Could let remote attackers install malicious packages

Jan 23, 2019 14:07 GMT

The Debian Project and Canonical have released patched APT packages for all of their supported distributions to address a critical security vulnerability that could allow remote attackers to perform a man-in-the-middle attack.

The security vulnerability was discovered by Max Justicz in the APT package, the high-level package manager used by the Debian GNU/Linux and Ubuntu operating systems, as well as any other derivative, official or unofficial, such as Kubuntu, Lubuntu, Xubuntu, Ubuntu MATE, and even the popular Linux Mint.

The issue could allow a remote attacker to trick APT into installing malicious packages posing as valid ones, which could then execute code with administrative (root) privileges after installation and take control of the vulnerable machine. More details are available under CVE-2019-3462.

"The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection," reads the Debian security advisory.

All Debian and Ubuntu users are urged to update APT immediately

All Debian and Ubuntu users, as well as users of any derivatives using the APT package manager, are urged to update their installations as soon as possible to the new APT versions that are already available in the main software repositories of their GNU/Linux distributions.

Canonical has released patched versions of APT for Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), Ubuntu 14.04 LTS (Trusty Tahr), and Ubuntu 12.04 ESM (Precise Pangolin). On the other hand, the Debian Project released patched APT packages for the Debian GNU/Linux 9 "Stretch" series.

A standard system update will address the issue, but the Debian Project recommends disabling redirects in APT while updating, using the commands below, so that the update process itself cannot be exploited. If the update fails with redirects disabled, you can manually download the patched APT versions from the security advisory.

apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
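The advisory quoted above says the redirect handler did not sanitize fields taken from the wire. The following added example (not APT's code) models that defect class in a simplified "Key: Value" line protocol like the one APT uses to talk to its transport methods: the unsafe path percent-decodes a redirect target and emits it verbatim, so an encoded line break adds attacker-controlled fields, while the hardened path validates the decoded value first. The sample URLs, the message format and the field names are constructed for illustration.

```python
"""Unsafe vs. hardened handling of a redirect target in a line-oriented
"Key: Value" control protocol (simplified model, not APT's real parser)."""
from urllib.parse import unquote, urlsplit

# Constructed sample values (not from the advisory).
BENIGN = "http://deb.example.org/debian/pool/main/a/apt/apt_amd64.deb"
HOSTILE = "http://deb.example.org/x%0AInjected-Field:%20value"


def build_message_unsafe(new_uri: str) -> str:
    """Vulnerable pattern: decode the wire value, then emit it verbatim."""
    return f"103 Redirect\nURI: http://old.example.org/\nNew-URI: {unquote(new_uri)}\n\n"


def parse_message(msg: str) -> dict:
    """Read 'Key: Value' lines the way a naive protocol reader would."""
    fields = {}
    for line in msg.strip().split("\n")[1:]:  # skip the status line
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields


def validate_redirect_target(new_uri: str) -> str:
    """Hardened pattern: reject control characters after decoding and
    require a plain http(s) URL with a host; raise ValueError otherwise."""
    decoded = unquote(new_uri)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("redirect target is not an http(s) URL")
    return decoded


def is_safe_redirect(new_uri: str) -> bool:
    """True when the target passes validation, False when it is rejected."""
    try:
        validate_redirect_target(new_uri)
        return True
    except ValueError:
        return False


def injected_keys(new_uri: str) -> set:
    """Fields the unsafe message carries beyond the two legitimate ones."""
    return set(parse_message(build_message_unsafe(new_uri))) - {"URI", "New-URI"}


if __name__ == "__main__":
    print("benign injects:", injected_keys(BENIGN), "safe:", is_safe_redirect(BENIGN))
    print("hostile injects:", injected_keys(HOSTILE), "safe:", is_safe_redirect(HOSTILE))
```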