Overview
This week we cover the recent reports of a new local privilege escalation
exploit against the Linux kernel, follow up on the xz-utils backdoor from last
week and it's the beta release of Ubuntu 24.04 LTS - plus we talk about security
vulnerabilities in the X Server, Django, util-linux and more.
This week in Ubuntu Security Updates
76 unique CVEs addressed
[LSN-0102-1] Linux kernel vulnerability (00:53)
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- All covered in previous episodes
| Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
|---|---|---|---|---|---|
| aws | 102.1 | 102.1 | 102.1 | 102.1 | — |
| aws-5.15 | — | 102.1 | — | — | — |
| aws-5.4 | — | — | 102.1 | — | — |
| aws-6.5 | 102.1 | — | — | — | — |
| aws-hwe | — | — | — | 102.1 | — |
| azure | 102.1 | 102.1 | — | 102.1 | — |
| azure-4.15 | — | — | 102.1 | — | — |
| azure-5.4 | — | — | 102.1 | — | — |
| azure-6.5 | 102.1 | — | — | — | — |
| gcp | 102.1 | 102.1 | — | 102.1 | — |
| gcp-4.15 | — | — | 102.1 | — | — |
| gcp-5.15 | — | 102.1 | — | — | — |
| gcp-5.4 | — | — | 102.1 | — | — |
| gcp-6.5 | 102.1 | — | — | — | — |
| generic-4.15 | — | — | 102.1 | 102.1 | — |
| generic-4.4 | — | — | — | 102.1 | 102.1 |
| generic-5.15 | — | 102.1 | — | — | — |
| generic-5.4 | — | 102.1 | 102.1 | — | — |
| gke | 102.1 | 102.1 | — | — | — |
| gke-5.15 | — | 102.1 | — | — | — |
| gkeop | — | 102.1 | — | — | — |
| hwe-6.5 | 102.1 | — | — | — | — |
| ibm | 102.1 | 102.1 | — | — | — |
| ibm-5.15 | — | 102.1 | — | — | — |
| linux | 102.1 | — | — | — | — |
| lowlatency | 102.1 | — | — | — | — |
| lowlatency-4.15 | — | — | 102.1 | 102.1 | — |
| lowlatency-4.4 | — | — | — | 102.1 | 102.1 |
| lowlatency-5.15 | — | 102.1 | — | — | — |
| lowlatency-5.4 | — | 102.1 | 102.1 | — | — |

Check the livepatch version applied on a given machine with `canonical-livepatch status`
[USN-6710-2] Firefox regressions (01:54)
- 2 CVEs addressed in Focal (20.04 LTS)
- 124.0.2
- In particular, fixes to allow Firefox installed directly from Mozilla to
work under 24.04 LTS with the new AppArmor user namespace restrictions
- As discussed in previous episodes, the default profile allows a process to
create a user namespace but blocks it from gaining additional capabilities
inside it. Firefox previously tried to create a new user namespace and a new
PID namespace in a single call, and that combined call was blocked outright.
It now splits this into two separate calls, so the userns succeeds while the
pidns is denied (since that requires CAP_SYS_ADMIN); Firefox then correctly
detects the denial and falls back to the appropriate behaviour
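The single-call versus split-call setup described above, as an added example that is not Firefox's code: each strategy runs `unshare()` in a forked child so the calling process keeps its own namespaces, and the split strategy classifies the two results so a denied PID namespace degrades instead of failing. It assumes the AppArmor denial surfaces as a non-zero `errno` (EPERM in practice; any non-zero value is treated as a denial).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag values are part of the stable Linux ABI; defined here in case the
 * feature macro above came too late for <sched.h> to expose them. */
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

enum sandbox_level {
    SANDBOX_USER_AND_PID = 0,   /* both namespaces obtained */
    SANDBOX_USER_ONLY    = 1,   /* userns ok, pidns denied: degrade gracefully */
    SANDBOX_NONE         = 2    /* no user namespace at all */
};

/* Pure decision logic used by the split strategy: errno values in, level out. */
int classify(int userns_rc, int pidns_rc)
{
    if (userns_rc != 0) return SANDBOX_NONE;
    return pidns_rc == 0 ? SANDBOX_USER_AND_PID : SANDBOX_USER_ONLY;
}

static int step(int flags) { return unshare(flags) == 0 ? 0 : errno; }

/* Before the fix: one unshare() asking for both namespaces. Under the
 * AppArmor userns restriction the pidns half needs CAP_SYS_ADMIN, so the
 * whole call is refused and the caller cannot tell that apart from
 * "no user namespace available". */
static int child_combined(void)
{
    return step(CLONE_NEWUSER | CLONE_NEWPID) == 0 ? SANDBOX_USER_AND_PID
                                                   : SANDBOX_NONE;
}

/* After the fix: userns first (allowed by the profile), then pidns, which
 * may be denied; the denial is detected and reported as a working but
 * reduced sandbox rather than as total failure. */
static int child_split(void)
{
    int u = step(CLONE_NEWUSER);
    int p = (u == 0) ? step(CLONE_NEWPID) : EPERM;
    return classify(u, p);
}

/* Run fn in a forked child so this process's own namespaces are untouched;
 * the child's exit status carries the sandbox level back. -1 on failure. */
int run_in_child(int (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int setup_combined(void) { return run_in_child(child_combined); }
int setup_split(void)    { return run_in_child(child_split); }

int main(void)
{
    static const char *names[] = {"user+pid namespaces", "user namespace only",
                                  "no user namespace"};
    int c = setup_combined(), s = setup_split();
    printf("single call : %s\n", c < 0 ? "fork failed" : names[c]);
    printf("split calls : %s\n", s < 0 ? "fork failed" : names[s]);
    return 0;
}
```

On a 24.04 desktop with the restriction active the single call reports no user namespace while the split calls report "user namespace only"; on a host without the restriction both report the full sandbox.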
[USN-6721-1] X.Org X Server vulnerabilities (04:11)
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Various OOB reads -> crash / info leaks when handling byte-swapped length
values; easily triggered by a client whose endianness differs from the X
server's, since only those requests take the byte-swapping path
- UAF in glyph handling -> crash / RCE
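The bug class behind the byte-swapped length reads, as an added illustration rather than xorg-server code: a length field that arrives in the client's byte order is bounds-checked before it is swapped into the server's order, so the value the check approved is not the value the copy loop uses. The two-byte-length-plus-payload wire format and the little-endian server are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format: 2-byte length, then that many payload bytes.
 * The "server" is taken to be little-endian; a foreign-endian client sends
 * the length big-endian and the connection is flagged with swap = 1. */
#define HDR_LEN 2

struct req {
    uint16_t wire_len;  /* the field exactly as decoded from the wire */
    uint16_t len;       /* the length the payload loop will actually use */
    int accepted;       /* 1 if the bounds check let the request through */
};

static uint16_t rd16_native(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* BUGGY ORDER: check, then swap. The check validates a number the server
 * never uses; after the swap `len` can be far larger than `buflen`. */
struct req check_vulnerable(const uint8_t *buf, size_t buflen, int swap)
{
    struct req r = {0, 0, 0};
    if (buflen < HDR_LEN) return r;
    r.wire_len = rd16_native(buf);
    r.accepted = (HDR_LEN + (size_t)r.wire_len <= buflen);
    r.len = swap ? bswap16(r.wire_len) : r.wire_len;
    return r;
}

/* FIXED ORDER: swap to host order first, then check the value that drives
 * every subsequent read. */
struct req check_fixed(const uint8_t *buf, size_t buflen, int swap)
{
    struct req r = {0, 0, 0};
    if (buflen < HDR_LEN) return r;
    r.wire_len = rd16_native(buf);
    r.len = swap ? bswap16(r.wire_len) : r.wire_len;
    r.accepted = (HDR_LEN + (size_t)r.len <= buflen);
    return r;
}

/* True when a loop over `len` payload bytes would run off the end of the
 * receive buffer, i.e. the OOB read the advisory describes. */
int would_overread(struct req r, size_t buflen)
{
    return r.accepted && HDR_LEN + (size_t)r.len > buflen;
}

/* Payload reader that only trusts a request that passed check_fixed.
 * Returns the byte sum, or -1 if the request was rejected. */
long sum_payload(const uint8_t *buf, size_t buflen, int swap)
{
    struct req r = check_fixed(buf, buflen, swap);
    if (!r.accepted) return -1;
    long sum = 0;
    for (size_t i = 0; i < r.len; i++) sum += buf[HDR_LEN + i];
    return sum;
}

int main(void)
{
    /* Constructed request: length 4 in little-endian, four payload bytes. */
    const uint8_t pkt[] = {0x04, 0x00, 1, 2, 3, 4};
    for (int swap = 0; swap <= 1; swap++) {
        struct req v = check_vulnerable(pkt, sizeof pkt, swap);
        struct req f = check_fixed(pkt, sizeof pkt, swap);
        printf("swap=%d vulnerable: accepted=%d len=%u overread=%d | fixed: accepted=%d len=%u\n",
               swap, v.accepted, v.len, would_overread(v, sizeof pkt), f.accepted, f.len);
    }
    return 0;
}
```

With `swap = 1` the same six bytes are accepted by the buggy check with a post-swap length of 1024, which is the over-read; the fixed ordering rejects them.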
[USN-6721-2] X.Org X Server regression
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6722-1] Django vulnerability (05:19)
- 1 CVE addressed in Trusty ESM (14.04 ESM)
- Possible account takeover: a Unicode case transformation was applied to the
submitted email address when matching it against the registered one, and the
mail was then sent to the address as submitted. So if an attacker can register
an email address that becomes identical to the intended target's after this
case transformation, they receive the target's mail. The fix simply discards
the submitted (transformed) address and sends to the one registered by the
user
[USN-6723-1] Bind vulnerabilities (06:11)
[USN-6724-1] Linux kernel vulnerabilities (06:27)
- 12 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
[USN-6725-1] Linux kernel vulnerabilities
- 46 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6726-1] Linux kernel vulnerabilities
- 23 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6701-4] Linux kernel (Azure) vulnerabilities
- 12 CVEs addressed in Trusty ESM (14.04 ESM)
[USN-6719-2] util-linux vulnerability (07:08)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- The initial fix in [USN-6719-1] util-linux vulnerability from Episode 224
tried to escape the output to avoid shell command injection. As is often the
case with escaping-based fixes, this turned out to be insufficient, so the
setgid permission has now simply been removed from the wall/write binaries;
they can then only write to your own terminals rather than to all users'
Goings on in Ubuntu Security Community
Reports of a new local root privilege escalation exploit against Linux kernel (08:32)
- https://github.com/YuriiCrimson/ExploitGSM
- Ukrainian hacker YuriiCrimson
- Has generated a lot of interest, since whilst there are always vulns / CVEs
in the kernel, full PoCs are much rarer these days
- Originally developed an exploit against the n_gsm driver in the 6.4 and 6.5
kernels
- Says they were contacted by another hacker, jmpeax (Jammes), who wanted to
purchase the exploit
- After selling it to them, it seems Jammes tried to pass it off as their own
  - https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit
  - https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
  - The commit timestamps of the purported copy by Jammes are all dated over 3
weeks ago, whereas the original's are only 1 week ago, so on the surface it
would appear to be the other way around
  - However, Yurii posted a video of their interaction with Jammes on Telegram
to try and prove their side
  - Looking at the repo metadata
(https://api.github.com/repos/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit) shows
the so-called copy was created on 22nd March, whereas Yurii's was created on
6th April, so it would appear that perhaps Jammes is the original author
(commit dates come from the committer's own clock and are trivial to forge,
whereas the repository creation time is recorded by GitHub)
  - Comparing the two exploits also shows they are almost identical, but
Jammes has an extra target for the 6.5.0-26-generic kernel from mantic:
`diff -w <(curl https://raw.githubusercontent.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/main/main.c) <(curl https://raw.githubusercontent.com/YuriiCrimson/ExploitGSM/main/ExploitGSM_6_5/main.c)`
  - Who the actual author is remains unclear (also I don't have Telegram so
couldn't check the video)…
- Regarding the actual vulnerability, it turns out there are at least 2, if
not 3, in this module:
  - Old CVE-2023-6546, written up at https://github.com/Nassim-Asrir/ZDI-24-020/
  - The one exploited by Yurii / Jammes
  - An additional exploit by Yurii apparently targeting 5.15-6.1, also in n_gsm
  - Mixed reports about this last exploit, but the one from Yurii/Jammes is
reported to work even on the latest upstream kernel
- Waiting on a fix from upstream to then integrate into the Ubuntu kernels
- Interestingly, these exploits all used the same basic info leak via
/sys/kernel/notes, which exposes the (KASLR-relocated) address of the Xen
startup_xen entry point and so allows KASLR to be broken
  - Reports that this was known since at least 2020
  - Many eyes…?
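How the `/sys/kernel/notes` leak gives up the KASLR slide, as an added example that is not taken from any of the exploits above: the file is the kernel image's ELF note section, and the note with owner `Xen` and type `XEN_ELFNOTE_ENTRY` (type 1 in the Xen ELF-note ABI) carries the address of `startup_xen`, relocated along with the rest of the kernel. Subtracting the link-time address from `System.map` gives the slide. The parser runs on a constructed note buffer; the addresses in it and the link-time value are made-up placeholders, and `main()` also tries the real file if it is readable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XEN_ELFNOTE_ENTRY 1   /* xen/interface/elfnote.h */

/* ELF notes in /sys/kernel/notes are in the host's byte order. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
#define ALIGN4(x) ((((size_t)(x)) + 3u) & ~(size_t)3u)

/* Find the first note with the given owner name and type. Every step is
 * bounds-checked against `len` so a truncated or hostile buffer is rejected
 * rather than read past. Returns 1 and sets *desc/*desclen, else 0. */
int find_note(const uint8_t *buf, size_t len, const char *owner, uint32_t type,
              const uint8_t **desc, size_t *desclen)
{
    size_t off = 0, ownerlen = strlen(owner) + 1;
    while (off + 12 <= len) {
        uint32_t namesz = rd32(buf + off);
        uint32_t descsz = rd32(buf + off + 4);
        uint32_t ntype  = rd32(buf + off + 8);
        size_t name_off = off + 12;
        size_t desc_off = name_off + ALIGN4(namesz);
        size_t next     = desc_off + ALIGN4(descsz);
        if (next < off || next > len) return 0;          /* truncated */
        if (ntype == type && namesz == ownerlen &&
            memcmp(buf + name_off, owner, ownerlen) == 0) {
            *desc = buf + desc_off;
            *desclen = descsz;
            return 1;
        }
        off = next;
    }
    return 0;
}

/* Returns 1 and sets *addr to the runtime address of startup_xen, else 0. */
int xen_entry_address(const uint8_t *notes, size_t len, uint64_t *addr)
{
    const uint8_t *d; size_t dl;
    if (!find_note(notes, len, "Xen", XEN_ELFNOTE_ENTRY, &d, &dl)) return 0;
    if (dl == 8) { *addr = rd64(d); return 1; }
    if (dl == 4) { *addr = rd32(d); return 1; }
    return 0;
}

/* KASLR slide = leaked runtime address - link-time address from System.map. */
uint64_t kaslr_slide(uint64_t leaked, uint64_t linktime) { return leaked - linktime; }

/* Serialise one note (header, padded name, padded descriptor); returns the
 * number of bytes written. Used to build the constructed sample. */
size_t put_note(uint8_t *out, const char *owner, uint32_t type,
                const void *desc, uint32_t descsz)
{
    uint32_t namesz = (uint32_t)strlen(owner) + 1;
    memcpy(out, &namesz, 4); memcpy(out + 4, &descsz, 4); memcpy(out + 8, &type, 4);
    size_t off = 12;
    memset(out + off, 0, ALIGN4(namesz)); memcpy(out + off, owner, namesz);
    off += ALIGN4(namesz);
    memset(out + off, 0, ALIGN4(descsz)); memcpy(out + off, desc, descsz);
    off += ALIGN4(descsz);
    return off;
}

int main(void)
{
    /* Constructed sample: a "Linux" version note, then a Xen entry note whose
     * address is a placeholder, not a real kernel's. */
    uint8_t notes[128]; size_t n = 0; uint64_t a = 0;
    uint32_t ver = 0x060500;                               /* 6.5.0, constructed */
    uint64_t fake_entry = 0xffffffff8a0011d0ULL;           /* constructed */
    uint64_t fake_linktime = 0xffffffff810011d0ULL;        /* "System.map" placeholder */
    n += put_note(notes + n, "Linux", 0, &ver, 4);
    n += put_note(notes + n, "Xen", XEN_ELFNOTE_ENTRY, &fake_entry, 8);
    if (xen_entry_address(notes, n, &a))
        printf("sample: startup_xen=0x%llx slide=0x%llx\n",
               (unsigned long long)a, (unsigned long long)kaslr_slide(a, fake_linktime));

    FILE *f = fopen("/sys/kernel/notes", "rb");
    if (f) {
        uint8_t real[4096]; size_t rl = fread(real, 1, sizeof real, f); fclose(f);
        if (xen_entry_address(real, rl, &a))
            printf("/sys/kernel/notes: startup_xen=0x%llx\n", (unsigned long long)a);
        else
            puts("/sys/kernel/notes: no Xen entry note in this kernel build");
    }
    return 0;
}
```

The defensive point is in `find_note`: the same parser is what a hardened consumer of untrusted ELF notes needs, and the leak itself is purely a permissions problem, which is why the obvious mitigation is restricting who can read the file rather than changing its contents.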
Ubuntu 24.04 LTS (Noble Numbat) Beta released (14:01)
Update on xz-utils (15:18)
- When we talked about xz-utils last week, we didn't really talk much about the
main upstream developer, Lasse Collin
- Thought it could be interesting to dive into how they essentially got
compromised by this actor, but that is perhaps done better by others: go
listen to the latest episode of Between Two Nerds from Tom Uren and The Grugq
(https://risky.biz/BTN74/) talking about the tradecraft used to infiltrate the
project and comparing it against more traditional HUMINT elements
- Lasse Collin's GitHub account and the GitHub project for xz have been reinstated
- Backdoor removed
- Great sense of humour:
  - "The executable payloads were embedded as binary blobs in the test files.
This was a blatant violation of the Debian Free Software Guidelines."
  - "On machines that see lots bots poking at the SSH port, the backdoor
noticeably increased CPU load, resulting in degraded user experience and thus
overwhelmingly negative user feedback."
  - "The maintainer who added the backdoor has disappeared."
  - "Backdoors are bad for security."
- Also removed the ifunc (indirect function) support. Ostensibly this lets a
developer provide multiple implementations of a given function and select
between them at runtime (here, an optimised version of the CRC calculation),
but the backdoor abused it to hook into and replace functions in the global
symbol table before the dynamic loader makes it read-only
- Says this was not done for security reasons but because it makes the code
harder to maintain; it is clearly a good win for security nonetheless
- Lasse still plans to write an article on the backdoor etc. but is more
focused on cleaning up the upstream repo first; the next version is likely to
be 5.8.0
- Watch this space…
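What an ifunc actually is, as an added example that is not xz code: `crc32_fast` below has no body of its own; at load time the dynamic loader calls the resolver, which hands back the implementation the symbol should bind to. The resolver runs before `main()` and before the loader makes the relocated symbol tables read-only, which is the window the backdoor used. The CRC implementations and the counter are this example's own; a real resolver would choose on CPU features, this one always picks the table version so it stays portable. Needs GCC or Clang on a glibc/ELF target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*crc32_fn)(const uint8_t *, size_t, uint32_t);

/* Reference implementation: bit-at-a-time CRC-32 (IEEE, reflected poly). */
static uint32_t crc32_bitwise(const uint8_t *p, size_t n, uint32_t crc)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* "Optimised" implementation: table-driven, one lookup per byte. */
static uint32_t crc_table[256];

static void crc_table_init(void)
{
    if (crc_table[1] != 0) return;           /* already built */
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
        crc_table[i] = c;
    }
}

static uint32_t crc32_tabled(const uint8_t *p, size_t n, uint32_t crc)
{
    crc_table_init();
    crc = ~crc;
    for (size_t i = 0; i < n; i++)
        crc = crc_table[(crc ^ p[i]) & 0xffu] ^ (crc >> 8);
    return ~crc;
}

/* Bookkeeping so the program can show when the resolver ran. Kept static
 * on purpose: a resolver executes before the relocations it might otherwise
 * need are applied, so it must only touch data reachable without the GOT. */
static int resolver_calls;

/* The ifunc resolver. Note what it is allowed to do: run arbitrary code at
 * load time, before main(), and return any function address it likes. */
static crc32_fn crc32_resolve(void)
{
    resolver_calls++;
    return crc32_tabled;
}

/* The public symbol. It has no body: the loader binds it to whatever
 * crc32_resolve() returns while processing IRELATIVE relocations. */
uint32_t crc32_fast(const uint8_t *p, size_t n, uint32_t crc)
    __attribute__((ifunc("crc32_resolve")));

uint32_t crc32_reference(const uint8_t *p, size_t n, uint32_t crc)
{
    return crc32_bitwise(p, n, crc);
}

int crc32_resolver_calls(void) { return resolver_calls; }

int main(void)
{
    static const uint8_t check[] = "123456789";   /* standard CRC-32 check vector */
    printf("resolver already ran %d time(s) before main()\n", crc32_resolver_calls());
    printf("crc32_fast(\"123456789\") = 0x%08x (expect 0xcbf43926)\n",
           crc32_fast(check, 9, 0));
    return crc32_fast(check, 9, 0) == crc32_reference(check, 9, 0) ? 0 : 1;
}
```

Removing ifunc means the selection happens in ordinary code the maintainer can read and the linker can audit, instead of in a hook the loader runs for you.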
Get in contact