Overview
This week we rocket back into your podcast feed with a look at the OrBit
Linux malware teardown from Intezer, plus we cover security updates for
cloud-init, Vim, the Linux kernel, GnuPG, Dovecot and more.
This week in Ubuntu Security Updates
52 unique CVEs addressed
[USN-5496-1] cloud-init vulnerability
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- cloud-init was originally a Canonical developed project but is now widely
used by many of the public clouds for configuring cloud images on first
boot
- When validating configuration, would log invalid entries - if one of
those was a password then the password would get logged in the clear -
and cloud-init logs are world readable by default
- Fixed to instead log a generic error message with details on how to
obtain the actual invalid entries via a privileged command
[USN-5497-1] Libjpeg6b vulnerabilities [01:54]
- 5 CVEs addressed in Trusty ESM (14.04 ESM)
- Various DoS via crafted JPEG, PPM or Targa image files
- OOB read, excessive memory consumption etc
[USN-5498-1] Vim vulnerabilities [02:16]
- 8 CVEs addressed in Xenial ESM (16.04 ESM)
- vim is fast becoming one of our most updated packages for security vulns
- More instances of DoS or possible RCE attacks via crafted input files
found via fuzzing
[USN-5499-1] curl vulnerabilities [02:44]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Episode 166
[USN-5485-2] Linux kernel (OEM) vulnerabilities [02:53]
- 3 CVEs addressed in Focal (20.04 LTS)
- 5.14 OEM kernel
- MMIO stale data vulns (Episode 165)
[USN-5493-2] Linux kernel (HWE) vulnerability [03:03]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 and 5.13 HWE kernels respectively
- 8 Devices USB2CAN driver -> double free -> crash (DoS)
[USN-5500-1] Linux kernel vulnerabilities [03:21]
- 8 CVEs addressed in Xenial ESM (16.04 ESM)
- 4.4 GA + AWS
- Usual mix of issues in various drivers -> UAFs due to various race
conditions, information leak (uninitialised memory) etc -> DoS or
possible code execution
[USN-5501-1] Django vulnerability [03:47]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Possible SQL injection if the Trunc() or Extract() DB functions are used
with untrusted data
[USN-5479-2] PHP vulnerabilities [04:05]
- 2 CVEs addressed in Bionic (18.04 LTS)
[USN-5502-1] OpenSSL vulnerability [04:21]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Mishandled AES OCB (Offset Codebook) mode - combines authentication with
encryption - on 32-bit x86 platforms that support AES-NI hardware
optimised instructions - would possibly miss one block of data and leave
it unencrypted
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Possible to craft signed data such that on attempted verification GPG
would display output that appeared to show the message was correctly
signed when in fact it would fail - so could possibly trick a user /
application
[USN-5488-2] OpenSSL vulnerability [05:37]
[USN-5505-1] Linux kernel vulnerabilities [05:46]
- 19 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 - 16.04 ESM kvm kernel + 14.04 ESM HWE kernel
- MMIO stale data plus various other kernel issues that have been covered
in recent episodes
[USN-5506-1] NSS vulnerabilities [06:24]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Crash on empty pkcs7 sequence -> DoS
- Possible free of invalid pointer -> likely crash -> DoS or possible RCE
[USN-5507-1] Vim vulnerabilities [06:48]
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
- Moar vim CVEs
[USN-5509-1] Dovecot vulnerability [06:57]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Possible privilege escalation when using similar primary and non-primary
passdb configuration entries - unlikely configuration to use in practice
but could then result in the non-primary passdb entry granting users access
as though the primary entry applied
[USN-5508-1] Python LDAP vulnerability [07:30]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- ReDoS when using ldap.schema to validate untrusted schemas - DoS via
excessive CPU/memory usage
[USN-5510-1, USN-5510-2] X.Org X Server vulnerabilities [07:51]
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- 2 different OOB reads via various X server methods - untrusted client
could use this to crash X server or expose sensitive info
[USN-5256-1] uriparser vulnerabilities [08:07]
- 2 CVEs addressed in Bionic (18.04 LTS)
- C library for parsing RFC 3986 compliant URIs
- Not surprisingly, since C is memory unsafe, contained 2 different issues
with invalid memory management which could be triggered via crafted input
-> both resulting in UAF -> DoS / RCE
Goings on in Ubuntu Security Community
OrBit malware analysis [08:44]
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
- Similar to Symbiote which we covered in Episode 163 - Intezer has
detailed another Linux malware sample
- Like Symbiote, the dropper component for OrBit targets arbitrary binaries
via the linker - however, unlike Symbiote, it doesn't use the LD_PRELOAD
environment variable but instead instructs the dynamic linker via
/etc/ld.so.preload - this has benefits for the malware since the use of
the LD_PRELOAD env var has various restrictions around setuid binaries
etc - but this is not the case for /etc/ld.so.preload, meaning all
binaries including setuid root ones are also "infected" via this technique
and the malware payload gets loaded for all
- The payload then hooks functions from libc, libpcap and libpam so that
all other binaries on the system which use these libraries then use the
payload's malicious variants of these functions
- Allows it to then harvest credentials (via pam), evade detection (via
libpcap) and gain persistence and remote access
- By hooking libc it can then also hide in plain sight by making sure that
when other binaries call functions like readdir() the presence of the
malware itself is omitted - same even for execve(), so that if say a
binary like ip, iptables or even strace is then executed, it can modify
the output which is returned to omit its own details
- As we discussed with Symbiote, even though it goes to great lengths to
hide in plain sight, could still be detected via offline forensic
analysis etc
- Interesting to see similar techniques used across the various malware
samples
- No info on how initial compromise / privesc is achieved since this is
required to allow the malware to use /etc/ld.so.preload - but likely is
via vulnerabilities in privileged internet facing applications - as such,
MAC systems like AppArmor then become very useful for confining these
services so they cannot arbitrarily write to these quite privileged files
etc
- POLA (the principle of least authority) is one of the basic tenets of
good security
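As an added example (not code from the podcast or from Intezer's report), a small Python triage helper for the /etc/ld.so.preload technique described above: it parses the preload file the way the glibc loader does, lists the shared objects mapped into a process from its /proc maps text, and flags any that were force-loaded or live outside the assumed trusted library directories. The trusted-directory prefixes and all sample inputs are constructed assumptions, not indicators from the report.

```python
import re

# Assumption: legitimate shared objects on this host live under these prefixes.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample inputs (not real indicators from the OrBit report).
SAMPLE_PRELOAD = "# constructed sample\n/dev/shm/libinjected.so\n"
SAMPLE_MAPS = """\
55d0a1c00000-55d0a1c01000 r--p 00000000 08:01 1234 /usr/bin/cat
7f1b2c000000-7f1b2c1c5000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1b2c1c5000-7f1b2c300000 r-xp 001c5000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1b2c400000-7f1b2c41a000 r-xp 00000000 00:15 42 /dev/shm/libinjected.so
7ffd3e5f0000-7ffd3e5f2000 r-xp 00000000 00:00 0 [vdso]
"""

def parse_ld_so_preload(text):
    """Paths from ld.so.preload: '#' starts a comment, entries split on whitespace or ':'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries

def mapped_libraries(maps_text):
    """Distinct file-backed shared objects from /proc/<pid>/maps text."""
    libs = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing path
        path = fields[5]
        if path.startswith("/") and ".so" in path and path not in libs:
            libs.append(path)
    return libs

def suspicious_libraries(preload_entries, mapped):
    """Map each suspect object to the reasons it was flagged."""
    flagged = {}
    for path in mapped:
        reasons = []
        if path in preload_entries:
            reasons.append("force-loaded via /etc/ld.so.preload")
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("outside trusted library directories")
        if reasons:
            flagged[path] = reasons
    return flagged
```

On a live host, feed it the real /etc/ld.so.preload and /proc/<pid>/maps contents; a hooked libc can misreport what it reads, which is why the episode's point about confirming findings with offline forensic analysis of a mounted image still applies.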
Ubuntu 21.10 (Impish Indri) EOL [12:40]
- Officially EOL yesterday (14th July 2022)
- Will no longer receive security or bug fix updates etc
- Upgrade to Ubuntu 22.04 LTS - 5 years of standard support plus 5 years of
ESM (free for personal use on up to 3 machines) - 10 years total of
support