The independent security consultant Max Justicz has discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.
The flaw, tracked as CVE-2019-3462, affects package manager version 0.8.15 and later, it could be exploited by an attacker in a MiTM position to execute arbitrary code as root on a machine and install any package.
“I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.” reads a blog post published by
“The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.”
Vulnerable versions of APT fail in sanitizing certain parameters during HTTP redirects and a remote man-in-the-middle attacker could to inject malicious content and trick the system into installing tainted packages.
While using apt-get command, HTTP redirects allow Linux systems to automatically request packages from a mirror server when others are unavailable. When the first server is not able to provide the package, it
“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection.” reads the Debian Security Advisory “This content could then be recognized as a valid package by APT and used later
The expert published a video
In order to mitigate this flaw, it is possible to implement HTTPS that could prevent exploitation of the vulnerability.
APT maintainers quickly patched the CVE-2019-3462 vulnerability with the release of version 1.4.9, Linux users must update their systems as soon as possible.
(SecurityAffairs – Linux distribution, APT package manager)