Episode 163

Ubuntu Security Podcast

English - June 10, 2022 06:10 - 14 minutes - 10.5 MB - ★★★★★ - 10 ratings


Overview

This week we dig into some of the details of another recent Linux malware
sample called Symbiote, plus we cover security updates for the Linux
kernel, vim, FreeRDP, NTFS-3G and more.


This week in Ubuntu Security Updates

82 unique CVEs addressed


[USN-5456-1] ImageMagick vulnerability [00:36]

1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2022-28463

Heap use-after-free found by OSS-Fuzz

[LSN-0086-1] Linux kernel vulnerability [00:51]

7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2022-30594
CVE-2022-29581
CVE-2022-21499
CVE-2022-1116
CVE-2022-1055
CVE-2022-0492
CVE-2021-39713

Various recent local privesc vulns:

cgroups v1 release_agent
UAF in network scheduling subsystem
UAF in network traffic control subsystem
integer overflow in io_uring
seccomp restrictions bypass
UAF in network queuing and scheduling subsystem

Secure boot bypass through kgdb

canonical-livepatch status

Kernel type       22.04  20.04  18.04  16.04  14.04
aws               -      86.3   86.3   86.3   -
aws-5.4           -      -      86.3   -      -
aws-hwe           -      -      -      86.3   -
azure             -      86.3   -      86.3   -
azure-4.15        -      -      86.3   -      -
azure-5.4         -      -      86.3   -      -
gcp               86.4   86.3   -      86.3   -
gcp-4.15          -      -      86.3   -      -
gcp-5.4           -      -      86.3   -      -
generic-4.15      -      -      86.3   86.3   -
generic-4.4       -      -      -      86.3   86.3
generic-5.4       -      86.3   86.3   -      -
gke               86.4   86.3   -      -      -
gke-4.15          -      -      86.3   -      -
gke-5.4           -      -      86.3   -      -
gkeop             -      86.3   -      -      -
gkeop-5.4         -      -      86.3   -      -
ibm               86.4   86.3   -      -      -
ibm-5.4           -      -      86.3   -      -
linux             86.4   -      -      -      -
lowlatency        86.4   -      -      -      -
lowlatency-4.15   -      -      86.3   86.3   -
lowlatency-4.4    -      -      -      86.3   86.3
lowlatency-5.4    -      86.3   86.3   -      -
oem               -      -      86.3   -      -

[USN-5465-1] Linux kernel vulnerabilities [02:02]

3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2022-30594
CVE-2022-1966
CVE-2022-21499

secure boot bypass via kgdb
UAF in netfilter -> privesc
seccomp restrictions bypass

[USN-5466-1] Linux kernel vulnerabilities

8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2022-28390
CVE-2022-28356
CVE-2022-1419
CVE-2022-1016
CVE-2021-4149
CVE-2021-3772
CVE-2022-1966
CVE-2022-21499

secure boot bypass, netfilter UAF plus btrfs deadlock, infoleak in
netfilter + virtual graphics manager, double free in 802.2 LLC driver and
EMS CAN/USB drivers

[USN-5467-1] Linux kernel vulnerabilities [02:29]

21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2022-28390
CVE-2022-28389
CVE-2022-28356
CVE-2022-26966
CVE-2022-24958
CVE-2022-23042
CVE-2022-23041
CVE-2022-23040
CVE-2022-23039
CVE-2022-23038
CVE-2022-23037
CVE-2022-23036
CVE-2022-1516
CVE-2022-1353
CVE-2022-1198
CVE-2022-1158
CVE-2022-1011
CVE-2021-4197
CVE-2021-3772
CVE-2022-1966
CVE-2022-21499

Most of the above plus privesc via mishandling of permission checks when
migrating processes across cgroups, KVM page table handling -> host crash
(DoS), UAF in USB-Gadget, Microchip CAN BUS Analyzer, 6pack protocol
driver and more

[USN-5468-1] Linux kernel vulnerabilities

6 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2022-28390
CVE-2022-24958
CVE-2022-1972
CVE-2022-1158
CVE-2022-1966
CVE-2022-21499

Subset of the above

[USN-5469-1] Linux kernel vulnerabilities

20 CVEs addressed in Jammy (22.04 LTS)

CVE-2022-28390
CVE-2022-28389
CVE-2022-28388
CVE-2022-28356
CVE-2022-1972
CVE-2022-1671
CVE-2022-1651
CVE-2022-1516
CVE-2022-1353
CVE-2022-1263
CVE-2022-1205
CVE-2022-1204
CVE-2022-1199
CVE-2022-1198
CVE-2022-1195
CVE-2022-1158
CVE-2022-1048
CVE-2022-0168
CVE-2022-1966
CVE-2022-21499

More of the same

[USN-5470-1] Linux kernel (OEM) vulnerabilities

4 CVEs addressed in Focal (20.04 LTS)

CVE-2022-1972
CVE-2022-1836
CVE-2022-1966
CVE-2022-21499

[USN-5471-1] Linux kernel (OEM) vulnerabilities

8 CVEs addressed in Jammy (22.04 LTS)

CVE-2022-29968
CVE-2022-1972
CVE-2022-1836
CVE-2022-1734
CVE-2022-1205
CVE-2022-1012
CVE-2022-1966
CVE-2022-21499

[USN-5458-1] Vim vulnerabilities [03:17]

9 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2022-0443
CVE-2022-0408
CVE-2022-0368
CVE-2022-0361
CVE-2022-0359
CVE-2022-0351
CVE-2022-0319
CVE-2022-0213
CVE-2021-4193

OOB reads, heap buffer overflows, stack buffer overflows, UAFs etc via
crafted input files

[USN-5460-1] Vim vulnerabilities

10 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2022-1621
CVE-2022-1620
CVE-2022-1619
CVE-2022-1616
CVE-2022-0943
CVE-2022-0729
CVE-2022-0714
CVE-2022-0685
CVE-2022-0572
CVE-2022-0554

[USN-5459-1] cifs-utils vulnerabilities [03:49]

4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-29869
CVE-2022-27239
CVE-2021-20208
CVE-2020-14342

Tools for managing CIFS mounts etc
Privesc via stack buffer overflow in mount.cifs via crafted command-line
arguments - strcpy() was used to copy the provided IP address after first
checking its length, but the check compared the result of strnlen(),
which caps the returned length at the maximum even when the string is
longer, so the check could never fail and the subsequent strcpy() would
overflow
Possible shell command injection into mount.cifs when it spawns a
subshell for password input
Exposure of host Kerberos credentials when mounting a CIFS share using
Kerberos authentication within a container
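
As an added illustration of the strnlen()/strcpy() mistake described above (constructed example code, not the cifs-utils source): the bound MAX_ADDRESS_LEN, the struct parsed_info and the function names are assumptions made for this example. The flawed check is shown beside a replacement that probes one byte past the limit and copies with an explicit bound.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed bound for this example; mount.cifs has its own
 * address-length limit, and its exact value is not what matters here. */
#define MAX_ADDRESS_LEN 39

struct parsed_info {
    char addr[MAX_ADDRESS_LEN + 1];
};

/* The flawed pattern: strnlen() stops counting at MAX_ADDRESS_LEN, so the
 * value it returns is never greater than MAX_ADDRESS_LEN and the comparison
 * always succeeds. In the vulnerable code an unbounded strcpy() followed.
 * Returns 1 when the check would accept the input. */
int flawed_check_accepts(const char *value)
{
    return strnlen(value, MAX_ADDRESS_LEN) <= MAX_ADDRESS_LEN;
}

/* Corrected pattern: scan one byte past the limit so an over-long string
 * is actually noticed, then copy with an explicit bound instead of strcpy().
 * Returns 0 on success, -1 when the address is rejected. */
int checked_copy(struct parsed_info *info, const char *value)
{
    size_t len = strnlen(value, MAX_ADDRESS_LEN + 1);
    if (len > MAX_ADDRESS_LEN)
        return -1;
    memcpy(info->addr, value, len);
    info->addr[len] = '\0';
    return 0;
}

/* Constructed over-long input: 63 digits, well past MAX_ADDRESS_LEN. */
static const char *overlong_input(void)
{
    static char buf[64];
    memset(buf, '9', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

/* 1 if the flawed check lets the over-long input through (it does). */
int flawed_check_passes_overlong(void)
{
    return flawed_check_accepts(overlong_input());
}

/* 1 if the corrected check rejects the over-long input. */
int checked_copy_rejects_overlong(void)
{
    struct parsed_info info;
    return checked_copy(&info, overlong_input()) == -1;
}

/* 1 if a normal address survives the corrected copy unchanged. */
int checked_copy_roundtrip(const char *value)
{
    struct parsed_info info;
    return checked_copy(&info, value) == 0 && strcmp(info.addr, value) == 0;
}

int main(void)
{
    printf("flawed check accepts over-long input: %d\n", flawed_check_passes_overlong());
    printf("fixed check rejects over-long input:  %d\n", checked_copy_rejects_overlong());
    printf("fixed copy round-trips 192.0.2.1:     %d\n", checked_copy_roundtrip("192.0.2.1"));
    return 0;
}
```

The general rule the fix follows: a length check built on strnlen() must use a limit strictly larger than the value it is compared against, otherwise the truncated result can never exceed the bound.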

[USN-5461-1] FreeRDP vulnerabilities [05:21]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-24883
CVE-2022-24882

Episode 162 - Last week we talked about a couple of different packages that
mishandled an empty password and then improperly authenticated a user

Similar vuln in FreeRDP when using NTLM authentication - allows a
client to authenticate to the server with an empty NTLM password

[USN-5462-1, USN-5462-2] Ruby vulnerabilities [06:11]

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-28739
CVE-2022-28738

Double free in the regexp compiler when handling a crafted regex as input -
so anything that allows attackers to provide a regex which then gets
compiled could be abused to gain code execution as the Ruby interpreter

[USN-5463-1] NTFS-3G vulnerabilities [06:41]

8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-30787
CVE-2022-30785
CVE-2022-30789
CVE-2022-30788
CVE-2022-30786
CVE-2022-30784
CVE-2022-30783
CVE-2021-46790

ntfsck code execution via crafted disk images (Episode 162)
Incorrect handling of crafted disk images during mounting etc -> various
heap buffer overflows -> code execution
Logic error allows a user to intercept the FUSE protocol traffic between
ntfs-3g and the kernel

[USN-5464-1] E2fsprogs vulnerability [07:17]

1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-1304

Similarly, OOB R/W in e2fsprogs -> triggered when running fsck, mkfs,
resizefs, badblocks etc on a crafted file system image -> code execution

Goings on in Ubuntu Security Community
Symbiote Linux malware analysis [07:58]

https://www.intezer.com/blog/research/new-linux-threat-symbiote/
Research from Intezer and Blackberry
Found targeting financial sector in Latin America
Described as ‘nearly impossible’ to detect
Uses LD_PRELOAD to ‘infect’ binaries on the system
Evades detection by then hooking various functions in libc, libpcap etc
to change their behaviour and alter their output so that when running
tools like ls, ps etc they don’t show evidence of infection
Also loads a BPF filter to hide its own network traffic from being seen
when, say, running a local tcpdump etc
‘Nearly impossible to detect’ claim

Indeed, it is going to be very hard to detect from the compromised
machine itself
If an attacker has control over the machine they can clearly influence
that environment to hide themselves

Reminds us of a recent Twitter thread involving halvarflake, Mathias Krause
and others, and then a follow-up blog post from Brad Spengler of
grsecurity looking at Tetragon eBPF Security Observability and Runtime
Environment

eBPF based system which allows sysadmins to develop policy to detect
and kill exploits
Runs on the system itself in kernel-space and tries to detect once a
user has elevated privileges etc

e.g. using kernel memory corruption to set their own uid to 0

But since the attacker has already got code execution in the kernel to
be able to achieve this they can just as easily first disable Tetragon
and then go and elevate privileges and hence not be detected

Basically if you are trying to detect compromise from within the
environment itself the attacker is always at an advantage and can change
the environment to evade detection and make everything look normal /
disable checks etc
Instead you need to be at a higher level of abstraction
In the case of detecting Symbiote, you would need to, say, take a disk
image and analyse it offline from another machine so that the analysis
environment can’t be influenced by the malware itself
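
Both the Symbiote notes and the point about detecting compromise from inside the environment come down to which layer the observer trusts. The added example below (constructed for these notes, not code from Intezer, BlackBerry, grsecurity or Tetragon) compares the directory listing that libc's readdir() returns, which an LD_PRELOAD hook on libc can filter, with the listing obtained from the Linux getdents64 syscall directly, which no userspace hook sits in front of. The function name hidden_entries and the fixed table sizes are assumptions of the example. A non-zero result points at a userspace-level hook; a zero result proves nothing on its own, since, as argued above, an attacker with kernel-level control shapes that view as well, which is why offline analysis of a disk image is the stronger check.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 1024
#define NAME_LEN 256

/* A directory listing as a heap-allocated table of names. */
struct listing { char (*names)[NAME_LEN]; int count; };

static int listing_init(struct listing *l) {
    l->count = 0;
    l->names = calloc(MAX_ENTRIES, NAME_LEN);
    return l->names ? 0 : -1;
}

static void listing_add(struct listing *l, const char *name) {
    if (l->count < MAX_ENTRIES)
        snprintf(l->names[l->count++], NAME_LEN, "%s", name);
}

static int listing_has(const struct listing *l, const char *name) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* The view that an LD_PRELOAD hook on readdir() can manipulate. */
static int list_via_libc(const char *path, struct listing *out) {
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        listing_add(out, e->d_name);
    closedir(d);
    return 0;
}

#ifdef __linux__
/* Record layout written by getdents64 (as in linux/dirent.h). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* The kernel's view, fetched with a raw syscall so that no userspace hook
 * sits in the path; a kernel-level compromise could still alter it. */
static int list_via_syscall(const char *path, struct listing *out) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    unsigned long long storage[4096];   /* 8-byte aligned scratch buffer */
    char *buf = (char *)storage;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof storage);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long pos = 0; pos < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + pos);
            listing_add(out, d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return 0;
}
#endif

/* Number of entries the kernel reports that libc's readdir() does not;
 * -1 on error, -2 where the raw-syscall path is unavailable (non-Linux). */
int hidden_entries(const char *path) {
#ifndef __linux__
    (void)path; return -2;
#else
    struct listing via_libc, via_kernel;
    int rc = -1;
    if (listing_init(&via_libc) < 0) return -1;
    if (listing_init(&via_kernel) < 0) { free(via_libc.names); return -1; }
    if (list_via_libc(path, &via_libc) == 0 &&
        list_via_syscall(path, &via_kernel) == 0) {
        rc = 0;
        for (int i = 0; i < via_kernel.count; i++)
            if (!listing_has(&via_libc, via_kernel.names[i])) rc++;
    }
    free(via_libc.names);
    free(via_kernel.names);
    return rc;
#endif
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : ".";
    printf("%s: %d entries hidden from readdir()\n", path, hidden_entries(path));
    return 0;
}
```

Run it against a directory of interest; the same cross-check idea applies to ps (compare /proc read through libc with a raw getdents64 of /proc) and to the libpcap hooks mentioned above, where the comparison would be against packet counts taken from outside the host. On an uncompromised machine the two listings agree, which is the expected baseline.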

Ubuntu 21.10 (Impish Indri) reaches End of Life on July 14 2022 [12:45]

https://lists.ubuntu.com/archives/ubuntu-announce/2022-May/000280.html

Hiring [13:16]
Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Security Certifications Product Manager - CIS, FIPS, FedRAMP and more

https://canonical.com/careers/3781589/security-certifications-product-manager-cis-fips-fedramp-and-more-remote

Get in contact

[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on Twitter
