[SOLVED by updates] Flaw in Linux APT Allows Remote Attackers to Hack Systems

Chat about Linux in general
User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

[SOLVED by updates] Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

The issue has already been addressed by updates to relevant apt packages. Please apply the updates through Update Manager.


Edit to include:

from: https://justi.cz/security/2019/01/22/apt-rce.html

If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update. To do that, run:

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false
and
gm10 wrote:
Wed Jan 23, 2019 7:31 pm
You can run those commands safely, the parameters are in case you fear already being under attack, but do note that those commands won't respect any of your settings in Update Manager, including blacklist and levels. These will install all available updates.

You can however simply update using Update Manager as well.



Those who haven't updated their systems already today, please do so as soon as possible.

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

https://usn.ubuntu.com/3863-2/
https://usn.ubuntu.com/3863-1/
Last edited by philotux on Thu Jan 24, 2019 2:26 pm, edited 4 times in total.

User avatar
kc1di
Level 15
Level 15
Posts: 5623
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by kc1di »

I believe a patch was issued for this yesterday and all should upgrade ASAP.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

gm10
Level 20
Level 20
Posts: 10870
Joined: Thu Jun 21, 2018 5:11 pm

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by gm10 »

Heh, I had actually posted the USN notice yesterday in a thread from last year where basically everybody except the OP and myself argued against the use of HTTPS with apt, but then I deleted the post again thinking I didn't actually feel like feeding the flames that day. Your thread title does that much better, anyway. :lol: :twisted:
Last edited by gm10 on Wed Jan 23, 2019 2:33 pm, edited 1 time in total.

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

gm10 wrote:
Wed Jan 23, 2019 9:53 am
Your thread title does that much better, anyway. :lol: :twisted:
Nevertheless it's true! Or was true before patches were issued yesterday. Until the next flaw will dawn upon us. Quoting a someone:
There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.
:lol:

User avatar
BenTrabetere
Level 6
Level 6
Posts: 1052
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by BenTrabetere »

philotux wrote:
Tue Jan 22, 2019 3:31 pm
Those who haven't updated their systems already today, please do so as soon as possible.
It seems to me that updating APT is one of those 'it may break your system and void your warranty' activities. Not suitable for experimessing.

I do not think I am alone in thinking the people responsible for documenting the proper steps to update APT should be poked with pointy sticks, stuffed in a barrel and rolled down a hill.

In the announcement, https://justi.cz/security/2019/01/22/apt-rce.html, Max Justicz instructs to run the following to disable HTTP redirects during the update.

Code: Select all

sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false
Yeah, Max. But what to do next? Every discussion I have seen about this quickly devolves into an HTTP v HTTPS debate. The instructions Ubuntu offers are vague-specific quid nunc.

I downloaded Xenial files from

Code: Select all

https://usn.ubuntu.com/3863-1/
, but I could not find any coherent, specific instructions on how to use them.

I apologize for the rant, but seriously....

I would greatly appreciate it if someone will post a 'treat me like I am 5 years-old' tutorial.

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

BenTrabetere wrote:
Wed Jan 23, 2019 12:32 pm
philotux wrote:
Tue Jan 22, 2019 3:31 pm
Those who haven't updated their systems already today, please do so as soon as possible.
It seems to me that updating APT is one of those 'it may break your system and void your warranty' activities. Not suitable for experimessing.
You are certainly right. Now with the benefit of the hindsight, I should have included the following as well, even though it was only one click away from the original article that I linked to in my OP:

If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update. To do that, run:

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false

from: https://justi.cz/security/2019/01/22/apt-rce.html
BenTrabetere wrote:
Wed Jan 23, 2019 12:32 pm
I would greatly appreciate it if someone will post a 'treat me like I am 5 years-old' tutorial.
Well, if you ask me, I think when it comes to matters of such an importance for the security of the users, the responsibility of even reporting it should be on the people higher up in the hierarchy and not on the end user, let alone providing clear and straight forward steps as how I as end user should go about to mitigate the flaw. No one or nothing has been seen or heard on this matter.

gm10
Level 20
Level 20
Posts: 10870
Joined: Thu Jun 21, 2018 5:11 pm

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by gm10 »

BenTrabetere wrote:
Wed Jan 23, 2019 12:32 pm
I would greatly appreciate it if someone will post a 'treat me like I am 5 years-old' tutorial.
That's the drama and confusion these sorts of threads create. Only come in here for a laugh.

