Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Code Execution Vulnerability Impacts Linux Package Manager

A remote code execution vulnerability was recently discovered in APT, the high level package manager used in many Linux distributions. 

A remote code execution vulnerability was recently discovered in APT, the high level package manager used in many Linux distributions. 

Tracked as CVE-2019-3462, the software bug could be exploited by hackers able to perform network man-in-the-middle (MitM) attacks to inject content and have it executed on the target machine with root privileges. Malicious package mirrors can also exploit the bug. 

“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” a Debian Security Advisory detailing the vulnerability reads

The issue, security researcher Max Justicz explains, is that, when the HTTP server responds with a redirect, APT’s worker process returns a 103 Redirect instead of a 201 URI Done, and the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response.

“The parent process will trust the hashes returned in the injected 201 URI Done response, and compare them with the values from the signed package manifest. Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package,” the researcher notes. 

APT version 1.6.y, which is present in some Ubuntu distributions, doesn’t just blindly append the URI, but the researcher did find an injection vulnerability in the subsequent 600 URI Acquire requests made to the HTTP fetcher process.

The vulnerability impacts the APT package manager itself, and users are advised to disable redirects in order to prevent exploitation when upgrading to the latest version, which also contains a patch for the vulnerability. 

Users who cannot upgrade using APT without redirect can manually download the files (using wget/curl) for their architecture using specific URLs included in the Debian Security Advisory. File hashes are also provided, to check if they match those for the downloaded files. 

Advertisement. Scroll to continue reading.

“For the stable distribution (stretch), this problem has been fixed in version 1.4.9. We recommend that you upgrade your apt packages,” the Debian Security Advisory reads. 

Related: Code Execution in Alpine Linux Impacts Containers

Related: Malicious ESLint Packages Steal Software Registry Login Tokens

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights