Sign up to save your podcasts
Or
Share Episode 163
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 163
Overview
This week we dig into some of the details of another recent Linux malware
sample called Symbiote, plus we cover security updates for the Linux
kernel, vim, FreeRDP, NTFS-3G and more.
This week in Ubuntu Security Updates
82 unique CVEs addressed
[USN-5456-1] ImageMagick vulnerability [00:36]
[LSN-0086-1] Linux kernel vulnerability [00:51]
canonical-livepatch status
Kernel type
22.04
20.04
18.04
16.04
14.04
aws
—
86.3
86.3
86.3
—
aws-5.4
—
—
86.3
—
—
aws-hwe
—
—
—
86.3
—
azure
—
86.3
—
86.3
—
azure-4.15
—
—
86.3
—
—
azure-5.4
—
—
86.3
—
—
gcp
86.4
86.3
—
86.3
—
gcp-4.15
—
—
86.3
—
—
gcp-5.4
—
—
86.3
—
—
generic-4.15
—
—
86.3
86.3
—
generic-4.4
—
—
—
86.3
86.3
generic-5.4
—
86.3
86.3
—
—
gke
86.4
86.3
—
—
—
gke-4.15
—
—
86.3
—
—
gke-5.4
—
—
86.3
—
—
gkeop
—
86.3
—
—
—
gkeop-5.4
—
—
86.3
—
—
ibm
86.4
86.3
—
—
—
ibm-5.4
—
—
86.3
—
—
linux
86.4
—
—
—
—
lowlatency
86.4
—
—
—
—
lowlatency-4.15
—
—
86.3
86.3
—
lowlatency-4.4
—
—
—
86.3
86.3
lowlatency-5.4
—
86.3
86.3
—
—
oem
—
—
86.3
—
—
[USN-5465-1] Linux kernel vulnerabilities [02:02]
[USN-5466-1] Linux kernel vulnerabilities
netfilter + virtual graphics manager, double free in 802.2 LLC driver and
EMS CAN/USB drivers
[USN-5467-1] Linux kernel vulnerabilities [02:29]
migrating processes across cgroups, KVM page table handling -> host crash
(DoS), UAF in USB-Gadget, Microchip CAN BUS Analyzer, 6pack protocol
driver and more
[USN-5468-1] Linux kernel vulnerabilities
[USN-5469-1] Linux kernel vulnerabilities
[USN-5470-1] Linux kernel (OEM) vulnerabilities
[USN-5471-1] Linux kernel (OEM) vulnerabilities
[USN-5458-1] Vim vulnerabilities [03:17]
crafted input files
[USN-5460-1] Vim vulnerabilities
[USN-5459-1] cifs-utils vulnerabilities [03:49]
arguments - used strcpy() to copy the provided IP address after first
checking length - but did comparison using strnlen() which returns the
max length even if the string is longer - so subsequent strcpy() would
then overflow
subshell for password input
kerberos authentication within a container
[USN-5461-1] FreeRDP vulnerabilities [05:21]
mishandled empty password to then improperly authenticate a user
client to authenticate to the server with an empty NTLM password
[USN-5462-1, USN-5462-2] Ruby vulnerabilities [06:11]
so if allow attackers to provide regex which will then get compiled could
abuse this to gain code execution as the ruby interpreter
[USN-5463-1] NTFS-3G vulnerabilities [06:41]
heap buffer overflows -> code execution
nfts-3g and the kernel
[USN-5464-1] E2fsprogs vulnerability [07:17]
badblocks etc on crafted file system image -> code execution
Goings on in Ubuntu Security Community
Symbiote Linux malware analysis [07:58]
to change their behaviour and alter their output so that when running
tools like ls, ps etc they don’t show evidence of infection
when say running a local tcpdump etc
which is compromised
that environment to hide themselves
and others, and then a follow-up blog post from Brad Spengler from
grsecurity looking at Tetragon eBPF Security Observability and Runtime
Environment
and kill exploits
user has elevated privileges etc
be able to achieve this they can just as easily first disable Tetragon
and then go and elevate privileges and hence not be detected
environment itself the attacker is always at an advantage and can change
the environment to evade detection and make everything look normal /
disable checks etc
and analyse it offline from another machine so that the analysis
environment can’t be influenced by the malware itself
Ubuntu 21.10 (Impish Indri) reaches End of Life on July 14 2022 [12:45]
Hiring [13:16]
Security Engineer - Ubuntu
Security Certifications Product Manager - CIS, FIPS, FedRAMP and more
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we dig into some of the details of another recent Linux malware
sample called Symbiote, plus we cover security updates for the Linux
kernel, vim, FreeRDP, NTFS-3G and more.
