Episode 225
Manage episode 412092530 series 2423058
Overview
This week we cover the recent reports of a new local privilege escalation exploit against the Linux kernel, follow-up on the xz-utils backdoor from last week and it’s the beta release of Ubuntu 24.04 LTS - plus we talk security vulnerabilities in the X Server, Django, util-linux and more.
This week in Ubuntu Security Updates
76 unique CVEs addressed
[LSN-0102-1] Linux kernel vulnerability (00:53)
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- All covered in previous episodes
- netfilter UAF ([USN-6700-1] Linux kernel vulnerabilities from Episode 223)
- OOB write in KTLS ([USN-6648-1] Linux kernel vulnerabilities from Episode 220)
- UAF in AppleTalk network driver ([USN-6648-1] Linux kernel vulnerabilities from Episode 220)
- NULL ptr deref in TLS impl ([LSN-0100-1] Linux kernel vulnerability from Episode 219)
- Memory leak in netfilter ([USN-6383-1] Linux kernel vulnerabilities from Episode 210)
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|
aws | 102.1 | 102.1 | 102.1 | 102.1 | — |
aws-5.15 | — | 102.1 | — | — | — |
aws-5.4 | — | — | 102.1 | — | — |
aws-6.5 | 102.1 | — | — | — | — |
aws-hwe | — | — | — | 102.1 | — |
azure | 102.1 | 102.1 | — | 102.1 | — |
azure-4.15 | — | — | 102.1 | — | — |
azure-5.4 | — | — | 102.1 | — | — |
azure-6.5 | 102.1 | — | — | — | — |
gcp | 102.1 | 102.1 | — | 102.1 | — |
gcp-4.15 | — | — | 102.1 | — | — |
gcp-5.15 | — | 102.1 | — | — | — |
gcp-5.4 | — | — | 102.1 | — | — |
gcp-6.5 | 102.1 | — | — | — | — |
generic-4.15 | — | — | 102.1 | 102.1 | — |
generic-4.4 | — | — | — | 102.1 | 102.1 |
generic-5.15 | — | 102.1 | — | — | — |
generic-5.4 | — | 102.1 | 102.1 | — | — |
gke | 102.1 | 102.1 | — | — | — |
gke-5.15 | — | 102.1 | — | — | — |
gkeop | — | 102.1 | — | — | — |
hwe-6.5 | 102.1 | — | — | — | — |
ibm | 102.1 | 102.1 | — | — | — |
ibm-5.15 | — | 102.1 | — | — | — |
linux | 102.1 | — | — | — | — |
lowlatency | 102.1 | — | — | — | — |
lowlatency-4.15 | — | — | 102.1 | 102.1 | — |
lowlatency-4.4 | — | — | — | 102.1 | 102.1 |
lowlatency-5.15 | — | 102.1 | — | — | — |
lowlatency-5.4 | — | 102.1 | 102.1 | — | — |
canonical-livepatch status
[USN-6710-2] Firefox regressions (01:54)
- 2 CVEs addressed in Focal (20.04 LTS)
- 124.0.2
- In particular fixes to allow firefox when installed directly from Mozilla to work under 24.04 LTS with the new AppArmor userns restrictions
- As discussed in previous episodes, the default profile allows a process to create a user namespace but then blocks it from gaining additional capabilities - Firefox would previously try to create both a new user namespace and a new PID namespace in one call, which would be blocked - this is now split into two separate calls so the userns can succeed while the pidns is denied (since that requires CAP_SYS_ADMIN) - Firefox then correctly detects this and falls back to the correct behaviour
[USN-6721-1] X.Org X Server vulnerabilities (04:11)
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Various OOB reads -> crash / info leaks when handling byte-swapped length values - able to be easily triggered by a client who is using a different endianness than the X server
- UAF in glyph handling -> crash / RCE
[USN-6721-2] X.Org X Server regression
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6722-1] Django vulnerability (05:19)
- 1 CVE addressed in Trusty ESM (14.04 ESM)
- Possible account takeover - the lookup would apply a Unicode case transformation to the email address - so if an attacker can register an email address that matches the intended target's email address after this case transformation, the email would be sent to the attacker's address - the fix simply discards the transformed (submitted) email address and sends to the one registered by the user
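Added example (not Django's code, not from the show notes): a case-insensitive email lookup that compares addresses after Unicode upper-casing, with the pre-fix behaviour (send to the address that was submitted) beside the fixed behaviour (send only to the address stored on the matched account). The accounts and the long-s address are constructed for the example.

```python
# Added example, not Django's implementation. It mimics the kind of
# case-insensitive lookup the show notes describe and shows why the fix is
# to discard the submitted address and mail the registered one instead.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str  # the address exactly as the account owner registered it


# Constructed sample accounts. The attacker's address uses U+017F
# (LATIN SMALL LETTER LONG S), which upper-cases to a plain ASCII "S",
# so both addresses collapse to "MISTER@EXAMPLE.COM".
USERS = [
    User("victim", "mister@example.com"),
    User("attacker", "mi\u017fter@example.com"),
]


def matching_users(users, submitted_email):
    """Mimic a case-insensitive lookup: compare addresses after a Unicode
    case transformation. Distinct addresses can collide here."""
    key = submitted_email.upper()
    return [u for u in users if u.email.upper() == key]


def reset_targets_vulnerable(users, submitted_email):
    """Before the fix: every matched account's reset email goes to the
    address typed into the form, so the victim's token reaches the
    submitted (attacker-controlled) address. Returns (username, recipient)."""
    return [(u.username, submitted_email) for u in matching_users(users, submitted_email)]


def reset_targets_fixed(users, submitted_email):
    """After the fix: the submitted address is discarded and each email goes
    to the address the account owner actually registered."""
    return [(u.username, u.email) for u in matching_users(users, submitted_email)]


if __name__ == "__main__":
    probe = "mi\u017fter@example.com"
    print("vulnerable:", reset_targets_vulnerable(USERS, probe))
    print("fixed:     ", reset_targets_fixed(USERS, probe))
```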
[USN-6723-1] Bind vulnerabilities (06:11)
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6633-1] Bind vulnerabilities from Episode 219
[USN-6724-1] Linux kernel vulnerabilities (06:27)
- 12 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
[USN-6725-1] Linux kernel vulnerabilities
- 46 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2023-52470
- CVE-2023-52469
- CVE-2023-52451
- CVE-2023-52610
- CVE-2023-52441
- CVE-2023-52467
- CVE-2023-52449
- CVE-2024-26591
- CVE-2023-52458
- CVE-2024-26597
- CVE-2024-26633
- CVE-2023-52436
- CVE-2023-52444
- CVE-2024-26589
- CVE-2024-26586
- CVE-2024-26598
- CVE-2023-52612
- CVE-2023-52439
- CVE-2024-26631
- CVE-2023-52442
- CVE-2023-52443
- CVE-2023-52480
- CVE-2023-52438
- CVE-2023-52454
- CVE-2023-52456
- CVE-2023-52464
- CVE-2023-52457
- CVE-2023-52448
- CVE-2023-52609
- CVE-2023-52462
- CVE-2023-52445
- CVE-2023-52463
- CVE-2024-24860
- CVE-2024-23850
- CVE-2024-22705
- CVE-2024-23851
- CVE-2023-52429
- CVE-2023-52340
- CVE-2023-46838
- CVE-2023-3867
- CVE-2023-38431
- CVE-2023-38430
- CVE-2023-38427
- CVE-2023-32258
- CVE-2023-32254
- CVE-2023-1194
[USN-6726-1] Linux kernel vulnerabilities
- 23 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- CVE-2023-52438
- CVE-2023-52436
- CVE-2023-52454
- CVE-2023-52470
- CVE-2023-52451
- CVE-2023-52445
- CVE-2023-52469
- CVE-2023-52609
- CVE-2023-52444
- CVE-2023-52449
- CVE-2024-26597
- CVE-2024-26633
- CVE-2023-52612
- CVE-2023-52439
- CVE-2023-52443
- CVE-2023-52457
- CVE-2023-52448
- CVE-2023-52464
- CVE-2024-0607
- CVE-2024-23851
- CVE-2023-52429
- CVE-2023-52340
- CVE-2023-46838
[USN-6701-4] Linux kernel (Azure) vulnerabilities
- 12 CVEs addressed in Trusty ESM (14.04 ESM)
[USN-6719-2] util-linux vulnerability (07:08)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Initial fix in [USN-6719-1] util-linux vulnerability from Episode 224 tried to escape output to avoid shell command injection - as is often the case, this turned out to be insufficient, so instead the setgid permission has now been removed from the wall/write binaries - they can then only send to yourself rather than to all users
Goings on in Ubuntu Security Community
Reports of a new local root privilege escalation exploit against Linux kernel (08:32)
- https://github.com/YuriiCrimson/ExploitGMStr
- Ukrainian hacker YuriiCrimson
- Has generated a lot of interest since whilst there are always vulns / CVEs in the kernel we don’t always see full PoCs much anymore
- Originally developed an exploit against the n_gsm driver in the 6.4 and 6.5 kernels - Says they were contacted by another hacker jmpeax (Jammes) who wanted to purchase the exploit - After selling it to them, it seems they tried to pass it off as their own
- https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit
- https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
- commit timestamps of the purported copy by Jammes are all dated over 3 weeks ago
- but the original is only 1 week ago
- so on the surface would appear the other way around
- however, Yurii posted a video of their interaction with Jammes on Telegram to try and prove their side
- looking at repo metadata https://api.github.com/repos/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit shows the so-called copy was created on 22nd March
- whereas Yurii's was created on 6th April - so it would appear that perhaps Jammes is the original author
- also can compare the two exploits and see they are almost identical - but Jammes has an extra target for the 6.5.0-26-generic kernel from mantic
- who the actual author is remains unclear (also I don’t have telegram so couldn’t check the video)…
- Regarding the actual vulnerability - turns out there are at least 2 if not 3 in this module
- Old CVE-2023-6546 - written up https://github.com/Nassim-Asrir/ZDI-24-020/
- Fixed in 6.5-rc7
- Yurii / Jammes
- Additional exploit by Yurii apparently targeting 5.15-6.1 - also in n_gsm
- Mixed reports about this last exploit, but reports are that the one from Yurii/Jammes does work even on the latest upstream kernel
- Waiting on a fix from upstream to then integrate in Ubuntu kernels
- Interesting that these exploits all used the same basic info leak from Xen via /sys/kernel/notes, which leaks the address of the xen_startup function and so allows KASLR to be broken - Reports this was known since at least 2020
- Many eyes…?
Ubuntu 24.04 LTS (Noble Numbat) Beta released (14:01)
- https://lists.ubuntu.com/archives/ubuntu-announce/2024-April/000300.html
- https://discourse.ubuntu.com/t/noble-numbat-release-notes/
- Also releases for all the flavours
- Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, Xubuntu
- Final release scheduled for 25th April (just under 2 weeks)
Update on xz-utils (15:18)
- When we talked about xz-utils last week, didn’t really talk much about the main upstream developer Lasse Collin
- Thought it could be interesting to dive into how they essentially got compromised by this actor - but that is perhaps done better by others - go listen to the latest episode of Between Two Nerds from Tom Uren and The Grugq (https://risky.biz/BTN74/) talking about the tradecraft used to infiltrate the project and comparing this against the more traditional HUMINT elements
- Lasse Collin's GitHub account and the GitHub project for xz were reinstated
- Backdoor removed
- Great sense of humour:
The executable payloads were embedded as binary blobs in the test files. This was a blatant violation of the Debian Free Software Guidelines.
On machines that see lots of bots poking at the SSH port, the backdoor noticeably increased CPU load, resulting in degraded user experience and thus overwhelmingly negative user feedback.
The maintainer who added the backdoor has disappeared.
Backdoors are bad for security.
- Also removed the ifunc (indirect function) support - ostensibly used to allow a developer to create multiple implementations of a given function and select between them at runtime - in this case it was for an optimised version of the CRC calculation - but it was abused by the backdoor to hook into and replace functions in the global symbol table before the table gets made read-only by the dynamic loader
- Says this was not for security reasons but since it makes the code harder to maintain but is clearly a good win for security
- Lasse still plans to write an article on the backdoor etc. but is more focused on cleaning up the upstream repo first - next version is likely to be 5.8.0
- Watch this space…
Get in contact