
Sid 1-50190


OS-LINUX Debian apt remote code execution attempt


This event is generated when an attempt to achieve remote code execution through the apt package manager on Debian has been detected.




CVSS base score 8.1

CVSS impact score 5.9

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

A researcher has found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. CVE-2019-3462: Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
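The vulnerability class above is an unsanitized redirect target: a Location value that, raw or after percent-decoding, carries CR/LF or other control characters. The following added example (not apt's code, and not from Talos) shows a defensive check a proxy or mirror-side monitor could apply to a 302 response before acting on it; the sample responses and host names are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample responses (not captured traffic). The second one carries
# a percent-encoded CR/LF inside the Location value, the kind of input that
# apt <= 1.4.8 did not sanitize (CVE-2019-3462).
SAMPLE_RESPONSES = {
    "benign": (b"HTTP/1.1 302 Found\r\n"
               b"Location: http://deb.debian.org/debian/pool/main/x/x.deb\r\n\r\n"),
    "crlf_injected": (b"HTTP/1.1 302 Found\r\n"
                      b"Location: http://mirror.example/a.deb%0d%0aInjected: yes\r\n\r\n"),
    "no_redirect": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_location(raw_response: bytes) -> Optional[str]:
    """Return the Location header value of an HTTP response, or None if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def redirect_is_safe(location: str) -> bool:
    """Accept only http(s) targets that contain no control characters,
    checked both on the raw value and on its percent-decoded form."""
    for form in (location, unquote(location)):
        if CONTROL_CHARS.search(form):
            return False
    return location.lower().startswith(("http://", "https://"))


def check_response(raw_response: bytes) -> str:
    """Classify a response as 'no-redirect', 'ok' or 'reject'."""
    location = parse_location(raw_response)
    if location is None:
        return "no-redirect"
    return "ok" if redirect_is_safe(location) else "reject"


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name}: {check_response(raw)}")
```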

Affected systems

  • debian apt 1.4.8
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • netapp active_iq -
  • netapp element_software -
  • canonical ubuntu_linux 12.04
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 18.04
  • canonical ubuntu_linux 18.10

Ease of attack


False positives

False negatives

Corrective action

Disable HTTP redirects while apt updates and upgrades. To do that, run:

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false


  • Cisco Talos Intelligence Group

Additional References