Sign up to save your podcasts
Or
Share Episode 189
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 189
Overview
This week we dive into the BlackLotus UEFI bootkit teardown and find out how
this malware has some roots in the FOSS ecosystem, plus we look at security
updates for the Linux kernel, DCMTK, ZoneMinder, Python, tar and more.
This week in Ubuntu Security Updates
111 unique CVEs addressed
[USN-5739-2] MariaDB regression [00:48]
[USN-5883-1] Linux kernel (HWE) vulnerabilities [01:05]
vulns
[USN-5884-1] Linux kernel (AWS) vulnerabilities [01:26]
[USN-5882-1] DCMTK vulnerabilities [01:36]
Medicine) image files (used for radiology etc)
[USN-5885-1] APR vulnerability [02:29]
[USN-5886-1] Intel Microcode vulnerabilities [02:44]
processors - allow require privileged access in the first place (ie admin) but
could allow to then say bypass SGX protections and the like
[USN-5887-1] ClamAV vulnerabilities [03:27]
formats for Apple
[USN-5889-1] ZoneMinder vulnerabilities [03:49]
types of issues and then some
passwords as would use a fixed size buffer for these (what year is this?) and
a upload file handling issue resulting in possible remote code execution
[USN-5890-1] Open vSwitch vulnerabilities [04:27]
[USN-5891-1, USN-5894-1] curl vulnerabilities
[USN-5892-1] NSS vulnerabilities
[USN-5893-1] WebKitGTK vulnerabilities [04:34]
been actively exploited in the wild
[USN-5896-1] Rack vulnerabilities
[USN-5895-1] MPlayer vulnerabilities
[USN-5897-1] OpenJDK vulnerabilities [04:55]
[USN-5898-1] OpenJDK vulnerabilities [05:05]
[USN-5888-1] Python vulnerabilities [05:09]
Linux would allow pickles to be deserialized from any user on the same machine
in the same network namespace - therefore as one local user can easily get
code execution as another user on the same machine
[USN-5899-1] AWStats vulnerability
[USN-5901-1] GnuTLS vulnerability
[USN-5902-1] PHP vulnerabilities
[USN-5821-3] pip regression
[USN-5903-1] lighttpd vulnerabilities
[USN-5638-4] Expat vulnerabilities
[USN-5900-1] tar vulnerability [06:15]
flow hence really only a possible DoS
[USN-5880-2] Firefox regressions [06:42]
would clear all cookies - plus a webgl crash when running under vmware on
Linux
Goings on in Ubuntu Security Community
BlackLotus UEFI bootkit teardown [07:23]
by eset
since atleast October 2022
the claims of the malware author, namely:
protect the Windows kernel from modification at runtime), BitLocker and
Windows Defender
bypass - this is something which we theorised was possible via all the
previously disclosed shim and grub vulnerabilities
and grub - but not because they are exploiting any vulnerabilities in them,
but since they are very useful components if you want to boot your own
bootkit
which allows them to subvert the Secure Boot process and load their own code
to bypass Secure Boot and gain persistence on future boots
partition (including shim and grub) - but also a copy of a vulnerable
version of the Windows Boot Manager UEFI binary plus their own custom boot
configuration data - and since they have disabled BitLocker already these
will happily be loaded at next boot without the usual integrity checks etc
loaded, along with their custom boot configuration data which allows them to
exploit the vulnerability and to then load additional binaries into the boot
process
enrolling a new key in the machine owners keyring (aka MOK) db
physically present to confirm the operation - but since they bypasses the
normal Secure Boot protections this can be done without any knowledge of
the sysadmin
unmodified and signed by Microsoft and hence trusted - this will then trust
their malicious grub as it is signed by the key they just enrolled in the
MOK
malicious
installs a bunch of UEFI memory hooks to be able to subvert further stages
of the boot process and eventually Windows itself
the various components are installed into Windows and how they are able to
then load additional drivers etc into Windows, plus the further components of
the malware that are able to download additional binaries, how the C2 and
anti-analysis etc works - but this is the USP so we won’t cover those here
ostensibly designed to boot Linux on machines that were originally designed to
boot Windows
about signing shim in the future - perhaps, but it is not really shim that
is at fault here - the issue is the original vulnerability in the Windows
Boot Manager - shim just helps to make loading additional parts of their
bootkit easier (along with grub) - so hopefully Microsoft don’t go down that
path
have not revoked their vulnerable Windows Boot Manager binary
revoking this Microsoft binary would mean many older systems may fail to
boot, including their recovery images and install media etc
come directly from a PoC that was uploaded to Github in August 2022 - will
likely restart the usual discussions around public PoCs being a “bad thing” as
they can be used for actual malicious purposes
24 hours which allow it to operate on older versions of Windows 10
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we dive into the BlackLotus UEFI bootkit teardown and find out how
this malware has some roots in the FOSS ecosystem, plus we look at security
updates for the Linux kernel, DCMTK, ZoneMinder, Python, tar and more.
