Ubuntu 'command-not-found' Tool Could Trick Users into Installing Rogue Packages
17.2.24  Hacking  The Hacker News

Cybersecurity researchers have found that it's possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running Ubuntu operating system.

"While 'command-not-found' serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages," cloud security firm Aqua said in a report shared with The Hacker News.

Installed by default on Ubuntu systems, command-not-found suggests packages to install in interactive bash sessions when attempting to run commands that are not available. The suggestions include both the Advanced Packaging Tool (APT) and snap packages.

When the tool uses an internal database ("/var/lib/command-not-found/commands.db") to suggest APT packages, it relies on the "advise-snap" command to suggest snaps that provide the given command.

Thus, should an attacker be able to game this system and have their malicious package recommended by the command-not-found package, it could pave the way for software supply chain attacks.

Aqua said it found a security loophole wherein the alias mechanism can be exploited by the threat actor to potentially register the corresponding snap name associated with an alias and trick users into installing the malicious package.

What's more, an attacker could claim the snap name related to an APT package and upload a malicious snap, which then ends up being suggested when a user types in the command on their terminal.


"The maintainers of the 'jupyter-notebook' APT package had not claimed the corresponding snap name," Aqua security researcher Ilay Goldman said. "This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named 'jupyter-notebook.'"

To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package.

As many as 26% of the APT package commands are vulnerable to impersonation by malicious actors, Aqua noted, presenting a substantial security risk, as they could be registered under an attacker's account.

A third category entails typosquatting attacks in which typographical errors made by users (e.g., ifconfigg instead of ifconfig) are leveraged to suggest bogus snap packages by registering a fraudulent package with the name "ifconfigg."

In such a case, command-not-found "would mistakenly match it to this incorrect command and recommend the malicious snap, bypassing the suggestion for 'net-tools' altogether," Aqua researchers explained.

Describing the abuse of the command-not-found utility to recommend counterfeit packages as a pressing concern, the company is urging users to verify the source of a package before installation and check the maintainers' credibility.

Developers of APT and snap packages have also been advised to register the associated snap name for their commands to prevent them from being misused.

"It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies," Aqua said.