This week in Ubuntu Security Updates
82 unique CVEs addressed
[USN-5456-1] ImageMagick vulnerability [00:36]
[LSN-0086-1] Linux kernel vulnerability [00:51]
canonical-livepatch status
Kernel type
22.04
20.04
18.04
16.04
14.04
aws
—
86.3
86.3
86.3
—
aws-5.4
—
—
86.3
—
—
aws-hwe
—
—
—
86.3
—
azure
—
86.3
—
86.3
—
azure-4.15
—
—
86.3
—
—
azure-5.4
—
—
86.3
—
—
gcp
86.4
86.3
—
86.3
—
gcp-4.15
—
—
86.3
—
—
gcp-5.4
—
—
86.3
—
—
generic-4.15
—
—
86.3
86.3
—
generic-4.4
—
—
—
86.3
86.3
generic-5.4
—
86.3
86.3
—
—
gke
86.4
86.3
—
—
—
gke-4.15
—
—
86.3
—
—
gke-5.4
—
—
86.3
—
—
gkeop
—
86.3
—
—
—
gkeop-5.4
—
—
86.3
—
—
ibm
86.4
86.3
—
—
—
ibm-5.4
—
—
86.3
—
—
linux
86.4
—
—
—
—
lowlatency
86.4
—
—
—
—
lowlatency-4.15
—
—
86.3
86.3
—
lowlatency-4.4
—
—
—
86.3
86.3
lowlatency-5.4
—
86.3
86.3
—
—
oem
—
—
86.3
—
—
[USN-5465-1] Linux kernel vulnerabilities [02:02]
[USN-5466-1] Linux kernel vulnerabilities
netfilter + virtual graphics manager, double free in 802.2 LLC driver and
EMS CAN/USB drivers
[USN-5467-1] Linux kernel vulnerabilities [02:29]
migrating processes across cgroups, KVM page table handling -> host crash
(DoS), UAF in USB-Gadget, Microchip CAN BUS Analyzer, 6pack protocol
driver and more
[USN-5468-1] Linux kernel vulnerabilities
[USN-5469-1] Linux kernel vulnerabilities
[USN-5470-1] Linux kernel (OEM) vulnerabilities
[USN-5471-1] Linux kernel (OEM) vulnerabilities
[USN-5458-1] Vim vulnerabilities [03:17]
crafted input files
[USN-5460-1] Vim vulnerabilities
[USN-5459-1] cifs-utils vulnerabilities [03:49]
arguments - used strcpy() to copy the provided IP address after first
checking length - but did comparison using strnlen() which returns the
max length even if the string is longer - so subsequent strcpy() would
then overflow
subshell for password input
kerberos authentication within a container
[USN-5461-1] FreeRDP vulnerabilities [05:21]
mishandled empty password to then improperly authenticate a user
client to authenticate to the server with an empty NTLM password
[USN-5462-1, USN-5462-2] Ruby vulnerabilities [06:11]
so if allow attackers to provide regex which will then get compiled could
abuse this to gain code execution as the ruby interpreter
[USN-5463-1] NTFS-3G vulnerabilities [06:41]
heap buffer overflows -> code execution
nfts-3g and the kernel
[USN-5464-1] E2fsprogs vulnerability [07:17]
badblocks etc on crafted file system image -> code execution
Goings on in Ubuntu Security Community
Symbiote Linux malware analysis [07:58]
to change their behaviour and alter their output so that when running
tools like ls, ps etc they don’t show evidence of infection
when say running a local tcpdump etc
which is compromised
that environment to hide themselves
and others, and then a follow-up blog post from Brad Spengler from
grsecurity looking at Tetragon eBPF Security Observability and Runtime
Environment
and kill exploits
user has elevated privileges etc
be able to achieve this they can just as easily first disable Tetragon
and then go and elevate privileges and hence not be detected
environment itself the attacker is always at an advantage and can change
the environment to evade detection and make everything look normal /
disable checks etc
and analyse it offline from another machine so that the analysis
environment can’t be influenced by the malware itself
Ubuntu 21.10 (Impish Indri) reaches End of Life on July 14 2022 [12:45]
Hiring [13:16]
Security Engineer - Ubuntu
Security Certifications Product Manager - CIS, FIPS, FedRAMP and more
Get in contact