: The attacker crafts a malicious .eopkg package. This package contains legitimate files (to appear normal) and hidden, untracked malicious files (e.g., a rootkit, backdoor, or malware).
Step 2: Package Delivery: The attacker hosts the malicious package on a compromised or untrusted repository, or tricks a user into downloading it from a phishing site.
Step 3: Package Installation: The victim, using eopkg, installs the malicious package.
Step 4: Untracked File Installation: During installation, eopkg installs the malicious files, but due to the vulnerability, it fails to properly track them.
Step 5: Persistence & Stealth: The malicious files are installed on the system, but are not listed by lseopkg or other package management tools, making them difficult to detect and remove. The attacker now has a foothold on the system.
The vulnerability stems from a flaw in how eopkg tracks files during package installation. Specifically, the package manager fails to account for all files included within a malicious package. This allows an attacker to include files that are not registered by eopkg, effectively bypassing the package manager's integrity checks and making the malicious files invisible to tools like lseopkg. The root cause is likely a missing or incomplete file-listing mechanism within the package installation process, or a failure to validate the package manifest against the files actually present, for example a missing check or a logic error in how the package metadata is parsed and compared to the files being installed. The attacker leverages this to install backdoors, rootkits, or other malicious payloads that persist even after the package is removed, because the untracked files remain on the system.
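The check described above, validating a package's manifest against the files its payload actually contains, is shown below as an added, stand-alone audit example; it is not eopkg's own code and does not reproduce the fixed logic in v4.4.0. It assumes a simplified package layout (a zip archive holding a `files.xml` manifest with `File/Path` entries and an `install.tar` payload) that is modelled loosely on the eopkg format but constructed here for illustration; the sample package, the helper names and the paths are all constructed.

```python
import io
import tarfile
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NAME = "files.xml"   # assumed manifest member name (simplified layout)
PAYLOAD_NAME = "install.tar"  # assumed payload member name (simplified layout)


def _norm(path: str) -> str:
    """Normalise a path so manifest and archive spellings compare equal."""
    while path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


def build_sample_package(declared: list[str], actual: list[str]) -> bytes:
    """Constructed test fixture: a package whose manifest lists `declared`
    while its payload tarball really contains `actual`."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        root = ET.Element("Files")
        for p in declared:
            entry = ET.SubElement(root, "File")
            ET.SubElement(entry, "Path").text = p
        zf.writestr(MANIFEST_NAME, ET.tostring(root))

        tar_buf = io.BytesIO()
        with tarfile.open(fileobj=tar_buf, mode="w") as tf:
            for p in actual:
                data = b"sample"
                info = tarfile.TarInfo(name=p)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        zf.writestr(PAYLOAD_NAME, tar_buf.getvalue())
    return out.getvalue()


def declared_paths(pkg: bytes) -> set[str]:
    """Paths the package *claims* to install, taken from the manifest."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        root = ET.fromstring(zf.read(MANIFEST_NAME))
    return {_norm(el.text) for el in root.iter("Path") if el.text}


def payload_paths(pkg: bytes) -> set[str]:
    """Regular files the payload tarball would *actually* write to disk."""
    with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
        raw = zf.read(PAYLOAD_NAME)
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r") as tf:
        # Directories carry no content; only file-like members matter here.
        return {_norm(m.name) for m in tf.getmembers() if not m.isdir()}


def audit_package(pkg: bytes) -> dict[str, list[str]]:
    """Compare manifest against payload.

    'untracked': files the payload would install that the manifest never
                 mentions (the class of problem described on this page).
    'missing':   files the manifest promises but the payload lacks.
    A trustworthy package has both lists empty; reject it otherwise.
    """
    declared = declared_paths(pkg)
    actual = payload_paths(pkg)
    return {
        "untracked": sorted(actual - declared),
        "missing": sorted(declared - actual),
    }


if __name__ == "__main__":
    # Constructed sample: one payload file is absent from the manifest.
    sample = build_sample_package(
        declared=["usr/bin/tool", "usr/share/doc/tool/README"],
        actual=["usr/bin/tool", "usr/share/doc/tool/README", "usr/lib/.hidden.so"],
    )
    print(audit_package(sample))
```

The audit belongs before any file is written: an installer that refuses a package whose `untracked` list is non-empty cannot be talked into placing a file its database will never record. Running the same comparison against the installed-files database after the fact is a useful detection control, but it only finds what the manifest already admits to.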