Episode 158

Posted on Friday, May 6, 2022
Microsoft’s Nimbuspwn sets the Linux security media ablaze but where there’s smoke there’s not always fire, plus we bring you the first part of a 2 part series looking at some of the security features in the latest Ubuntu 22.04 LTS release.

Show Notes

Overview

Microsoft’s Nimbuspwn sets the Linux security media ablaze but where there’s smoke there’s not always fire, plus we bring you the first part of a 2 part series looking at some of the security features in the latest Ubuntu 22.04 LTS release.

This week in Ubuntu Security Updates

92 unique CVEs addressed

[USN-5381-1] Linux kernel (OEM) vulnerabilities

[USN-5383-1] Linux kernel vulnerabilities

[USN-5384-1] Linux kernel vulnerabilities

[USN-5385-1] Linux kernel vulnerabilities

[USN-5387-1] Barbican vulnerabilities

[USN-5376-2] Git vulnerability

[USN-5388-1] OpenJDK vulnerabilities

[USN-5388-2] OpenJDK vulnerabilities

[USN-5389-1] Libcroco vulnerabilities

[USN-5390-1] Linux kernel vulnerabilities

[USN-5376-3] Git regression

  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

[USN-5391-1] libsepol vulnerabilities

[USN-5366-2] FriBidi vulnerabilities

[USN-5393-1] Thunderbird vulnerabilities

[USN-5371-2] nginx vulnerability

[USN-5394-1] WebKitGTK vulnerabilities

[USN-5392-1] Mutt vulnerabilities

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

[USN-5395-1] networkd-dispatcher vulnerabilities

[USN-5396-1] Ghostscript vulnerability

[USN-5397-1] curl vulnerabilities

[USN-5398-1] Simple DirectMedia Layer vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Impish (21.10)

[USN-5399-1] libvirt vulnerabilities

[USN-5400-1] MySQL vulnerabilities

[USN-5400-2] MySQL vulnerabilities

[USN-5390-2] Linux kernel (Raspberry Pi) vulnerabilities

Goings on in Ubuntu Security Community

Nimbuspwn [01:46]

  • Nimbuspwn - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
  • At the end of April Microsoft disclosed some vulnerabilities which gathered a lot of media attention, leading to a lot of outlets seemingly claiming most Linux systems were affected and that this was a high severity issue
  • Describes a number of issues in networkd-dispatcher which could be used to get RCE
    • directory traversal
    • symlink race
    • TOCTOU permissions check race condition
  • However, all relies on being able to have an arbitrary process run under the systemd-network user (since this user is the only one which can bind to the right dbus name org.freedesktop.network1)
  • Originally they provided some vague mentions of gpgv plugins and epmd running under this user.
  • gpgv plugins are launched by apt=/=apt-get during package install / upgrade so this sounds like a common scenario that would affect most users (instead of say epmd which is the erlang port mapper daemon, so unless you are running erland applications you would not be affected by that)
  • Looking again though at these gpg plugins running as the systemd-network user - this is definitely not the case for standard Ubuntu - since apt is very clear to run them under the _apt user account purposefully to restrict their privileges
  • After we questioned Microsoft about this, they amended the blog post to then just say they were able to detect several instances of other processes running under this user in various customer environments but then state that some of these were due to customer misconfigurations.
  • So there is no real evidence here that in general Ubuntu / Linux users would be affected as all the original media reporting suggested
  • Perhaps these customers were using containers and running processes in those where the UID mapped back to the systemd-network user ID on the host? This is a common pitfall with containers and something which users need to be aware of when deploying containers
  • As such, what appeared to be quite a high priority and high profile vulnerability in fact is likely more of a bit of a non-issue - whilst it could be argued that these are real issues in networkd-dispatcher since they are not able to be exploited in standard configurations they are not a real threat to most users
  • Interesting to note while the blog post has been amended, all the various media articles which cited the original report have not been updated and still seem to claim that Ubuntu and other distros would be affected by this
  • Also interesting to note, Microsoft worked directly with the upstream maintainer of networkd-dispatcher but didn’t involve any downstream distros - as suggested by Julian Andres Klode from the Ubuntu Foundations team (and upstream apt maintainer) - perhaps Microsoft should have pre-disclosed this issue to the linux-distros mailing list - if they had done so this likely would have been assessed and clarified earlier so that Microsoft could have more properly understood the extent of the vulnerabilities which they discovered the internet could have avoided another brief panic scenario

What’s new in security in Ubuntu 22.04 LTS (part 1) [08:05]

  • Preview of the first half of blog post which will be published in the coming weeks on the various security features which are included in Ubuntu 22.04 LTS. This week we will look at enhancements provided by the Linux kernel whilst next week we will look at features provided by other parts of the distribution.
  • 22.04 LTS latest long term support release - 5 years of standard support plus 5 years of ESM - total 10 years of support via Ubuntu Advantage (free for personal use)
  • Great foundation to use then to deploy services / applications etc and know they will be supported for a long time to come
  • Has been 2 years since the last LTS so there are lots of features to cover - I will only touch on some of them - if you want a more deep dive, check out the blog posts we published for the interim releases
  • Optimised kernels for different platforms
    • OEM desktops - 5.17
    • Desktop & server - 5.15
    • Desktop will get HWE stack by default so in future will get kernel version upgrades bringing new features etc whilst server will stick with GA kernel for stability
    • Clouds have their own optimised kernels
  • Hardware specific enhancements
    • SGX on Intel for secure enclaves
    • Memory tagging on ARM64 to protect against memory corruption attacks
    • AMD SEV for KVM to protect guest VM registers from the host
  • Generic kernel improvements
    • Core scheduling to provide a means to use SMT in the face of various hardware microarchitectural side-channel attacks like L1TF and the like (this was only partially mitigated in SW/microcode and could still potentially affect VMs running across SMT siblings) - so in past had to disable SMT to be fully certain were protected - now can use core scheduling to specify to the kernel which processes should not be scheduled on sibling HTs to avoid these sorts of attack
    • Kernel stack offset randomisation across system calls
    • BPF improvements - one of the most popular subsystems in the kernel, used not just for tracing and packet filtering but also now BPF LSM and more use-cases. However, has also caused a number of security vulns as covered previously - now disabled unprivileged BPF by default. Also work has been done to try and support signed BPF programs to ensure only trusted code is executed as well.
    • Landlock LSM for application-level sandboxing - like seccomp, Landlock allows a process to specify it’s own policy so can sandbox itself - rather than say traditional MAC systems of AppArmor/SELinux where the system admin configures the policy
      • LSM stacking allows Landlock to be used in conjunction with AppArmor for a more defense-in-depth approach

Get in contact