Episode 243

Overview

It’s the end of the year for official duties for the Ubuntu Security team so we take a look back on the security highlights of 2024 for Ubuntu and predict what is coming in 2025.

2024 Year in Review for Ubuntu Security (00:55)

full-disclosure necromancy with zombie CVEs

• full-disclosure spammed with zombie CVEs from Episode 217

Development of unprivileged user namespace restrictions for Ubuntu 24.04 LTS

• Updates for unprivileged user namespace restrictions in Ubuntu 24.04 LTS from Episode 218

Linux kernel becomes a CNA

• Linux kernel becomes a CNA from Episode 219
• Follow up to Linux kernel CNA from Episode 220

Ubuntu participates in Pwn2Own Vancouver

• Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 from Episode 223

xz-utils / SSH backdoor supply-chain attack

• xz-utils backdoor and Ubuntu from Episode 224
• Update on xz-utils from Episode 225

Linux Security Summit NA and EU

• Linux Security Summit NA 2024 from Episode 226
• Linux Security Summit Europe 2024 from Episode 237

Release of Ubuntu 24.04 LTS

• Ubuntu 24.04 LTS (Noble Numbat) released from Episode 227

regreSSHion remote unauthenticated code execution vulnerability in OpenSSH

• Deep-dive into regreSSHion - Remote Unauthenticated Code Execution Vulnerablity in OpenSSH from Episode 232

Various other high profile vulnerabilities

• Discussion of CVE-2024-5290 in wpa_supplicant from Episode 234
• Deep dive into needrestart local privilege escalation vulnerabilities from Episode 242

Ubuntu/Windows Dual-boot regression

• Reports of dual-boot Linux/Windows machines failing to boot from Episode 235

AppArmor-based snap file prompting experimental feature

• Ubuntu Security Center with snapd-based AppArmor home file access prompting preview from Episode 236
• Official announcement of Permissions Prompting in Ubuntu 24.10 from Episode 237

Predictions for 2025 (14:35)

• Increased use of AI to both spam projects with hallucinated CVEs (e.g. curl) but also to “aid” in dealing with that spam
  • as the shine wears of AI likely expect OSS projects to ban contributions generated with the aid of AI - whether CVE reports or code
  • but also expect companies to try and prove the worth of AI by finding novel vulns - e.g. apparent first 0-day discovered with AI doing vuln research https://googleprojectzero.blogspot.com/2024/06/project-naptime.html
  • also more expected uses of AI like automating tasks used in the process of security-related SW dev - automatically generating fuzz targets and then improving the fuzz targets via AI as well https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
• More malware targeting Linux
  • didn’t mention it earlier but we covered a number of Linux malware teardowns this year and expect that trend to increase as Linux keeps growing in popularity
• Full LSM stacking still won’t make it into the upstream Linux kernel
• Integrity of code and data will play more of a role
  • both in terms of software supply chain and integrity of distro repos etc, but also efforts to try and guarantee the integrity of a Linux system itself - whether via new IPE LSM or other mechanisms - mainstream distros will start to care about integrity more
• More collaboration across distros to aid in efforts to collectively handle deluge of CVEs
• More efforts to try and fund OSS to learn from lessons of Heartbleed and xz-utils
  • some more and less successful
• More interesting vulns in more software
  • During 2024 Qualys have done some of the most interesting vuln research on Linux - expect more from them and from others (whether aided by AI or not)

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter