Heads up: Debian’s package manager is APT for root-level malware injection… Fix out now to thwart MITM hijacks

The Debian Project has patched a security flaw in its software manager Apt that can be exploited by network snoops to execute commands as root on victims’ boxes as they update or install packages.

The Linux distro’s curators have pushed out an fix to address CVE-2019-3462, a vulnerability uncovered and reported by researcher Max Justicz.

The flaw is related to the way Apt and apt-get handle HTTP redirects when downloading packages. Apt fetches packages over plain-old HTTP, rather than a more secure HTTPS connection, and uses cryptographic signatures to check whether the downloaded contents are legit and haven’t been tampered with.

This unfortunately means a man-in-the-middle (MITM) miscreant who was able to intercept and tamper with a victim’s network connection could potentially inject a redirect into the HTTP headers to change the URL used to fetch the package.

And the hacker would be able to control the hashes used by Apt to check the downloaded package, passing the package manager legit values to masquerade the fetched malware as sanctioned software.

All in all, users can be fed malware that’s run as root during installation, allowing it to commandeer the machine.

[…]

As an added wrinkle, Apt is updated by Apt itself. And seeing as the update mechanism is insecure, folks need to take extra steps to install the security fix securely. Admins will want to first disable redirects (see below) and then go through the usual apt update and upgrade steps.

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false

Source: Heads up: Debian’s package manager is APT for root-level malware injection… Fix out now to thwart MITM hijacks • The Register