Update Manager handles your updates, don't do anything else (other than actually applying them :P)

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

gm10 wrote:
Wed Jan 23, 2019 2:37 pm
Only come in here for a laugh.
Happy to be the source of joy to someone, always :D

PS. By the way, why couldn't you have come down earlier from your Olympian heights to enlighten us lowly Linux creatures?

gm10
Level 20
Level 20
Posts: 10870
Joined: Thu Jun 21, 2018 5:11 pm

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by gm10 »

philotux wrote:
Wed Jan 23, 2019 3:21 pm
Happy to be the source of joy to someone, always :D

PS. By the way, why couldn't you have come down earlier from your Olympian heights to enlighten us lowly Linux creatures?
Hey, my statement wasn't an attack on you at all, just trying to prevent some people like the guy I responded to from breaking their systems. ;)

The thread is fine, I even applauded your subject line! :D And I wasn't saying to laugh at you but at the drama that always ensues. Drama is fun, see my previous post! I'm sorry you took that wrong.

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

gm10 wrote:
Wed Jan 23, 2019 3:28 pm
philotux wrote:
Wed Jan 23, 2019 3:21 pm
Happy to be the source of joy to someone, always :D

PS. By the way, why couldn't you have come down earlier from your Olympian heights to enlighten us lowly Linux creatures?
Hey, my statement wasn't an attack on you at all, just trying to prevent some people like the guy I responded to from breaking their systems. ;)

The thread is fine, I even applauded your subject line! :D
Sorry, I don't know why I took it personally. That's on me not you. Thank you for writing back!

gm10
Level 20
Level 20
Posts: 10870
Joined: Thu Jun 21, 2018 5:11 pm

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by gm10 »

Successful ninja-edit of two more sentences... check! (not sure if you had seen them but they might make it even clearer I hope). And it's not just on you, it's the words I said/wrote that got misunderstood so I should have been more careful. *hugs*

To contribute something, this was the previous thread I was referring to above: viewtopic.php?t=277231 - might contain some relevant information on the general subject of HTTPS and repositories.

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

gm10 wrote:
Wed Jan 23, 2019 3:28 pm
And I wasn't saying to laugh at you but at the drama that always ensues. Drama is fun, see my previous post!
You are right!
Even me, I am laughing at myself now and my overreaction.
sorry about it!

cheers

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

gm10 wrote:
Wed Jan 23, 2019 3:36 pm
Successful ninja-edit of two more sentences... check! (not sure if you had seen them but they might make it even clearer I hope). And it's not just on you, it's the words I said/wrote that got misunderstood so I should have been more careful. *hugs*

To contribute something, this was the previous thread I was referring to above: viewtopic.php?t=277231 - might contain some relevant information on the general subject of HTTPS and repositories.
Of course I will check into that thread.
Just wanted to say, that I so appreciate your presence on the forums and so respect your competence and knowledge. I feel always indebted and grateful to people from whom I learn things. From you, I learn every day something new.
*hugs back*
:D

User avatar
Moem
Level 20
Level 20
Posts: 10110
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by Moem »

BenTrabetere wrote:
Wed Jan 23, 2019 12:32 pm
It seems to me that updating APT is one of those 'it may break your system and void your warranty' activities. Not suitable for experimessing.
You're making it sound a lot harder and scarier than it is. Just use the update manager like normal, and you're done.
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

VoxelMints
Level 1
Level 1
Posts: 49
Joined: Sat Sep 08, 2018 6:20 pm

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by VoxelMints »

I decided to reinstall my Mint. I've been meaning to now is a good time.

