1 Vulnerability Overview
Recently, a security researcher discovered a critical vulnerability in the Advanced Packaging Tool (APT) of Linux. This vulnerability stems from the APT’s failure to properly handle redirects, which can be triggered via a man-in-the-middle attack or a malicious package mirror, resulting in remote code execution.
By changing the flag bit of the response, an attacker can redirect the download link of an installation package to a malicious server. In this case, if the attacker also changes the hash in communication data to that of the malicious package, he or she can get by the local authentication of the APT. The attacker can then trigger the vulnerability via a man-in-the-middle attack in the network environment or the mirror download server controlled by him or her, so as to execute malicious code with root privileges.
Reference link:
https://justi.cz/security/2019/01/22/apt-rce.html
2 Scope of Impact
Affected Versions
- Ubuntu 18.10 apt < 1.7.0ubuntu0.1
- Ubuntu 18.04 LTS apt < 1.6.6ubuntu0.1
- Ubuntu 16.04 LTS apt < 1.2.29ubuntu0.1
- Ubuntu 14.04 LTS apt < 1.0.1ubuntu2.19
- Debian apt 1.8.0- alpha3
- Debian apt 1.4.8
- Debian apt 1.9.8.4
Unaffected versions:
- Ubuntu 18.10 apt – 1.7.0ubuntu0.1
- Ubuntu 18.04 LTS apt – 1.6.6ubuntu0.1
- Ubuntu 16.04 LTS apt – 1.2.29ubuntu0.1
- Ubuntu 14.04 LTS apt – 1.0.1ubuntu2.19
- Debian apt 1.8.0- alpha3.1
- Debian apt 1.0.9.8.5
- Debian apt 1.4.9
3 Vulnerability Check
3.1 Version Check
Users can run the following command to query the APT version of the current system. If the version number is within the affected range, the current system is affected by the vulnerability.
Users can run the following command to query the version of Ubuntu:
4 Vulnerability Protection
4.1 Version Upgrade
Ubuntu and Debian have released fixes for this vulnerability. Users can upgrade to the latest APT version to protect their systems.
For the security of the system, users are advised to disable HTTP redirect during the upgrade by running the following commands:
Users who cannot upgrade the APT online can download an appropriate offline installation package for local installation.
- Debian users can refer to the following link for the upgrade:
https://lists.debian.org/debian-security-announce/2019/msg00010.html
- Ubuntu users can refer to the following link for the upgrade:
- https://usn.ubuntu.com/3863-1
Appendix
-
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
-
About NSFOCUS
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
https://www.nsfocusglobal.com.
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.