Warning from Security Experts: Exploit in Ubuntu Allows Pushing of Malicious Snaps

Researchers at Aqua Security have identified a security flaw in Ubuntu’s “command not found” feature. This gap could potentially be exploited by attackers to mislead users into installing harmful snaps.

In a detailed blog post, researcher Ilay Goldman warns about the possible dangers of attackers exploiting the “command-not-found” utility to suggest their own harmful snap packages.

He is concerned about the scale of the issue: attackers could impersonate thousands of commands from widely used packages. Goldman cites previous cases of harmful packages turning up in the Snap Store to show that this is not a purely hypothetical worry.

So, what exactly is the problem, how risky is it, and should Ubuntu users be concerned about it?

Package Suggestions can be Gamed

Can this helpful feature be exploited? Security bods say yes

When you type a command that belongs to a package you don’t have installed, Ubuntu shows a “command not found” error.

But, to be helpful, it also suggests the package(s) that provide the missing command.

Suggestions come from two sources: DEB packages available in the Ubuntu repos (looked up in a local database) and snap packages (looked up in a copy of the Snap Store’s command catalogue that snapd refreshes regularly, so newly published snaps soon start appearing as recommendations).

And it’s this helpful feature security researchers say is open for manipulation by bad actors (and I don’t mean the Tommy Wiseau kind) using snap apps.

To prove the viability of this attack vector Aqua Nautilus performed a few experiments.

In one example, they ran `jupyter-notebook` on a fresh Ubuntu install and, as it isn’t preinstalled, command-not-found did its job: it said “not found”, recommended the relevant package, and showed how to install it with apt.

So far so good.

But this particular command returned no snap suggestion (the feature lists both DEB and snap candidates when both exist), so they figured the name `jupyter-notebook` had never been registered on the Snap Store.

So the researchers registered it, filled in the details, and uploaded a (dummy) app impersonating the real one. Sure enough, command-not-found started recommending their pretend package, and listed it before the legitimate one:

[Screenshot: command-not-found output listing the impostor snap above the real apt package. Caption: One of these isn’t what it seems, but could you tell?]

In the example shown, the fraudulent snap carried a higher version number and was listed ahead of the genuine APT package, so a user could easily read the first entry, the snap, as the recommended choice.

That is the heart of the problem.

Anyone can game the recommendation system, turning this innocent, user-oriented feature into a vehicle for pushing questionable snap packages. All an attacker needs to do is upload a snap whose name matches a sought-after command that nobody has registered on the Snap Store yet; command-not-found takes care of the rest.

Worse, Aqua Nautilus report that roughly 26% of the commands provided by APT packages are open to this kind of impersonation, because no snap of the same name has been registered. They also experimented with other tactics (snap aliases, typosquatting, and the like) that a dishonest publisher could use to get counterfeit packages suggested to users, sometimes ahead of legitimate ones.
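To make that “26%” figure concrete, here is an added example (my code, not Aqua’s or Canonical’s) that walks the kind of database command-not-found keeps and sorts each command into “snap name already taken”, “could be registered today” and “not a valid snap name”. The two-table layout, the package rows and the set of registered snap names are constructed stand-ins, as the comments note; a real audit would read `/var/lib/command-not-found/commands.db` and query the Snap Store for each name.

```python
"""
Added example (not from the article or Aqua's report): estimate how much of a
command-not-found database is open to snap-name impersonation.

Assumptions, labelled as such:
- On Ubuntu, command-not-found keeps its APT data in an SQLite file
  (/var/lib/command-not-found/commands.db). The two-table layout below is a
  simplified stand-in, built in memory from constructed rows.
- The set of already-registered snap names is a constructed sample; a real
  audit would take it from the Snap Store (for instance via `snap find`).
- Snap naming rules follow snapd's validation: lowercase a-z, 0-9 and '-',
  no leading, trailing or double hyphen, at least one letter, at most 40
  characters. A command whose name breaks these rules cannot be shadowed by
  a same-named snap, only via a snap alias.
"""
import re
import sqlite3

SNAP_NAME_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def is_valid_snap_name(name: str) -> bool:
    """True if `name` could be registered as a snap name (see assumptions)."""
    return (
        len(name) <= 40
        and SNAP_NAME_RE.match(name) is not None
        and any(c.isalpha() for c in name)
    )


# Constructed rows, shaped like command-not-found's packages/commands tables.
APT_PACKAGES = [
    (1, "jupyter-notebook", "6.4.12-2"),
    (2, "imagemagick", "8:6.9.11"),
    (3, "ripgrep", "13.0.0-2"),
    (4, "httpie", "3.2.1-1"),
    (5, "flake8", "5.0.4-1"),
    (6, "docutils-common", "0.19+dfsg-6"),
]
APT_COMMANDS = [
    (1, 1, "jupyter-notebook"),
    (2, 2, "convert"),
    (3, 2, "identify"),
    (4, 3, "rg"),
    (5, 4, "http"),
    (6, 4, "https"),
    (7, 5, "flake8"),
    (8, 6, "rst2html.py"),
]
# Constructed: snap names already taken on the store (by whom is a separate question).
REGISTERED_SNAPS = {"rg", "http"}


def build_db(packages, commands):
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE packages (pkgID INTEGER PRIMARY KEY, name TEXT, version TEXT);
        CREATE TABLE commands (cmdID INTEGER PRIMARY KEY, pkgID INTEGER, command TEXT);
        """
    )
    conn.executemany("INSERT INTO packages VALUES (?, ?, ?)", packages)
    conn.executemany("INSERT INTO commands VALUES (?, ?, ?)", commands)
    return conn


def classify_commands(conn, registered_snaps):
    """Bucket every APT-provided command by how a snap could shadow it."""
    rows = conn.execute(
        "SELECT c.command, p.name FROM commands c "
        "JOIN packages p ON c.pkgID = p.pkgID ORDER BY c.command"
    ).fetchall()
    report = {"impersonable": [], "registered": [], "needs_alias": []}
    for command, pkg in rows:
        if not is_valid_snap_name(command):
            report["needs_alias"].append((command, pkg))   # only reachable via a snap alias
        elif command in registered_snaps:
            report["registered"].append((command, pkg))    # name already taken
        else:
            report["impersonable"].append((command, pkg))  # free to register today
    return report


def exposure_ratio(report):
    """Share of commands an attacker could claim with a plain snap registration."""
    total = sum(len(bucket) for bucket in report.values())
    return len(report["impersonable"]) / total if total else 0.0


if __name__ == "__main__":
    report = classify_commands(build_db(APT_PACKAGES, APT_COMMANDS), REGISTERED_SNAPS)
    for bucket, entries in report.items():
        print(f"{bucket}: {', '.join(cmd for cmd, _ in entries) or '-'}")
    print(f"impersonable share: {exposure_ratio(report):.0%}")
```

The “registered” bucket is deliberately not treated as safe: a taken name only tells you that somebody got there first, not that it was the upstream project.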

Which is all kinds of worrying.

Is this actually an issue?

The good news is that, for now, this is a proof of concept rather than an attack seen in the wild (albeit a tested one). No-one has reported being duped through the command-not-found (CNF) mechanism, and there are no signs of any snap malware actively exploiting the loophole, so that’s good.

Plus, Canonical should be able to mitigate the issue on their end; perhaps by restricting the snap suggestions surfaced through this feature to snaps published by verified developers?

It is also fair to assume that CNF gets less use on Ubuntu desktops than on servers and headless setups such as WSL, where the CLI reigns. That is some comfort for desktop users, who are less likely to be duped, but it makes the issue more pressing for servers, IoT devices and other infrastructure systems.

As users, the onus is on us to exercise caution: watch for typos, verify what we are about to install, and check that it is packaged by a trusted source, whichever source it comes from.
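As an added example of that “verify what you install” advice (my code, not from the article or Aqua’s report), the script below parses the suggestion text command-not-found prints, checks the `snap info` publisher line for the verified mark, and flags a snap whose name is one typo away from a command the archive already provides. The suggestion text, the `snap info` text and the list of known commands are all constructed samples, as the comments note.

```python
"""
Added example (not part of the article or Aqua's research): vet what
command-not-found proposes before typing `sudo snap install`.

Assumptions, labelled as such:
- CNF_OUTPUT and CNF_TYPO are constructed to mimic the text Ubuntu's
  command-not-found prints; a real check would capture the output of
  running the missing command.
- SNAP_INFO holds constructed `snap info` text. `snap info <name>` marks a
  verified publisher by appending a check mark to the publisher line, and
  that mark is what is tested here.
- KNOWN_APT_COMMANDS stands in for the commands listed in the local
  command-not-found database; it is used to catch typosquatted snap names.
"""
import re

SUGGESTION_RE = re.compile(
    r"^sudo (snap|apt)\s+install (\S+)(?:\s+# version ([^\s,]+))?", re.M
)

CNF_OUTPUT = (  # constructed
    "Command 'jupyter-notebook' not found, but can be installed with:\n"
    "sudo snap install jupyter-notebook  # version 7.0.0, or\n"
    "sudo apt  install jupyter-notebook  # version 6.4.12-2.2ubuntu1\n"
    "See 'snap info jupyter-notebook' for additional versions.\n"
)
CNF_TYPO = (  # constructed: the typo itself has become an installable snap name
    "Command 'jupyter-notebok' not found, but can be installed with:\n"
    "sudo snap install jupyter-notebok  # version 1.0\n"
    "See 'snap info jupyter-notebok' for additional versions.\n"
)
SNAP_INFO = {  # constructed `snap info` excerpts
    "jupyter-notebook": "name:      jupyter-notebook\n"
                        "summary:   Jupyter Notebook\n"
                        "publisher: example-dev\n",
    "jupyter-notebok":  "name:      jupyter-notebok\n"
                        "publisher: other-dev\n",
    "core":             "name:      core\n"
                        "publisher: Canonical✓\n",
}
KNOWN_APT_COMMANDS = {"jupyter-notebook", "convert", "rg"}  # constructed


def parse_suggestions(cnf_output):
    """Return (typed command, [(kind, package, version), ...])."""
    m = re.search(r"Command '([^']+)' not found", cnf_output)
    typed = m.group(1) if m else None
    return typed, SUGGESTION_RE.findall(cnf_output)


def publisher_is_verified(snap_info_text):
    for line in snap_info_text.splitlines():
        if line.startswith("publisher:"):
            return line.rstrip().endswith("✓")
    return False


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet(cnf_output, snap_info_for, known_commands):
    """Attach a verdict to each install line command-not-found suggested."""
    _typed, suggestions = parse_suggestions(cnf_output)
    has_apt = any(kind == "apt" for kind, _, _ in suggestions)
    verdicts = []
    for kind, name, _version in suggestions:
        if kind == "apt":
            verdicts.append((f"apt:{name}", "ok: Ubuntu archive package"))
            continue
        # A snap one edit away from a known command is the typosquatting case.
        near = sorted(c for c in known_commands if c != name and levenshtein(c, name) <= 1)
        if near:
            verdicts.append((f"snap:{name}", f"warn: looks like a typo of {near[0]!r}"))
            continue
        if publisher_is_verified(snap_info_for(name) or ""):
            verdicts.append((f"snap:{name}", "ok: verified publisher"))
        else:
            hint = ", prefer the apt package" if has_apt else ""
            verdicts.append((f"snap:{name}", "warn: unverified publisher" + hint))
    return verdicts


if __name__ == "__main__":
    for text in (CNF_OUTPUT, CNF_TYPO):
        for target, verdict in vet(text, SNAP_INFO.get, KNOWN_APT_COMMANDS):
            print(f"{target:24} {verdict}")
```

Note what this does not do: a verified publisher mark says who uploaded the snap, not that the snap is the upstream project, so the apt package from the archive is still preferred whenever one is offered.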

Keen on delving deeper? Do visit the Aqua blog post to explore the entire report.

The blog post not only explains how command-not-found works and how it ranks its suggestions, but also shows how a malicious snap can do unsettling things even under strict confinement and without triggering a manual review.

Food for thought!

