steven36 Posted January 23, 2019

A remote code execution vulnerability was recently discovered in APT, the high-level package manager used in many Linux distributions.

Tracked as CVE-2019-3462, the software bug could be exploited by hackers able to perform network man-in-the-middle (MitM) attacks to inject content and have it executed on the target machine with root privileges. Malicious package mirrors can also exploit the bug.

“The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” a Debian Security Advisory detailing the vulnerability reads.

The issue, security researcher Max Justicz explains, is that, when the HTTP server responds with a redirect, APT’s worker process returns a 103 Redirect instead of a 201 URI Done, and the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response.

“The parent process will trust the hashes returned in the injected 201 URI Done response, and compare them with the values from the signed package manifest. Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package,” the researcher notes.

APT version 1.6.y, which is present in some Ubuntu distributions, doesn’t just blindly append the URI, but the researcher did find an injection vulnerability in the subsequent 600 URI Acquire requests made to the HTTP fetcher process.

The vulnerability impacts the APT package manager itself, and users are advised to disable redirects in order to prevent exploitation when upgrading to the latest version, which also contains a patch for the vulnerability.
Users who cannot upgrade using APT without redirect can manually download the files (using wget/curl) for their architecture using specific URLs included in the Debian Security Advisory. File hashes are also provided, to check if they match those for the downloaded files.

“For the stable distribution (stretch), this problem has been fixed in version 1.4.9. We recommend that you upgrade your apt packages,” the Debian Security Advisory reads.
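The message-splitting problem described in the post above, as an added example that is not part of the original post and is not APT's code. It assumes a simplified framing (status line, `Key: value` lines, blank line ends a message), and the `New-URI` field name, function names and sample URLs are assumptions made for this sketch; the checked variant is one possible validation, not the project's actual patch.

```python
from urllib.parse import unquote

# Simplified framing assumed for this sketch: a message is a status line
# followed by "Key: value" lines, and a blank line terminates the message.

def parse_messages(stream):
    """Split a worker-to-parent stream into (status_line, fields) tuples."""
    messages = []
    for block in stream.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln]
        if not lines:
            continue
        fields = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
        messages.append((lines[0], fields))
    return messages

def redirect_unsafe(uri, location_header):
    """Behaviour the post describes: URL-decode, then append without checks."""
    return "103 Redirect\nURI: %s\nNew-URI: %s\n\n" % (uri, unquote(location_header))

def redirect_checked(uri, location_header):
    """Hardened form: refuse a decoded value that contains control characters."""
    decoded = unquote(location_header)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in redirect target")
    return "103 Redirect\nURI: %s\nNew-URI: %s\n\n" % (uri, decoded)

# Constructed sample inputs (hypothetical hosts, not from a real mirror).
URI = "http://mirror.example/pool/pkg.deb"
BENIGN = "http://other.example/pool/pkg.deb"
# Percent-encoded newlines survive the HTTP header, then become real
# newlines after decoding and end the 103 message early.
TAMPERED = "http://other.example/x%0A%0A201%20URI%20Done%0AURI%3A%20" + URI

def count_messages(builder, location):
    """Number of messages the parent would see for one redirect."""
    return len(parse_messages(builder(URI, location)))

if __name__ == "__main__":
    print(count_messages(redirect_unsafe, BENIGN))    # one message
    print(count_messages(redirect_unsafe, TAMPERED))  # a second, injected one
    try:
        redirect_checked(URI, TAMPERED)
    except ValueError as exc:
        print("rejected:", exc)
```

The parent sees two messages for the tampered header because the decoded value carries its own blank line and status line; rejecting control characters before serializing keeps one Location header equal to one message.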

mp68terr Posted January 23, 2019

Waiting for a fix... or the running Linux is maybe already patched! At least there is no need to wait for the next (likely broken) Tuesday fix!

steven36 (Author) Posted January 23, 2019

1 hour ago, mp68terr said:
> Waiting for a fix... or the running linux is maybe already patched! At least there is no need to wait for the next (likely broken) Tuesday fix!

If using Ubuntu, you just update: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353

I did updates for this yesterday. Today is a new day, and I just did more security updates for another bug. It's not Windows, which only releases patches once a month; on Linux they release patches every workday, 5 days a week, as needed.

I run all my traffic through a VPN with the kill switch on for an extra layer of security against MitM attacks, so all my traffic is encrypted on Linux regardless of whether it uses HTTP or HTTPS. Both protocols have had their own set of bugs over the last few years. Neither is trustworthy.

Quote:
> Maximum Protection
> Data encryption: AES-256
> Data authentication: SHA256
> Handshake: RSA-4096

brain_death Posted January 24, 2019

I have always loathed APT. Yum and Pacman have my vote, any day...

Archived
This topic is now archived and is closed to further replies.