Everyone was surprised to learn that apt contained a serious bug. It was discovered by security researcher Max Justicz, who found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.
Apt is one of Linux's core package-installation tools, so it was a relief to learn that the bug had been fixed before it became a threat. The episode also raises the question of whether serving repositories over HTTPS would have improved apt's security or not.
According to Yves-Alexis of the Debian security team, both Ubuntu and Debian were exposed, because they rely on plain HTTP repositories. An attacker could use the unencrypted HTTP connection to inject malicious content into the traffic, compromising the integrity of what the repository appears to serve. Once injected, the malicious content would be accepted as valid, and apt would then execute the attacker's code on the targeted machine.
The fix could break a few proxies, especially where they are used against security.debian.org; in that case the only available remedy is to switch the APT source. Updating the system promptly was therefore one of the ways to deal with the bug. The Advanced Package Tool (apt) has so far worked well, but researcher Max Justicz discovered that it was easier than expected to dig a hole in the program: it would give a remote attacker a chance to introduce and execute arbitrary code as root while a package is installed, resulting in a full compromise.
Apt manages the packages and the package database that must be installed for programs to run; it lets one install, upgrade, and remove packages. Unfortunately, apt would install or update a package without checking whether anything was wrong with the package's requested Uniform Resource Identifier (URI). It relied only on the PGP-signed hashes returned for that URI. This made it possible to make malware look legitimate and get it executed. Apt followed redirect URLs and did not check them for embedded newlines.
This loophole allows a MITM attacker to inject content into the results returned to apt. The injected URL ends up embedded in the data apt uses to validate downloads, so the download is checked against attacker-supplied hashes, and a fake package that matches those hashes is accepted and executed.
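The weakness described above is that a redirect target was accepted without checking it for newline characters, so a value that looks like a single URL could be interpreted as several lines of control data. The validator below is an added example written for this article; it is not apt's code and the function names (`redirect_target_is_safe`, `classify_redirects`) and the sample Location values are constructed for illustration. It shows the defensive check a download client should apply to a redirect target: reject control characters both in the raw header value and after percent-decoding, require an http(s) scheme, and optionally pin the host to the configured mirrors.

```python
import re
from urllib.parse import unquote, urlsplit

# Hypothetical validator for a redirect target, written for this article.
# It is not apt's own code; names and sample values are constructed.

ALLOWED_SCHEMES = {"http", "https"}
# ASCII control characters, including CR (\r) and LF (\n), plus DEL.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def redirect_target_is_safe(location, allowed_hosts=None):
    """Return True only if a Location header value is a well-formed http(s)
    URL that stays on one line even after percent-decoding.

    A target such as ".../file%0AInjected" looks harmless as a string but
    decodes into two lines; a client that decodes before parsing its own
    control messages must therefore refuse it.
    """
    if not location:
        return False
    # Reject raw control characters before any URL parsing: urlsplit()
    # silently strips CR/LF/TAB, which would hide exactly the bytes we care about.
    if _CONTROL.search(location):
        return False
    # Reject control characters that only appear after percent-decoding.
    if _CONTROL.search(unquote(location)):
        return False
    parts = urlsplit(location)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    # Optionally pin redirects to the mirrors the client was configured with.
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


def classify_redirects(locations, allowed_hosts=None):
    """Map each candidate redirect target to its verdict (True = follow)."""
    return {loc: redirect_target_is_safe(loc, allowed_hosts) for loc in locations}


# Constructed sample Location values; the hostnames are placeholders.
SAMPLE_LOCATIONS = [
    "http://mirror.example.org/debian/pool/main/p/pkg/pkg_1.0_amd64.deb",
    "https://mirror.example.org/debian/pool/main/p/pkg/pkg_1.0_amd64.deb",
    "http://mirror.example.org/debian/pool/x%0AInjected: line",  # decodes to two lines
    "http://mirror.example.org/debian/pool/x\r\nInjected: line",  # raw CRLF
    "ftp://mirror.example.org/debian/pool/x",  # unexpected scheme
    "http://other.example.net/debian/pool/x",  # off-mirror host
]

if __name__ == "__main__":
    verdicts = classify_redirects(SAMPLE_LOCATIONS, allowed_hosts={"mirror.example.org"})
    for loc, ok in verdicts.items():
        print("FOLLOW " if ok else "REFUSE ", repr(loc))
```

Note the ordering: the raw control-character check runs before `urlsplit()`, because Python's URL parser removes CR, LF and TAB from its input and would otherwise mask the very bytes the check exists to catch. The same ordering applies to any client that sanitises after parsing.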
Justicz demonstrated that it was easy to get a malicious file onto the targeted system. It could be done via the release.gpg file, which apt pulls down whenever it updates itself. Justicz also provided a video of the demonstration on his blog; the link is located at the bottom of the article.
According to Justicz, APT attacks are not a one-day event. The intruder infiltrates the system and embeds themselves in it, which helps them gather as much information as they need; their aim is to infiltrate the entire network. To get into the system, they may use SQL injection, remote file inclusion (RFI) and cross-site scripting (XSS).
As mentioned above, this bug has already been fixed. Thanks go to the apt maintainers for patching the vulnerability quickly, and to the Debian security team for coordinating the disclosure. You should therefore be fine if you have already updated your system. If for some reason you were not able to update, you can still protect yourself by disabling HTTP redirects while you update. To do that, run the following commands in the terminal:

sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false
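Because the exposure came through plain-HTTP mirrors, a practical follow-up to the commands above is to find out which configured sources still use http:// and which of them could be switched to https://. The script below is an added example for this article, not part of apt or of any distribution's tooling; the sources.list content, the hostnames and the helper names (`parse_sources`, `plaintext_sources`, `upgrade_to_https`) are all constructed. It parses one-line-style sources.list entries, lists the plaintext ones with their line numbers, and rewrites the scheme only for hosts the administrator has confirmed serve the repository over TLS.

```python
import re
from urllib.parse import urlsplit

# Constructed sample sources.list; hostnames are placeholders, not real mirrors.
SAMPLE_SOURCES = """\
# constructed example sources.list
deb http://mirror.example.org/debian stable main contrib
deb-src http://mirror.example.org/debian stable main
deb [arch=amd64] https://deb.example.net/ubuntu focal main universe
deb http://security.example.org/debian-security stable/updates main
deb file:/srv/local-repo stable main
"""

# One-line format: "deb|deb-src [options] uri suite [components...]"
_LINE = re.compile(r"^(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_sources(text):
    """Parse one-line-style sources.list entries (hypothetical helper).

    Comments and blank lines are skipped; each entry records its line number
    so findings can be reported against the original file.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        kind, opts, uri, suite, comps = m.groups()
        entries.append({
            "line": lineno,
            "type": kind,
            "options": (opts or "").strip(),
            "uri": uri,
            "suite": suite,
            "components": comps.split(),
            "scheme": urlsplit(uri).scheme.lower(),
        })
    return entries


def plaintext_sources(text):
    """Return the entries fetched over unencrypted HTTP."""
    return [e for e in parse_sources(text) if e["scheme"] == "http"]


def upgrade_to_https(text, tls_hosts):
    """Rewrite http:// to https:// only for hosts known to serve TLS.

    Lines for other hosts are left untouched so the administrator can
    deal with them separately (e.g. by switching to a different mirror).
    """
    out = []
    for raw in text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(3).startswith("http://") and urlsplit(m.group(3)).hostname in tls_hosts:
            raw = raw.replace("http://", "https://", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for e in plaintext_sources(SAMPLE_SOURCES):
        print(f"line {e['line']}: {e['type']} {e['uri']} is fetched over plain HTTP")
    # Assume only mirror.example.org has been verified to serve the repo over TLS.
    print(upgrade_to_https(SAMPLE_SOURCES, {"mirror.example.org"}))
```

Switching to HTTPS does not replace the signature check apt performs on the repository metadata, but it removes the cheap on-path injection that a plain-HTTP connection allows; the redirect option from the commands above remains useful while a mirror is still reached over HTTP.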