Critical vulnerability on Linux APT GET in Debian, Ubuntu and Mint distros

APT, one of the major Linux software installation programs, presents a serious security flaw

Users who want to install programs on Linux
distributions such as Debian, Ubuntu, or Mint usually rely on the main
software installation program, the Advanced Package Tool (APT). Although it is
functional under appropriate circumstances, network security and ethical
hacking experts from the International Institute of Cyber Security report the
emergence of a method for deploying a Man-in-the-Middle
attack on APT.

As if it wasn’t enough, the people in charge of
this investigation believe that the security loophole would allow an attacker
to execute arbitrary code on any system that installs any package.

According to experts in network security, APT is an interface for the dpkg
packaging system. A packaging system, in turn, is a database of the
‘packages’ of files that must be installed for a program, Firefox, for
example, to run. With APT you can find and install new programs, update
programs, delete programs and update local dpkg databases.

Everything sounds good so far, but the problems
are about to begin. When APT installs a new program or updates one already
installed, it does not check for problems with the Uniform Resource Identifier
(URI) requested by a package. Instead, APT is limited to comparing the PGP
security hashes returned by the URI Done response with the values of the signed
package. Because the attacker controls the reported hashes, they can manipulate
them to make a malicious package look legitimate.

In a security alert, Ubuntu mentions: “From the
0.8.15 version, APT decodes the destination URLs of redirects, but does not
check for new lines, allowing a MiTM attacker to inject arbitrary headers into
the returned result. If the URL embeds the hashes of the so-called file, it can
be used to disable any validation of the downloaded file, because false hashes
will be included in front of the correct hashes,” the Linux distribution notice
concludes.
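
The class of flaw the alert describes, a redirect target that is decoded and then placed into a line-based message without a newline check, is shown below as an added example that is not APT's code. The message format, function names and URLs are constructed for illustration; the hardened builder rejects control characters after decoding.

```python
from urllib.parse import unquote

# Hypothetical line-oriented message (not APT's real format):
# "Key: value" lines, terminated by a blank line.

def build_redirect_unsafe(location: str) -> str:
    """Decode the redirect target and embed it without any check."""
    return "Status: Redirect\nNew-URI: " + unquote(location) + "\n\n"

def build_redirect_safe(location: str) -> str:
    """Decode first, then refuse targets that contain control characters."""
    decoded = unquote(location)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise ValueError("control character in redirect target")
    return "Status: Redirect\nNew-URI: " + decoded + "\n\n"

def parse_message(raw: str) -> dict:
    """Receiver side: read header lines up to the first blank line."""
    fields = {}
    for line in raw.split("\n"):
        if not line:
            break
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields

# Constructed sample inputs.
BENIGN = "http://mirror.example/pool/pkg_1.0%7Eb1.deb"
TAINTED = "http://mirror.example/pool/pkg.deb%0AX-Injected: yes"

def is_rejected(location: str) -> bool:
    """True when the hardened builder refuses the redirect target."""
    try:
        build_redirect_safe(location)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # The encoded newline becomes a real line break after decoding, so the
    # receiver sees a field that the sender never meant to emit.
    print(parse_message(build_redirect_unsafe(TAINTED)))
    print("benign rejected:", is_rejected(BENIGN))
    print("tainted rejected:", is_rejected(TAINTED))
```

The check has to run on the decoded value: the encoded form `%0A` contains no control character, so validating before decoding would let it through.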

The investigators demonstrated that they could
place a malicious .deb on a target system using the Release.gpg file. This file
is always extracted during the APT upgrade and is usually installed in a
predictable location, commented experts in network security.

On the other hand, Yves-Alexis Perez, a member
of the Debian security team, said: “this vulnerability could be exploited using
a Man-in-the-Middle attack between APT and a mirror to inject malicious content
into the HTTP connection. This content could then be recognized as an APT-valid
package to be finally used for code execution with root privileges on the
compromised system.” 

The update patches for Debian and Ubuntu are
already available, while the Mint distro has mentioned that their patches will
be ready as soon as possible.

This vulnerability should not present problems
for users as long as they update their systems accordingly. It is recommended
to install updates as soon as possible, as it is highly probable that this
vulnerability will be exploited in the wild, said experts in cybersecurity.
