The independent security consultant Max Justicz has discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.
The flaw, tracked as CVE-2019-3462, affects package manager version 0.8.15 and later, it could be exploited by an attacker in a MiTM position to execute arbitrary code as root on a machine and install any package.
“I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.” reads a blog post published by
“The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.”
Vulnerable versions of APT fail in sanitizing certain parameters during HTTP redirects and a remote man-in-the-middle attacker could to inject malicious content and trick the system into installing tainted packages.
While using apt-get command, HTTP redirects allow Linux systems to automatically request packages from a mirror server when others are unavailable. When the first server is not able to provide the package, it
“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection.” reads the Debian Security Advisory “This content could then be recognized as a valid package by APT and used later
The expert published a video
In order to mitigate this flaw, it is possible to implement HTTPS that could prevent exploitation of the vulnerability.
APT maintainers quickly patched the CVE-2019-3462 vulnerability with the release of version 1.4.9, Linux users must update their systems as soon as possible.
(SecurityAffairs – Linux distribution, APT package manager)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.