
Sid 1-50190

Message

OS-LINUX Debian apt remote code execution attempt

Summary

This event is generated when an attempt to achieve remote code execution through the apt package manager of Debian (and derived distributions) is detected.

Impact

High

CVE-2019-3462:

CVSS base score 8.1

CVSS impact score 5.9

CVSS exploitability score 2.2

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

A researcher has found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. CVE-2019-3462: Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.

Affected systems

  • debian apt 1.4.8
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • netapp active_iq -
  • netapp element_software -
  • canonical ubuntu_linux 12.04
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 18.04
  • canonical ubuntu_linux 18.10

Ease of attack

Simple

False positives

False negatives

Corrective action

Disable HTTP redirects while apt fetches package lists and packages. To do that, run:

$ sudo apt update -o Acquire::http::AllowRedirect=false
$ sudo apt upgrade -o Acquire::http::AllowRedirect=false

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • justi.cz/security/2019/01/22/apt-rce.html