Episode 176

Ubuntu Security Podcast

Вміст надано Alex Murray and Ubuntu Security Team. Весь вміст подкастів, включаючи епізоди, графіку та описи подкастів, завантажується та надається безпосередньо компанією Alex Murray and Ubuntu Security Team або його партнером по платформі подкастів. Якщо ви вважаєте, що хтось використовує ваш захищений авторським правом твір без вашого дозволу, ви можете виконати процедуру, описану тут https://uk.player.fm/legal.

1+ y ago 12:49

MP3•Головна епізоду

Overview

On this week’s episode we dive into the Shikitega Linux malware report from AT&T Alien Labs, plus we cover security updates for the Linux kernel, curl and Zstandard as well as some open positions on the team. Join us!

This week in Ubuntu Security Updates

13 unique CVEs addressed

[USN-5591-1, USN-5591-2, USN-5591-3, USN-5591-4, USN-5597-1, USN-5598-1] Linux kernel (+ HWE, AWS, Oracle) vulnerability [00:47]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- CVE-2021-33656
OOB write in virtual terminal driver when changing VGA console fonts - covered back in USN-5580-1 - Linux kernel (AWS) vulnerabilities - in Episode 175

[USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities [01:04]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2021-33656
- CVE-2021-33061
OOB write in virtual terminal driver when changing VGA console fonts
Improper control flow mgmt in Intel 10GbE PCIe driver - local DoS

[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]

9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
Above issues plus:
- NULL pointer deref in KVM on host if a VM tried to execute an illegal instruction
- OOB write in UDF file-system driver
- UAF in NFTS under certain error conditions
- OOB write in Intel SMBus host controller driver
- Race condition in handling of pipe buffers -> OOB

[USN-5587-1] curl vulnerability [02:12]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-35252
Cookies generally contain NAME=VALUE pairs using ASCII chars for both
ASCII character set contains usual A-Za-z0-9 and punctuation (space, “!#&) plus a bunch of control codes - NUL, BEL, LF, CR, HT (\t) and more
These have a byte value below 32
curl since 4.9 would accept cookies with control codes
As with cookies, these get sent back to the server on subsequent requests
Over time web servers have started rejecting cookies with control codes and returning a HTTP 400 response code (Bad Request)
As such, a malicious “sister site” could return a cookie with control codes inside it, this then would get sent by curl to other sites in the same domain, which would then reject the request and effectively DoS the user
Fixed to have curl validate and then reject such cookies in the first place

[USN-5593-1] Zstandard vulnerability [04:34]

1 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2019-11922
Originally discussed all the way back in Episode 44 - [USN-4108-1] Zstandard vulnerability
Race condition when using single-pass compression, might allow attacker to get OOB write IF the caller had provided a smaller output buffer than the recommended size
So likely won’t affect all packages which use zstd (there are many) - should always follow best practice

Goings on in Ubuntu Security Community

AT&T Alien Labs teardown of Shikitega Linux malware [05:40]

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
Targets endpoints and IoT devices running Linux
Uses multiple different binaries to achieve its purpose - each does one task of the process
Uses various components of Metasploit along the way
- Framework containing various exploits plus different tools to help develop exploits as well as scan environments etc
Initial dropper is a very small binary that is encoded using one of the standard Metasploit encoders to help it evade detection from AV scanners etc
Decodes basic shellcode to open a socket to the C2 server and downloads additional shellcode to run plus the mettle interpreter so that it can make use of off-the-shelf components from Metasploit in further stages
Also downloads the next stage dropper
This again is encoded the same as the first component - contained within is shellcode to spawn a shell via /bin/sh - from this shell it then attempts to run commands to exploit two known privesc vulns - CVE-2021-4034 ([USN-5252-1, USN-5252-2] PolicyKit vulnerability from Episode 147) and CVE-2021-3493 ([USN-4916-2] Linux kernel vulnerability in Episode 113)
Once has gained root privileges via these vulns, with then move on to achieve persistence and execute the primary payload - cryptominer
Persistence is achieved simply by using cron to download the cryptominer from C2 on boot - and then another cron job to execute the cryptominer - and this is done for both the standard user and root
As such the only traces left on the machine at reboot is the crontabs
cryptominer is the XMRig and is configured to mine Monero
C2 is seemingly fronted by cloudflare and cloudfront
No details provided on initial compromise but is good to see details on the privesc vulns - both of these were patched in Ubuntu quite a while ago - and we released a Livepatch for the kernel privesc too - shows the value in such services - can still stay protected against the kind of vulnerabilities that attackers are actually exploiting without the need to reboot
Shows the increasing prevalence of Linux malware (and the resulting interest in it from organisations like AT&T) but also the value in ensuring systems are kept updated

systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]

Had mentioned last week that I would likely cover this - is still a work-in-progress so hopefully next week 🤞

Hiring [11:30]

https://canonical.com/careers/engineering?search=security
Security Certifications Product Manager
- Home based, EMEA
Security Engineer - Ubuntu
- Home based, worldwide
Ubuntu Security Manager
- Home based, worldwide

Get in contact

231 епізодів

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Episode 176

Ubuntu Security Podcast

139 subscribers

published 1+ y ago

Поширити

MP3•Головна епізоду

Overview

This week in Ubuntu Security Updates

13 unique CVEs addressed

[USN-5591-1, USN-5591-2, USN-5591-3, USN-5591-4, USN-5597-1, USN-5598-1] Linux kernel (+ HWE, AWS, Oracle) vulnerability [00:47]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- CVE-2021-33656
OOB write in virtual terminal driver when changing VGA console fonts - covered back in USN-5580-1 - Linux kernel (AWS) vulnerabilities - in Episode 175

[USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities [01:04]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2021-33656
- CVE-2021-33061
OOB write in virtual terminal driver when changing VGA console fonts
Improper control flow mgmt in Intel 10GbE PCIe driver - local DoS

[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]

9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
Above issues plus:
- NULL pointer deref in KVM on host if a VM tried to execute an illegal instruction
- OOB write in UDF file-system driver
- UAF in NFTS under certain error conditions
- OOB write in Intel SMBus host controller driver
- Race condition in handling of pipe buffers -> OOB

[USN-5587-1] curl vulnerability [02:12]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-35252
Cookies generally contain NAME=VALUE pairs using ASCII chars for both
ASCII character set contains usual A-Za-z0-9 and punctuation (space, “!#&) plus a bunch of control codes - NUL, BEL, LF, CR, HT (\t) and more
These have a byte value below 32
curl since 4.9 would accept cookies with control codes
As with cookies, these get sent back to the server on subsequent requests
Over time web servers have started rejecting cookies with control codes and returning a HTTP 400 response code (Bad Request)
As such, a malicious “sister site” could return a cookie with control codes inside it, this then would get sent by curl to other sites in the same domain, which would then reject the request and effectively DoS the user
Fixed to have curl validate and then reject such cookies in the first place

[USN-5593-1] Zstandard vulnerability [04:34]

1 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2019-11922
Originally discussed all the way back in Episode 44 - [USN-4108-1] Zstandard vulnerability
Race condition when using single-pass compression, might allow attacker to get OOB write IF the caller had provided a smaller output buffer than the recommended size
So likely won’t affect all packages which use zstd (there are many) - should always follow best practice

Goings on in Ubuntu Security Community

AT&T Alien Labs teardown of Shikitega Linux malware [05:40]

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
Targets endpoints and IoT devices running Linux
Uses multiple different binaries to achieve its purpose - each does one task of the process
Uses various components of Metasploit along the way
- Framework containing various exploits plus different tools to help develop exploits as well as scan environments etc
Initial dropper is a very small binary that is encoded using one of the standard Metasploit encoders to help it evade detection from AV scanners etc
Decodes basic shellcode to open a socket to the C2 server and downloads additional shellcode to run plus the mettle interpreter so that it can make use of off-the-shelf components from Metasploit in further stages
Also downloads the next stage dropper
This again is encoded the same as the first component - contained within is shellcode to spawn a shell via /bin/sh - from this shell it then attempts to run commands to exploit two known privesc vulns - CVE-2021-4034 ([USN-5252-1, USN-5252-2] PolicyKit vulnerability from Episode 147) and CVE-2021-3493 ([USN-4916-2] Linux kernel vulnerability in Episode 113)
Once has gained root privileges via these vulns, with then move on to achieve persistence and execute the primary payload - cryptominer
Persistence is achieved simply by using cron to download the cryptominer from C2 on boot - and then another cron job to execute the cryptominer - and this is done for both the standard user and root
As such the only traces left on the machine at reboot is the crontabs
cryptominer is the XMRig and is configured to mine Monero
C2 is seemingly fronted by cloudflare and cloudfront
No details provided on initial compromise but is good to see details on the privesc vulns - both of these were patched in Ubuntu quite a while ago - and we released a Livepatch for the kernel privesc too - shows the value in such services - can still stay protected against the kind of vulnerabilities that attackers are actually exploiting without the need to reboot
Shows the increasing prevalence of Linux malware (and the resulting interest in it from organisations like AT&T) but also the value in ensuring systems are kept updated

systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]

Had mentioned last week that I would likely cover this - is still a work-in-progress so hopefully next week 🤞

Hiring [11:30]

https://canonical.com/careers/engineering?search=security
Security Certifications Product Manager
- Home based, EMEA
Security Engineer - Ubuntu
- Home based, worldwide
Ubuntu Security Manager
- Home based, worldwide

Get in contact

231 епізодів

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Усі епізоди

Ласкаво просимо до Player FM!

Player FM сканує Інтернет для отримання високоякісних подкастів, щоб ви могли насолоджуватися ними зараз. Це найкращий додаток для подкастів, який працює на Android, iPhone і веб-сторінці. Реєстрація для синхронізації підписок між пристроями.

Слухайте шоу на 500+ тем

Схожі до Ubuntu Security Podcast

Подкасти, які варто послухати

Ubuntu Security Podcast « » Episode 176

Overview

This week in Ubuntu Security Updates

[USN-5591-1, USN-5591-2, USN-5591-3, USN-5591-4, USN-5597-1, USN-5598-1] Linux kernel (+ HWE, AWS, Oracle) vulnerability [00:47]

[USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities [01:04]

[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]

[USN-5587-1] curl vulnerability [02:12]

[USN-5593-1] Zstandard vulnerability [04:34]

Goings on in Ubuntu Security Community

AT&T Alien Labs teardown of Shikitega Linux malware [05:40]

systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]

Hiring [11:30]

Get in contact

Episode 176

Overview

This week in Ubuntu Security Updates

[USN-5591-1, USN-5591-2, USN-5591-3, USN-5591-4, USN-5597-1, USN-5598-1] Linux kernel (+ HWE, AWS, Oracle) vulnerability [00:47]

[USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities [01:04]

[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]

[USN-5587-1] curl vulnerability [02:12]

[USN-5593-1] Zstandard vulnerability [04:34]

Goings on in Ubuntu Security Community

AT&T Alien Labs teardown of Shikitega Linux malware [05:40]

systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]

Hiring [11:30]

Get in contact

Подкасти, які варто послухати

Ласкаво просимо до Player FM!

Схожі до Ubuntu Security Podcast

Короткий довідник

Ubuntu Security Podcast « »
Episode 176