A remote code execution vulnerability was recently discovered in APT, the high level package manager used in many Linux distributions.
Tracked as CVE-2019-3462, the software bug could be exploited by hackers able to perform network man-in-the-middle (MitM) attacks to inject content and have it executed on the target machine with root privileges. Malicious package mirrors can also exploit the bug.
“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” a Debian Security Advisory detailing the vulnerability reads.
The issue, security researcher Max Justicz explains, is that, when the HTTP server responds with a redirect, APT’s worker process returns a 103 Redirect instead of a 201 URI Done, and the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response.
“The parent process will trust the hashes returned in the injected 201 URI Done response, and compare them with the values from the signed package manifest. Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package,” the researcher notes.
APT version 1.6.y, which is present in some Ubuntu distributions, doesn’t just blindly append the URI, but the researcher did find an injection vulnerability in the subsequent 600 URI Acquire requests made to the HTTP fetcher process.
The vulnerability impacts the APT package manager itself, and users are advised to disable redirects in order to prevent exploitation when upgrading to the latest version, which also contains a patch for the vulnerability.
Users who cannot upgrade using APT without redirect can manually download the files (using wget/curl) for their architecture using specific URLs included in the Debian Security Advisory. File hashes are also provided, to check if they match those for the downloaded files.
“For the stable distribution (stretch), this problem has been fixed in version 1.4.9. We recommend that you upgrade your apt packages,” the Debian Security Advisory reads.