Just in time…
Cybersecurity experts this week fighting over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification just because APT on Linux also does the same.
Just today, a security researcher revealed details of a critical remote code execution flaw in Linux APT, exploitation of which could have been mitigated if the software download manager was strictly using HTTPS to communicate securely.
Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions.
According to a blog post published by Justicz, the vulnerable versions of APT doesn’t properly sanitize certain parameters during HTTP redirects, allowing a remote man-in-the-middle attacker to inject malicious content and trick the system into installing altered packages.
HTTP redirects while using apt-get command help Linux machines to automatically request packages from a suitable mirror server when others are unavailable. If the first server fails, it returns a response with the location of next server from where the client should request the package.
As shown by the researcher in a video demonstration, an attacker intercepting HTTP traffic between APT utility and a mirror server, or just a malicious mirror, eventually could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root, Justicz told The Hacker News.
Though Justicz has not tested, he believes the vulnerability affects all package downloads, even if you are installing a package for the very first time or updating an old one.
No doubt, to protect the integrity of the software packages, it’s important to use signature-based verification, as software developers do not have control over mirror servers, but at the same time, implementing HTTPS could prevent active exploitation after the discovery of such vulnerabilities.
No software, platform or sever can be 100 percent secure, so having every possible layer of security is never a bad idea to consider.
The developers of APT have released version 1.4.9 that addresses the issue.
Since APT is being used by many major Linux distributions including Debian and Ubuntu, who have also acknowledged and released security patches for the vulnerability, it is highly recommended for Linux users to update their systems as soon as possible.