This week in Ubuntu Security Updates
111 unique CVEs addressed
[USN-5739-2] MariaDB regression [00:48]
[USN-5883-1] Linux kernel (HWE) vulnerabilities [01:05]
vulns
[USN-5884-1] Linux kernel (AWS) vulnerabilities [01:26]
[USN-5882-1] DCMTK vulnerabilities [01:36]
Medicine) image files (used for radiology etc)
[USN-5885-1] APR vulnerability [02:29]
[USN-5886-1] Intel Microcode vulnerabilities [02:44]
processors - allow require privileged access in the first place (ie admin) but
could allow to then say bypass SGX protections and the like
[USN-5887-1] ClamAV vulnerabilities [03:27]
formats for Apple
[USN-5889-1] ZoneMinder vulnerabilities [03:49]
types of issues and then some
passwords as would use a fixed size buffer for these (what year is this?) and
a upload file handling issue resulting in possible remote code execution
[USN-5890-1] Open vSwitch vulnerabilities [04:27]
[USN-5891-1, USN-5894-1] curl vulnerabilities
[USN-5892-1] NSS vulnerabilities
[USN-5893-1] WebKitGTK vulnerabilities [04:34]
been actively exploited in the wild
[USN-5896-1] Rack vulnerabilities
[USN-5895-1] MPlayer vulnerabilities
[USN-5897-1] OpenJDK vulnerabilities [04:55]
[USN-5898-1] OpenJDK vulnerabilities [05:05]
[USN-5888-1] Python vulnerabilities [05:09]
Linux would allow pickles to be deserialized from any user on the same machine
in the same network namespace - therefore as one local user can easily get
code execution as another user on the same machine
[USN-5899-1] AWStats vulnerability
[USN-5901-1] GnuTLS vulnerability
[USN-5902-1] PHP vulnerabilities
[USN-5821-3] pip regression
[USN-5903-1] lighttpd vulnerabilities
[USN-5638-4] Expat vulnerabilities
[USN-5900-1] tar vulnerability [06:15]
flow hence really only a possible DoS
[USN-5880-2] Firefox regressions [06:42]
would clear all cookies - plus a webgl crash when running under vmware on
Linux
Goings on in Ubuntu Security Community
BlackLotus UEFI bootkit teardown [07:23]
by eset
since atleast October 2022
the claims of the malware author, namely:
protect the Windows kernel from modification at runtime), BitLocker and
Windows Defender
bypass - this is something which we theorised was possible via all the
previously disclosed shim and grub vulnerabilities
and grub - but not because they are exploiting any vulnerabilities in them,
but since they are very useful components if you want to boot your own
bootkit
which allows them to subvert the Secure Boot process and load their own code
to bypass Secure Boot and gain persistence on future boots
partition (including shim and grub) - but also a copy of a vulnerable
version of the Windows Boot Manager UEFI binary plus their own custom boot
configuration data - and since they have disabled BitLocker already these
will happily be loaded at next boot without the usual integrity checks etc
loaded, along with their custom boot configuration data which allows them to
exploit the vulnerability and to then load additional binaries into the boot
process
enrolling a new key in the machine owners keyring (aka MOK) db
physically present to confirm the operation - but since they bypasses the
normal Secure Boot protections this can be done without any knowledge of
the sysadmin
unmodified and signed by Microsoft and hence trusted - this will then trust
their malicious grub as it is signed by the key they just enrolled in the
MOK
malicious
installs a bunch of UEFI memory hooks to be able to subvert further stages
of the boot process and eventually Windows itself
the various components are installed into Windows and how they are able to
then load additional drivers etc into Windows, plus the further components of
the malware that are able to download additional binaries, how the C2 and
anti-analysis etc works - but this is the USP so we won’t cover those here
ostensibly designed to boot Linux on machines that were originally designed to
boot Windows
about signing shim in the future - perhaps, but it is not really shim that
is at fault here - the issue is the original vulnerability in the Windows
Boot Manager - shim just helps to make loading additional parts of their
bootkit easier (along with grub) - so hopefully Microsoft don’t go down that
path
have not revoked their vulnerable Windows Boot Manager binary
revoking this Microsoft binary would mean many older systems may fail to
boot, including their recovery images and install media etc
come directly from a PoC that was uploaded to Github in August 2022 - will
likely restart the usual discussions around public PoCs being a “bad thing” as
they can be used for actual malicious purposes
24 hours which allow it to operate on older versions of Windows 10
Get in contact