CVE-2019-3462: Linux APT Remote Code Execution Vulnerability


On January 22, researcher Max Justicz announced a remote code execution vulnerability in Linux apt/apt-get. The CVE number is CVE-2019-3462. The vulnerability stems from the fact that apt does not reasonably handle certain parameters when redirecting. An attacker can conduct a man-in-the-middle attack or a malicious download image to trigger the vulnerability, causing remote code execution.

“When fetching data, apt forks off worker processes that specialize in the various protocols that will be used for data transfer. The parent process then communicates with these workers over stdin/stdout to tell them what to download and where to put it on the filesystem using a protocol that looks a little like HTTP. Unfortunately, the HTTP fetcher process URL-decodes the HTTP Location header and blindly appends it to the 103 Redirect response”

Affected version

  • Apt version < 1.4.9

Unaffected version

  • Apt version 1.4.9

Apt has released a new version 1.4.9 that fixes this vulnerability. Users can ensure the security during the upgrade process by disabling the HTTP redirect function during the upgrade. The operation is as follows:

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false