Overview
This week we dig into some of the details of another recent Linux malware
sample called Symbiote, plus we cover security updates for the Linux
kernel, vim, FreeRDP, NTFS-3G and more.
This week in Ubuntu Security Updates
82 unique CVEs addressed
[USN-5456-1] ImageMagick vulnerability [00:36]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Heap UAF found by oss-fuzz
[LSN-0086-1] Linux kernel vulnerability [00:51]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Various recent local privesc vulns:
  - cgroups v1 release_agent
  - UAF in network scheduling subsystem
  - UAF in network traffic control subsystem
  - integer overflow in io_uring
  - seccomp restrictions bypass
  - UAF in network queuing and scheduling subsystem
  - Secure boot bypass through kgdb
canonical-livepatch status
Kernel type     | 22.04 | 20.04 | 18.04 | 16.04 | 14.04
aws             | —     | 86.3  | 86.3  | 86.3  | —
aws-5.4         | —     | —     | 86.3  | —     | —
aws-hwe         | —     | —     | —     | 86.3  | —
azure           | —     | 86.3  | —     | 86.3  | —
azure-4.15      | —     | —     | 86.3  | —     | —
azure-5.4       | —     | —     | 86.3  | —     | —
gcp             | 86.4  | 86.3  | —     | 86.3  | —
gcp-4.15        | —     | —     | 86.3  | —     | —
gcp-5.4         | —     | —     | 86.3  | —     | —
generic-4.15    | —     | —     | 86.3  | 86.3  | —
generic-4.4     | —     | —     | —     | 86.3  | 86.3
generic-5.4     | —     | 86.3  | 86.3  | —     | —
gke             | 86.4  | 86.3  | —     | —     | —
gke-4.15        | —     | —     | 86.3  | —     | —
gke-5.4         | —     | —     | 86.3  | —     | —
gkeop           | —     | 86.3  | —     | —     | —
gkeop-5.4       | —     | —     | 86.3  | —     | —
ibm             | 86.4  | 86.3  | —     | —     | —
ibm-5.4         | —     | —     | 86.3  | —     | —
linux           | 86.4  | —     | —     | —     | —
lowlatency      | 86.4  | —     | —     | —     | —
lowlatency-4.15 | —     | —     | 86.3  | 86.3  | —
lowlatency-4.4  | —     | —     | —     | 86.3  | 86.3
lowlatency-5.4  | —     | 86.3  | 86.3  | —     | —
oem             | —     | —     | 86.3  | —     | —
[USN-5465-1] Linux kernel vulnerabilities [02:02]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- secure boot bypass via kgdb
- UAF in netfilter -> privesc
- seccomp restrictions bypass
[USN-5466-1] Linux kernel vulnerabilities
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Secure boot bypass and netfilter UAF as above, plus a btrfs deadlock,
infoleaks in netfilter and the virtual graphics manager, and double frees in
the 802.2 LLC driver and the EMS CAN/USB drivers
[USN-5467-1] Linux kernel vulnerabilities [02:29]
- 21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Most of the above plus privesc via mishandling of permission checks when
migrating processes across cgroups, KVM page table handling -> host crash
(DoS), UAF in USB-Gadget, Microchip CAN BUS Analyzer, 6pack protocol
driver and more
[USN-5468-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- Subset of the above
[USN-5469-1] Linux kernel vulnerabilities
- 20 CVEs addressed in Jammy (22.04 LTS)
- More of the same
[USN-5470-1] Linux kernel (OEM) vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-5471-1] Linux kernel (OEM) vulnerabilities
- 8 CVEs addressed in Jammy (22.04 LTS)
[USN-5458-1] Vim vulnerabilities [03:17]
- 9 CVEs addressed in Xenial ESM (16.04 ESM)
- OOB reads, heap buffer overflows, stack buffer overflows, UAFs etc via
crafted input files
[USN-5460-1] Vim vulnerabilities
- 10 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5459-1] cifs-utils vulnerabilities [03:49]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Tools for managing cifs mounts etc
- Privesc via stack buffer overflow in mount.cifs via crafted command-line
arguments: the code used strcpy() to copy the provided IP address after first
checking its length, but the check used strnlen(), which returns at most the
maximum it is given even when the string is longer, so the check always
passed and the subsequent strcpy() overflowed the buffer
- Possible shell command injection into mount.cifs when it spawns a subshell
for password input
- Exposure of host kerberos credentials when mounting a CIFS share using
kerberos authentication within a container
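The strnlen()/strcpy() mismatch above, as an added example in C. This is an illustrative reconstruction, not the cifs-utils source: MAX_ADDRESS_LEN, parsed_mount_info and the function names are assumptions for the demo, and the over-long address is constructed. It puts the flawed length check next to a fixed one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for the ip= option; the real constant in mount.cifs may differ. */
#define MAX_ADDRESS_LEN 255

struct parsed_mount_info {
    char addrlist[MAX_ADDRESS_LEN + 1];   /* lives on the stack in the real parser */
};

/* The flawed pre-copy check. strnlen(s, MAX) never returns more than MAX, so
   "len <= MAX" holds for every input, however long. Returns 1 when the check
   would let the value through. */
int vuln_length_check_passes(const char *value)
{
    return strnlen(value, MAX_ADDRESS_LEN) <= MAX_ADDRESS_LEN;
}

/* Vulnerable path: check, then an unbounded strcpy(). With a value longer than
   the buffer the check passes and strcpy() writes past addrlist. Kept here to
   show the pattern; only ever call it with short input. */
int set_ip_vulnerable(struct parsed_mount_info *pi, const char *value)
{
    if (!value || !*value || !vuln_length_check_passes(value))
        return -1;
    strcpy(pi->addrlist, value);
    return 0;
}

/* Fixed path: scan up to the buffer size, so an over-long value (no NUL inside
   the buffer) is distinguishable from one that just fits, then copy a known
   number of bytes. */
int set_ip_fixed(struct parsed_mount_info *pi, const char *value)
{
    if (!value)
        return -1;
    size_t n = strnlen(value, sizeof pi->addrlist);
    if (n == 0 || n >= sizeof pi->addrlist)
        return -1;                        /* empty, or too long to fit with NUL */
    memcpy(pi->addrlist, value, n + 1);   /* n < sizeof, so the NUL is included */
    return 0;
}

/* Runs the fixed path into a scratch struct: 0 = accepted, -1 = rejected. */
int fixed_accepts(const char *value)
{
    struct parsed_mount_info pi;
    return set_ip_fixed(&pi, value);
}

/* Constructed test input: an "address" of n digits (capped at 1000). */
const char *sample_address_of_length(size_t n)
{
    static char buf[1001];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, '1', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *huge = sample_address_of_length(1000);
    printf("flawed check lets a 1000-byte address through: %s\n",
           vuln_length_check_passes(huge) ? "yes" : "no");
    printf("fixed path rejects it: %s\n", fixed_accepts(huge) == -1 ? "yes" : "no");
    printf("fixed path accepts 192.0.2.10: %s\n",
           fixed_accepts("192.0.2.10") == 0 ? "yes" : "no");
    return 0;
}
```

The general rule the fixed version follows: when you bound a scan with strnlen(), the bound has to be larger than the largest length you are willing to accept, otherwise "hit the bound" and "exactly at the limit" are indistinguishable and the check cannot reject anything.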
[USN-5461-1] FreeRDP vulnerabilities [05:21]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Episode 162 - last week we talked about a couple of different packages that
mishandled an empty password and then improperly authenticated the user
- Similar vuln in FreeRDP when using NTLM authentication - allows a client to
authenticate to the server with an empty NTLM password
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Double free in Ruby's regexp compiler when handling a crafted regex as
input - so if an application lets attackers supply a regex that then gets
compiled, they could abuse this to gain code execution as the ruby interpreter
[USN-5463-1] NTFS-3G vulnerabilities [06:41]
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- ntfsck code execution via crafted disk images (Episode 162)
- Incorrect handling of crafted disk images during mounting etc -> various
heap buffer overflows -> code execution
- Logic error allows an unprivileged local user to intercept the FUSE protocol
traffic between ntfs-3g and the kernel
[USN-5464-1] E2fsprogs vulnerability [07:17]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Similarly, OOB read/write in e2fsprogs when running fsck, mkfs, resize2fs,
badblocks etc on a crafted file system image -> code execution
Goings on in Ubuntu Security Community
Symbiote Linux malware analysis [07:58]
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/
- Research from Intezer and Blackberry
- Found targeting financial sector in Latin America
- Described as ’nearly impossible’ to detect
- Uses LD_PRELOAD to ‘infect’ binaries on the system: it is a shared object
library that gets loaded into processes ahead of libc
- Evades detection by then hooking various functions in libc, libpcap etc
to change their behaviour and alter their output so that when running
tools like ls, ps etc they don’t show evidence of infection
- Also loads a BPF filter to hide its own network traffic from being seen
when, say, running a local tcpdump
- ‘Nearly impossible to detect’ claim
- Indeed, is going to be very hard to detect it from the machine itself
which is compromised
- If an attacker has control over the machine they can clearly influence
that environment to hide themselves
- Reminiscent of a recent Twitter thread involving halvarflake, Mathias Krause
and others, and a follow-up blog post from Brad Spengler of grsecurity looking
at Tetragon (eBPF-based security observability and runtime enforcement)
- eBPF based system which allows sysadmins to develop policy to detect
and kill exploits
- Runs on the system itself in kernel-space and tries to detect once a
user has elevated privileges etc
- e.g. kernel memory corruption to set their own uid to 0
- But since the attacker has already got code execution in the kernel to
be able to achieve this they can just as easily first disable Tetragon
and then go and elevate privileges and hence not be detected
- Basically if you are trying to detect compromise from within the
environment itself the attacker is always at an advantage and can change
the environment to evade detection, make everything look normal, disable
checks etc
- Instead detection needs to happen from outside, at a higher level of
abstraction than the thing being inspected
- In the case of detecting Symbiote - would need to, say, take a disk image
and analyse it offline from another machine so that the analysis
environment can’t be influenced by the malware itself
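The userland-hooking technique described above, as an added example in C (this is not Symbiote's code nor anything from the Intezer/BlackBerry report): a readdir() interposer that hides one file name, next to the kind of check that catches it from inside the box by reading the directory through a raw getdents64() syscall instead of libc. It assumes Linux with glibc; HIDDEN_NAME, the /tmp scratch directory and its file names are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* RTLD_NEXT, syscall(), mkdtemp() */
#endif
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l) /* glibc's value, in case feature macros came late */
#endif
/* Constructed name the demo hook suppresses; not a real Symbiote artefact. */
#define HIDDEN_NAME "symbiote_demo.so"

/* Userland hook: a replacement readdir() that forwards to the real one via
   RTLD_NEXT and drops one entry. Here it interposes libc for this process only;
   the same function in a shared object named in /etc/ld.so.preload would do it
   for every dynamically linked program (ls, find, ...). */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *);
    if (!real_readdir)
        *(void **)&real_readdir = dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL)
        if (strcmp(e->d_name, HIDDEN_NAME) != 0)
            return e; /* everything else passes through */
    return NULL;
}

static int is_dot(const char *name) { return !strcmp(name, ".") || !strcmp(name, ".."); }

/* What an ls-like tool sees: the listing through libc readdir(). */
int count_via_libc(const char *path)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        n += !is_dot(e->d_name);
    closedir(d);
    return n;
}

/* Record layout the kernel returns from getdents64(2). */
struct linux_dirent64 {
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};

/* The same listing via a raw getdents64() syscall, which bypasses libc, so a
   libc-level hook cannot filter it. A kernel- or eBPF-level implant would alter
   this view as well, hence the preference above for offline disk analysis. */
int count_via_getdents64(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    long long storage[1024]; /* 8 KiB, aligned for the records */
    char *buf = (char *)storage;
    int n = 0;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof storage)) > 0;)
        for (long off = 0; off < got;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            n += !is_dot(e->d_name);
            off += e->d_reclen;
        }
    close(fd);
    return n;
}

/* Scratch directory: two ordinary files plus the hidden one (all constructed).
   Idempotent; NULL on failure. */
const char *make_demo_dir(void)
{
    static char path[] = "/tmp/symbiote_demo_XXXXXX";
    static int ready;
    const char *names[] = { "notes.txt", "a.out", HIDDEN_NAME };
    if (ready) return path;
    if (!mkdtemp(path)) return NULL;
    for (int i = 0; i < 3; i++) {
        char full[512];
        snprintf(full, sizeof full, "%s/%s", path, names[i]);
        int fd = open(full, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) return NULL;
        close(fd);
    }
    ready = 1;
    return path;
}

/* Entries the libc view lacks relative to the raw view; -1 on error. */
int hidden_entries(const char *path)
{
    int raw = count_via_getdents64(path), seen = count_via_libc(path);
    return (raw < 0 || seen < 0) ? -1 : raw - seen;
}
```

Build it with cc (add -ldl on glibc older than 2.34), call make_demo_dir() and then the two counts: count_via_libc() reports 2 entries while count_via_getdents64() reports 3, so hidden_entries() returns 1. The comparison is only as trustworthy as the lower layer it reads from, which is exactly the argument made above: once the implant sits in the kernel or in a BPF program, the raw syscall view is under its control too, and only an image analysed from another machine is out of its reach.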
Ubuntu 21.10 (Impish Indri) reaches End of Life on July 14 2022 [12:45]
Hiring [13:16]
Security Engineer - Ubuntu
Security Certifications Product Manager - CIS, FIPS, FedRAMP and more
Get in contact