Episode 163
Posted on Friday, Jun 10, 2022
This week we dig into some of the details of another recent Linux malware
sample called Symbiote, plus we cover security updates for the Linux
kernel, vim, FreeRDP, NTFS-3G and more.
Show Notes
Overview
This week we dig into some of the details of another recent Linux malware sample called Symbiote, plus we cover security updates for the Linux kernel, vim, FreeRDP, NTFS-3G and more.
This week in Ubuntu Security Updates
82 unique CVEs addressed
[USN-5456-1] ImageMagick vulnerability [00:36]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Heap UAF found by oss-fuzz
[LSN-0086-1] Linux kernel vulnerability [00:51]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Various recent local privesc vulns:
- cgroups v1
release_agent - UAF in network scheduling subsystem
- UAF in network traffic control subsystem
- integer overflow in
io_uring - seccomp restrictions bypass
- UAF in network queuing and scheduling subsystem
- cgroups v1
- Secure boot bypass through
kgdb
canonical-livepatch status
| Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
|---|---|---|---|---|---|
| aws | — | 86.3 | 86.3 | 86.3 | — |
| aws-5.4 | — | — | 86.3 | — | — |
| aws-hwe | — | — | — | 86.3 | — |
| azure | — | 86.3 | — | 86.3 | — |
| azure-4.15 | — | — | 86.3 | — | — |
| azure-5.4 | — | — | 86.3 | — | — |
| gcp | 86.4 | 86.3 | — | 86.3 | — |
| gcp-4.15 | — | — | 86.3 | — | — |
| gcp-5.4 | — | — | 86.3 | — | — |
| generic-4.15 | — | — | 86.3 | 86.3 | — |
| generic-4.4 | — | — | — | 86.3 | 86.3 |
| generic-5.4 | — | 86.3 | 86.3 | — | — |
| gke | 86.4 | 86.3 | — | — | — |
| gke-4.15 | — | — | 86.3 | — | — |
| gke-5.4 | — | — | 86.3 | — | — |
| gkeop | — | 86.3 | — | — | — |
| gkeop-5.4 | — | — | 86.3 | — | — |
| ibm | 86.4 | 86.3 | — | — | — |
| ibm-5.4 | — | — | 86.3 | — | — |
| linux | 86.4 | — | — | — | — |
| lowlatency | 86.4 | — | — | — | — |
| lowlatency-4.15 | — | — | 86.3 | 86.3 | — |
| lowlatency-4.4 | — | — | — | 86.3 | 86.3 |
| lowlatency-5.4 | — | 86.3 | 86.3 | — | — |
| oem | — | — | 86.3 | — | — |
[USN-5465-1] Linux kernel vulnerabilities [02:02]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- secure boot bypass via kgdb
- UAF in netfliter -> privesc
- seccomp restrictions bypass
[USN-5466-1] Linux kernel vulnerabilities
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- secure boot bypass, netfilter UAF plus btrfs deadlock, infoleak in netfilter + virtual graphics manager, double free in 802.2 LLC driver and EMS CAN/USB drivers
[USN-5467-1] Linux kernel vulnerabilities [02:29]
- 21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2022-28390
- CVE-2022-28389
- CVE-2022-28356
- CVE-2022-26966
- CVE-2022-24958
- CVE-2022-23042
- CVE-2022-23041
- CVE-2022-23040
- CVE-2022-23039
- CVE-2022-23038
- CVE-2022-23037
- CVE-2022-23036
- CVE-2022-1516
- CVE-2022-1353
- CVE-2022-1198
- CVE-2022-1158
- CVE-2022-1011
- CVE-2021-4197
- CVE-2021-3772
- CVE-2022-1966
- CVE-2022-21499
- Most of the above plus privesc via mishandling of permission checks when migrating processes across cgroups, KVM page table handling -> host crash (DoS), UAF in USB-Gadget, Microchip CAN BUS Analyzer, 6pack protocol driver and more
[USN-5468-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- Subset of the above
[USN-5469-1] Linux kernel vulnerabilities
- 20 CVEs addressed in Jammy (22.04 LTS)
- More of the same
[USN-5470-1] Linux kernel (OEM) vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-5471-1] Linux kernel (OEM) vulnerabilities
- 8 CVEs addressed in Jammy (22.04 LTS)
[USN-5458-1] Vim vulnerabilities [03:17]
- 9 CVEs addressed in Xenial ESM (16.04 ESM)
- OOB reads, heap buffer overflows, stack buffer overflows, UAFs etc via crafted input files
[USN-5460-1] Vim vulnerabilities
- 10 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5459-1] cifs-utils vulnerabilities [03:49]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Tools for managing cifs mounts etc
