Just in time…when some cybersecurity experts this week were fighting over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification just because APT on Linux also does the same, a researcher today revealed details of a critical remote code execution flaw for a similar scenario that could have been mitigated if APT was strictly using HTTPS to communicate securely.Discovered by security researcher Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions.
According to a blog post published by Justicz, the vulnerable versions of APT doesn’t properly sanitize certain parameters during HTTP redirects, allowing a remote man-in-the-middle attacker to inject malicious content and trick the system into installing altered packages.HTTP redirects while using apt-get command help Linux machines to automatically request packages from a suitable mirror server when others are unavailable. If the first server fails, it returns a response with the location of next server from where the client should request the package.
“Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response,” Justicz explains.
As shown by the researcher in a video demonstration, an attacker intercepting HTTP traffic between APT utility and a mirror server, or just a malicious mirror, eventually could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root, Justicz told The Hacker News.
“You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well, if you wanted to,” Justicz told THN.
Though Justicz has not tested, he believes the vulnerability affects all package downloads, even if you are installing a package for the very first time or updating an old one.
No doubt, to protect the integrity of the software packages, it’s important to use signature-based verification, as software developers do not have control over mirror servers, but at the same time, implementing HTTPS could prevent active exploitation after the discovery of such vulnerabilities.
No software, platform or sever can be 100 percent secure, so having every possible later of security is never a bad idea.
“By default, Debian and Ubuntu both use plain http repositories out of the box (Debian lets you pick what mirror you want during installation, but doesn’t actually ship with support for https repositories – you have to install apt-transport-https first),” the researcher explains.
“Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so.”
The developers of APT have released version 1.4.9 that addresses the issue.
Since APT is being used by many major Linux distributions including Debian and Ubuntu, who have also acknowledged and released security patches for the vulnerability, it is highly recommended for Linux users to update their systems as soon as possible.