A remote code execution vulnerability was recently discovered in APT, the high-level package manager used in various Linux distributions. Tracked as CVE-2019-3462, the security flaw could be exploited by attackers able to perform network Man-in-the-Middle attacks to inject content and have it executed on the target machine with root privileges. Malicious package mirrors can also trigger the flaw.

“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” a Debian Security Advisory detailing the vulnerability reads.

The problem, security researcher Max Justicz explains, is that when the HTTP server responds with a redirect, APT's worker process returns a 103 Redirect instead of a 201 URI Done, and the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response.

“The parent process will trust the hashes returned in the injected 201 URI Done response, and compare them with the values from the signed package manifest. Since the attacker controls the reported hashes, they can use this vulnerability to convincingly forge any package,” the researcher notes.

APT version 1.6.y, which ships in several Ubuntu releases, does not simply append the URI blindly, but the researcher did find an injection flaw in the resulting 600 URI Acquire requests sent to the HTTP fetcher process.
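The root cause described above is a classic header-injection pattern: a value taken from the network is percent-decoded and then embedded verbatim into a line-oriented inter-process message, so a decoded newline lets one message masquerade as two. The following Python model, written for this page and not taken from APT's own code, shows the defensive side: validating the raw Location value before it is embedded, never decoding it first, and confirming that the built message still parses as exactly one message. The `103 Redirect` status and the `URI`/`New-URI` field names are assumptions about the message shape; the URLs are constructed sample values.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# ASCII control bytes (including CR and LF), space and DEL can never appear
# in a legitimate absolute URL, so any of them in a Location value is a red flag.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def validate_location(raw: str) -> str:
    """Return the Location value unchanged if it is safe to embed in a
    line-oriented message; raise ValueError otherwise.

    The value is deliberately NOT percent-decoded before being embedded:
    decoding first is what turns '%0A' into a message-splitting newline.
    """
    if not raw.isascii():
        raise ValueError("non-ASCII byte in Location")
    if _CONTROL.search(raw):
        raise ValueError("control character in Location")
    # Belt and braces: refuse values that would become a control character
    # if any later consumer does decode them.
    if _CONTROL.search(unquote(raw)):
        raise ValueError("Location decodes to a control character")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("Location is not an absolute http(s) URL")
    return raw


def is_safe_location(raw: str) -> bool:
    """Boolean wrapper around validate_location for callers that only need a verdict."""
    try:
        validate_location(raw)
        return True
    except ValueError:
        return False


def build_redirect(uri: str, location: str) -> str:
    """Build a '103 Redirect' message: a status line, 'Key: Value' lines and a
    terminating blank line (assumed message shape; field names are assumptions)."""
    new_uri = validate_location(location)
    return f"103 Redirect\nURI: {uri}\nNew-URI: {new_uri}\n\n"


def parse_messages(stream: str) -> List[Dict[str, object]]:
    """Split a stream of blank-line-terminated messages the way a line-oriented
    parent process would. A safely built redirect must yield exactly one message."""
    messages: List[Dict[str, object]] = []
    for chunk in stream.split("\n\n"):
        if not chunk.strip():
            continue
        lines = chunk.split("\n")
        fields: Dict[str, str] = {}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            fields[key] = value
        messages.append({"status": lines[0], "fields": fields})
    return messages


if __name__ == "__main__":
    # Constructed sample: a mirror redirecting one package URL to another host.
    msg = build_redirect("http://deb.example/pool/a.deb", "http://mirror.example/pool/a.deb")
    print(msg, parse_messages(msg))
```

The two checks that matter are the order of operations (validate the raw bytes, embed the raw bytes, decode only at the point of use) and the post-condition that the assembled message parses back as a single message; either one alone would have stopped the parent from ever seeing a forged `201 URI Done`.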

The flaw affects the APT package manager itself, and users are advised to disable redirects in order to stay safe while updating to the latest version, which also includes a fix for the bug.

Users who cannot update through APT without redirects can manually download the files for their system (using wget/curl) from the specific URLs listed in the Debian Security Advisory. File hashes are also provided, so that the downloaded files can be checked against them.

“For the stable distribution (stretch), this problem has been fixed in version 1.4.9. We recommend that you upgrade your apt packages,” the Debian Security Advisory reads.
