Original Source: BleepingComputer
Independent consultant and security contractor Max Justicz discovered a remote code execution issue in APT, the high-level package manager used by Debian, Ubuntu, and other related Linux distributions.
As described by Justicz, the APT vulnerability present in the package manager starting with version 0.8.15 “allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt.”
Moreover, as detailed in the DSA-4371-1 Debian Security Advisory by Yves-Alexis Perez:
The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.
Because the vulnerability, described as a “content injection in http method” on Ubuntu’s Launchpad repository and tracked as CVE-2019-3462, affects the package manager itself (the tool used to update the OS components), the Debian advisory recommends that users take a few extra steps to avoid having their systems exploited until they update APT to the latest, patched version:
Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use:
deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main
Users who cannot update their installation using APT without having redirects enabled can also download the updated versions manually with the help of curl or wget from the DSA-4371-1 Advisory, check the hashes to make sure that the packages haven’t been tampered with, and install them with the help of dpkg -i.
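One way to carry out the manual route described above, as an added example that is not part of the advisory or the original article: a POSIX shell helper that checks each downloaded .deb against a manifest of hashes and calls dpkg -i only if every file matches. The manifest file, its format, the use of SHA256 and the function names are assumptions; the hash values themselves must be copied from the DSA-4371-1 advisory.

```shell
#!/bin/sh
# Added example (not from the advisory). Manifest format assumed here:
#   <sha256-hex>  <package-file.deb>
# one entry per line, with the hashes copied from the DSA-4371-1 advisory.

# verify_debs MANIFEST DIR
# Returns 0 only when every listed file exists in DIR and matches its hash,
# 1 on any missing or mismatching file, 2 when the manifest is unusable.
verify_debs() {
    manifest=$1 dir=$2 status=0 count=0
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r want name || [ -n "$want" ]; do
        case $want in ''|'#'*) continue ;; esac
        count=$((count + 1))
        # A bare file name is required: no directories, no empty field.
        case $name in ''|*/*) echo "BAD ENTRY $name" >&2; status=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; status=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; status=1
        fi
    done < "$manifest"
    # An empty manifest must not count as "everything verified".
    [ "$count" -gt 0 ] || { echo "manifest lists no packages" >&2; return 2; }
    return "$status"
}

# install_verified MANIFEST DIR
# Installs exactly the files named in MANIFEST, and only after all of them verify.
install_verified() {
    verify_debs "$1" "$2" || { echo "verification failed, not installing" >&2; return 1; }
    manifest=$1 dir=$2
    set --
    while read -r want name || [ -n "$want" ]; do
        case $want in ''|'#'*) continue ;; esac
        set -- "$@" "$dir/$name"
    done < "$manifest"
    dpkg -i "$@"
}
```

Run install_verified as root with the manifest and the download directory as arguments; any .deb in that directory that the manifest does not list is left uninstalled.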
A short video proof-of-concept demo of the man-in-the-middle attack, exploiting a Dockerfile, was also provided by Justicz.
The RCE bug has been fixed today in the APT 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1 packages, as well as in APT 1.4.9 for the Debian distribution.
A similar issue was discovered by Google Project Zero’s Jann Horn in December 2016, which was later patched in the 1.0.9.8.4 and 1.4~beta2 versions of APT.
According to Horn’s report, the vulnerable APT versions were not properly handling “errors when validating signatures on InRelease files. An attacker able to man-in-the-middle HTTP requests to an apt repository that uses InRelease files (clearsigned Release files), can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution.”