Some cybersecurity experts this week arguing over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification, just because APT on Linux also does the same.
Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a remote, man-in-the middle attacker to compromise Linux machines.
The flaw, apparently, once again demonstrates that if the software download ecosystem uses HTTPS to communicate safely, such attacks can easily be mitigated at the first place.
Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions.
According to a blog post published by Justicz and details shared with The Hacker News, the APT utility doesn’t properly sanitize certain parameters during HTTP redirects, allowing man-in-the-middle attackers to inject malicious content and trick the system into installing altered packages.
APT HTTP redirects help Linux machines to automatically find suitable mirror server to download software packages when others are unavailable. If the first server somehow fails, it returns a response with the location of next server from where the client should request the package.
As shown by the researcher in a video demonstration shared with The Hacker News, an attacker—intercepting HTTP traffic between APT utility and a mirror server, or just a malicious mirror—can inject malicious packages in the network traffic and execute arbitrary code on the targeted system with the highest level of privileges, i.e. root.
Though Justicz has not tested, he believes the vulnerability affects all type of package downloads, even if you are installing a package for the very first time or updating an old one.
No doubt, to protect the integrity of the software packages, it’s important to use signature-based verification, as software developers do not have control over mirror servers, but that doesn’t mean one should ignore benefits of using HTTPS protocol over the complexity of infrastructural upgrades in some particular cases.
No software, platform or server can claim to be 100% secure, so adopting the idea of defense-in-depth is never a bad idea to consider.
It should also be noted that cybersecurity experts do not expect organizations or open-source developers to implement HTTPS overnight, but they should also not even reject the defensive measures completely.
The developers of APT software have released updated version 1.4.9 to fix the reported remote code execution vulnerability.
Since apt-get is part of many major Linux distributions including Debian and Ubuntu, who have also acknowledged the flaw and released security updates, it is highly recommended for Linux users to update their systems as soon as possible.