- Privesc via stack buffer overflow in
mount.cifsvia crafted command-line arguments - usedstrcpy()to copy the provided IP address after first checking length - but did comparison usingstrnlen()which returns the max length even if the string is longer - so subsequentstrcpy()would then overflow - Possible shell command injection into
mount.cifswhen it spawns a subshell for password input - Exposure of host kerberos credentials when mounting a CIFS share using kerberos authentication within a container
[USN-5461-1] FreeRDP vulnerabilities [05:21]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Episode 162 - Last week we talked about a couple different packages that
mishandled empty password to then improperly authenticate a user
- Similar vuln in FreeRDP when using NTLM authentication - allows a client to authenticate to the server with an empty NTLM password
[USN-5462-1, USN-5462-2] Ruby vulnerabilities [06:11]
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Double free in regexp compiler when handling a crafted regex as input - so if allow attackers to provide regex which will then get compiled could abuse this to gain code execution as the ruby interpreter
[USN-5463-1] NTFS-3G vulnerabilities [06:41]
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- ntfsck code execution via crafted disk images (Episode 162)
- Incorrect handling of crafted disk images during mounting etc -> various heap buffer overflows -> code execution
- Logic error exposes a user to intercept the FUSE protocol traffic between nfts-3g and the kernel
[USN-5464-1] E2fsprogs vulnerability [07:17]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Similarly, OOB R/W in e2fsprogs -> used when doing fsck, mkfs, resizefs, badblocks etc on crafted file system image -> code execution
Goings on in Ubuntu Security Community
Symbiote Linux malware analysis [07:58]
- https://www.intezer.com/blog/research/new-linux-threat-symbiote/
- Research from Intezer and Blackberry
- Found targeting financial sector in Latin America
- Described as ’nearly impossible’ to detect
- Uses
LD_PRELOADto ‘infect’ binaries on system - Evades detection by then hooking various functions in libc, libpcap etc to change their behaviour and alter their output so that when running tools like ls, ps etc they don’t show evidence of infection
- Also loads BPF filter to hide it’s own network traffic from being seen
when say running a local
tcpdumpetc - ‘Nearly impossible to detect’ claim
- Indeed, is going to be very hard to detect it from the machine itself which is compromised
- If an attacker has control over the machine they can clearly influence that environment to hide themselves
- Reminds of a recent twitter thread involving halvarflake, Mathias Krause
and others, and then a follow-up blog post from Brad Spengler from
grsecurity looking at Tetragon eBPF Security Observability and Runtime
Environment
- eBPF based system which allows sysadmins to develop policy to detect and kill exploits
- Runs on the system itself in kernel-space and tries to detect once a
user has elevated privileges etc
- e.g. kernel memory corruption to set their own uid as 0
- But since the attacker has already got code execution in the kernel to be able to achieve this they can just as easily first disable Tetragon and then go and elevate privileges and hence not be detected
- Basically if you are trying to detect compromise from within the environment itself the attacker is always at an advantage and can change the environment to evade detection and make everything look normal / disable checks etc
- Instead need to be at a higher level of abstraction
- In the case of detecting Symbiote - would need to say take a disk image and analyse it offline from another machine so that the analysis environment can’t be influenced by the malware itself