Unexpected Ubuntu 16.04.6 LTS Coming Due To APT Security Issue

  • cybertraveler
    replied
    linux geex:

    I don't know what your agenda is. Are you trying to test me or something?

    You just gave an example of a MITM situation. What do you want from me? Do you want me to give more MITM examples? Do you want some step by step instructions?

    Think what you want. I'm not here to argue or spend time persuading you of anything. IDK who you are. I don't care what you think.


  • linuxgeex
    replied
    Originally posted by cybertraveler
    I expect lots of systems have already been compromised by exploiting this vulnerability. It would be incredibly easy and reliable to exploit and gives you root access.
    This is what I took issue with - that speculation continues to be without merit. I challenged you to support it, recognise you've chosen not to, and instead have chosen to call into question "who I am". That's ad-hominem. Not particularly adversarial ad-hominem, but it is nonetheless.

    I'll provide some examples of some reasonably easy ways to execute MITM.

    You're in a dorm, there's people around you running apt-based distros, you know if you put up a hotspot for a while and the credentials become public knowledge that several of them may begin to 'borrow' your network. Those people need to recognise that they are in a high risk situation.

    You run a Starbucks... well if your customers are running a laptop with automatic updates they could also fall prey to you.

    You run a Blog. You can break into the router config of any of the hundreds of vulnerable wifi router models of your visitors (most of them can be broken merely by directing them to a web page which contains a hidden image with a link to http://192.168.1.1/some_vulnerable_config_path and after that you can take control of their router).

    Yes these can all be done relatively easily. But these are low-value targets, not worth the effort and risk of conviction, so you're not going to do it.
    Last edited by linuxgeex; 11 March 2019, 09:30 AM.


  • cybertraveler
    replied
    Originally posted by linuxgeex

    Because people who cry wolf make management ignore issues that actually need to be addressed promptly.
    Cry wolf? This is a huge issue. The Canonical security team agree with me. They issued a new point release for 16.04 LTS purely because of this issue. They weren't even planning on making another point release for that OS.

    Originally posted by linuxgeex
    I did enjoy your humour, but please, take security more seriously.
    I take security seriously. I carefully updated all the apt-based systems under my control to ensure they couldn't be exploited during the update process.

    Of note: many apt-based systems (including Ubuntu) will automatically run "apt-get update" without prompting the user. This means those systems could have been rooted with zero user interaction.

    If my language seems light/humorous, it's because I try my best to stay that way. It's always best to be calm and high spirited IMO.

    P.S. I have no interest in discussing the odds of there being a MITM in any given situation. That's a huge discussion and I don't know who you are. My rule of thumb: all communications received over a public network should be considered not trustworthy and potentially compromised.


  • linuxgeex
    replied
    Originally posted by cybertraveler

    Not sure why you're so salty.
    Because people who cry wolf make management ignore issues that actually need to be addressed promptly.

    Originally posted by cybertraveler
    I think any MITM with modest scripting skills and a day to spare could exploit this reliably & easily.
    Yes. And how exactly would you go about making yourself a man in the middle so you could exercise this exploit "easily" and therefore justify your statement that this exploit is easy and has already compromised a large amount of apt-based systems?

    I did enjoy your humour, but please, take security more seriously.

    15-20 years ago this might have been easier to exploit - before NOCs started blocking NICs in promiscuous mode that aren't on segmented networks, and before VPS vendors were using point-2-point VETH to allocate IPs. But these days ARP poisoning, DHCP hijacking, sniffing, are impossible in a responsibly operated NOC. So good luck executing MITM without being an infrastructure provider, and good luck not getting caught if you are.

    That being said, anyone running a PCI or ISO27000-compliant service needs to apply this patch immediately to stay in compliance, and it will be nice to know that it's been adopted by a majority of systems, to reduce the reward side of the risk-reward equation driving bad actors to make the effort required to actually exploit it.
    Last edited by linuxgeex; 04 March 2019, 06:46 PM.


  • cybertraveler
    replied
    Originally posted by linuxgeex
    That's a strong armchair statement of opinion.

    Now how about you describe how you personally would go about exploiting this vulnerability in order to get root on any one other system on this entire planet. It's doable, but let's see if you have even a basic understanding of how "easy" it is.
    Not sure why you're so salty.

    Regardless: you can learn about the exploit here if you like: https://justi.cz/security/2019/01/22/apt-rce.html

    If you don't agree that it would be incredibly easy for an attacker to exploit... fair enough.

    I think any MITM with modest scripting skills and a day to spare could exploit this reliably & easily.

    P.S. my chair has no arms


  • linuxgeex
    replied
    Originally posted by cybertraveler
    I expect lots of systems have already been compromised by exploiting this vulnerability. It would be incredibly easy and reliable to exploit and gives you root access.
    I'm surprised this vulnerability didn't get more media attention.
    That's a strong armchair statement of opinion.

    Now how about you describe how you personally would go about exploiting this vulnerability in order to get root on any one other system on this entire planet. It's doable, but let's see if you have even a basic understanding of how "easy" it is.
    Last edited by linuxgeex; 24 February 2019, 02:46 PM.


  • creative
    replied
    I would be more concerned with why and how many packages are being tampered with in repos.

    On a separate note, I have had more than one issue with ISO GPG keys and signature verifications. I am a lot less worried about apt or a given package manager. I use Linux for its ability to be customized, however, that is about as far as I trust it.
    Last edited by creative; 24 February 2019, 06:08 PM.


  • Weasel
    replied
    Ah, the wonders of the centralized repository or "app store" cancer. Delightful.


  • Vistaus
    replied
    Originally posted by cybertraveler
    I'm surprised this vulnerability didn't get more media attention.
    Yeah, even Softpedia didn't write anything about it and they are usually on top of all Linux and distro vulnerabilities...


  • cybertraveler
    replied
    This is a very sensible thing for Canonical to do. Without this point release, you'd have a lot more people installing 16.04 and then running the vulnerable apt to update it; in the process of that update, their system could get compromised.

    If any of you reading this have old 16.04 ISOs / disks lying around, consider deleting/destroying them, so that if you do need to install 16.04 again, you will naturally download the latest (16.04.6) ISOs.

    I expect lots of systems have already been compromised by exploiting this vulnerability. It would be incredibly easy and reliable to exploit and gives you root access.

    I'm surprised this vulnerability didn't get more media attention.
