If you want to install a program on the Debian/Ubuntu/Mint Linux distribution family, you almost always end up using the core software installer program Advanced Package Tool (apt). It works well, but security researcher Max Justicz recently found a nasty way to make a man-in-the-middle attack on apt.
Adding salt to this wound, Justicz found the hole would enable a remote attacker to execute arbitrary code as root on any system installing any package. To understand how it attacks, you need to understand how apt works.
Apt is a front-end to the the dpkg packaging system. A packaging system, in turn, is a database of "packages" the files need to be installed for a program, such as Firefox, to run. With apt, you can find and install new programs, upgrade programs, remove programs, and update your local dbkg database.
So far, so good. But, when apt installs a new program or updates an existing one, it doesn't check to see if anything's wrong with a package's requested Uniform Resource Identifier (URI). Instead, it just compares the PGP security hashes returned by the URI Done response with the values from the signed package manifest. But, since the man-in-the-middle attacker controls the reported hashes, they can forge them to make a malware package look legitimate.
As the Ubuntu apt security message stated, "apt, starting with version 0.8.15, decodes target URLs of redirects, but does not check them for newlines, allowing MiTM attackers (or repository mirrors) to inject arbitrary headers into the result returned to the main process. If the URL embeds hashes of the supposed file, it can thus be used to disable any validation of the downloaded file, as the fake hashes will be prepended in front of the right hashes."
Justicz showed he could get a malicious .deb into a target system by using the Release.gpg file. This file is always pulled during apt update and is usually installed into a predictable location.
Justicz demonstrated this can be as obvious as:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
And whatever "oops" points to will get installed.
He also pointed out that, "By default, Debian and Ubuntu both use plain http repositories out of the box." While there's heated debate over whether the more secure https actually improved apt security, Justicz knows his position: "I wouldn't have been able to exploit the Dockerfile at the top of this post if the default package servers had been using https."
So, how bad is this really? Bad.
Yves-Alexis Perez, a member of the Debian security team, wrote: "This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine."
- Civilization VI Gold Ed. for Mac and Linux for $27 CNET
- Why you should use apt-get purge TechRepublic
As potentially damaging as this bug could be, the patches are already available for both Debian and Ubuntu. Patches will soon be available for Mint and other Debian/Ubuntu-based Linux distros. When you do patch apt, the Debian security team recommends you take the following actions first: Disable redirects in order to prevent exploitation, with the following commands as root:
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
The bad news is: "This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use: deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main."
So, as long as you move promptly to update your systems, this new security hole shouldn't be a problem. That said, you don't want to wait too long. It will get exploited in the wild. It's only a matter of time.