Ubuntu’s “command not found” tool could trick users into installing unauthorized packages

February 14, 2024 | Pressroom | Software security/vulnerabilities


Cybersecurity researchers have discovered that it is possible for threat actors to exploit a popular utility called command-not-found to recommend their rogue packages and compromise systems running the Ubuntu operating system.

“While ‘command-not-found’ serves as a useful tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages,” the cloud security firm Aqua said in a report shared with The Hacker News.

Installed by default on Ubuntu systems, command-not-found suggests packages to install in interactive bash sessions when you try to run commands that are not available. Suggestions include both the Advanced Packaging Tool (APT) and snap packages.

While the tool uses an internal database (“/var/lib/command-not-found/commands.db”) to suggest APT packages, it relies on the “advise-snap” command to suggest snaps that provide the specified command.


Therefore, if an attacker were able to trick this system into having a malicious package recommended by the command-not-found utility, this could pave the way for software supply chain attacks.

Aqua said it has found a potential loophole in which the alias mechanism can be exploited by a threat actor to register the snap name associated with an alias and trick users into installing the malicious package.

Additionally, an attacker could claim the snap name for an APT package and upload a malicious snap, which then ends up being suggested when a user types the command on their terminal.


“The maintainers of the APT package ‘jupyter-notebook’ have not claimed the name of the corresponding snap,” Aqua said. “This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap called ‘jupyter-notebook.’”

To make matters worse, the command-not-found utility suggests the snap package over the legitimate APT package for jupyter-notebook, tricking users into installing the fake snap package.

As many as 26% of APT package commands are vulnerable to imitation by attackers, Aqua noted, presenting a substantial security risk, as their snap names could be registered under an attacker’s account.

A third category includes typosquatting attacks in which typographical errors made by users (e.g., ifconfigg instead of ifconfig) are exploited to suggest bogus snap packages by registering a fraudulent package with the name “ifconfigg”.


In that case, command-not-found “would incorrectly match it to this incorrect command and recommend the malicious snap, completely ignoring the suggestion for ‘net-tools’,” the Aqua researchers explained.

Describing the abuse of the command-not-found utility to recommend counterfeit packages as a pressing concern, the company urges users to verify the source of a package before installation and to check the credibility of maintainers.

APT and snap package developers were also advised to register the snap name associated with their commands to prevent misuse.
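A defender-side check covering the three abuse paths described above (unclaimed snap names, snaps held by a publisher other than the APT maintainer, and typosquatted snap names), added here as an illustration; it is not part of Aqua’s report or of the command-not-found tool. The command table, the snap-store snapshot and the trusted-publisher set are constructed sample data standing in for commands.db and a live snap store query.

```python
from typing import Dict, List, Tuple

# Constructed sample: command -> APT package, standing in for
# /var/lib/command-not-found/commands.db.
APT_COMMANDS: Dict[str, str] = {
    "ifconfig": "net-tools",
    "jupyter-notebook": "jupyter-notebook",
    "ls": "coreutils",
}

# Constructed snap-store snapshot: snap name -> publisher.
# A name missing here is unclaimed and could be registered by anyone.
SNAP_STORE: Dict[str, str] = {
    "ifconfigg": "unknown-dev",  # one-character typo of ifconfig
    "ls": "canonical",
}
TRUSTED_PUBLISHERS = {"canonical"}  # assumption: publishers we accept


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def audit_unclaimed(apt_commands: Dict[str, str], snap_store: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report APT commands whose snap name is unclaimed or held by an untrusted publisher."""
    findings = []
    for cmd, pkg in apt_commands.items():
        publisher = snap_store.get(cmd)
        if publisher is None:
            findings.append((cmd, f"snap name '{cmd}' is unclaimed; maintainer of {pkg} should register it"))
        elif publisher not in TRUSTED_PUBLISHERS:
            findings.append((cmd, f"snap '{cmd}' is published by '{publisher}', not the APT maintainer"))
    return findings


def vet_suggestion(typed: str, apt_commands: Dict[str, str], snap_store: Dict[str, str]) -> str:
    """Advice to show before a user acts on a command-not-found suggestion."""
    if typed in apt_commands:  # prefer the distro package over any same-named snap
        return f"install APT package {apt_commands[typed]}"
    for cmd, pkg in apt_commands.items():
        if within_one_edit(typed, cmd):  # likely typo: point at the real command, not a snap
            return f"'{typed}' looks like a typo of '{cmd}' (APT package {pkg}); do not install snap '{typed}'"
    publisher = snap_store.get(typed)
    if publisher is None:
        return f"no APT or snap package provides '{typed}'"
    return f"snap '{typed}' exists from publisher '{publisher}'; verify it before installing"
```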

“It remains uncertain how widely these capabilities have been exploited, underscoring the urgency for increased vigilance and proactive defense strategies,” Aqua said.
