Episode 236

Overview

The long awaited preview of snapd-based AppArmor file prompting is finally seeing the light of day, plus we cover the recent 24.04.1 LTS release and the podcast officially moves to a fortnightly cycle.

This week in Ubuntu Security Updates

45 unique CVEs addressed

[USN-6972-4] Linux kernel (Oracle) vulnerabilities

• 18 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CVE-2023-52470
  • CVE-2024-26687
  • CVE-2024-36901
  • CVE-2024-26654
  • CVE-2024-26679
  • CVE-2024-39484
  • CVE-2023-52806
  • CVE-2023-52760
  • CVE-2024-35955
  • CVE-2023-52629
  • CVE-2024-26600
  • CVE-2024-36940
  • CVE-2024-39292
  • CVE-2023-52644
  • CVE-2024-35835
  • CVE-2024-26903
  • CVE-2024-24860
  • CVE-2024-22099

[USN-6982-1] Dovecot vulnerabilities

• 2 CVEs addressed in Noble (24.04 LTS)
  • CVE-2024-23185
  • CVE-2024-23184

[USN-6983-1] FFmpeg vulnerability

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-32230

[USN-6984-1] WebOb vulnerability

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-42353

[USN-6973-4] Linux kernel (Raspberry Pi) vulnerabilities

• 9 CVEs addressed in Bionic ESM (18.04 ESM)
  • CVE-2023-52760
  • CVE-2023-52629
  • CVE-2021-46926
  • CVE-2024-26921
  • CVE-2024-26929
  • CVE-2024-36901
  • CVE-2024-39484
  • CVE-2024-26830
  • CVE-2024-24860

[USN-6981-2] Drupal vulnerabilities

• 3 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2020-28949
  • CVE-2020-28948
  • CVE-2020-13671
• 2 of these are in the CISA KEV - Discussion of CISA KEV from Episode 231

[USN-6986-1] OpenSSL vulnerability

• 1 CVEs addressed in Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-6119

[USN-6987-1] Django vulnerabilities

• 2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-45231
  • CVE-2024-45230

[USN-6988-1] Twisted vulnerabilities

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Noble (24.04 LTS)
  • CVE-2024-41810
  • CVE-2024-41671

[USN-6985-1] ImageMagick vulnerabilities

• 11 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2019-12979
  • CVE-2019-12978
  • CVE-2019-12976
  • CVE-2019-12975
  • CVE-2019-12974
  • CVE-2019-11598
  • CVE-2019-11597
  • CVE-2019-11472
  • CVE-2019-11470
  • CVE-2019-10650
  • CVE-2019-10131

Goings on in Ubuntu Security Community

Ubuntu 24.04.1 LTS released (02:55)

• On 29th August - https://lists.ubuntu.com/archives/ubuntu-announce/2024-August/000304.html
• https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890
• Discussed high level features previously in Ubuntu 24.04 LTS (Noble Numbat) released from Episode 227
  • New security features / improvements:
    • Unprivileged user namespace restrictions
    • Binary hardening
    • AppArmor 4
    • Disabling of old TLS versions
    • Upstream Kernel Security Features
      • Intel shadow stack support
      • Secure virtualisation with AMD SEV-SNP and Intel TDX
      • Strict compile-time bounds checking
• Initially offered upgrades from 22.04 but this has been pulled just recently due to reports of a critical bug in the ubuntu-release-upgrader package and its interaction with the apt solver - essentially resulting in packages like linux-headers being in an broken state since it would remove some packages that were seen as obsolete but which were still required due to other packages depending on them
  • likely will not be fixed until early next week

Ubuntu Security Center with snapd-based AppArmor home file access prompting preview (05:45)

• https://news.itsfoss.com/ubuntu-security-center-near-stable/
• Details the new Desktop Security Center application
  • Written by the Ubuntu Desktop team - new application built using Flutter + Dart etc and published a snap
  • Eventually this will allow to manage various security related things like full-disk encryption, enabling/usage of Ubuntu Pro, Firewall control and finally for snap permission prompting
    • this last feature is the only one currently supported - has a single toggle which is to enable “snaps to ask for system permissions” - aka. snapd-based AppArmor prompting
    • and then once this is enabled, allows the specific permissions to be futher fine-tuned

• What is AppArmor?
• AppArmor policies - and MAC systems in general are static - policy defined by sysadmin etc
• Not well suited for dynamic applications that are controlled by a user - like desktop / CLI etc - can’t know in advance every possible file a user may want to open in say Firefox so have to grant access to all files in home directory just in case
• Ideally system would only allow files that the user explicitly chooses - number of ways this can be done, XDG Portals one such way - using Powerbox concept pioneered in tools from the object-capability based security community like CapDesk/Polaris and Plash (principle of least-authority shell) - access is mediated by a privileged component that acts with the users whole authority to then delegate some of that authority to the application - seen say in the file-chooser dialog with portals - this runs outside of the scope of the application itself and so has the full, unrestricted access to the system to allow a file to be chosen - then the application is then just given a file-descriptor to the file to grant it the access (or similar)
• This only works in the case of applications that open files interactively - can’t allow the user to explicitly grant access to the configuration file that gets loaded from a well-known path at startup in a server application etc
• One way to handle that case is to alert the user and explicitly prompt them for that access - and this is currently how this new prompting feature works
• When the feature is enabled, the usual broad-based access rules for the home interface in snapd get tagged with a prompt attribute - any access then which would normally be allowed is instead delegated to a trusted helper application which displays a dialog to the user asking them to explicitly allow such access

• since this happens directly in the system-call path within the kernel, the application itself is unaware that this is happening - but is just suspended whilst waiting for the users response - and then assuming they grant the access it proceeds as normal (or if they deny then the application gets a permission denied error)
• Completely transparent to the application and supports any kind of file-access regardless of which API might be used (unlike portals which only support the regular file-chooser scenario)
• Allows tighter control of what files a snap is granted access to - and can be managed by the user in the Security Center later to revoke any such permission that they granted

• Has been in development for a long time, and is certainly not a new concept - seccomp has supported this via the seccomp_unotify interface - allows to delegate seccomp decisions to userspace in a very similar manner - existed since the 5.5 kernel released in January 2020
• Even before that, prototype LSMs existed which implemented this kind of functionality (https://sourceforge.net/projects/pulse-lsm/ / https://crpit.scem.westernsydney.edu.au/confpapers/CRPITV81Murray.pdf)
• Can test this now on an up-to-date 24.04 or 24.10 install
  • Need to use snapd from the latest/edge channel and then install both the desktop-security-center snap as well as the prompting-client snap
  • Launch Security Center and toggle the option
• Note this is experimental but has undergone a fair amount of internal testing
• Very exciting to see this finally available in this pre-release stage - has been talked about since at least 2018
• Give it a spin and provide feedback - I would suggest to use the link in the security center application itself for this but it is not working currently - instead report via a Github issue on the desktop-security-center project

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter