Massive security bug found in Debian, Ubuntu, and derivatives apt

The apt package installer carried a huge security bug, but don't worry, it's now patched.

Everyone was surprised to learn that apt carried a serious bug. It was discovered by security researcher Max Justicz, who found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.

Apt is one of Linux's core package-management tools, so it was a relief to learn that the bug had been fixed before it became a widespread threat. It also raises the question of whether serving repositories over HTTPS would have improved apt's security or not.

According to Yves-Alexis of the Debian security team, Ubuntu and Debian were exposed because they rely on plain HTTP repositories. An attacker on the path of that HTTP connection could inject malicious content into the responses, compromising the integrity of the repository. Once injected, the malicious content would be accepted as valid, and apt would then execute the attacker's code on the targeted machine.

Applying the fix could break a few proxies, especially where they are used against security.debian.org; in that case the only available remedy is to switch the APT source. In other words, updating the system promptly was one of the ways to deal with the bug. The Advanced Package Tool (apt) had so far worked well, but researcher Max Justicz discovered that it was easier than expected to punch a hole in the program, giving a remote attacker a chance to introduce and execute arbitrary code as root during package installation.

Apt manages the packages and the package database that must be installed for programs to run; it lets you install, upgrade, and remove packages. Unfortunately, apt would install or update a package without checking whether anything was wrong with the package's requested Uniform Resource Identifier (URI). It relied only on the PGP-signed hashes returned for that URI, which means it was possible to make malware look legitimate and get it executed. Apt followed redirect URLs without checking them for embedded newlines.

This loophole allows a MiTM attacker to inject malicious content into the results returned: the attacker-controlled URL ends up embedded in the data apt uses to validate downloads, so forged hashes are accepted and the malicious file is treated as verified.
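To make the mechanism concrete from the defender's side, here is an added example (not code from the original article or from the apt project) showing why a redirect target containing a newline is dangerous when it is copied verbatim into a line-oriented "Key: Value" message, and how a validating check on the redirect target prevents it. The message format, the field names and the mirror hostname are simplified assumptions made for this illustration, not apt's real internal protocol.

```python
"""Added example: newline injection into a line-oriented message, and the check
that prevents it. The 'Key: Value' message format is an assumption for
illustration, not apt's actual method protocol."""
import re

# Control characters (NUL, CR, LF, ...) that must never appear inside a URL.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_message(text: str) -> dict:
    """Parse 'Key: Value' lines into a dict (simplified, assumed format)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def build_status_naive(uri: str) -> str:
    """Vulnerable pattern: the redirect target is interpolated verbatim."""
    return f"Status: done\nURI: {uri}\n"


def is_safe_redirect_target(location: str) -> bool:
    """Defensive check: no control characters, and only http(s) schemes."""
    if _CONTROL_CHARS.search(location):
        return False
    return location.startswith(("http://", "https://"))


def build_status_checked(uri: str) -> str:
    """Hardened pattern: refuse to build a message from an unsafe target."""
    if not is_safe_redirect_target(uri):
        raise ValueError("refusing redirect target with control characters or bad scheme")
    return build_status_naive(uri)


# Constructed samples (hostname and paths are made up for this example).
INJECTED_LOCATION = "http://mirror.example/pool/pkg.deb\nInjected: constructed-value"
CLEAN_LOCATION = "http://mirror.example/pool/pkg.deb"


def demo():
    """Return (extra_field_seen, injected_target_rejected, clean_uri)."""
    naive = parse_message(build_status_naive(INJECTED_LOCATION))
    # The receiver now sees a field the sender never meant to emit.
    extra_field_seen = "Injected" in naive
    try:
        build_status_checked(INJECTED_LOCATION)
        rejected = False
    except ValueError:
        rejected = True
    clean = parse_message(build_status_checked(CLEAN_LOCATION))
    return extra_field_seen, rejected, clean["URI"]


if __name__ == "__main__":
    print(demo())  # → (True, True, 'http://mirror.example/pool/pkg.deb')
```

The point of the check is that a line-oriented protocol cannot distinguish a newline that terminates a field from one smuggled inside a value, so any value that crosses a trust boundary (here, a redirect target chosen by the remote server) has to be rejected or encoded before it is placed on the wire.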

Justicz demonstrated that it was easy to get a malicious file onto the targeted system, using the Release.gpg file that apt pulls down whenever it updates. Justicz also provided a video demonstration on his blog. The link is located at the bottom of the article.

According to Justicz, APT attacks are not a one-day event. The intruder infiltrates the system and embeds themselves in it, gathering as much information as necessary, with the aim of infiltrating the entire network. To get into the system, they may use SQL injection, remote file inclusion (RFI), and cross-site scripting (XSS).

As mentioned before, this bug has already been fixed; thanks to the apt maintainers for patching this vulnerability quickly, and to the Debian security team for coordinating the disclosure. You should therefore be fine if you have already updated your system. If for some reason you cannot update yet, you can still protect yourself by disabling HTTP redirects while you update. To do that, run the following commands in the terminal:

sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false
Divya Kiran Kumar
I'm Editor of FOSS Linux. I worked as a Software Engineer, before taking up blogging as my full-time job. I enjoy using Linux, and can't imagine anything else for my PC. Apart from writing for FOSS Linux, I enjoy reading non-fictional books. Sapiens was my favorite last read. Hope you enjoy reading and using this blog to enhance your Linux experience! Have a great day ahead!
