Sign up to save your podcasts
Or
Share Episode 225
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 225
Overview
This week we cover the recent reports of a new local privilege escalation
exploit against the Linux kernel, follow-up on the xz-utils backdoor from last
week and it’s the beta release of Ubuntu 24.04 LTS - plus we talk security
vulnerabilities in the X Server, Django, util-linux and more.
This week in Ubuntu Security Updates
76 unique CVEs addressed
[LSN-0102-1] Linux kernel vulnerability (00:53)
Kernel type
22.04
20.04
18.04
16.04
14.04
aws
102.1
102.1
102.1
102.1
—
aws-5.15
—
102.1
—
—
—
aws-5.4
—
—
102.1
—
—
aws-6.5
102.1
—
—
—
—
aws-hwe
—
—
—
102.1
—
azure
102.1
102.1
—
102.1
—
azure-4.15
—
—
102.1
—
—
azure-5.4
—
—
102.1
—
—
azure-6.5
102.1
—
—
—
—
gcp
102.1
102.1
—
102.1
—
gcp-4.15
—
—
102.1
—
—
gcp-5.15
—
102.1
—
—
—
gcp-5.4
—
—
102.1
—
—
gcp-6.5
102.1
—
—
—
—
generic-4.15
—
—
102.1
102.1
—
generic-4.4
—
—
—
102.1
102.1
generic-5.15
—
102.1
—
—
—
generic-5.4
—
102.1
102.1
—
—
gke
102.1
102.1
—
—
—
gke-5.15
—
102.1
—
—
—
gkeop
—
102.1
—
—
—
hwe-6.5
102.1
—
—
—
—
ibm
102.1
102.1
—
—
—
ibm-5.15
—
102.1
—
—
—
linux
102.1
—
—
—
—
lowlatency
102.1
—
—
—
—
lowlatency-4.15
—
—
102.1
102.1
—
lowlatency-4.4
—
—
—
102.1
102.1
lowlatency-5.15
—
102.1
—
—
—
lowlatency-5.4
—
102.1
102.1
—
—
canonical-livepatch status
[USN-6710-2] Firefox regressions (01:54)
work under 24.04 LTS with the new AppArmor userns restrictions
then to be blocked on getting additional capabilities - Firefox would
previously try and do both a new userns and a new PID NS in one call - which
would be blocked - now split this into two separate calls so the userns can
succeed but pidns will be denied (since requires CAP_SYS_ADMIN) - but then
firefox correctly detects this and falls back to the correct behaviour
[USN-6721-1] X.Org X Server vulnerabilities (04:11)
values - able to be easily triggered by a client who is using a different
endianness than the X server
[USN-6721-2] X.Org X Server regression
[USN-6722-1] Django vulnerability (05:19)
email address - so if an attacker can register an email address that is the
same as the intended targets email address after this case transformation -
fix simply just discards the transformed email address and sends to the one
registered by the user
[USN-6723-1] Bind vulnerabilities (06:11)
[USN-6724-1] Linux kernel vulnerabilities (06:27)
[USN-6725-1] Linux kernel vulnerabilities
[USN-6726-1] Linux kernel vulnerabilities
[USN-6701-4] Linux kernel (Azure) vulnerabilities
[USN-6719-2] util-linux vulnerability (07:08)
escape output to avoid shell command injection - as is often the case, turned
out to be insufficient, so instead have now just removed the setgid permission
from the wall/write binaries - can then only send to yourself rather than all
users
Goings on in Ubuntu Security Community
Reports of a new local root privilege escalation exploit against Linux kernel (08:32)
the kernel we don’t always see full PoCs much anymore
to try and prove their side
https://api.github.com/repos/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit shows
the so-called copy was created on 22nd March
the original author
Jammes has an extra target for the 6.5.0-26-generic kernel from mantic
diff -w <(curl https://raw.githubusercontent.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/main/main.c) <(curl https://raw.githubusercontent.com/YuriiCrimson/ExploitGSM/main/ExploitGSM_6_5/main.c)
couldn’t check the video)…
Yurii/Jammes does work even on the latest upstream kernel
/sys/kernel/notes which leaks the symbol of the xen_startup function and
allows to break KASLR
Ubuntu 24.04 LTS (Noble Numbat) Beta released (14:01)
Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, Xubuntu
Update on xz-utils (15:18)
main upstream developer Lasse Collin
compromised by this actor - but that is perhaps done better by others - go
listen to the latest episode of Between Two Nerds from Tom Uren and The Grugq
(https://risky.biz/BTN74/) talking about the tradecraft used to infiltrate the
project and comparing this against the more traditional HUMINT elements
The executable payloads were embedded as binary blobs in
the test files. This was a blatant violation of the
Debian Free Software Guidelines.
On machines that see lots bots poking at the SSH port, the backdoor
noticeably increased CPU load, resulting in degraded user experience
and thus overwhelmingly negative user feedback.
The maintainer who added the backdoor has disappeared.
Backdoors are bad for security.
developer to create multiple implementations of a given function and select
between then at runtime - in this case was for an optimised version of CRC
calculation - but abused by the backdoor to be able to hook into and replace
functions in the global symbol table before it gets made read-only by the
dynamic loader
maintain but is clearly a good win for security
focused on cleaning up the upstream repo first - next version is likely to be
5.8.0
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we cover the recent reports of a new local privilege escalation
exploit against the Linux kernel, follow-up on the xz-utils backdoor from last
week and it’s the beta release of Ubuntu 24.04 LTS - plus we talk security
vulnerabilities in the X Server, Django, util-linux and more.
