loader gif

Linux package manager APT contains Remote Code Execution flaw and allows MITM attacks

Linux package manager APT contains Remote Code Execution flaw and allows MITM attacks
  • Attackers intercepting an APT utility and a mirror server can execute malicious code on a system and control access privileges.
  • After the intrusion, they can initiate man-in-the-middle (MITM) attacks by installing malicious packages.

A remote code execution flaw found in Linux’s package manager Advanced Package Tool (APT), can leave attackers to commit MITM attacks. APT is a user interface program that works with core libraries to manage software on Debian, Ubuntu, and other Linux-based computer systems.

It appears that a vulnerability labeled CVE-2019-3462, exists when installing new packages. Security researcher Max Jusicz uncovered this flaw in the popular package manager.

Flaw lies in HTTP redirects

A blog post by Jusicz illustrates his exploit on the bug. Usually, APT HTTP redirects help Linux systems to capture the suitable mirror servers to download software packages.

If the first server fails, then it returns a response with the location of next server from where the client should request the package. Incidentally, APT leaves out certain parameters during these HTTP redirects and makes room for attackers to perform MITM attacks.

“Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,” explained Jusicz in his post. It means that the attacker can inject code at the redirect point.

Absent in latest versions

Jusicz mentions that the flaw has been fixed in the latest versions of the package manager. The developers of APT, Debian has acknowledged the flaw and are currently working to resolve this issue.

Jusicz also advises users to disable HTTP redirects when updating to a new version. This way the flaw is rendered invalid for the meantime till they update their APT package.

Fortunately, the version 1.4.9 of APT which is used in Debian distribution, comes with this issue fixed. Similarly, the bug has been fixed in the Ubuntu-flavored versions of APT including 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1.

loader gif