Overview
Microsoft’s Nimbuspwn sets the Linux security media ablaze, but where
there’s smoke there’s not always fire; plus we bring you the first part of
a two-part series looking at some of the security features in the latest
Ubuntu 22.04 LTS release.
This week in Ubuntu Security Updates
92 unique CVEs addressed
[USN-5381-1] Linux kernel (OEM) vulnerabilities
- 11 CVEs addressed in Focal (20.04 LTS)
[USN-5383-1] Linux kernel vulnerabilities
- 8 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
[USN-5384-1] Linux kernel vulnerabilities
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5385-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5387-1] Barbican vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- 1 CVE addressed in Jammy (22.04 LTS)
[USN-5388-1] OpenJDK vulnerabilities
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5388-2] OpenJDK vulnerabilities
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5389-1] Libcroco vulnerabilities
- 4 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5390-1] Linux kernel vulnerabilities
- 3 CVEs addressed in Jammy (22.04 LTS)
- Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5391-1] libsepol vulnerabilities
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
[USN-5366-2] FriBidi vulnerabilities
- 3 CVEs addressed in Jammy (22.04 LTS)
[USN-5393-1] Thunderbird vulnerabilities
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
[USN-5371-2] nginx vulnerability
- 3 CVEs addressed in Jammy (22.04 LTS)
[USN-5394-1] WebKitGTK vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
[USN-5392-1] Mutt vulnerabilities
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5395-1] networkd-dispatcher vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5396-1] Ghostscript vulnerability
- 1 CVE addressed in Bionic (18.04 LTS)
[USN-5397-1] curl vulnerabilities
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5398-1] Simple DirectMedia Layer vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Impish (21.10)
[USN-5399-1] libvirt vulnerabilities
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
[USN-5400-1] MySQL vulnerabilities
- 23 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
[USN-5400-2] MySQL vulnerabilities
- 6 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5390-2] Linux kernel (Raspberry Pi) vulnerabilities
- 3 CVEs addressed in Jammy (22.04 LTS)
Goings on in Ubuntu Security Community
Nimbuspwn [01:46]
- Nimbuspwn - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
- At the end of April Microsoft disclosed some vulnerabilities which
gathered a lot of media attention, with many outlets claiming that most
Linux systems were affected and that this was a high severity issue
- Describes a number of issues in networkd-dispatcher which could be
chained to run arbitrary code as root (a local privilege escalation
rather than remote code execution):
- directory traversal
- symlink race
- TOCTOU permissions check race condition
- However, all of this relies on being able to have an arbitrary process
run as the systemd-network user, since the D-Bus system bus policy only
lets that user own the bus name org.freedesktop.network1, which is where
networkd-dispatcher expects the triggering signals to come from
- Originally they provided some vague mentions of gpgv plugins and epmd
running under this user
- gpgv plugins are launched by apt / apt-get during package install /
upgrade, so this sounded like a common scenario that would affect most
users (unlike epmd, the Erlang port mapper daemon, which only matters if
you are running Erlang applications)
- Looking again though at these gpgv plugins running as the
systemd-network user - this is definitely not the case for standard
Ubuntu, since apt deliberately runs them under the dedicated _apt user
account (the APT::Sandbox::User setting, visible via apt-config dump)
precisely to restrict their privileges
- After we questioned Microsoft about this, they amended the blog post to
then just say they were able to detect several instances of other
processes running under this user in various customer environments but
then state that some of these were due to customer
misconfigurations.
- So there is no real evidence here that in general Ubuntu / Linux users
would be affected as all the original media reporting suggested
- Perhaps these customers were using containers and running processes in
those where the UID mapped back to the systemd-network user ID on the
host? This is a common pitfall with containers - a user inside the image
shares its numeric UID with whatever host account happens to have the
same number unless user namespaces remap it - and something which users
need to be aware of when deploying containers
- As such, what appeared to be quite a high priority and high profile
vulnerability is in fact likely more of a non-issue - whilst it could be
argued that these are real issues in networkd-dispatcher (and they have
been fixed, see USN-5395-1 above), since they are not exploitable in
standard configurations they are not a real threat to most users
- Interesting to note while the blog post has been
amended, all the various media articles which cited the original report
have not been updated and still seem to claim that Ubuntu and other
distros would be affected by this
- Also interesting to note, Microsoft worked directly with the upstream
maintainer of networkd-dispatcher but didn’t involve any downstream
distros - as suggested by Julian Andres Klode from the Ubuntu Foundations
team (and upstream apt maintainer), perhaps Microsoft should have
pre-disclosed this issue to the linux-distros mailing list - if they had
done so it would likely have been assessed and clarified earlier, so that
Microsoft could have better understood the real extent of the
vulnerabilities they discovered and the internet could have avoided
another brief panic
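Since the whole Nimbuspwn chain hinges on whether anything you run ends up with the systemd-network UID, the practical check is to enumerate processes by real UID on the host. The following is an added example written for these notes (it is not code from networkd-dispatcher, apt or Microsoft's write-up): it walks /proc, parses each process's status file and reports everything running as a named account, defaulting to systemd-network. Run it on the host rather than inside a container, because container processes appear in the host's /proc with the UID they map to on the host, which is exactly the mapping pitfall described above.

```c
/* Added example (not code from networkd-dispatcher, apt or Microsoft's
 * write-up): list every process whose real UID is a given account, so
 * you can see whether anything other than systemd-networkd itself runs
 * as systemd-network on a host. */
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return the real UID from the "Uid:" line of a /proc/<pid>/status
 * buffer, or (uid_t)-1 if the line is missing or malformed. */
uid_t uid_from_status(const char *status)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "Uid:", 4) == 0) {
            char *end;
            unsigned long v = strtoul(line + 4, &end, 10); /* first field = real uid */
            return end == line + 4 ? (uid_t)-1 : (uid_t)v;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return (uid_t)-1;
}

/* Read a small /proc file into buf; returns bytes read or -1. */
static long read_small_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Print every process running with real UID target and return how many
 * were found, or -1 if /proc cannot be opened. */
long processes_running_as(uid_t target)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    long matches = 0;
    struct dirent *e;
    char path[64], status[4096], comm[256];
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;  /* only PID dirs */
        snprintf(path, sizeof path, "/proc/%s/status", e->d_name);
        if (read_small_file(path, status, sizeof status) < 0) continue;
        if (uid_from_status(status) != target) continue;
        snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
        if (read_small_file(path, comm, sizeof comm) < 0) strcpy(comm, "?");
        comm[strcspn(comm, "\n")] = '\0';
        printf("pid %s runs as uid %lu: %s\n", e->d_name,
               (unsigned long)target, comm);
        matches++;
    }
    closedir(d);
    return matches;
}

/* Resolve an account name and scan for it. Returns -2 if the account
 * does not exist on this host (then nothing local can run as it). */
long processes_running_as_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (!pw) return -2;
    return processes_running_as(pw->pw_uid);
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "systemd-network";
    long n = processes_running_as_user(user);
    if (n == -2)
        printf("no such account on this host: %s\n", user);
    else
        printf("%ld process(es) running as %s\n", n, user);
    return 0;
}
```

On a stock Ubuntu host the only hit should be systemd-networkd; anything else listed is a candidate foothold for the networkd-dispatcher bugs and worth explaining (a container's UID mapping, a service unit with User=systemd-network, and so on).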
What’s new in security in Ubuntu 22.04 LTS (part 1) [08:05]
- Preview of the first half of blog post which will be published in the
coming weeks on the various security features which are included in
Ubuntu 22.04 LTS. This week we will look at enhancements provided by the
Linux kernel whilst next week we will look at features provided by other
parts of the distribution.
- 22.04 LTS latest long term support release - 5 years of standard support
plus 5 years of ESM - total 10 years of support via Ubuntu Advantage
(free for personal use)
- Great foundation to use then to deploy services / applications etc and
know they will be supported for a long time to come
- Has been 2 years since the last LTS so there are lots of features to
cover - I will only touch on some of them - if you want a more deep dive,
check out the blog posts we published for the interim releases
- Optimised kernels for different platforms
- OEM desktops - 5.17
- Desktop & server - 5.15
- Desktop will get HWE stack by default so in future will get kernel
version upgrades bringing new features etc whilst server will stick
with GA kernel for stability
- Clouds have their own optimised kernels
- Hardware specific enhancements
- SGX on Intel for secure enclaves
- Memory tagging on ARM64 to protect against memory corruption attacks
- AMD SEV for KVM guests, including the SEV-ES encrypted-state extension
which is what keeps guest VM register contents hidden from the host
- Generic kernel improvements
- Core scheduling to provide a means to keep using SMT in the face of
various hardware microarchitectural side-channel attacks like L1TF and
the like (these were only partially mitigated in software/microcode and
could still potentially affect VMs running across SMT siblings) - so in
the past you had to disable SMT to be fully certain you were protected -
now core scheduling lets you tag processes (via the PR_SCHED_CORE prctl)
so that tasks with different tags are never run on sibling hyperthreads
of the same core at the same time, which avoids these sorts of attack
- Kernel stack offset randomisation across system calls
- BPF improvements - one of the most popular subsystems in the kernel,
used not just for tracing and packet filtering but also now BPF LSM and
more use-cases. However, it has also caused a number of security vulns as
covered previously - unprivileged BPF is now disabled by default (check
the kernel.unprivileged_bpf_disabled sysctl; non-zero means disabled).
Work has also been done to try and support signed BPF programs to ensure
only trusted code is executed as well.
- Landlock LSM for application-level sandboxing - like seccomp, Landlock
allows a process to specify its own policy so it can sandbox itself (and
any children it spawns) - rather than, say, traditional MAC systems like
AppArmor/SELinux where the system administrator configures the policy
- LSM stacking allows Landlock to be used in conjunction with AppArmor
for a more defense-in-depth approach
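To make the core scheduling point concrete, here is an added example written for these notes (it is not code from the Ubuntu kernel tree or any upstream tool): it tags the calling process with a core scheduling cookie through prctl(PR_SCHED_CORE), then forks a child and confirms the cookie was inherited, which is what stops that process tree from ever sharing an SMT core with untagged or differently tagged tasks. The constant values are the ones from <linux/prctl.h>, guarded so the file builds with older headers; the kernel reports ENODEV when no SMT siblings are online and EINVAL when CONFIG_SCHED_CORE is off, and the example treats both as "nothing to isolate here".

```c
/* Added example (not code from the Ubuntu kernel tree): tag a process
 * with a core scheduling cookie via prctl(PR_SCHED_CORE) so that only
 * tasks sharing the cookie may run on SMT siblings of the same core at
 * the same time; a child inherits the cookie across fork(). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SCHED_CORE
#define PR_SCHED_CORE                     62
#define PR_SCHED_CORE_GET                 0
#define PR_SCHED_CORE_CREATE              1
#define PR_SCHED_CORE_SHARE_TO            2
#define PR_SCHED_CORE_SHARE_FROM          3
#define PR_SCHED_CORE_SCOPE_THREAD        0
#define PR_SCHED_CORE_SCOPE_THREAD_GROUP  1
#define PR_SCHED_CORE_SCOPE_PROCESS_GROUP 2
#endif

/* Errors that mean "nothing to isolate here": no CONFIG_SCHED_CORE
 * (EINVAL), no SMT siblings online (ENODEV), or a sandbox filtering
 * the prctl (EPERM/ENOSYS). */
static int core_sched_unavailable(int err)
{
    return err == EINVAL || err == ENODEV || err == EPERM || err == ENOSYS;
}

/* Fetch the (hashed) cookie of pid, 0 meaning "no cookie". Returns 0 on
 * success or -errno. The GET command only accepts the THREAD scope. */
int core_sched_get_cookie(pid_t pid, uint64_t *cookie)
{
    *cookie = 0;
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, pid,
              PR_SCHED_CORE_SCOPE_THREAD, (unsigned long)cookie) != 0)
        return -errno;
    return 0;
}

/* 1 if core scheduling is usable, 0 if it is not available on this
 * kernel or machine, -1 on an unexpected error. */
int core_sched_available(void)
{
    uint64_t c;
    int rc = core_sched_get_cookie(0, &c);
    if (rc == 0) return 1;
    return core_sched_unavailable(-rc) ? 0 : -1;
}

/* Give the whole calling thread group a fresh cookie and check that a
 * forked child carries the same one. Returns 1 if the cookie was set
 * and inherited, 0 if core scheduling is unavailable, -1 otherwise. */
int core_sched_isolate_self_and_children(void)
{
    if (prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, 0,
              PR_SCHED_CORE_SCOPE_THREAD_GROUP, 0) != 0)
        return core_sched_unavailable(errno) ? 0 : -1;

    uint64_t parent_cookie;
    if (core_sched_get_cookie(0, &parent_cookie) != 0 || parent_cookie == 0)
        return -1;

    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        uint64_t c;
        /* Inherited: this child may share a core with its parent, but
         * never with a task holding a different cookie or none at all. */
        _exit(core_sched_get_cookie(0, &c) == 0 && c == parent_cookie ? 0 : 1);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 1 : -1;
}

int main(void)
{
    switch (core_sched_isolate_self_and_children()) {
    case 1:  puts("core scheduling active: this process tree has its own cookie"); break;
    case 0:  puts("core scheduling not available (no CONFIG_SCHED_CORE or no SMT siblings)"); break;
    default: puts("unexpected failure"); break;
    }
    return 0;
}
```

Tasks without a cookie can still share a core with each other, so the protection only covers the tagged workloads; for a VM host the usual pattern is one cookie per guest (PR_SCHED_CORE_SHARE_TO/SHARE_FROM can copy a cookie between processes that already exist) so siblings of a core never run two different tenants at once.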
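The Landlock item above is easiest to understand from a process that actually sandboxes itself, so here is an added example written for these notes (it is not code from the Landlock project or from Ubuntu). It builds a Landlock ABI v1 ruleset that keeps read-only access beneath one directory and denies every other filesystem access, applies it in a forked child, and then probes the three cases a practitioner cares about: reading inside the tree still works, creating a file inside the tree fails with EACCES, and even read-only access outside the tree fails with EACCES. The choice of /etc as the allowed tree and / as the outside probe is an assumption for the demo; the struct layouts and constants mirror <linux/landlock.h> so the file builds with older headers, and the syscall numbers 444 to 446 are the same on every architecture.

```c
/* Added example (not code from the Landlock project or Ubuntu): a
 * process sandboxes itself with Landlock ABI v1 (Linux 5.13+), keeping
 * read-only access to one directory tree and losing every other
 * filesystem access for itself and its descendants. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define LL_SYS_CREATE_RULESET 444
#define LL_SYS_ADD_RULE       445
#define LL_SYS_RESTRICT_SELF  446
#define LL_RULE_PATH_BENEATH  1
#define LL_FS_EXECUTE   (1ULL << 0)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR  (1ULL << 3)
#define LL_FS_ALL_V1    ((1ULL << 13) - 1)   /* every access right Landlock v1 knows */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Confine the calling process to read-only access beneath ro_dir.
 * Returns 0 on success, -errno on failure; -ENOSYS and -EOPNOTSUPP
 * (and -EPERM from a seccomp filter) mean Landlock is not usable here. */
int landlock_confine_readonly(const char *ro_dir)
{
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = (int)syscall(LL_SYS_CREATE_RULESET, &rs, sizeof rs, 0);
    if (ruleset < 0) return -errno;

    int err = 0;
    struct ll_path_beneath_attr rule = {
        .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE,
    };
    rule.parent_fd = open(ro_dir, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) { err = errno; goto out; }
    if (syscall(LL_SYS_ADD_RULE, ruleset, LL_RULE_PATH_BENEATH, &rule, 0) != 0)
        err = errno;
    close(rule.parent_fd);
    if (err) goto out;
    /* Landlock refuses to enforce unless no_new_privs is set first. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        syscall(LL_SYS_RESTRICT_SELF, ruleset, 0) != 0)
        err = errno;
out:
    close(ruleset);
    return -err;
}

/* Run the sandbox in a forked child so the caller stays unconfined.
 * Returns 1 if the policy was enforced as expected, 0 if Landlock is
 * not usable on this kernel, -1 on anything else. */
int landlock_demo(const char *ro_dir)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        int rc = landlock_confine_readonly(ro_dir);
        if (rc == -ENOSYS || rc == -EOPNOTSUPP || rc == -EPERM) _exit(10);
        if (rc != 0) _exit(11);
        int fd = open(ro_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        if (fd < 0) _exit(12);                      /* allowed: read inside */
        close(fd);
        char probe[512];
        snprintf(probe, sizeof probe, "%s/landlock-probe-%ld", ro_dir, (long)getpid());
        if (open(probe, O_WRONLY | O_CREAT | O_CLOEXEC, 0600) >= 0 || errno != EACCES)
            _exit(13);                               /* denied: write inside */
        if (open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC) >= 0 || errno != EACCES)
            _exit(14);                               /* denied: read outside */
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 10 ? 0 : -1;
}

int main(void)
{
    const char *msg[] = { "unexpected failure", "Landlock not available on this kernel",
                          "Landlock enforced: read-only inside /etc, nothing outside" };
    puts(msg[landlock_demo("/etc") + 1]);
    return 0;
}
```

Before relying on this in a real service, confirm landlock appears in /sys/kernel/security/lsm on the target kernel, and remember that a Landlock policy only shrinks what the process can do: it stacks on top of whatever AppArmor profile already confines it, and a child can only add further restrictions, never drop them.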
Get in contact