This week in Ubuntu Security Updates
76 unique CVEs addressed
[LSN-0102-1] Linux kernel vulnerability (00:53)
Kernel type
22.04
20.04
18.04
16.04
14.04
aws
102.1
102.1
102.1
102.1
—
aws-5.15
—
102.1
—
—
—
aws-5.4
—
—
102.1
—
—
aws-6.5
102.1
—
—
—
—
aws-hwe
—
—
—
102.1
—
azure
102.1
102.1
—
102.1
—
azure-4.15
—
—
102.1
—
—
azure-5.4
—
—
102.1
—
—
azure-6.5
102.1
—
—
—
—
gcp
102.1
102.1
—
102.1
—
gcp-4.15
—
—
102.1
—
—
gcp-5.15
—
102.1
—
—
—
gcp-5.4
—
—
102.1
—
—
gcp-6.5
102.1
—
—
—
—
generic-4.15
—
—
102.1
102.1
—
generic-4.4
—
—
—
102.1
102.1
generic-5.15
—
102.1
—
—
—
generic-5.4
—
102.1
102.1
—
—
gke
102.1
102.1
—
—
—
gke-5.15
—
102.1
—
—
—
gkeop
—
102.1
—
—
—
hwe-6.5
102.1
—
—
—
—
ibm
102.1
102.1
—
—
—
ibm-5.15
—
102.1
—
—
—
linux
102.1
—
—
—
—
lowlatency
102.1
—
—
—
—
lowlatency-4.15
—
—
102.1
102.1
—
lowlatency-4.4
—
—
—
102.1
102.1
lowlatency-5.15
—
102.1
—
—
—
lowlatency-5.4
—
102.1
102.1
—
—
canonical-livepatch status
[USN-6710-2] Firefox regressions (01:54)
work under 24.04 LTS with the new AppArmor userns restrictions
then to be blocked on getting additional capabilities - Firefox would
previously try and do both a new userns and a new PID NS in one call - which
would be blocked - now split this into two separate calls so the userns can
succeed but pidns will be denied (since requires CAP_SYS_ADMIN) - but then
firefox correctly detects this and falls back to the correct behaviour
[USN-6721-1] X.Org X Server vulnerabilities (04:11)
values - able to be easily triggered by a client who is using a different
endianness than the X server
[USN-6721-2] X.Org X Server regression
[USN-6722-1] Django vulnerability (05:19)
email address - so if an attacker can register an email address that is the
same as the intended targets email address after this case transformation -
fix simply just discards the transformed email address and sends to the one
registered by the user
[USN-6723-1] Bind vulnerabilities (06:11)
[USN-6724-1] Linux kernel vulnerabilities (06:27)
[USN-6725-1] Linux kernel vulnerabilities
[USN-6726-1] Linux kernel vulnerabilities
[USN-6701-4] Linux kernel (Azure) vulnerabilities
[USN-6719-2] util-linux vulnerability (07:08)
escape output to avoid shell command injection - as is often the case, turned
out to be insufficient, so instead have now just removed the setgid permission
from the wall/write binaries - can then only send to yourself rather than all
users
Goings on in Ubuntu Security Community
Reports of a new local root privilege escalation exploit against Linux kernel (08:32)
the kernel we don’t always see full PoCs much anymore
to try and prove their side
https://api.github.com/repos/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit shows
the so-called copy was created on 22nd March
the original author
Jammes has an extra target for the 6.5.0-26-generic kernel from mantic
diff -w <(curl https://raw.githubusercontent.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/main/main.c) <(curl https://raw.githubusercontent.com/YuriiCrimson/ExploitGSM/main/ExploitGSM_6_5/main.c)
couldn’t check the video)…
Yurii/Jammes does work even on the latest upstream kernel
/sys/kernel/notes which leaks the symbol of the xen_startup function and
allows to break KASLR
Ubuntu 24.04 LTS (Noble Numbat) Beta released (14:01)
Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, Xubuntu
Update on xz-utils (15:18)
main upstream developer Lasse Collin
compromised by this actor - but that is perhaps done better by others - go
listen to the latest episode of Between Two Nerds from Tom Uren and The Grugq
(https://risky.biz/BTN74/) talking about the tradecraft used to infiltrate the
project and comparing this against the more traditional HUMINT elements
The executable payloads were embedded as binary blobs in
the test files. This was a blatant violation of the
Debian Free Software Guidelines.
On machines that see lots bots poking at the SSH port, the backdoor
noticeably increased CPU load, resulting in degraded user experience
and thus overwhelmingly negative user feedback.
The maintainer who added the backdoor has disappeared.
Backdoors are bad for security.
developer to create multiple implementations of a given function and select
between then at runtime - in this case was for an optimised version of CRC
calculation - but abused by the backdoor to be able to hook into and replace
functions in the global symbol table before it gets made read-only by the
dynamic loader
maintain but is clearly a good win for security
focused on cleaning up the upstream repo first - next version is likely to be
5.8.0
Get in contact