Ubuntu Security Podcast

Episode 243



Overview

It’s the end of the year for official duties for the Ubuntu Security team, so we take a look back on the security highlights of 2024 for Ubuntu and predict what is coming in 2025.

2024 Year in Review for Ubuntu Security (00:55)
  • full-disclosure necromancy with zombie CVEs
    • full-disclosure spammed with zombie CVEs from Episode 217
  • Development of unprivileged user namespace restrictions for Ubuntu 24.04 LTS
    • Updates for unprivileged user namespace restrictions in Ubuntu 24.04 LTS from Episode 218
  • Linux kernel becomes a CNA
    • Linux kernel becomes a CNA from Episode 219
    • Follow up to Linux kernel CNA from Episode 220
  • Ubuntu participates in Pwn2Own Vancouver
    • Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 from Episode 223
  • xz-utils / SSH backdoor supply-chain attack
    • xz-utils backdoor and Ubuntu from Episode 224
    • Update on xz-utils from Episode 225
  • Linux Security Summit NA and EU
    • Linux Security Summit NA 2024 from Episode 226
    • Linux Security Summit Europe 2024 from Episode 237
  • Release of Ubuntu 24.04 LTS
    • Ubuntu 24.04 LTS (Noble Numbat) released from Episode 227
  • regreSSHion remote unauthenticated code execution vulnerability in OpenSSH
    • Deep-dive into regreSSHion - Remote Unauthenticated Code Execution Vulnerability in OpenSSH from Episode 232
  • Various other high profile vulnerabilities
    • Discussion of CVE-2024-5290 in wpa_supplicant from Episode 234
    • Deep dive into needrestart local privilege escalation vulnerabilities from Episode 242
  • Ubuntu/Windows dual-boot regression
    • Reports of dual-boot Linux/Windows machines failing to boot from Episode 235
  • AppArmor-based snap file prompting experimental feature
    • Ubuntu Security Center with snapd-based AppArmor home file access prompting preview from Episode 236
    • Official announcement of Permissions Prompting in Ubuntu 24.10 from Episode 237
Predictions for 2025 (14:35)
  • Increased use of AI both to spam projects with hallucinated CVEs (e.g. curl) but also to “aid” in dealing with that spam
    • as the shine wears off AI, likely expect OSS projects to ban contributions generated with the aid of AI - whether CVE reports or code
    • but also expect companies to try and prove the worth of AI by finding novel vulns - e.g. apparent first 0-day discovered with AI doing vuln research: https://googleprojectzero.blogspot.com/2024/06/project-naptime.html
    • also more expected uses of AI like automating tasks used in the process of security-related SW dev - automatically generating fuzz targets and then improving the fuzz targets via AI as well: https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
  • More malware targeting Linux
    • didn’t mention it earlier but we covered a number of Linux malware teardowns this year and expect that trend to increase as Linux keeps growing in popularity
  • Full LSM stacking still won’t make it into the upstream Linux kernel
  • Integrity of code and data will play more of a role
    • both in terms of software supply chain and integrity of distro repos etc.
    • but also efforts to try and guarantee the integrity of a Linux system itself - whether via the new IPE LSM or other mechanisms - mainstream distros will start to care about integrity more
  • More collaboration across distros to aid in efforts to collectively handle the deluge of CVEs
  • More efforts to try and fund OSS to learn from the lessons of Heartbleed and xz-utils
    • some more and some less successful
  • More interesting vulns in more software
    • During 2024 Qualys have done some of the most interesting vuln research on Linux - expect more from them and from others (whether aided by AI or not)
Get in contact
  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @[email protected], @ubuntu_sec on twitter
  • ...more

Ubuntu Security Podcast, by the Ubuntu Security Team
