Vulnerability within APT lets installation of rogue package

Certain well-known Linux distributions are vulnerable to attack because of a security flaw inside the key interface of package management which by exploiting can let an attacker deceive end-users into loading rogue packages so that the attacker gains basic admission into the target devices.

Max Justicz who works independently as security contractor and consultant unearthed one flaw of code-execution carried out remotely within APT a premium package manager that Ubuntu, Debian along with other kinds of Linux OSs reportedly use. Justicz unearthed vulnerability inside 'APT' that potentially enabled an attacker striking a PC-network towards acquiring basic rights on any target device during installation procedure.

A number of Ubuntu and Debian editions are flawed while both the distributions' managers recently gave out updated editions which rectify the bug. Security flaw exists in all the Ubuntu 18.04 LTS, Ubuntu 18.10, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. But, Debian 1.4.9 is the distribution already patched.

Meanwhile, the program dealing with HTTP redirects within HTTP transport mode does not accurately clean fields that are wire transmitted. An attacker could use this flaw while in a man-in-the-middle (MITM) location with APT at one end and one mirror at the other for inserting rogue data inside the HTTP connect. The rogue data subsequently displays like an authentic package to APT as also gets utilized for executing code remotely while enjoying basic rights of the target device, states a Debian advisory. www.bleepingcomputer.com posted this, January 22, 2019.

A report by Horn reveals the flawed APT editions weren't correctly treating the errors while examining the authenticity of signatures put up for InRelease files. Anyone capable of executing MITM for HTTP requests associated with a suitable cache, which utilizes InRelease files, could exploit the flaw and thereby bypass such files' signature resulting in random code execution.

A basic issue facilitating the flaw's exploitation relates to the servers serving packages on HTTP instead of HTTPS automatically. Albeit legit packages carry authenticating signatures, an attacker capable of gaining privileged network status can utilize Justicz's flaw for getting rogue package onto target PCs. For safeguarding against such attacks, HTTPS should be utilized for automatic transportation of updates.

» SPAMfighter News - 1/28/2019