Debian DSA-4371-1 : apt - security update

high Nessus Plugin ID 121317

Synopsis

The remote Debian host is missing a security-related update.

Description

Max Justicz discovered a vulnerability in APT, the high level package manager. The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicous content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.

Since the vulnerability is present in the package manager itself, it is recommended to disable redirects in order to prevent exploitation during this upgrade only, using :

apt -o Acquire::http::AllowRedirect=false update apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If that happens, people can switch their security APT source to use the URL linked in the advisory.

Solution

Upgrade the apt packages.

For the stable distribution (stretch), this problem has been fixed in version 1.4.9.

Specific upgrade instructions :

If upgrading using APT without redirect is not possible in your situation, you can manually download the files (using wget/curl) for your architecture using the URL provided in the advisory, verifying that the hashes match. Then you can install them using dpkg -i.

See Also

https://security-tracker.debian.org/tracker/source-package/apt

https://packages.debian.org/source/stretch/apt

https://www.debian.org/security/2019/dsa-4371

Plugin Details

Severity: High

ID: 121317

File Name: debian_DSA-4371.nasl

Version: 1.6

Type: local

Agent: unix

Published: 1/23/2019

Updated: 6/26/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-3462

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:apt, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/22/2019

Vulnerability Publication Date: 1/28/2019

Reference Information

CVE: CVE-2019-3462

DSA: 4371