Sign up to save your podcasts
Or
Share Episode 158
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 158
Overview
Microsoft’s Nimbuspwn sets the Linux security media ablaze but where
there’s smoke there’s not always fire, plus we bring you the first part of
a 2 part series looking at some of the security features in the latest
Ubuntu 22.04 LTS release.
This week in Ubuntu Security Updates
92 unique CVEs addressed
[USN-5381-1] Linux kernel (OEM) vulnerabilities
[USN-5383-1] Linux kernel vulnerabilities
[USN-5384-1] Linux kernel vulnerabilities
[USN-5385-1] Linux kernel vulnerabilities
[USN-5387-1] Barbican vulnerabilities
[USN-5376-2] Git vulnerability
[USN-5388-1] OpenJDK vulnerabilities
[USN-5388-2] OpenJDK vulnerabilities
[USN-5389-1] Libcroco vulnerabilities
[USN-5390-1] Linux kernel vulnerabilities
[USN-5376-3] Git regression
[USN-5391-1] libsepol vulnerabilities
[USN-5366-2] FriBidi vulnerabilities
[USN-5393-1] Thunderbird vulnerabilities
[USN-5371-2] nginx vulnerability
[USN-5394-1] WebKitGTK vulnerabilities
[USN-5392-1] Mutt vulnerabilities
[USN-5395-1] networkd-dispatcher vulnerabilities
[USN-5396-1] Ghostscript vulnerability
[USN-5397-1] curl vulnerabilities
[USN-5398-1] Simple DirectMedia Layer vulnerability
[USN-5399-1] libvirt vulnerabilities
[USN-5400-1] MySQL vulnerabilities
[USN-5400-2] MySQL vulnerabilities
[USN-5390-2] Linux kernel (Raspberry Pi) vulnerabilities
Goings on in Ubuntu Security Community
Nimbuspwn [01:46]
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
gathered a lot of media attention, leading to a lot of outlets seemingly
claiming most Linux systems were affected and that this was a high
severity issue
to get RCE
the systemd-network user (since this user is the only one which can bind
to the right dbus name org.freedesktop.network1)
running under this user.
upgrade so this sounds like a common scenario that would affect most
users (instead of say epmd which is the erlang port mapper daemon, so
unless you are running erland applications you would not be affected by
that)
user - this is definitely not the case for standard Ubuntu - since apt is
very clear to run them under the _apt user account purposefully to
restrict their privileges
then just say they were able to detect several instances of other
processes running under this user in various customer environments but
then state that some of these were due to customer
misconfigurations.
would be affected as all the original media reporting suggested
those where the UID mapped back to the systemd-network user ID on the
host? This is a common pitfall with containers and something which users
need to be aware of when deploying containers
vulnerability in fact is likely more of a bit of a non-issue - whilst it
could be argued that these are real issues in networkd-dispatcher since
they are not able to be exploited in standard configurations they are not
a real threat to most users
amended, all the various media articles which cited the original report
have not been updated and still seem to claim that Ubuntu and other
distros would be affected by this
maintainer of networkd-dispatcher but didn’t involve any downstream
distros - as suggested by Julian Andres Klode from the Ubuntu Foundations
team (and upstream apt maintainer) - perhaps Microsoft should have
pre-disclosed this issue to the linux-distros mailing list - if they had
done so this likely would have been assessed and clarified earlier so
that Microsoft could have more properly understood the extent of the
vulnerabilities which they discovered the internet could have avoided
another brief panic scenario
What’s new in security in Ubuntu 22.04 LTS (part 1) [08:05]
coming weeks on the various security features which are included in
Ubuntu 22.04 LTS. This week we will look at enhancements provided by the
Linux kernel whilst next week we will look at features provided by other
parts of the distribution.
plus 5 years of ESM - total 10 years of support via Ubuntu Advantage
(free for personal use)
know they will be supported for a long time to come
cover - I will only touch on some of them - if you want a more deep dive,
check out the blog posts we published for the interim releases
version upgrades bringing new features etc whilst server will stick
with GA kernel for stability
hardware microarchitectural side-channel attacks like L1TF and the like
(this was only partially mitigated in SW/microcode and could still
potentially affect VMs running across SMT siblings) - so in past had to
disable SMT to be fully certain were protected - now can use core
scheduling to specify to the kernel which processes should not be
scheduled on sibling HTs to avoid these sorts of attack
used not just for tracing and packet filtering but also now BPF LSM and
more use-cases. However, has also caused a number of security vulns as
covered previously - now disabled unprivileged BPF by default. Also
work has been done to try and support signed BPF programs to ensure
only trusted code is executed as well.
allows a process to specify it’s own policy so can sandbox itself -
rather than say traditional MAC systems of AppArmor/SELinux where the
system admin configures the policy
for a more defense-in-depth approach
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
Microsoft’s Nimbuspwn sets the Linux security media ablaze but where
there’s smoke there’s not always fire, plus we bring you the first part of
a 2 part series looking at some of the security features in the latest
Ubuntu 22.04 LTS release.
