Episode 163

Overview

This week we dig into some of the details of another recent Linux malware sample called Symbiote, plus we cover security updates for the Linux kernel, vim, FreeRDP, NTFS-3G and more.

This week in Ubuntu Security Updates

82 unique CVEs addressed

[USN-5456-1] ImageMagick vulnerability [00:36]

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2022-28463
• Heap UAF found by oss-fuzz

[LSN-0086-1] Linux kernel vulnerability [00:51]

• 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-30594
  • CVE-2022-29581
  • CVE-2022-21499
  • CVE-2022-1116
  • CVE-2022-1055
  • CVE-2022-0492
  • CVE-2021-39713
• Various recent local privesc vulns:
  • cgroups v1 release_agent
  • UAF in network scheduling subsystem
  • UAF in network traffic control subsystem
  • integer overflow in io_uring
  • seccomp restrictions bypass
  • UAF in network queuing and scheduling subsystem
• Secure boot bypass through kgdb

canonical-livepatch status

[USN-5465-1] Linux kernel vulnerabilities [02:02]

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2022-30594
  • CVE-2022-1966
  • CVE-2022-21499
• secure boot bypass via kgdb
• UAF in netfliter -> privesc
• seccomp restrictions bypass

[USN-5466-1] Linux kernel vulnerabilities

• 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2022-28390
  • CVE-2022-28356
  • CVE-2022-1419
  • CVE-2022-1016
  • CVE-2021-4149
  • CVE-2021-3772
  • CVE-2022-1966
  • CVE-2022-21499
• secure boot bypass, netfilter UAF plus btrfs deadlock, infoleak in netfilter + virtual graphics manager, double free in 802.2 LLC driver and EMS CAN/USB drivers

[USN-5467-1] Linux kernel vulnerabilities [02:29]

• 21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-28390
  • CVE-2022-28389
  • CVE-2022-28356
  • CVE-2022-26966
  • CVE-2022-24958
  • CVE-2022-23042
  • CVE-2022-23041
  • CVE-2022-23040
  • CVE-2022-23039
  • CVE-2022-23038
  • CVE-2022-23037
  • CVE-2022-23036
  • CVE-2022-1516
  • CVE-2022-1353
  • CVE-2022-1198
  • CVE-2022-1158
  • CVE-2022-1011
  • CVE-2021-4197
  • CVE-2021-3772
  • CVE-2022-1966
  • CVE-2022-21499
• Most of the above plus privesc via mishandling of permission checks when migrating processes across cgroups, KVM page table handling -> host crash (DoS), UAF in USB-Gadget, Microchip CAN BUS Analyzer, 6pack protocol driver and more

[USN-5468-1] Linux kernel vulnerabilities

• 6 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
  • CVE-2022-28390
  • CVE-2022-24958
  • CVE-2022-1972
  • CVE-2022-1158
  • CVE-2022-1966
  • CVE-2022-21499
• Subset of the above

[USN-5469-1] Linux kernel vulnerabilities

• 20 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-28390
  • CVE-2022-28389
  • CVE-2022-28388
  • CVE-2022-28356
  • CVE-2022-1972
  • CVE-2022-1671
  • CVE-2022-1651
  • CVE-2022-1516
  • CVE-2022-1353
  • CVE-2022-1263
  • CVE-2022-1205
  • CVE-2022-1204
  • CVE-2022-1199
  • CVE-2022-1198
  • CVE-2022-1195
  • CVE-2022-1158
  • CVE-2022-1048
  • CVE-2022-0168
  • CVE-2022-1966
  • CVE-2022-21499
• More of the same

[USN-5470-1] Linux kernel (OEM) vulnerabilities

• 4 CVEs addressed in Focal (20.04 LTS)
  • CVE-2022-1972
  • CVE-2022-1836
  • CVE-2022-1966
  • CVE-2022-21499

[USN-5471-1] Linux kernel (OEM) vulnerabilities

• 8 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-29968
  • CVE-2022-1972
  • CVE-2022-1836
  • CVE-2022-1734
  • CVE-2022-1205
  • CVE-2022-1012
  • CVE-2022-1966
  • CVE-2022-21499

[USN-5458-1] Vim vulnerabilities [03:17]

• 9 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2022-0443
  • CVE-2022-0408
  • CVE-2022-0368
  • CVE-2022-0361
  • CVE-2022-0359
  • CVE-2022-0351
  • CVE-2022-0319
  • CVE-2022-0213
  • CVE-2021-4193
• OOB reads, heap buffer overflows, stack buffer overflows, UAFs etc via crafted input files

