Source: security-advisories@github.com
eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.
A critical vulnerability in the Solus package manager (eopkg), present in versions prior to 4.4.0, allows a package installed from an untrusted or compromised source to place files on the system that eopkg does not record in its database. Because such files are invisible to the package manager, they can be used for arbitrary file creation and persistence on the affected system, potentially leading to system compromise and data exfiltration.
Step 1: Malicious Package Creation: An attacker crafts a malicious package containing arbitrary files, including executables, configuration files, or backdoors. These files are designed to be placed outside of the standard package installation directory, or to overwrite existing system files.
Step 2: Package Hosting/Delivery: The attacker hosts the malicious package on a compromised server, a public repository, or through social engineering to trick a user into downloading it.
Step 3: Package Installation: A user, unaware of the package's malicious nature, installs the package using eopkg from the attacker's source. This could involve adding a malicious repository to the user's configuration.
Step 4: File Placement: During installation, the malicious package's files are placed on the system, potentially in sensitive locations such as /etc, /usr/local/bin, or the user's home directory. Because eopkg doesn't track these files, they are not visible through standard package management tools.
Step 5: Persistence and Execution: The attacker's files, such as a backdoor or rootkit, are now present on the system. These files can be configured to execute at boot, or when certain events occur, giving the attacker persistent access to the compromised system.
The vulnerability stems from a flaw in how eopkg tracks files installed by packages. Specifically, the package manager fails to properly account for all files included within a malicious package. This allows an attacker to include files that are not registered with eopkg's internal database. The root cause is likely a missing or inadequate check during the package installation process, failing to validate all files against a trusted manifest or checksum. This allows an attacker to bypass the normal package management controls and place arbitrary files in arbitrary locations on the filesystem. The lack of tracking also means these files are not easily detected or removed through standard package management tools.
While no specific APT groups are directly linked to this vulnerability, the nature of the exploit makes it attractive to various threat actors. Groups targeting Linux systems, or those seeking to establish persistent access, would find this vulnerability useful. CISA KEV status: Not Applicable (as of the provided date).
Monitor file system activity for unexpected file creations, especially in critical system directories like /etc, /usr/local/bin, and /home. Look for files with unusual names or timestamps.
Use file integrity monitoring (FIM) tools to detect changes to critical system files. Configure these tools to alert on unexpected modifications.
Analyze network traffic for unusual outbound connections from the compromised system. Look for connections to suspicious IP addresses or domains.
Regularly scan the system for hidden or untracked files using tools like find or ls -la, filtering out the paths that installed packages are known to own.
Compare the files eopkg records for the installed packages (starting from the output of eopkg list-installed) with the files actually present on the system, and investigate any discrepancies.
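The following is an added example, not code from eopkg or from the advisory, illustrating both the install-time check the root-cause discussion describes as missing (reject any archive member the package manifest does not declare) and the discrepancy audit the detection guidance asks for (files present under monitored directories that no manifest claims). The files.xml-style manifest, the archive member list and the filesystem snapshot are all constructed sample data; the location and exact format of eopkg's package database are assumptions, so `tracked_paths_from_directory` must be pointed at the real database layout before use.

```python
"""Added example for this advisory (not eopkg's own code): two defensive
checks built on a package's file manifest.

1. validate_archive_members(): at install time, return the archive members
   the manifest does not list. An installer that refuses to proceed when
   this list is non-empty cannot be made to drop untracked files.
2. untracked_files(): after the fact, compare what the package database
   claims to own against what is actually present under monitored
   directories (the audit the detection guidance describes).

The manifest below is a constructed files.xml-style document; the real
layout of eopkg's package database is an assumption, not taken from the
advisory.
"""
import os
import xml.etree.ElementTree as ET
from typing import Iterable, List, Set

MONITORED_DIRS = ("/etc", "/usr/local/bin")

# Constructed sample manifest: the package declares exactly two files.
SAMPLE_MANIFEST = """<Files>
  <File><Path>etc/foo.conf</Path><Type>config</Type></File>
  <File><Path>usr/local/bin/foo</Path><Type>executable</Type></File>
</Files>"""


def normalize(path: str) -> str:
    """Absolute, normalized path; tolerates manifests that store relative paths.

    Normalizing before comparison means '..' components cannot disguise an
    undeclared destination: the resolved path is what gets checked.
    """
    return os.path.normpath("/" + path.lstrip("/"))


def tracked_paths(manifest_xml: str) -> Set[str]:
    """Paths a single package manifest declares it owns."""
    root = ET.fromstring(manifest_xml)
    return {normalize(p) for p in (f.findtext("Path") for f in root.iter("File")) if p}


def validate_archive_members(manifest_xml: str, members: Iterable[str]) -> List[str]:
    """Archive members (directories skipped) that the manifest does not declare."""
    declared = tracked_paths(manifest_xml)
    return sorted(m for m in members
                  if not m.endswith("/") and normalize(m) not in declared)


def untracked_files(tracked: Set[str], present: Iterable[str],
                    monitored: Iterable[str] = MONITORED_DIRS) -> List[str]:
    """Files present under the monitored directories that no manifest claims."""
    roots = tuple(normalize(d) for d in monitored)

    def in_scope(p: str) -> bool:
        return any(p == r or p.startswith(r + "/") for r in roots)

    return sorted(p for p in (normalize(x) for x in present)
                  if in_scope(p) and p not in tracked)


def walk_filesystem(directories: Iterable[str] = MONITORED_DIRS) -> List[str]:
    """Live listing of regular files below the given directories (for real use)."""
    found: List[str] = []
    for d in directories:
        for dirpath, _, filenames in os.walk(d):
            found.extend(os.path.join(dirpath, f) for f in filenames)
    return found


def tracked_paths_from_directory(db_dir: str) -> Set[str]:
    """Union of every files.xml found below db_dir (one manifest per package
    is an assumption about the database layout)."""
    tracked: Set[str] = set()
    for dirpath, _, filenames in os.walk(db_dir):
        for f in filenames:
            if f == "files.xml":
                with open(os.path.join(dirpath, f), encoding="utf-8") as fh:
                    tracked |= tracked_paths(fh.read())
    return tracked


# Constructed sample data: an archive listing and a filesystem snapshot.
SAMPLE_MEMBERS = ["etc/foo.conf", "usr/local/bin/foo", "etc/cron.d/", "etc/cron.d/unexpected"]
SAMPLE_PRESENT = ["/etc/foo.conf", "/etc/cron.d/unexpected", "/usr/local/bin/foo",
                  "/usr/local/bin/helper", "/tmp/scratch"]

if __name__ == "__main__":
    print("archive members not declared by the manifest:",
          validate_archive_members(SAMPLE_MANIFEST, SAMPLE_MEMBERS))
    print("untracked files under monitored directories:",
          untracked_files(tracked_paths(SAMPLE_MANIFEST), SAMPLE_PRESENT))
```

On a live system the audit is `untracked_files(tracked_paths_from_directory(db_dir), walk_filesystem())` with `db_dir` set to wherever the package database actually lives; /tmp is deliberately outside the monitored set in the sample so that scratch files do not drown out findings in the directories the detection guidance calls out.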
Upgrade eopkg to version 4.4.0 or later. This is the primary and most effective remediation.
Only install packages from trusted Solus repositories. Avoid adding or using third-party repositories unless absolutely necessary and verified.
Implement a robust file integrity monitoring (FIM) solution to detect unauthorized file modifications.
Regularly review system logs for suspicious activity, including package installation attempts from untrusted sources.
Educate users about the risks of installing packages from untrusted sources and the importance of verifying package authenticity.