0

Recently, after doing a fresh install of my Mac's OS, I downloaded VirtualBox and, from an HTTP site, a linux ISO. The ISO had only an MD5 checksum for verification. The hashes matched. So I ran the ISO in VirtualBox multiple times, briefly. Then I learned that MD5 is worthless security-wise, and deleted the ISO, uninstalled VirtualBox, and reinstalled it. Nevertheless should I do a fresh install of my OS, or am I being overly paranoid? Avast and Malwarebytes, for the little that it’s worth, say that my system is clean.

Lijishe
  • 111
  • 2
  • Actually it's not that much the question whether MD5 guarantees the integrity of the ISO image, but more how much you trust the ISO image (even if authentic). For example the authentic VM from the ISO image could try to attack your host in the background over network and send out the results to some site. – U. Windl Jun 29 '23 at 13:09

3 Answers3

2

There is some risk. You're correct that MD5 is unsuitable for protecting the integrity of a file. But even if a proper algorithm like SHA-2 had been used, this would still still have been useless without HTTPS, because in the case of HTTP, an attacker could potentially replace both the file and the hash in transit.

Nevertheless, this isn't a catastrophic case which requires immediate action. Depending on the exact circumstances, an attacker would have to go through a lot of steps to actually compromise your system:

  • In order to exploit the fact that you've used HTTP, they have to actively manipulate the traffic and swap out the image (and the hash). This can be anything from easy (e.g., if you've used a public wifi) to fairly difficult (if you're in a properly configured private network).
  • A virtual machine provides a certain level of isolation from the host system. Even if the guest is compromised due to a manipulated OS image, an attacker cannot simply perform arbitrary actions on the host systems. They're either limited to the shared resources (hardware devices, storage), or they would have to find a vulnerability in VirtualBox to break out of the virtual machine.
  • Lastly, even if the attacker manages to break out of the virtual machine, they are still restricted by the fact that VirtualBox is (hopefully!) running under a normal user account, not root. So replacing system files requires a suitable vulnerability in the host OS.
Ja1024
  • 5,769
  • 14
  • 21
  • 1
    You write, "Lastly, even if the attacker manages to break out of the virtual machine, they are, in principle, still restricted by the host OS and cannot simply manipulate the system." Could you please elaborate? For example, if the hacker were sufficiently skilled to break out of the virtual machine, wouldn't this also mean they'd likely be sufficiently skilled to do whatever they want with the host OS? I'm not understanding why the host OS would suddenly restrict them. On the contrary, wouldn't gaining access to the host OS suddenly empower them? – Lijishe Jun 25 '23 at 00:08
  • 3
    What I mean is that the VirtualBox process is running under a normal user account, not as root (unless you somehow changed that). So even breaking out of the virtual machine doesn't give the attacker root access on the host. To manipulate the host OS, they would have to find and exploit a suitable vulnerability in macOS. They might be able to do that, but it's not trivial and would require a customized attack against your specific setup. It's rather unlikely that anybody would put so much effort into attacking a single user. – Ja1024 Jun 25 '23 at 00:16
-1

You heard wrong. MD5 is worthless if you are using it for securing passwords, not for checking if your download was corrupted.

So it's not risky, and you can keep running your ISO.

Scenario based on the comments:

OP breaks up with his SO who is a professional hacker, and it's the attacker on the scenario. Attacker leaves a computer running Kali Linux on OP's premises, connected to the network and with full remote access.

Attacker have knowledge of OP's habits, interests, is fully motivated, have internal network access, have proper incentives and skills to attack OP. Attacker knows OP want to install a Linux distro and wants to MitM the transaction to infect OP's computer.

Attacker have to:

  • ARP poison OP's computer to make the hidden notebook the gateway
  • Download every Linux distro OP would want to download
  • Backdoor each iso file
  • Calculate the hash of every iso
  • Create filters to intercept the download of those files
  • Create filters to change MD5 sum for each one
  • Intercept every single page OP access over HTTP
  • Match download files on the page with iso files attacker downloaded
  • Match MD5 checksums with the ones attacker calculated
  • Replace traffic onfly to change the MD5 sum on the page
  • Replace downloaded iso file with the one attacker modified
  • Keep checking the internet for new releases of all downloaded distros

All this trouble to make OP download a poisoned iso file.

