NetBSD Problem Report #57995

From www@netbsd.org  Sun Mar  3 19:47:35 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 88CFB1A9239
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  3 Mar 2024 19:47:35 +0000 (UTC)
Message-Id: <20240303194703.AD3BF1A923A@mollari.NetBSD.org>
Date: Sun,  3 Mar 2024 19:47:03 +0000 (UTC)
From: rwhitlock22@gmail.com
Reply-To: rwhitlock22@gmail.com
To: gnats-bugs@NetBSD.org
Subject: rsync repo transfers are insecure
X-Send-Pr-Version: www-1.0

>Number:         57995
>Category:       misc
>Synopsis:       rsync repo transfers are insecure
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Mar 03 19:50:00 +0000 2024
>Originator:     Robert Whitlock
>Release:        
>Organization:
>Environment:
>Description:
The directions at https://netbsd.org/docs/current/#getrepos give the option of using rsync to download the whole repository; however, plain rsync is unencrypted. There is no way to get an encrypted rsync connection to the NetBSD repository (because the NetBSD servers don't offer it), and there is no way to verify the correctness of the downloaded repository with cryptographic signatures. This means that any rsync transfers performed by the general public (who do not have ssh keys for rsync+ssh) are vulnerable to man-in-the-middle attacks, creating what is, for almost all practical purposes, a supply chain attack on the entire operating system.
>How-To-Repeat:
Follow the directions at https://netbsd.org/docs/current/#getrepos, run netstat -nf inet and note that the port for unencrypted rsync is being used.
>Fix:
Some possible solutions:

1) enable rsync-ssl on the NetBSD servers
2) find some way to sign rsynced repositories and publish the signatures and associated public keys somehow
3) offer another way to retrieve the repository that can either be accessed over an encrypted connection or can be verified with cryptographic signatures after downloading it
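As an added example that is not part of this PR or of NetBSD's own tooling: the check described under How-To-Repeat, run over a constructed `netstat -nf inet` sample in the BSD "addr.port" layout, plus a classifier that tells a plaintext rsync daemon transfer from one carried by ssh. The rsync daemon port (873), the netstat layout and the sample addresses and hostnames are assumptions.

```python
"""Detect plaintext rsync transfers (added example; BSD netstat layout and
the IANA rsync daemon port 873 are assumptions, sample addresses constructed)."""

RSYNC_DAEMON_PORT = 873  # rsync:// daemon protocol; carries no encryption itself

# Constructed `netstat -nf inet` output in the BSD "addr.port" layout.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  192.0.2.10.54321       198.51.100.7.873       ESTABLISHED
tcp        0      0  192.0.2.10.54322       198.51.100.7.22        ESTABLISHED
tcp        0      0  192.0.2.10.54323       203.0.113.9.443        ESTABLISHED
tcp        0      0  127.0.0.1.873          *.*                    LISTEN
udp        0      0  *.68                   *.*
"""

def split_addr_port(field):
    """Split BSD 'a.b.c.d.port' (or '*.*') on its last dot; '*' port -> None."""
    host, _, port = field.rpartition(".")
    return host, (None if port == "*" else int(port))

def plaintext_rsync_connections(netstat_text):
    """(local, foreign) pairs for ESTABLISHED TCP sessions whose remote end is an
    rsync daemon, i.e. repository transfers sent in the clear."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and UDP rows (no State column)
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "ESTABLISHED" and split_addr_port(foreign)[1] == RSYNC_DAEMON_PORT:
            found.append((local, foreign))
    return found

def rsync_transport(argv):
    """Classify an rsync command line by how it reaches the remote side:
    'daemon' (rsync:// or host::module, plaintext unless wrapped by rsync-ssl),
    'daemon-over-rsh' (daemon syntax tunnelled through -e/--rsh, e.g. ssh),
    'rsh' (host:path, carried by ssh by default) or 'local' (no network)."""
    operands = [a for a in argv[1:] if not a.startswith("-")]
    has_rsh = any(a in ("-e", "--rsh") or a.startswith("--rsh=") for a in argv)
    if any(a.startswith("rsync://") or "::" in a for a in operands):
        return "daemon-over-rsh" if has_rsh else "daemon"
    if has_rsh or any(":" in a for a in operands):
        return "rsh"
    return "local"

if __name__ == "__main__":
    for local, foreign in plaintext_rsync_connections(SAMPLE_NETSTAT):
        print(f"plaintext rsync: {local} -> {foreign}")
    print(rsync_transport(["rsync", "-rlt", "rsync://example.org/cvsroot/", "."]))
```

On a real host, pipe the output of `netstat -nf inet` into `plaintext_rsync_connections`; any ESTABLISHED session to a remote port 873 is a repository transfer that neither ssh nor rsync-ssl is protecting.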
