Overview
This week we dive into Trend Micro’s recent Linux Threat Report and the
release of Ubuntu 20.04.3 LTS, plus we detail security updates for
Inetutils telnetd, the Linux kernel and OpenSSL.
This week in Ubuntu Security Updates
9 unique CVEs addressed
[USN-5048-1] Inetutils vulnerability [00:45]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Buffer overflow in inetutils telnetd - originally CVE was found in netkit
telnetd - but subsequently the GNU inetutils version was also found to
contain basically the same vulnerable function. Very detailed blog post
re exploiting this on Fedora, great example if you are interested in vuln
hunting etc - patched but why run telnetd?
- https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
[USN-5050-1] Linux kernel vulnerabilities [02:03]
- 6 CVEs addressed in Focal (20.04 LTS)
- 2 bluetooth HCI UAFs, NFC NULL ptr deref, Xen PV UAF from guest->host, 2
other bluetooth vulns - info leak - all covered in previous episodes
[USN-5051-1] OpenSSL vulnerabilities [02:49]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- High profile vuln in SM2 algorithm impl in openssl - (Chinese and later
ISO standard elliptic curve algo used for both signature and encryption)
- Usual scheme is to call the API function
EVP_PKEY_decrypt()
twice - call
first time to get the required buffer size to hold the decrypted
plaintext - second time to do the actual decryption passing a buffer of
the specified length to hold the result
- Bug meant the returned length in first call would be smaller than
required -> up to 62 byte buffer overflow using attacker controlled data
- Depending on application, could be heap or stack buffer
- Possible RCE
- Buffer overread in handling of ASN.1 strings
- ASN1 strings in openssl are represented as the bytes plus a length -
unlike normal C strings, bytes array of the string is NOT NUL
terminated in general
- However some internal functions would actually add a NUL byte - and
other functions ended up assuming ASN1 strings would all be NUL
terminated - plus various functions to parse ASN1 data would also add
NUL terminators too - so if had an application that was manually
constructing ASN1 strings without adding a NUL terminator, this could
result in a buffer overread if these were passed to a function which
expected a NUL (ie functions which print the contents etc)
- Again depends on application that uses OpenSSL - so not all will be
vulnerable - but fixed to ensure all internal functions which handle
ASN1 strings in OpenSSL respect the length field and not assume is NUL
terminated
Goings on in Ubuntu Security Community
Ubuntu 20.04.3 LTS released [05:58]
Trend Micro Linux Threat Report 2021 1H [07:20]
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations
- Report which collates data from Trend Micro™ Smart Protection Network™
(SPN) (data lake) - collects data across all Trend Micro products plus
various honeypots and other sensors etc - measure of real-world malware
prevalence and vuln exploitation in enterprises
- Linux makes up 61% of Cloud One users - cloud native product for
protection of cloud deployments
- Ubuntu makes up 16% of that (RH 30%, AWS Linux 18%)
- Top threats:
- Coinminers, Web shells, Ransomware, Trojans, other
- For systems which contained these:
- 51% CentOS, 31% CloudLinux, 10% Ubuntu, 3% RHEL
- Intrusion Protection System (IPS) hits:
- 36% Amazon Linux, 23% RHEL 7, 8% CentOS 7, 7% RHEL 6, Amazon Linux, Ubuntu 18.04, 4% Ubuntu 20.04, 16.04
- Top 15 vulns with known exploits:
- 5 were in Apache Struts2 - incl. vuln used in Equifax breach in 2017
- 1 each in Drupal, Oracle WebLogic, WordPress file manager plugin,
vBulletin, Eclipse Jetty, Alibaba Nacos, Atlassian Jira, NginX, Liferay
- Most of these are not shipped in Ubuntu but clearly orgs are
deploying these sorts of applications on Ubuntu/RHEL etc
- Of 20k vulns from 2020, only ~200 were observed with known public exploits
- roughly the same as above but more of the sorts of things we ship and
support in Ubuntu
- struts, netty, drupal, dnsmasq, JIRA, WebLogic, Wordpress, nginx,
apache httpd, ISC BIND, openssl, tomcat
- 76% are attacks against web apps
- Looking at OWASP top 10 - of all attack by volume, only 21% fit into
OWASP top 10 - ie. SQL injection, command injection, XSS, insecure
deserialisation, XML EE,
- Looking at attacks outside OWASP top 10
- Brute force ~40% of all attacks
- Directory traversal 21%
- Request smuggling
- Also briefly mentions how to secure Linux but only talks technologies -
iptables, seccomp, AppArmor, SELinux etc - and on practical guidance
mentions Antimalware (ie Trend 😉), IPS/IDS, application whitelisting,
vuln patching, activity monitoring etc
- Plus looks a bit at containers - ranks vulns in 15 most popular official
docker images - Python comes in on top with 482 vulns, Node 470,
Wordpress 402, Golang 288, nginx 118, postgres 86, influxdb 85, apache
httpd 84, mysql 76…
- Not surprising perhaps that the more general purpose images have more
vulns - more code, more vulns, also perhaps a larger attack surface etc
too
Get in contact