Pierluigi Paganini January 22, 2019

Expert discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.

The independent security consultant Max Justicz has discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.

The flaw, tracked as CVE-2019-3462, affects package manager version 0.8.15 and later, it could be exploited by an attacker in a MiTM position to execute arbitrary code as root on a machine and install any package.

“I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.” reads a blog post published by
Justicz.

“The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.”

Vulnerable versions of APT fail in sanitizing certain parameters during HTTP redirects and a remote man-in-the-middle attacker could to inject malicious content and trick the system into installing tainted packages.

While using apt-get command, HTTP redirects allow Linux systems to automatically request packages from a mirror server when others are unavailable. When the first server is not able to provide the package, it respond by providing the next suitable server.

“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection.” reads the Debian Security Advisory “This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.”

The expert published a video PoC that shows an attacker intercepting HTTP traffic between APT package manager and a mirror server, or a rogue mirror, and replace the legitimate package with a malicious one.

https://justi.cz/assets/aptpoc.mp4

According to Justicz, the flaw could affect all package downloads, including packages installed by the user for the first time.

In order to mitigate this flaw, it is possible to implement HTTPS that could prevent exploitation of the vulnerability.

“Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so. I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.” wrote the expert.

APT maintainers quickly patched the CVE-2019-3462 vulnerability with the release of version 1.4.9, Linux users must update their systems as soon as possible.

Pierluigi Paganini

(SecurityAffairs – Linux distribution, APT package manager)

[adrotate banner=”5″] [adrotate banner=”13″]