Today we are announcing the release of SecureDrop 0.11.1. This release includes a security fix (Issue, Pull Request) for a vulnerability in the APT package manager (USN-3863-1 / CVE-2019-3462).
On a vulnerable system, an attacker in a privileged network position who is able to perform a man-in-the-middle attack could have exploited this vulnerability to run code on the server with full root (superuser) privileges. Note that the SecureDrop and Tor packages are served over HTTPS, providing defense in depth against this type of attack; however, the packages for the base operating system are not served over HTTPS. On the Admin and Journalist Workstations, defense in depth is provided by downloading apt packages over Tor onion services.
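To see which transports a given machine's APT sources actually use, the following added example (not SecureDrop's own code) classifies each entry of a one-line-format sources.list as HTTPS, Tor, or plaintext. The sample entries and hostnames are constructed placeholders, and the `tor+http` scheme is the one used by the apt-transport-tor package.

```python
import re
from urllib.parse import urlparse

# Constructed sample in one-line sources.list format; hostnames are placeholders.
SAMPLE_SOURCES = """\
# base operating system (constructed example)
deb http://archive.example.org/ubuntu trusty main
deb [arch=amd64] https://apt.example.org trusty main
deb tor+http://exampleonionaddress.onion/debian stretch main
deb-src http://archive.example.org/ubuntu trusty main
"""

# type, optional [options], URI, suite
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")


def classify(uri):
    """Return the transport class of one APT source URI."""
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme.startswith("tor+") or host.endswith(".onion"):
        return "tor"        # fetched through Tor
    if scheme == "https":
        return "https"      # TLS protects the download in transit
    if scheme in ("http", "ftp"):
        return "plaintext"  # a network man-in-the-middle can tamper with traffic
    return "other"          # file:, cdrom:, etc.


def audit_sources(text):
    """Return (line number, type, URI, suite, transport) for each active entry."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if m:  # comments and blank lines do not match
            kind, uri, suite = m.groups()
            results.append((lineno, kind, uri, suite, classify(uri)))
    return results


def plaintext_entries(text):
    """Entries whose transport gives no protection against a network MITM."""
    return [r for r in audit_sources(text) if r[4] == "plaintext"]


if __name__ == "__main__":
    for lineno, kind, uri, suite, transport in audit_sources(SAMPLE_SOURCES):
        print(f"line {lineno}: {kind} {uri} ({suite}) -> {transport}")
```

On a real system, pass the contents of `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/` to `audit_sources` instead of the sample.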
The APT vulnerability was disclosed on January 22, and a patched version of the APT package manager was released concurrently. Existing SecureDrop installations were automatically patched as part of nightly system updates. As a result, we believe that the likelihood of a successful attack against running SecureDrop installations is very low.
Existing SecureDrop installations will be automatically updated to this point release. Your Admin and Journalist Workstations should alert you to the availability of workstation updates, which you can perform by clicking “Update Now”. If the graphical updater does not appear, please see our previously issued instructions for performing a manual workstation update. On a subsequent boot, the graphical updater will appear and you can click “Update Now” to update to version 0.11.1.
If you have started a new installation of SecureDrop on or after January 22, you may want to abort the installation, securely wipe your servers, and reinstall using version 0.11.1 to fully exclude the possibility of a successful attack during the installation process.
If you have any questions, please don’t hesitate to reach out:
via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
via securedrop@freedom.press (GPG encrypted);
via our community forums.