Cybersecurity researchers have discovered that threat actors may be using a well-known utility called command-not-found to recommend their own rogue software packages and compromise systems running the Ubuntu operating system.
Cloud security company Aqua said in a report: “While ‘command-not-found’ is a convenient tool that can suggest the installation of uninstalled commands, it can be inadvertently manipulated by attackers through snap repositories. This leads to deceptive suggestions of malware packages.” shared with Hacker News.
Installed by default on Ubuntu systems, command-not-found will suggest installing the package in an interactive bash session when trying to execute a command that is not available. These recommendations include Advanced Packaging Tools (APT) and snap packages.
While the tool uses an internal repository (“/var/lib/command-not-found/commands.db”) to suggest APT packages, it relies on the “advise-snap” command to suggest a snapshot for a given command.
Therefore, if an attacker is able to trick the system and have “command-not-found” packages recommend their malicious packages, this could pave the way for software supply chain attacks.
Aqua said it discovered a potential vulnerability that could allow threat actors to exploit the alias mechanism to register the corresponding snapshot name associated with the alias and trick users into installing a malware package.
What’s more, an attacker can claim a snapshot name associated with an APT suite and upload a malicious snapshot, which will then ultimately prompt the user when typing commands on the terminal.
“The maintainers of the ‘jupyter-notebook’ APT package did not declare the corresponding snap name,” Aqua said. “This oversight leaves a window of opportunity for an attacker to claim it and upload a malicious snapshot named ‘jupyter-notebook’.”
To make matters worse, the command-not-found utility misleads users into installing a fake snap package by suggesting that it places the snap package on top of jupyter-notebook’s legitimate APT package.
Aqua noted that up to 26% of APT package commands are vulnerable to impersonation by malicious actors, which poses a huge security risk as they may be registered under an attacker’s account.
The third type involves misprint attacks, in which typographical errors made by users (for example, ifconfigg instead of ifconfig) are exploited to recommend fake snap packages by registering a scam package named “ifconfigg”.
In this case, command-not-found “erroneously matches it with this incorrect command and recommends a malicious snapshot, completely bypassing the ‘Network Tool’ recommendation,” Aqua researchers explained.
The company described the pressing issue of misuse of the Command Not Found utility to recommend fake packages, urging users to verify the source of packages and check the maintainers’ credibility before installing them.
Developers of APT and snap suites are also recommended to register associated snap names for their commands to prevent their misuse.
“It is uncertain to what extent these capabilities may be exploited, which underscores the urgency for heightened vigilance and proactive defense strategies,” Akwa said.
