Sign up to save your podcasts
Or
Share Episode 168
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 168
Overview
This week we rocket back into your podcast feed with a look at the OrBit
Linux malware teardown from Intezer, plus we cover security updates for
cloud-init, Vim, the Linux kernel, GnuPG, Dovecot and more.
This week in Ubuntu Security Updates
52 unique CVEs addressed
[USN-5496-1] cloud-init vulnerability
used by many of the public clouds for configuring cloud images on first
boot
those was a password then the password would get logged in the clear -
and cloud init logs are world readable by default
obtain the actual invalid entries via a privileged command
[USN-5497-1] Libjpeg6b vulnerabilities [01:54]
[USN-5498-1] Vim vulnerabilities [02:16]
found via fuzzing
[USN-5499-1] curl vulnerabilities [02:44]
[USN-5485-2] Linux kernel (OEM) vulnerabilities [02:53]
[USN-5493-2] Linux kernel (HWE) vulnerability [03:03]
[USN-5500-1] Linux kernel vulnerabilities [03:21]
conditions, information leak (uninitialised memory) etc -> DoS or
possible code execution
[USN-5501-1] Django vulnerability [03:47]
untrusted data
[USN-5479-2] PHP vulnerabilities [04:05]
[USN-5479-3] PHP regression
[USN-5502-1] OpenSSL vulnerability [04:21]
encryption - on 32-bit x86 platforms that support AES-NI hardware
optimised instructions - would possibly miss one block of data and leave
it unencrypted
[USN-5503-1, USN-5503-2] GnuPG vulnerability [05:11]
would display output that appeared to show the message was correctly
signed when infact it would fail - so could possibly trick user /
application
[USN-5488-2] OpenSSL vulnerability [05:37]
[USN-5505-1] Linux kernel vulnerabilities [05:46]
in recent episodes
[USN-5506-1] NSS vulnerabilities [06:24]
[USN-5507-1] Vim vulnerabilities [06:48]
[USN-5509-1] Dovecot vulnerability [06:57]
passdb configuration entries - unlikely configuration to use in practice
but could then result in the non-primary config allowing users to access
as the primary config
[USN-5508-1] Python LDAP vulnerability [07:30]
excessive CPU/memory usage
[USN-5510-1, USN-5510-2] X.Org X Server vulnerabilities [07:51]
could use this to crash X server or expose sensitive info
[USN-5256-1] uriparser vulnerabilities [08:07]
with invalid memory management which could be triggered via crafted input
-> both resulting in UAF -> DoS / RCE
Goings on in Ubuntu Security Community
OrBit malware analysis [08:44]
detailed another Linux malware sample
via the linker - however, unlike Symbiote, doesn’t use LD_PRELOAD
environment variable but instead instructs the dynamic linker via
/etc/ld.so.preload - this has benefits for the malware since the use of
the LD_PRELOAD env var has various restrictions around setuid binaries
etc - but this is not the case of /etc/ld.so.preload meaning all binaries
including setuid root ones are also “infected” via this technique and the
malware payload gets loaded for all
all other binaries on the system which use these libraries then use the
payloads malicious variants of these functions
libpcap) and gain persistence and remote access
other binaries call functions like readdir() the presence of the malware
itself is omitted - same for even execve() so that if say a binary like
ip, iptables or even strace is then executed, it can modify the output
which is returned to omit its own details
hide in plain sight, could still be detected via offline forensic
analysis etc
samples
required to allow the malware to use /etc/ld.so.preload - but likely is
via vulnerabilities in privileged internet facing applications - as such,
MAC systems like AppArmor then become very useful for confining these
services so they cannot arbitrarily write to these quite privileged files
etc
Ubuntu 21.10 (Impish Indri) EOL [12:40]
ESM (free for personal use on up to 3 machines) - 10 years total of
support
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we rocket back into your podcast feed with a look at the OrBit
Linux malware teardown from Intezer, plus we cover security updates for
cloud-init, Vim, the Linux kernel, GnuPG, Dovecot and more.
This week in Ubuntu Security Updates
52 unique CVEs addressed
[USN-5496-1] cloud-init vulnerability
used by many of the public clouds for configuring cloud images on first
boot
those was a password then the password would get logged in the clear -
and cloud init logs are world readable by default
obtain the actual invalid entries via a privileged command
[USN-5497-1] Libjpeg6b vulnerabilities [01:54]
[USN-5498-1] Vim vulnerabilities [02:16]
found via fuzzing
[USN-5499-1] curl vulnerabilities [02:44]
[USN-5485-2] Linux kernel (OEM) vulnerabilities [02:53]
[USN-5493-2] Linux kernel (HWE) vulnerability [03:03]
[USN-5500-1] Linux kernel vulnerabilities [03:21]
conditions, information leak (uninitialised memory) etc -> DoS or
possible code execution
[USN-5501-1] Django vulnerability [03:47]
untrusted data
[USN-5479-2] PHP vulnerabilities [04:05]
[USN-5479-3] PHP regression
[USN-5502-1] OpenSSL vulnerability [04:21]
encryption - on 32-bit x86 platforms that support AES-NI hardware
optimised instructions - would possibly miss one block of data and leave
it unencrypted
[USN-5503-1, USN-5503-2] GnuPG vulnerability [05:11]
would display output that appeared to show the message was correctly
signed when infact it would fail - so could possibly trick user /
application
[USN-5488-2] OpenSSL vulnerability [05:37]
[USN-5505-1] Linux kernel vulnerabilities [05:46]
in recent episodes
[USN-5506-1] NSS vulnerabilities [06:24]
[USN-5507-1] Vim vulnerabilities [06:48]
[USN-5509-1] Dovecot vulnerability [06:57]
passdb configuration entries - unlikely configuration to use in practice
but could then result in the non-primary config allowing users to access
as the primary config
[USN-5508-1] Python LDAP vulnerability [07:30]
excessive CPU/memory usage
[USN-5510-1, USN-5510-2] X.Org X Server vulnerabilities [07:51]
could use this to crash X server or expose sensitive info
[USN-5256-1] uriparser vulnerabilities [08:07]
with invalid memory management which could be triggered via crafted input
-> both resulting in UAF -> DoS / RCE
Goings on in Ubuntu Security Community
OrBit malware analysis [08:44]
detailed another Linux malware sample
via the linker - however, unlike Symbiote, doesn’t use LD_PRELOAD
environment variable but instead instructs the dynamic linker via
/etc/ld.so.preload - this has benefits for the malware since the use of
the LD_PRELOAD env var has various restrictions around setuid binaries
etc - but this is not the case of /etc/ld.so.preload meaning all binaries
including setuid root ones are also “infected” via this technique and the
malware payload gets loaded for all
all other binaries on the system which use these libraries then use the
payloads malicious variants of these functions
libpcap) and gain persistence and remote access
other binaries call functions like readdir() the presence of the malware
itself is omitted - same for even execve() so that if say a binary like
ip, iptables or even strace is then executed, it can modify the output
which is returned to omit its own details
hide in plain sight, could still be detected via offline forensic
analysis etc
samples
required to allow the malware to use /etc/ld.so.preload - but likely is
via vulnerabilities in privileged internet facing applications - as such,
MAC systems like AppArmor then become very useful for confining these
services so they cannot arbitrarily write to these quite privileged files
etc
Ubuntu 21.10 (Impish Indri) EOL [12:40]
ESM (free for personal use on up to 3 machines) - 10 years total of
support
Get in contact