Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 163

14 min • 10 juni 2022

Overview

This week we dig into some of the details of another recent Linux malware sample called Symbiote, plus we cover security updates for the Linux kernel, vim, FreeRDP, NTFS-3G and more.

This week in Ubuntu Security Updates

82 unique CVEs addressed

[USN-5456-1] ImageMagick vulnerability [00:36]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • Heap UAF found by oss-fuzz

[LSN-0086-1] Linux kernel vulnerability [00:51]

  • 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Various recent local privesc vulns:
    • cgroups v1 release_agent
    • UAF in network scheduling subsystem
    • UAF in network traffic control subsystem
    • integer overflow in io_uring
    • seccomp restrictions bypass
    • UAF in network queuing and scheduling subsystem
  • Secure boot bypass through kgdb
canonical-livepatch status
Kernel type 22.04 20.04 18.04 16.04 14.04
aws 86.3 86.3 86.3
aws-5.4 86.3
aws-hwe 86.3
azure 86.3 86.3
azure-4.15 86.3
azure-5.4 86.3
gcp 86.4 86.3 86.3
gcp-4.15 86.3
gcp-5.4 86.3
generic-4.15 86.3 86.3
generic-4.4 86.3 86.3
generic-5.4 86.3 86.3
gke 86.4 86.3
gke-4.15 86.3
gke-5.4 86.3
gkeop 86.3
gkeop-5.4 86.3
ibm 86.4 86.3
ibm-5.4 86.3
linux 86.4
lowlatency 86.4
lowlatency-4.15 86.3 86.3
lowlatency-4.4 86.3 86.3
lowlatency-5.4 86.3 86.3
oem 86.3

[USN-5465-1] Linux kernel vulnerabilities [02:02]

[USN-5466-1] Linux kernel vulnerabilities

[USN-5467-1] Linux kernel vulnerabilities [02:29]

[USN-5468-1] Linux kernel vulnerabilities

[USN-5469-1] Linux kernel vulnerabilities

[USN-5470-1] Linux kernel (OEM) vulnerabilities

[USN-5471-1] Linux kernel (OEM) vulnerabilities

[USN-5458-1] Vim vulnerabilities [03:17]

[USN-5460-1] Vim vulnerabilities

[USN-5459-1] cifs-utils vulnerabilities [03:49]

  • 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Tools for managing cifs mounts etc
  • Privesc via stack buffer overflow in mount.cifs via crafted command-line arguments - used strcpy() to copy the provided IP address after first checking length - but did comparison using strnlen() which returns the max length even if the string is longer - so subsequent strcpy() would then overflow
  • Possible shell command injection into mount.cifs when it spawns a subshell for password input
  • Exposure of host kerberos credentials when mounting a CIFS share using kerberos authentication within a container

[USN-5461-1] FreeRDP vulnerabilities [05:21]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Episode 162 - Last week we talked about a couple different packages that mishandled empty password to then improperly authenticate a user
    • Similar vuln in FreeRDP when using NTLM authentication - allows a client to authenticate to the server with an empty NTLM password

[USN-5462-1, USN-5462-2] Ruby vulnerabilities [06:11]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Double free in regexp compiler when handling a crafted regex as input - so if allow attackers to provide regex which will then get compiled could abuse this to gain code execution as the ruby interpreter

[USN-5463-1] NTFS-3G vulnerabilities [06:41]

[USN-5464-1] E2fsprogs vulnerability [07:17]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Similarly, OOB R/W in e2fsprogs -> used when doing fsck, mkfs, resizefs, badblocks etc on crafted file system image -> code execution

Goings on in Ubuntu Security Community

Symbiote Linux malware analysis [07:58]

  • https://www.intezer.com/blog/research/new-linux-threat-symbiote/
  • Research from Intezer and Blackberry
  • Found targeting financial sector in Latin America
  • Described as ’nearly impossible’ to detect
  • Uses LD_PRELOAD to ‘infect’ binaries on system
  • Evades detection by then hooking various functions in libc, libpcap etc to change their behaviour and alter their output so that when running tools like ls, ps etc they don’t show evidence of infection
  • Also loads BPF filter to hide it’s own network traffic from being seen when say running a local tcpdump etc
  • ‘Nearly impossible to detect’ claim
    • Indeed, is going to be very hard to detect it from the machine itself which is compromised
    • If an attacker has control over the machine they can clearly influence that environment to hide themselves
  • Reminds of a recent twitter thread involving halvarflake, Mathias Krause and others, and then a follow-up blog post from Brad Spengler from grsecurity looking at Tetragon eBPF Security Observability and Runtime Environment
    • eBPF based system which allows sysadmins to develop policy to detect and kill exploits
    • Runs on the system itself in kernel-space and tries to detect once a user has elevated privileges etc
      • e.g. kernel memory corruption to set their own uid as 0
    • But since the attacker has already got code execution in the kernel to be able to achieve this they can just as easily first disable Tetragon and then go and elevate privileges and hence not be detected
  • Basically if you are trying to detect compromise from within the environment itself the attacker is always at an advantage and can change the environment to evade detection and make everything look normal / disable checks etc
  • Instead need to be at a higher level of abstraction
  • In the case of detecting Symbiote - would need to say take a disk image and analyse it offline from another machine so that the analysis environment can’t be influenced by the malware itself

Ubuntu 21.10 (Impish Indri) reaches End of Life on July 14 2022 [12:45]

Hiring [13:16]

Security Engineer - Ubuntu

Security Certifications Product Manager - CIS, FIPS, FedRAMP and more

Get in contact

Kategorier
Förekommer på
00:00 -00:00