Critical flaw in Linux APT package manager could allow remote hack


Expert discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.

The independent security consultant Max Justicz has discovered a remote code execution vulnerability in the APT package manager used by several Linux distributions, including Debian and Ubuntu.

The flaw, tracked as CVE-2019-3462, affects package manager versions 0.8.15 and later. It could be exploited by an attacker in a man-in-the-middle (MiTM) position to execute arbitrary code as root on a machine installing any package.

“I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package,” reads a blog post published by Justicz.

“The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.”

Vulnerable versions of APT fail to sanitize certain parameters during HTTP redirects, so a remote man-in-the-middle attacker could inject malicious content and trick the system into installing tainted packages.

When using the apt-get command, HTTP redirects allow Linux systems to automatically request packages from a mirror server when others are unavailable. When the first server is not able to provide the package, it responds by pointing to the next suitable server.

“The code handling HTTP redirects in the HTTP transport method doesn’t properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection,” reads the Debian Security Advisory. “This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.”

The expert published a video PoC that shows an attacker intercepting HTTP traffic between the APT package manager and a mirror server (or a rogue mirror) and replacing the legitimate package with a malicious one.

https://justi.cz/assets/aptpoc.mp4

According to Justicz, the flaw could affect all package downloads, including packages installed by the user for the first time.


The flaw can be mitigated by serving package repositories over HTTPS, which prevents a network attacker from tampering with the redirect and exploiting the vulnerability.

“Supporting http is fine. I just think it’s worth making https repositories the default – the safer default – and allowing users to downgrade their security at a later time if they choose to do so. I wouldn’t have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https.” wrote the expert.

APT maintainers quickly patched the CVE-2019-3462 vulnerability with the release of version 1.4.9; Linux users must update their systems as soon as possible.
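The following POSIX shell script is an added example for defenders, not code from the article or from the APT project. It ties together the three points above: it checks whether an installed apt version is older than the 1.4.9 fix, counts the plain-HTTP mirrors in a sources list (a constructed sample is embedded; the mirror hostnames are illustrative), rewrites them to HTTPS, and prints the redirect-disabled update commands that Justicz recommends as an interim measure. The version comparison assumes plain numeric dot-separated versions; the `Acquire::http::AllowRedirect` option is a real apt configuration key.

```shell
#!/bin/sh
# Added example (not part of the article): audit an APT setup against CVE-2019-3462.
set -eu

# Constructed sample sources.list; hostnames are illustrative only.
SAMPLE_SOURCES='deb http://deb.example.org/debian stretch main
deb-src http://deb.example.org/debian stretch main
deb https://security.example.org/debian-security stretch/updates main
# deb http://commented.example.org/debian stretch main'

# Return 0 (true) if numeric version $1 is older than $2 (e.g. 1.4.8 < 1.4.9).
# Only handles dot-separated integers; Debian suffixes like "~alpha" are not parsed.
version_lt() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        a="${a:-0}"; b="${b:-0}"
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 1
}

# Print 0 if the given apt version already carries the fix, 1 if it is still exposed.
apt_needs_update() {
    if version_lt "$1" "1.4.9"; then echo 1; else echo 0; fi
}

# Count active deb/deb-src entries that fetch over plain http:// (comments ignored).
count_http_sources() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]*deb(-src)?[[:space:]]+http://' || true
}

# Rewrite active plain-http entries to https and print the result.
# Assumes each mirror also serves HTTPS, which is not guaranteed for every mirror.
https_sources() {
    printf '%s\n' "$1" | sed -E 's#^([[:space:]]*deb(-src)?[[:space:]]+)http://#\1https://#'
}

# Interim mitigation for a host whose apt is still older than 1.4.9:
# run the update with HTTP redirects disabled. Printed, not executed, here.
redirect_safe_update_cmds() {
    printf '%s\n' 'apt -o Acquire::http::AllowRedirect=false update' \
                  'apt -o Acquire::http::AllowRedirect=false upgrade'
}

# Stand-alone run: report on the constructed sample and a hypothetical apt 1.4.8.
echo "apt 1.4.8 needs update: $(apt_needs_update 1.4.8)"
echo "plain-http sources: $(count_http_sources "$SAMPLE_SOURCES")"
echo "rewritten sources:"
https_sources "$SAMPLE_SOURCES"
echo "interim commands:"
redirect_safe_update_cmds
```

On a real host the version would come from `apt --version` and the list from `/etc/apt/sources.list`; moving to HTTPS mirrors is the durable fix, while the redirect-disabled commands only narrow the window until the 1.4.9 package is installed.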


Pierluigi Paganini

(SecurityAffairs – Linux distribution, APT package manager)