This week in Ubuntu Security Updates
92 unique CVEs addressed
[USN-5381-1] Linux kernel (OEM) vulnerabilities
[USN-5383-1] Linux kernel vulnerabilities
[USN-5384-1] Linux kernel vulnerabilities
[USN-5385-1] Linux kernel vulnerabilities
[USN-5387-1] Barbican vulnerabilities
[USN-5376-2] Git vulnerability
[USN-5388-1] OpenJDK vulnerabilities
[USN-5388-2] OpenJDK vulnerabilities
[USN-5389-1] Libcroco vulnerabilities
[USN-5390-1] Linux kernel vulnerabilities
[USN-5376-3] Git regression
[USN-5391-1] libsepol vulnerabilities
[USN-5366-2] FriBidi vulnerabilities
[USN-5393-1] Thunderbird vulnerabilities
[USN-5371-2] nginx vulnerability
[USN-5394-1] WebKitGTK vulnerabilities
[USN-5392-1] Mutt vulnerabilities
[USN-5395-1] networkd-dispatcher vulnerabilities
[USN-5396-1] Ghostscript vulnerability
[USN-5397-1] curl vulnerabilities
[USN-5398-1] Simple DirectMedia Layer vulnerability
[USN-5399-1] libvirt vulnerabilities
[USN-5400-1] MySQL vulnerabilities
[USN-5400-2] MySQL vulnerabilities
[USN-5390-2] Linux kernel (Raspberry Pi) vulnerabilities
Goings on in Ubuntu Security Community
Nimbuspwn [01:46]
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
gathered a lot of media attention, leading to a lot of outlets seemingly
claiming most Linux systems were affected and that this was a high
severity issue
to get RCE
the systemd-network user (since this user is the only one which can bind
to the right dbus name org.freedesktop.network1)
running under this user.
upgrade so this sounds like a common scenario that would affect most
users (instead of say epmd which is the erlang port mapper daemon, so
unless you are running erland applications you would not be affected by
that)
user - this is definitely not the case for standard Ubuntu - since apt is
very clear to run them under the _apt user account purposefully to
restrict their privileges
then just say they were able to detect several instances of other
processes running under this user in various customer environments but
then state that some of these were due to customer
misconfigurations.
would be affected as all the original media reporting suggested
those where the UID mapped back to the systemd-network user ID on the
host? This is a common pitfall with containers and something which users
need to be aware of when deploying containers
vulnerability in fact is likely more of a bit of a non-issue - whilst it
could be argued that these are real issues in networkd-dispatcher since
they are not able to be exploited in standard configurations they are not
a real threat to most users
amended, all the various media articles which cited the original report
have not been updated and still seem to claim that Ubuntu and other
distros would be affected by this
maintainer of networkd-dispatcher but didn’t involve any downstream
distros - as suggested by Julian Andres Klode from the Ubuntu Foundations
team (and upstream apt maintainer) - perhaps Microsoft should have
pre-disclosed this issue to the linux-distros mailing list - if they had
done so this likely would have been assessed and clarified earlier so
that Microsoft could have more properly understood the extent of the
vulnerabilities which they discovered the internet could have avoided
another brief panic scenario
What’s new in security in Ubuntu 22.04 LTS (part 1) [08:05]
coming weeks on the various security features which are included in
Ubuntu 22.04 LTS. This week we will look at enhancements provided by the
Linux kernel whilst next week we will look at features provided by other
parts of the distribution.
plus 5 years of ESM - total 10 years of support via Ubuntu Advantage
(free for personal use)
know they will be supported for a long time to come
cover - I will only touch on some of them - if you want a more deep dive,
check out the blog posts we published for the interim releases
version upgrades bringing new features etc whilst server will stick
with GA kernel for stability
hardware microarchitectural side-channel attacks like L1TF and the like
(this was only partially mitigated in SW/microcode and could still
potentially affect VMs running across SMT siblings) - so in past had to
disable SMT to be fully certain were protected - now can use core
scheduling to specify to the kernel which processes should not be
scheduled on sibling HTs to avoid these sorts of attack
used not just for tracing and packet filtering but also now BPF LSM and
more use-cases. However, has also caused a number of security vulns as
covered previously - now disabled unprivileged BPF by default. Also
work has been done to try and support signed BPF programs to ensure
only trusted code is executed as well.
allows a process to specify it’s own policy so can sandbox itself -
rather than say traditional MAC systems of AppArmor/SELinux where the
system admin configures the policy
for a more defense-in-depth approach
Get in contact