Massive security bug found in Debian, Ubuntu, and derivatives apt

The apt package installer carried a huge security bug, but don't worry, it's now patched.

Everyone was surprised to learn that apt had been infected with a bug. This was discovered by security researcher Max Justicz. He found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.

Apt is one of the Linux’s core installation software. But it was a relief to learn that the bug had been fixed before it became a threat. It raises the question of whether the secure https has improved apt security or not.

According to the Debian security team Yves-Alexis, Ubuntu and Debian were under threats. The reason was that they rely on HTTP repository. The attackers were likely to use the HTTP connection to inject the system with malicious content. This would compromise the repository security. Once injected, the malicious content would be recognized as valid. Apt would then execute code programs on the targeted machine.

Fixing the machine could break a few proxies. This would happen, especially where it is used against security.debian.org. In this case, the only available remedy is to switch the APT source. It means that updating the system promptly was one of the methods to use to deal with the bug. Advanced Tool apt has so far worked well. But the researcher Max Justicz discovered that it was easier to dig a hole in the program. It would give a remote attacker a chance to introduce and execute arbitrary root in the package. It would result in attacks.

Apt refers to packages or database that must be installed for programs to run. Also apt, allows one to install, upgrade, and remove the database. Unfortunately apt will install or update a package without checking if there is anything’s wrong with a package’s requested Uniform Resource Identifier (URI). It only focusses on PGP security hashes returned by the URI. It means that it is possible to make a malware look legitimate and allow them to be executed. Apt targets redirect URLs and do not check the new lines.

This loophole allows MiTM attackers to inject malware into the results returned. It makes URL to be embedded into the file. When it happens, it validates downloads, which will then allow for the execution of fake hashes.

Justicz demonstrated that it was easy to get the malicious file into the targeted system. It could be done using a release.gpg file which is easily pulled down when apt is updating itself. Justicz also provided a video showing the demonstration in his blog. The link is located at the bottom of the article.

According to Justicz APT attacks is not a one-day event. The intruder infiltrates and embeds themselves in the system. It helps them get as much information as is necessary. They target to infiltrate the entire network. To get in the system, they may use SQL injection, file inclusion RFI and XSS (cross-site scripting).

As mentioned before, this bug has been already fixed, thanks for the apt maintainers for patching this vulnerability quickly, and to the Debian security team for coordinating the disclosure. Therefore, you should be fine if you have already updated your system. For some reason, if you were not able to update, you can still protect yourself by disabling HTTP redirects while you update. To do that, run the following commands in the Terminal.

sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false
Elizabeth B
Hey! I'm a Linux Enthusiast and enjoy reading and writing articles on Linux. FOSS Linux is a great place for me to contribute to the Linux platform. Linux distributions have evolved and reached great heights. Thanks for reading my story!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

STAY CONNECTED

24,865FansLike
154FollowersFollow

LATEST ARTICLES

RECENT COMMENTS

How to create a bootable CentOS Live USB drive on Windows

create centOS Live USB drive
CentOS ISO downloads are available in two different variations - Minimal ISO and DVD ISO. So what are these? In this guide, you will know how to create a CentOS Live USB drive that can also be used to install CentOS.