[USN-5460-1] Vim vulnerabilities

• 10 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2022-1621
  • CVE-2022-1620
  • CVE-2022-1619
  • CVE-2022-1616
  • CVE-2022-0943
  • CVE-2022-0729
  • CVE-2022-0714
  • CVE-2022-0685
  • CVE-2022-0572
  • CVE-2022-0554

[USN-5459-1] cifs-utils vulnerabilities [03:49]

• 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-29869
  • CVE-2022-27239
  • CVE-2021-20208
  • CVE-2020-14342
• Tools for managing cifs mounts etc
• Privesc via stack buffer overflow in mount.cifs via crafted command-line arguments - used strcpy() to copy the provided IP address after first checking length - but did comparison using strnlen() which returns the max length even if the string is longer - so subsequent strcpy() would then overflow
• Possible shell command injection into mount.cifs when it spawns a subshell for password input
• Exposure of host kerberos credentials when mounting a CIFS share using kerberos authentication within a container

[USN-5461-1] FreeRDP vulnerabilities [05:21]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-24883
  • CVE-2022-24882
• Episode 162 - Last week we talked about a couple different packages that mishandled empty password to then improperly authenticate a user
  • Similar vuln in FreeRDP when using NTLM authentication - allows a client to authenticate to the server with an empty NTLM password

[USN-5462-1, USN-5462-2] Ruby vulnerabilities [06:11]

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-28739
  • CVE-2022-28738
• Double free in regexp compiler when handling a crafted regex as input - so if allow attackers to provide regex which will then get compiled could abuse this to gain code execution as the ruby interpreter

[USN-5463-1] NTFS-3G vulnerabilities [06:41]

• 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-30787
  • CVE-2022-30785
  • CVE-2022-30789
  • CVE-2022-30788
  • CVE-2022-30786
  • CVE-2022-30784
  • CVE-2022-30783
  • CVE-2021-46790
• ntfsck code execution via crafted disk images (Episode 162)
• Incorrect handling of crafted disk images during mounting etc -> various heap buffer overflows -> code execution
• Logic error exposes a user to intercept the FUSE protocol traffic between nfts-3g and the kernel

[USN-5464-1] E2fsprogs vulnerability [07:17]

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-1304
• Similarly, OOB R/W in e2fsprogs -> used when doing fsck, mkfs, resizefs, badblocks etc on crafted file system image -> code execution

Goings on in Ubuntu Security Community

Symbiote Linux malware analysis [07:58]

• https://www.intezer.com/blog/research/new-linux-threat-symbiote/
• Research from Intezer and Blackberry
• Found targeting financial sector in Latin America
• Described as ’nearly impossible’ to detect
• Uses LD_PRELOAD to ‘infect’ binaries on system
• Evades detection by then hooking various functions in libc, libpcap etc to change their behaviour and alter their output so that when running tools like ls, ps etc they don’t show evidence of infection
• Also loads BPF filter to hide it’s own network traffic from being seen when say running a local tcpdump etc
• ‘Nearly impossible to detect’ claim
  • Indeed, is going to be very hard to detect it from the machine itself which is compromised
  • If an attacker has control over the machine they can clearly influence that environment to hide themselves
• Reminds of a recent twitter thread involving halvarflake, Mathias Krause and others, and then a follow-up blog post from Brad Spengler from grsecurity looking at Tetragon eBPF Security Observability and Runtime Environment
  • eBPF based system which allows sysadmins to develop policy to detect and kill exploits
  • Runs on the system itself in kernel-space and tries to detect once a user has elevated privileges etc
    • e.g. kernel memory corruption to set their own uid as 0
  • But since the attacker has already got code execution in the kernel to be able to achieve this they can just as easily first disable Tetragon and then go and elevate privileges and hence not be detected
• Basically if you are trying to detect compromise from within the environment itself the attacker is always at an advantage and can change the environment to evade detection and make everything look normal / disable checks etc
• Instead need to be at a higher level of abstraction
• In the case of detecting Symbiote - would need to say take a disk image and analyse it offline from another machine so that the analysis environment can’t be influenced by the malware itself

Ubuntu 21.10 (Impish Indri) reaches End of Life on July 14 2022 [12:45]

• https://lists.ubuntu.com/archives/ubuntu-announce/2022-May/000280.html

Hiring [13:16]

Security Engineer - Ubuntu

• https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Security Certifications Product Manager - CIS, FIPS, FedRAMP and more

• https://canonical.com/careers/3781589/security-certifications-product-manager-cis-fips-fedramp-and-more-remote

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter