Overview
This week we look at a recent report from Elastic Security Labs on the global
Linux threat landscape, plus we look at a few of the security vulnerabilities
patched by the team in the past 7 days.
This week in Ubuntu Security Updates
81 unique CVEs addressed
[USN-5638-3] Expat vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5739-1] MariaDB vulnerabilities
- 36 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5740-1] X.Org X Server vulnerabilities
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5736-1] ImageMagick vulnerabilities
- 17 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Kinetic (22.10)
[USN-5741-1] Exim vulnerability
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5742-1] JBIG-KIT vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5743-1] LibTIFF vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-5744-1] libICE vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Upstream introduced a change in file-system handling in useradd that required
a newer glibc - this broke on older Ubuntu releases, so that update has been
reverted for now on those releases - it is still in place on Ubuntu 22.04 LTS / 22.10
[USN-5689-2] Perl vulnerability
- 1 CVE addressed in Kinetic (22.10)
[USN-5746-1] HarfBuzz vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-5747-1] Bind vulnerabilities
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-5748-1] Sysstat vulnerability
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
[USN-5728-3] Linux kernel (GCP) vulnerabilities
- 12 CVEs addressed in Bionic (18.04 LTS)
- 2 high priority vulnerabilities, both found by Jann Horn (GPZ)
- UAF in handling of anonymous VMA mappings
- UAF in memory management subsystem handling of TLBs
- both could be exploited by a local attacker to crash the kernel (denial of
service) or possibly execute arbitrary code within the kernel and hence
escalate privileges
[USN-5749-1] libsamplerate vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-5750-1] GnuTLS vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-5718-2] pixman vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
Goings on in Ubuntu Security Community
A look at Elastic Security Labs Global Threat Report
- https://www.elastic.co/pdf/elastic-global-threat-report-vol-1-2022.pdf
- Summarises the findings of the Elastic telemetry, which incorporates data from
their various products like Endgame, Endpoint and Security solution.
- 54% of malware on Windows, 39% on Linux, 6% on MacOS
- Of those, top 10 are:
- Meterpreter, Gafgyt, Mirai, Camelot, Generic, Dofloo, BPFDoor, Ransomexx,
Neshta, Getshell
- Of these, 80% are trojan-based, 11% are cryptominers, 4% ransomware
- Trojans are commonly used to deploy stager and dropper binaries as part of
a wider intrusion effort
- Cryptominers generally mining Monero - mostly composed of XMRig family
- Also covers details on Windows and MacOS - interestingly Windows still has
lots of CobaltStrike, Metasploit and MimiKatz which are all ostensibly
red-team tools - also see lots of keyloggers as well as credential stealers
(crypto wallets)
- Mapped behaviour against MITRE ATT&CK - 34% doing defense evasion, 22%
execution, 10% credential access, 8% persistence, 7% command and control
(C2), 6% privesc and 4% initial access
- of this, masquerading (as another legitimate process) and system binary
proxy execution (using existing system binaries to perform malicious
actions) account for 72% of defense evasion techniques
- Then dive into more detail on execution techniques (mostly native command and
scripting interpreters - think PowerShell, Windows Script Host etc) and
abusing Windows Management Instrumentation (WMI) - but won’t go too much into
this here as this is the Ubuntu Security Podcast, not Windows ;)
- Also cover metrics from the various public clouds - AWS had 57% of detections
whilst GCP and Azure each had ~22% - why does AWS have so much more? AWS has
at least ⅓ of the global cloud market share whilst Azure has 20% and GCP only
11%
- Also perhaps AWS users prefer to use Elastic?
- Activities they see most in the clouds are Credential Access, Persistence,
Defense Evasion, Initial Access
- 58% of initial access attempts use brute-force combined with password spraying
- Report then breaks down each cloud to look at the activities mostly performed in each
- AWS - access token stealing is top, Azure showed a large usage of valid
account access to then attempt to retrieve other access tokens or do
phishing, whilst for Google service account abuse was the top
- Perhaps this is more indicative of what each cloud is used for - ie AWS
general purpose, whilst Azure is AD and managed services, and Google is
service workers
- Finally, the report does a deep dive on 4 different threat samples and then
has forecasts and recommendations based on those
- Of these most are Windows specific, but one does predict that Linux VMs used
for backend DevOps in cloud environments will be an increased target
- This is not really surprising nor novel, and most OSS devs would likely
expect this threat given the nature of modern CI/CD pipelines and the
follow-up threat to code integrity / supply chain security etc (ie if an
attacker can compromise these machines they can then tamper with source code /
build artefacts etc)
- As always, this requires organisations to have a good security posture and
practice good security hygiene - configure for least privilege, audit what you
have, deploy defense-in-depth solutions, monitoring and logging so they can
help detect incidents, and have good incident response etc
- simple things too - deploy MFA, install security updates etc
Get in contact