Ubuntu Security Podcast

Content provided by Alex Murray and Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://no.player.fm/legal.

Episode 225 (19:42)

Overview

This week we cover the recent reports of a new local privilege escalation exploit against the Linux kernel, follow up on the xz-utils backdoor from last week, and mark the beta release of Ubuntu 24.04 LTS, plus we talk about security vulnerabilities in the X Server, Django, util-linux and more.

This week in Ubuntu Security Updates

76 unique CVEs addressed

[LSN-0102-1] Linux kernel vulnerability (00:53)

Kernel type 22.04 20.04 18.04 16.04 14.04
aws 102.1 102.1 102.1 102.1
aws-5.15 102.1
aws-5.4 102.1
aws-6.5 102.1
aws-hwe 102.1
azure 102.1 102.1 102.1
azure-4.15 102.1
azure-5.4 102.1
azure-6.5 102.1
gcp 102.1 102.1 102.1
gcp-4.15 102.1
gcp-5.15 102.1
gcp-5.4 102.1
gcp-6.5 102.1
generic-4.15 102.1 102.1
generic-4.4 102.1 102.1
generic-5.15 102.1
generic-5.4 102.1 102.1
gke 102.1 102.1
gke-5.15 102.1
gkeop 102.1
hwe-6.5 102.1
ibm 102.1 102.1
ibm-5.15 102.1
linux 102.1
lowlatency 102.1
lowlatency-4.15 102.1 102.1
lowlatency-4.4 102.1 102.1
lowlatency-5.15 102.1
lowlatency-5.4 102.1 102.1
canonical-livepatch status 

[USN-6710-2] Firefox regressions (01:54)

  • 2 CVEs addressed in Focal (20.04 LTS)
  • 124.0.2
    • In particular, fixes to allow Firefox installed directly from Mozilla to work under 24.04 LTS with the new AppArmor userns restrictions
    • As discussed in previous episodes, the default profile allows the use of user namespaces but blocks gaining additional capabilities within them. Firefox previously tried to create both a new user namespace and a new PID namespace in a single call, which was blocked outright; it now splits this into two separate calls so that the userns creation succeeds while the pidns creation is denied (since that requires CAP_SYS_ADMIN), and Firefox correctly detects the denial and falls back to the appropriate behaviour
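The two-step namespace probe described above, written out as an added example in C (this is not Firefox's or Mozilla's code, and the outcome names and the `probe_sandbox_namespaces` helper are this example's own). The probe runs in a forked child so the caller's own namespaces are untouched, tries the single combined `unshare()` first, and on denial falls back to creating the user namespace alone and then attempting the PID namespace, reporting which level of isolation the confinement actually allows so a sandbox can degrade deliberately rather than fail:

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback definitions in case the feature macro was not seen before the
   first system header (values are the kernel's CLONE_* constants). */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif
#ifndef __USE_GNU
extern int unshare(int flags);
#endif

/* Outcome of the probe, ordered from most to least isolated. */
enum ns_outcome {
    NS_FULL_ONE_CALL  = 0, /* user + PID namespace created in one unshare() */
    NS_FULL_TWO_CALLS = 1, /* combined call denied; userns then pidns both succeeded */
    NS_USERNS_ONLY    = 2, /* userns ok, pidns denied: the restricted-profile case */
    NS_NONE           = 3, /* no user namespace at all; sandbox must fall back fully */
    NS_PROBE_FAILED   = 4  /* fork/wait error; caller should treat as unknown */
};

/* Runs in the forked child, so the parent's namespaces are never changed. */
static int probe_in_child(void)
{
    /* The old single-call strategy: denied outright under the restricted profile. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) == 0)
        return NS_FULL_ONE_CALL;
    /* Split it: the user namespace on its own is what the profile permits... */
    if (unshare(CLONE_NEWUSER) != 0)
        return NS_NONE;
    /* ...while a new PID namespace needs CAP_SYS_ADMIN in that userns, which a
       profile granting userns but no capabilities denies. */
    if (unshare(CLONE_NEWPID) == 0)
        return NS_FULL_TWO_CALLS;
    return NS_USERNS_ONLY;
}

/* Probes in a child and returns the level of isolation that is available. */
enum ns_outcome probe_sandbox_namespaces(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return NS_PROBE_FAILED;
    if (pid == 0)
        _exit(probe_in_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NS_PROBE_FAILED;
    return (enum ns_outcome)WEXITSTATUS(status);
}

const char *ns_outcome_name(enum ns_outcome o)
{
    switch (o) {
    case NS_FULL_ONE_CALL:  return "full-one-call";
    case NS_FULL_TWO_CALLS: return "full-two-calls";
    case NS_USERNS_ONLY:    return "userns-only";
    case NS_NONE:           return "none";
    default:                return "probe-failed";
    }
}

int main(void)
{
    enum ns_outcome o = probe_sandbox_namespaces();
    printf("sandbox namespace probe: %s\n", ns_outcome_name(o));
    return 0;
}
```

Under a profile that grants userns but no capabilities the probe reports `userns-only`, which is the situation the split calls were introduced to detect; in an unconfined shell it normally reports `full-one-call`, and in a container that forbids user namespaces altogether it reports `none`. The value is environment-dependent by design, which is exactly why a sandbox should probe rather than assume.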

[USN-6721-1] X.Org X Server vulnerabilities (04:11)

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Various out-of-bounds reads -> crash / info leaks when handling byte-swapped length values; easily triggered by a client whose byte order differs from the X server's
  • Use-after-free in glyph handling -> crash / RCE
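The byte-swapping hazard above, shown as an added example in C (this is not X.Org code; the `req_header` layout, `parse_request` and `build_sample` are constructed for this example, modelled loosely on X11's "length in 4-byte units" convention). The point it demonstrates is ordering: a length field from a client of the other byte order must be swapped to host order before it is compared against the bytes actually available, otherwise the check validates one number and the read uses another.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed request header (an assumption for this example, not the real
   xserver structures): the length counts 4-byte units and includes the
   header itself, so any valid request is at least one unit long. */
typedef struct {
    uint8_t  opcode;
    uint8_t  data;
    uint16_t length;
} req_header;

static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Validates the request at buf[0..avail). client_swapped says whether the
   client's byte order differs from ours. Returns the request's byte length,
   or 0 if the header is incomplete or the (swapped) length does not fit. */
size_t parse_request(const uint8_t *buf, size_t avail, bool client_swapped, req_header *out)
{
    req_header h;
    if (avail < sizeof h)
        return 0;                          /* not even a full header yet */
    memcpy(&h, buf, sizeof h);
    if (client_swapped)
        h.length = swap16(h.length);       /* normalise to host order first */
    size_t bytes = (size_t)h.length * 4;   /* at most 262140; cannot overflow */
    /* Both bounds are checked on the already-swapped value. Checking the raw
       wire value and swapping afterwards is the ordering slip that lets a
       client of the other byte order drive reads past the end of the buffer. */
    if (bytes < sizeof h || bytes > avail)
        return 0;
    if (out)
        *out = h;
    return bytes;
}

/* Builds a constructed sample request of `units` 4-byte units into buf,
   zero-padding the body, in host order or in the foreign byte order. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t units, bool foreign_order)
{
    size_t bytes = (size_t)units * 4;
    if (bytes < sizeof(req_header) || bytes > cap)
        return 0;
    req_header h = { .opcode = 1, .data = 0,
                     .length = foreign_order ? swap16(units) : units };
    memset(buf, 0, bytes);
    memcpy(buf, &h, sizeof h);
    return bytes;
}

/* Exercises the parser on constructed input; returns how many scenarios
   behaved as expected (5 when all do). */
int run_checks(void)
{
    uint8_t buf[64];
    int ok = 0;
    size_t n = build_sample(buf, sizeof buf, 2, false);  /* native client, 8 bytes */
    ok += parse_request(buf, n, false, NULL) == 8;
    /* The same bytes read under the wrong byte-order assumption: 0x0002 units
       becomes 0x0200 units (2048 bytes), far beyond the 8 available. */
    ok += parse_request(buf, n, true, NULL) == 0;
    n = build_sample(buf, sizeof buf, 2, true);          /* swapped client, 8 bytes */
    ok += parse_request(buf, n, true, NULL) == 8;
    n = build_sample(buf, sizeof buf, 3, false);         /* header claims 12 bytes... */
    ok += parse_request(buf, 8, false, NULL) == 0;       /* ...but only 8 arrived */
    ok += parse_request(buf, 3, false, NULL) == 0;       /* truncated header */
    return ok;
}
```

The second scenario is the interesting one from a hardening standpoint: a request that is perfectly valid for a same-order client is rejected, not trusted, when the connection is flagged as swapped, because the swapped length is what the server would otherwise read by.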

[USN-6721-2] X.Org X Server regression

[USN-6722-1] Django vulnerability (05:19)

  • 1 CVE addressed in Trusty ESM (14.04 ESM)
  • Possible account takeover: a case transformation was applied to the Unicode email address, so if an attacker could register an email address that becomes identical to the intended target's address after this transformation, mail meant for the target could go to the attacker's address; the fix simply discards the transformed email address and sends to the one registered by the user

[USN-6723-1] Bind vulnerabilities (06:11)

[USN-6724-1] Linux kernel vulnerabilities (06:27)

[USN-6725-1] Linux kernel vulnerabilities

[USN-6726-1] Linux kernel vulnerabilities

[USN-6701-4] Linux kernel (Azure) vulnerabilities

[USN-6719-2] util-linux vulnerability (07:08)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • The initial fix in [USN-6719-1] util-linux vulnerability from Episode 224 tried to escape output to avoid shell command injection; as is often the case, this turned out to be insufficient, so the setgid permission has now simply been removed from the wall/write binaries, meaning they can only send messages to yourself rather than to all users

Goings on in Ubuntu Security Community

Reports of a new local root privilege escalation exploit against Linux kernel (08:32)

Ubuntu 24.04 LTS (Noble Numbat) Beta released (14:01)

Update on xz-utils (15:18)

  • When we talked about xz-utils last week, we didn't really talk much about the main upstream developer, Lasse Collin
  • Thought it could be interesting to dive into how they essentially got compromised by this actor, but that is perhaps done better by others: go listen to the latest episode of Between Two Nerds from Tom Uren and The Grugq (https://risky.biz/BTN74/) discussing the tradecraft used to infiltrate the project and comparing it against more traditional HUMINT elements
  • Lasse Collin's GitHub account and the GitHub project for xz were reinstated
  • Backdoor removed
  • Great sense of humour:
    • The executable payloads were embedded as binary blobs in the test files. This was a blatant violation of the Debian Free Software Guidelines.
    • On machines that see lots bots poking at the SSH port, the backdoor noticeably increased CPU load, resulting in degraded user experience and thus overwhelmingly negative user feedback.
    • The maintainer who added the backdoor has disappeared.
    • Backdoors are bad for security.

  • Also removed the ifunc (indirect function) support, ostensibly used to allow a developer to provide multiple implementations of a given function and select between them at runtime (in this case for an optimised CRC calculation), but abused by the backdoor to hook into and replace functions in the global symbol table before the dynamic loader makes it read-only
    • Says this was not done for security reasons but because it makes the code harder to maintain, though it is clearly a good win for security
  • Lasse still plans to write an article on the backdoor etc. but is more focused on cleaning up the upstream repo first; the next version is likely to be 5.8.0
  • Watch this space…

Get in contact
