Security Experts:

Connect with us

Hi, what are you looking for?



Code Execution Vulnerability Impacts Linux Package Manager

A remote code execution vulnerability was recently discovered in APT, the high level package manager used in many Linux distributions. 

A remote code execution vulnerability was recently discovered in APT, the high level package manager used in many Linux distributions. 

Tracked as CVE-2019-3462, the software bug could be exploited by hackers able to perform network man-in-the-middle (MitM) attacks to inject content and have it executed on the target machine with root privileges. Malicious package mirrors can also exploit the bug. 

“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” a Debian Security Advisory detailing the vulnerability reads

The issue, security researcher Max Justicz explains, is that, when the HTTP server responds with a redirect, APT’s worker process returns a 103 Redirect instead of a 201 URI Done, and the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response.

“The parent process will trust the hashes returned in the injected 201 URI Done response, and compare them with the values from the signed package manifest. Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package,” the researcher notes. 

APT version 1.6.y, which is present in some Ubuntu distributions, doesn’t just blindly append the URI, but the researcher did find an injection vulnerability in the subsequent 600 URI Acquire requests made to the HTTP fetcher process.

The vulnerability impacts the APT package manager itself, and users are advised to disable redirects in order to prevent exploitation when upgrading to the latest version, which also contains a patch for the vulnerability. 

Users who cannot upgrade using APT without redirect can manually download the files (using wget/curl) for their architecture using specific URLs included in the Debian Security Advisory. File hashes are also provided, to check if they match those for the downloaded files. 

“For the stable distribution (stretch), this problem has been fixed in version 1.4.9. We recommend that you upgrade your apt packages,” the Debian Security Advisory reads. 

Related: Code Execution in Alpine Linux Impacts Containers

Related: Malicious ESLint Packages Steal Software Registry Login Tokens

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.