MitM is possible on this scenario, but the preparation before the attack is more complex than most of the alternatives. Even a dedicated hacker close physically and with lots of knowledge on OP routines, replacing a downloaded iso file is troublesome at least and downright impossible at most.

OP already stated he ran the downloaded iso a few times. Attacker could have replaced the iso with an executable file, and OP would have not run it multiple times: I downloaded Tiny Core, but I got this Gentoo? Sure! Let me boot it again!

MD5 here is not to provide authentication, but only to make sure the download wasn't corrupted. This happens way less on modern internet, and there's decades since I had to re-download something because of a download corruption. I would say it's impossible to a download to be corrupted and the MD5 matches the original.

With this kind of access, attacker have multiple faster, easier and more powerful attacks than modifying a iso file in transit. And if attacker tried all other simpler attacks and OP didn't fell for them, OP would not fell for this too.

ThoriumBR
  • 53,925
  • 13
  • 135
  • 152
  • 4
    The OP used plaintext HTTP, so any hash offered together with the image is useless, because an attacker could replace it in transit. Hashes only make sense over a protocol which provides integrity and authenticity (like HTTPS). Besides that, MD5 is definitely not fine for checking the integrity of data, since there are practical collision attacks. It's true that MD5 probably still works for some scenarios where collisions aren't a problem, but it's absolutely not recommended as a general-purpose hashing algorithm. – Ja1024 Jun 25 '23 at 00:30
  • Security is not always about what can possibly be done, but sometimes on what is reasonable to be done to an extent. It's unreasonable to believe some attacker would replace an ISO file while in transit AND replace the webpage with its checksum while in transit. It is possible, but the probability is so low it could be discarded, as there are several other ways some orders of magnitude easier than running a MitM process to change an ISO file. – ThoriumBR Jun 25 '23 at 01:55
  • An attacker with that much resources would better MitM the developers, got their credentials and backdoor the ISO itself. Or modify the backend to host a tainted image to some users, or email the user a link with another ISO because "the previous one is corrupt." – ThoriumBR Jun 25 '23 at 01:57
  • 1
    I have no idea how you've come to the conclusion that MitM attacks are so extremely difficult that they can generally be discarded. For very pratical attacks, look into wifi-attacks, be it with hardware like the Wifi Pineapple or software like Aircrack -- or attacks made possible simply through poor wifi-passwords. Transport encryption wasn't invented just for fun. – Ja1024 Jun 25 '23 at 02:05
  • Aircrack and Pineapple are local area attacks, and that kind of attack isn't practical to change an ISO file on the fly. The user would click the download link, wait the attacker to detect a ISO download is about to take place, intercept it, download the entire file, patch it, and send to the user, while the user looks at the browser waiting for at least a minute. – ThoriumBR Jun 25 '23 at 02:16
  • If the attacker is that close to the user, and have your wifi password, isn't easier to change the DNS settings than intercepting a very large download file to implement a backdoor? ARP poison the user, redirect him to a fake site and give him an executable instead. I am not stating that MitM is extremely difficult, it's just way easier to do other things first. – ThoriumBR Jun 25 '23 at 02:20
  • 1
    A MitM attacker doesn't have to intercept and manipulate the legitimate file, they can redirect the user to an arbitrary ISO image. Anyway, I'll happily admit that the risk of a MitM attack can be anything from very small to significant, and it's of course not the only attack. But the blanket statement that there is no risk of downloading malware in this case seemed over the top. – Ja1024 Jun 25 '23 at 02:34
  • "[A] very large download file" — in this case I was downloading Tiny Core Linux (~17 MBs) from the insecure HTTP Tiny Core website (why wouldn't they know to use HTTPS and SHA256?). So I guess if a hacker was monitoring the traffic of the Tiny Core website, a MitM attack modifying the files in transit would be very easy, no? – Lijishe Jun 25 '23 at 02:34
  • 1
    As stated, there isn't even a need for an attacker to download and manipulate the legitimate file. They could point you to arbitrary malware which has nothing to do with Tiny Core Linux. – Ja1024 Jun 25 '23 at 02:46
  • I agree with @ThoriumBR that an attack on an individual user in the manner that he describes is probably unlikely. But, an MITM attack at (or near) tinycorelinux.net (e.g. by a rogue sysadmin at tinycorelinux.net's hosting provider) would be fairly easy to pull off in the manner that Ja1024 describes, and would impact every user that downloads an ISO from tinycorelinux.net. This is similar to what happened to Linux Mint in 2016, although in that case LM's server was hacked not MITM'd, but the end result was the same. – mti2935 Jun 26 '23 at 11:09
  • @mti2935 an upstream provider would not risk ruining its reputation by running a MitM attack against a Linux distro. And any rogue sysadmin could easily slip a backdoor on the iso itself instead of MitM the download. The networks between the download site and OP have a very high risk/absolutely no reward situation if they execute or facilitate an MitM against this sort of thing. – ThoriumBR Jun 26 '23 at 14:41
  • Consider a cyber criminal with a penchant for ransomware, botnets, etc., who happens to get a sysadmin job with the upstream provider. Or an oppressive government with a state-run ISP that likes to spy on its citizens. Tiny Linux is probably too 'tiny', but imagine how those actors would be licking their chops at the prospect of being able to MITM a larger Linux distro that provides its users with only http access to their ISO's, and no effective way to verify their integrity. – mti2935 Jun 26 '23 at 18:57
  • Regardless of the motives of actors that are able to gain an MITM position - any distro that provides no way whatsoever to verify the integrity of their ISO's makes me question the distro's commitment to security altogether. – mti2935 Jun 26 '23 at 18:58
  • A large Linux distro being compromised would be even more risky. Canonical have more resources and leverage to pursue who tainted an Ubuntu iso than devs from Tiny Linux. – ThoriumBR Jun 26 '23 at 18:59
-4

You're likely fine. Contrary to some of the other follow-ups, a hash is not something that can get "replaced" during transit. It's not part of the payload (downloaded file). It's a calculated value. There is no additional risk associated with having downloaded over HTTP vs. HTTPS when it comes to checking/calculating the hash of the ISO. Any statement otherwise is due to a fundamental misunderstanding of the topic.

In the future, get your ISOs from the authoritative sites and you'll have little to worry about.

Fer5i827
  • 3
  • 4
    This is plain wrong and dangerous advice. The hash you've calculated locally tells you nothing at all without a reference hash to compare it to. When this reference hash is loaded over HTTP, then an attacker who is able to replace the file can of course replace the reference hash as well, so there is zero integrity and authenticity. You might as well ask the attacker if the file they've handed out is trustworthy. – Ja1024 Jun 25 '23 at 01:36
  • 2
    I'd generally be very careful with claims that everything is fine when you don't fully understand the technical concepts and the specific circumstances. – Ja1024 Jun 25 '23 at 01:45
  • 2
    If the reference hash is transmitted over a separate channel which provides authenticity and integrity, then the download itself can of course be safely transmitted over HTTP, but nothing what the OP said justifies this assumption. – Ja1024 Jun 25 '23 at 02:13
  • 1
    'Ja' . str(2 ^ 10) is spot on here. If the checksum hash and the URL of the ISO are accessed via http, then this provides no security at all, as anyone in a MITM position can change both and point to the attacker's own ISO. See https://security.stackexchange.com/questions/243562/how-to-verify-integrity-of-software-when-the-download-provider-doesnt-publish-h for more info. – mti2935 Jun 25 '23 at 03:15
  • You are correct. The file's hash is calculated. That can't be "replaced". But you've totally overlooked the other and most important part of the process ... – schroeder Jun 25 '23 at 11:56
  • @Ja1024 -- I fully understand the concept, you're just looking to jump on anything that even bears the appearance of contradicting you, as evidenced by your response. If you look really closely with an objective eye there is nothing inaccurate in what I said if you consider it within the context of OPs actions. – Fer5i827 Jun 26 '23 at 05:09
  • 2
    The OP has now said exactly which ISO file they're talking about, so you can actually check the source yourself. As you can see, both the image and the reference hash of the image are served via plaintext HTTP. This means a man-in-the-middle attacker who is able to manipulate the network traffic can 1) replace the ISO file with any malware they want and 2) swap out the reference hash to make it match their own ISO file. When the OP hashes the downloaded file and compares the result with the reference hash, all will look fine -- but it's malware. – Ja1024 Jun 26 '23 at 08:13
  • 2
    Also, the website is the official site of Tiny Core Linux, so the statement that there's no risk as long as the file is downloaded from an authoritative source is demonstrably wrong. – Ja1024 Jun 26 '23 at 08:16