Do I need to run the following commands on first update? If I run these commands am I updating my system like using the update manager?

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false

gm10
Level 20
Level 20
Posts: 10870
Joined: Thu Jun 21, 2018 5:11 pm

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by gm10 »

VoxelMints wrote:
Wed Jan 23, 2019 7:18 pm
Do I need to run the following commands on first update? If I run these commands am I updating my system like using the update manager?

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false
You can run those commands safely, the parameters are in case you fear already being under attack, but do note that those commands won't respect any of your settings in Update Manager, including blacklist and levels. These will install all available updates.

You can however simply update using Update Manager as well.

VoxelMints
Level 1
Level 1
Posts: 49
Joined: Sat Sep 08, 2018 6:20 pm

Re: [SOLVED by updates] Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by VoxelMints »

I'm definitely ready to update over HTTPS. If someone would like to help and provide instructions on how to switch; I'm sure I and other paranoid users like myself would greatly appreciate it.
Last edited by VoxelMints on Wed Jan 23, 2019 11:54 pm, edited 1 time in total.

User avatar
philotux
Level 5
Level 5
Posts: 833
Joined: Sat Jul 21, 2018 11:14 am
Location: Utopia

Re: [SOLVED by updates] Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by philotux »

VoxelMints wrote:
Wed Jan 23, 2019 9:05 pm
I'm definitely ready to update over HTTPS. If someone would like to help and provide instructions on how to switch; I'm sure I and other paranoid users would definitely appreciate it.
You got already those two commands to run. Please note, as explained by gm10, that the second one will update all the packages there are to update, that is, it will override your preferences set in the Update Manager.

So the answer to your question in your first post would be yes and no. Yes, if you have set up UM to always update everything. No, if you have set up UM to not update packages from, let's say, level 4, kernels, or you have blacklisted some packages for not being updated at all.

User avatar
BenTrabetere
Level 6
Level 6
Posts: 1052
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by BenTrabetere »

Moem wrote:
Wed Jan 23, 2019 5:13 pm
BenTrabetere wrote:
Wed Jan 23, 2019 12:32 pm
It seems to me that updating APT is one of those 'it may break your system and void your warranty' activities. Not suitable for experimessing.
You're making it sound a lot harder and scarier than it is. Just use the update manager like normal, and you're done.
Grrrr!

I have been looking for this update ever since a story about it hit my morning newsfeed, and started looking intently with this post. I just looked at Update Manager history, and ... I applied the update in a pre-caffiene early morning fog and before I read the news story (which did not say anything about security updates being rolled out).

I still think the documentation left a lot to be desired, but that is a rant I could apply to far too many topics.

VoxelMints
Level 1
Level 1
Posts: 49
Joined: Sat Sep 08, 2018 6:20 pm

Re: [SOLVED by updates] Flaw in Linux APT Allows Remote Attackers to Hack Systems

Post by VoxelMints »

philotux wrote:
Wed Jan 23, 2019 11:46 pm
You got already those two commands to run. Please note, as explained by gm10, that the second one will update all the packages there are to update, that is, it will override your preferences set in the Update Manager.

So the answer to your question in your first post would be yes and no. Yes, if you have set up UM to always update everything. No, if you have set up UM to not update packages from, let's say, level 4, kernels, or you have blacklisted some packages for not being updated at all.

Unfortunately my writing isn't as clear as I would like sometimes.

I meant to say I would rather update with HTTPS instead of HTTP after this vulnerability was discovered.
Instructions with setting-up the update manager to use HTTPS would be greatly appreciated.

Someone has offered instructions before on how to accomplish this, but it wasn't complete for a beginner
like myself to follow.

If I gave the impression of asking too often for help I apologize. I appreciate this community and its help.

Unfortunately people are targeted for whatever reason, and this was my worst fears about updating over
HTTP coming true.

Post Reply

Return to “Chat about Linux”