Episode 168

Posted on Friday, Jul 15, 2022
This week we rocket back into your podcast feed with a look at the OrBit Linux malware teardown from Intezer, plus we cover security updates for cloud-init, Vim, the Linux kernel, GnuPG, Dovecot and more.

Show Notes

This week in Ubuntu Security Updates

52 unique CVEs addressed

[USN-5496-1] cloud-init vulnerability

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • cloud-init was originally a Canonical-developed project but is now widely used by many of the public clouds for configuring cloud images on first boot
  • When validating the user-supplied configuration it would log the invalid entries verbatim - if one of those entries was a password, the password ended up in the log in the clear - and the cloud-init logs are world-readable by default, so any local user could read it
  • Fixed to instead log a generic error message with details on how to obtain the actual invalid entries via a privileged command
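A quick way to check an already-deployed host for this exposure, added here as an example (it is not from the USN or from cloud-init itself): it flags a cloud-init log that is both world-readable and contains a password-like entry, and reports only file:line so the secret is not echoed a second time. The default log paths and the key pattern are assumptions; the sample log content in the block is constructed, not real cloud-init output.

```shell
#!/bin/sh
# Added example, not from the cloud-init project or the advisory: flag cloud-init
# logs that are world-readable AND carry a password-like value from a rejected config.

# Returns 1 if LOGFILE has the "other" read bit set and contains a password-looking
# key, 0 otherwise. Only file:line is printed so the secret is not re-exposed.
leaked_password_in_log() {
    f="$1"
    [ -f "$f" ] || return 0
    # POSIX find: -perm -004 means the "other" read bit is set (world-readable)
    [ -n "$(find "$f" -perm -004 2>/dev/null)" ] || return 0
    # Key pattern is an assumption; extend it for your own user-data schema
    lines=$(grep -Ein '(password|passwd)[[:space:]]*[:=]' "$f" | cut -d: -f1)
    [ -z "$lines" ] && return 0
    for n in $lines; do
        printf '%s:%s: world-readable log holds a password-like entry\n' "$f" "$n"
    done
    return 1
}

# Walk the usual cloud-init logs (default paths are assumptions) and return 1
# if any of them leaks.
check_cloud_init_logs() {
    [ $# -eq 0 ] && set -- /var/log/cloud-init.log /var/log/cloud-init-output.log
    rc=0
    for f in "$@"; do
        leaked_password_in_log "$f" || rc=1
    done
    return $rc
}

# Demo on a constructed log (not real cloud-init output): a rejected user-data
# entry echoed back into a 0644 log, which is exactly what the fix avoids.
demo=$(mktemp)
printf 'Invalid config: [password: hunter2]\nok line\n' > "$demo"
chmod 644 "$demo"
check_cloud_init_logs "$demo" || echo "exposure found (exit=$?)"
rm -f "$demo"
```

If the check fires, the minimum remediation after patching is to tighten the existing log (for example `chmod 640` on the affected files) and rotate the leaked credential, since the patch only stops new entries from being written.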

[USN-5497-1] Libjpeg6b vulnerabilities [01:54]

[USN-5498-1] Vim vulnerabilities [02:16]

[USN-5499-1] curl vulnerabilities [02:44]

[USN-5485-2] Linux kernel (OEM) vulnerabilities [02:53]

[USN-5493-2] Linux kernel (HWE) vulnerability [03:03]

  • 1 CVE addressed in Bionic (18.04 LTS) and Focal (20.04 LTS) - the 5.4 and 5.13 HWE kernels respectively
  • 8 Devices USB2CAN driver: double free -> crash (DoS)

[USN-5500-1] Linux kernel vulnerabilities [03:21]

[USN-5501-1] Django vulnerability [03:47]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Possible SQL injection if the Trunc() or Extract() database functions were called with untrusted data

[USN-5479-2] PHP vulnerabilities [04:05]

[USN-5479-3] PHP regression

[USN-5502-1] OpenSSL vulnerability [04:21]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Mishandled AES OCB (Offset Codebook) mode - an authenticated encryption mode that combines encryption with integrity protection - on 32-bit x86 platforms that support the AES-NI hardware-optimised instructions - could skip one block of data and leave it unencrypted

[USN-5503-1, USN-5503-2] GnuPG vulnerability [05:11]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Possible to craft signed data such that on attempted verification GPG would display output that appeared to show the message was correctly signed when in fact verification had failed - so could trick a user, or an application parsing that output, into trusting the data

[USN-5488-2] OpenSSL vulnerability [05:37]

[USN-5505-1] Linux kernel vulnerabilities [05:46]

[USN-5506-1] NSS vulnerabilities [06:24]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Crash on empty PKCS#7 sequence -> DoS
  • Possible free of invalid pointer -> likely crash -> DoS or possible RCE

[USN-5507-1] Vim vulnerabilities [06:48]

[USN-5509-1] Dovecot vulnerability [06:57]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Possible privilege escalation when a primary and a non-primary passdb configuration entry are configured with similar settings - an unlikely configuration in practice, but the non-primary entry could then grant users the access that the primary entry was meant to provide

[USN-5508-1] Python LDAP vulnerability [07:30]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • ReDoS when using ldap.schema to validate untrusted schemas - DoS via excessive CPU/memory usage

[USN-5510-1, USN-5510-2] X.Org X Server vulnerabilities [07:51]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • 2 different OOB reads via various X server methods - untrusted client could use this to crash X server or expose sensitive info

[USN-5256-1] uriparser vulnerabilities [08:07]

  • 2 CVEs addressed in Bionic (18.04 LTS)
  • C library for parsing RFC 3986-compliant URIs
  • Not surprisingly, since C is memory-unsafe, it contained 2 different memory-management issues that could be triggered via crafted input - both resulting in a use-after-free -> DoS / possible RCE

Goings on in Ubuntu Security Community

OrBit malware analysis [08:44]

  • https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
  • Similar to Symbiote, which we covered in Episode 163 - Intezer has detailed another Linux malware sample
  • Like Symbiote, the OrBit dropper targets arbitrary binaries via the dynamic linker - however, unlike Symbiote, it doesn't use the LD_PRELOAD environment variable but instead instructs the dynamic linker via /etc/ld.so.preload. This benefits the malware since LD_PRELOAD is subject to restrictions for setuid binaries etc., whereas /etc/ld.so.preload is not - so every dynamically linked binary, including setuid-root ones, is "infected" via this technique and the malware payload gets loaded into all of them
  • The payload then hooks functions from libc, libpcap and libpam so that all other binaries on the system which use these libraries end up calling the payload's malicious variants of those functions
  • This allows it to harvest credentials (via libpam), evade detection (via libpcap) and gain persistence and remote access
  • By hooking libc it can also hide in plain sight: when other binaries call functions like readdir() the malware's own files are omitted from the results - likewise for execve(), so that if a binary like ip, iptables or even strace is executed, it can modify the output that is returned to omit its own details
  • As we discussed with Symbiote, even though it goes to great lengths to hide in plain sight, it can still be detected via offline forensic analysis etc.
  • Interesting to see similar techniques used across the various malware samples
  • No info on how the initial compromise / privilege escalation is achieved - root is required to write /etc/ld.so.preload - but likely via vulnerabilities in privileged internet-facing applications. As such, MAC systems like AppArmor become very useful for confining these services so they cannot arbitrarily write to these quite privileged files etc.
  • POLA (the principle of least authority) is one of the basic tenets of good security
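Two checks for the /etc/ld.so.preload technique described above, added here as an example; they are not from the Intezer write-up and not derived from the OrBit sample. Both functions take a file path so they can be pointed at a mounted evidence image or at copied /proc files rather than the live, possibly hooked, host. The sample preload and maps contents are constructed, and the set of "usual" library directories is an assumption you should tune for your own images.

```shell
#!/bin/sh
# Added example, not from the Intezer analysis: offline checks for the
# /etc/ld.so.preload persistence technique. Run them against a mounted image
# (e.g. /mnt/evidence/etc/ld.so.preload) so the hooked readdir()/execve() on
# the infected host cannot hide the answers.

# Print the libraries an ld.so.preload file would inject into every dynamically
# linked program, setuid ones included. glibc's loader splits the file on
# whitespace and ':' and treats '#' as a comment. Returns 1 if any entry exists.
preload_entries() {
    f="${1:-/etc/ld.so.preload}"
    [ -f "$f" ] || return 0
    entries=$(sed 's/#.*//' "$f" | tr ' \t:' '\n\n\n' | sed '/^$/d')
    [ -z "$entries" ] && return 0
    printf '%s\n' "$entries"
    return 1
}

# Given a /proc/PID/maps file, list mapped shared objects that live outside the
# usual library directories (that set is an assumption). A userland rootkit
# injected via ld.so.preload shows up here in every dynamically linked process.
unusual_libs() {
    awk '$6 ~ /\.so($|\.)/ { print $6 }' "$1" | sort -u |
        grep -Ev '^/(usr/)?(local/)?lib(32|64|x32)?/' || true
}

# Demo on constructed data (not taken from a real infection).
tmp=$(mktemp -d)
printf '# constructed sample\n/dev/shm/.x/libhook.so\n' > "$tmp/ld.so.preload"
printf '%s\n' \
  '7f1a00000000-7f1a001c0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6' \
  '7f1a00200000-7f1a00201000 rw-p 00000000 00:00 0' \
  '7f1a00300000-7f1a00310000 r-xp 00000000 00:16 42 /dev/shm/.x/libhook.so' \
  '7f1a00400000-7f1a00430000 r-xp 00000000 08:01 77 /lib64/ld-linux-x86-64.so.2' \
  > "$tmp/maps"
preload_entries "$tmp/ld.so.preload" || echo "ld.so.preload is populated"
unusual_libs "$tmp/maps"
rm -rf "$tmp"
```

Because ld.so.preload is consumed by the dynamic loader, a statically linked tool (a static busybox, for instance) run on the live host is not subject to it, which is a cheap way to cross-check what the readdir()-backed `ls` of a normal shell reports against the raw directory contents.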

Ubuntu 21.10 (Impish Indri) EOL [12:40]

  • Officially EOL yesterday (14th July 2022)
  • Will no longer receive security or bug fix updates etc
  • Upgrade to Ubuntu 22.04 LTS - 5 years of standard support plus 5 years of ESM (free for personal use on up to 3 machines) - 10 years total of support

Get in contact