Show Notes
Overview
We cover recent Linux malware from the Magnet Goblin threat actor, plus the news
of Ubuntu 23.10 as a target in Pwn2Own Vancouver 2024 and we detail
vulnerabilities in Puma, AccountsService, Open vSwitch, OVN, and more.
This week in Ubuntu Security Updates
102 unique CVEs addressed
[USN-6679-1] FRR vulnerability (01:11)
- 1 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
- OOB read when parsing a malformed OSPF LSA packet - would try and access
attribute fields even if none were present
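The defensive check behind this kind of fix, as an added illustration rather than FRR's own code: an LSA carries its own length field, so a parser has to verify that the length is at least the fixed header size and that it fits inside the bytes actually received before it touches any field beyond the header. The two packets below are constructed for the example (a well-formed router LSA with a 4-byte body, and one whose length field promises a body that is not there); the OSPFv2 header layout is the 20-byte one from RFC 2328 Appendix A.4.1.

```python
"""Bounds-checked parsing of OSPFv2 LSA headers (added example, not FRR code)."""
import struct

# LS age, options, LS type, link state ID, advertising router, sequence, checksum, length
LSA_HEADER = struct.Struct(">HBBIIIHH")
LSA_HEADER_LEN = LSA_HEADER.size  # 20 bytes per RFC 2328 A.4.1


def parse_lsa(buf, offset=0):
    """Parse one LSA at buf[offset:]; return (header dict, body bytes, next offset).

    Every access past the fixed header is gated on the attacker-controlled
    'length' field having been checked against the bytes we really hold,
    so a truncated or lying packet raises ValueError instead of reading OOB.
    """
    if len(buf) - offset < LSA_HEADER_LEN:
        raise ValueError("truncated LSA header")
    age, options, ls_type, ls_id, adv_router, seq, csum, length = \
        LSA_HEADER.unpack_from(buf, offset)
    if length < LSA_HEADER_LEN:
        raise ValueError("LSA length field smaller than the header")
    if offset + length > len(buf):
        raise ValueError("LSA length field exceeds the received packet")
    body = buf[offset + LSA_HEADER_LEN:offset + length]
    header = {
        "age": age, "options": options, "type": ls_type, "id": ls_id,
        "adv_router": adv_router, "seq": seq, "checksum": csum, "length": length,
    }
    return header, body, offset + length


def parse_lsa_list(buf, count):
    """Parse 'count' back-to-back LSAs (as in an LS Update body) with the same checks."""
    lsas, offset = [], 0
    for _ in range(count):
        header, body, offset = parse_lsa(buf, offset)
        lsas.append((header, body))
    if offset != len(buf):
        raise ValueError("trailing bytes after last LSA")
    return lsas


def lsa_is_wellformed(buf):
    """True when the buffer holds exactly one LSA that passes every bounds check."""
    try:
        parse_lsa_list(buf, 1)
        return True
    except ValueError:
        return False


# Constructed samples: router LSA (type 1) from 192.168.0.1, one 4-byte body word.
GOOD_LSA = LSA_HEADER.pack(1, 0x02, 1, 0xC0A80001, 0xC0A80001, 0x80000001, 0, 24) \
    + b"\x00\x00\x00\x01"
# Same header, length still says 24, but no body bytes follow at all.
BAD_LSA = LSA_HEADER.pack(1, 0x02, 1, 0xC0A80001, 0xC0A80001, 0x80000001, 0, 24)

if __name__ == "__main__":
    print("good LSA body:", parse_lsa(GOOD_LSA)[1].hex())
    print("bad LSA accepted:", lsa_is_wellformed(BAD_LSA))
```

The same pattern applies to any type-specific body fields: decode them only from the `body` slice that the length check already bounded, never from the raw packet buffer.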
[LSN-0101-1] Linux kernel vulnerability (01:50)
Kernel type     | 22.04 | 20.04 | 18.04 | 16.04 | 14.04
aws             | 101.1 | 101.1 | 101.1 | 101.1 | —
aws-5.15        | —     | 101.1 | —     | —     | —
aws-5.4         | —     | —     | 101.1 | —     | —
aws-6.5         | 101.1 | —     | —     | —     | —
aws-hwe         | —     | —     | —     | 101.1 | —
azure           | 101.1 | 101.1 | —     | 101.1 | —
azure-4.15      | —     | —     | 101.1 | —     | —
azure-5.4       | —     | —     | 101.1 | —     | —
azure-6.5       | 101.1 | —     | —     | —     | —
gcp             | 101.1 | 101.1 | —     | 101.1 | —
gcp-4.15        | —     | —     | 101.1 | —     | —
gcp-5.15        | —     | 101.1 | —     | —     | —
gcp-5.4         | —     | —     | 101.1 | —     | —
gcp-6.5         | 101.1 | —     | —     | —     | —
generic-4.15    | —     | —     | 101.1 | 101.1 | —
generic-4.4     | —     | —     | —     | 101.1 | 101.1
generic-5.15    | —     | 101.2 | —     | —     | —
generic-5.4     | —     | 101.1 | 101.1 | —     | —
gke             | 101.1 | —     | —     | —     | —
gke-5.15        | —     | 101.1 | —     | —     | —
gkeop           | —     | 101.1 | —     | —     | —
hwe-6.5         | 101.1 | —     | —     | —     | —
ibm             | 101.1 | 101.1 | —     | —     | —
ibm-5.15        | —     | 101.1 | —     | —     | —
linux           | 101.2 | —     | —     | —     | —
lowlatency-4.15 | —     | —     | 101.1 | 101.1 | —
lowlatency-4.4  | —     | —     | —     | 101.1 | 101.1
lowlatency-5.15 | —     | 101.2 | —     | —     | —
lowlatency-5.4  | —     | 101.1 | 101.1 | —     | —
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
[USN-6680-1] Linux kernel vulnerabilities (02:47)
- 7 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
[USN-6681-1] Linux kernel vulnerabilities
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6686-1] Linux kernel vulnerabilities
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6680-2] Linux kernel vulnerabilities
- 7 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
[USN-6681-2] Linux kernel vulnerabilities
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6688-1] Linux kernel (OEM) vulnerabilities (03:32)
- 63 CVEs addressed in Jammy (22.04 LTS)
[USN-6682-1] Puma vulnerabilities (05:00)
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- HTTP server for Ruby/Rack applications that uses threading for improved performance
- [USN-6597-1] Puma vulnerability from Episode 217 - HTTP request smuggling
attack - was fixed for mantic and lunar, now fixed for older releases too, plus
a bunch of other older HTTP request smuggling issues as well
[USN-6683-1] HtmlCleaner vulnerability (05:45)
- 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Java library for parsing HTML
- DoS through crafted objects with cyclic dependencies
[USN-6684-1] ncurses vulnerability (06:01)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Possible issue when parsing terminfo files - these are generally trusted, and
since the previous update for CVE-2023-29491 in [USN-6099-1] ncurses
vulnerabilities from Episode 196, untrusted terminfo files are not parsed when
the application is setuid root, so this has no real security impact
[USN-6685-1] mqtt-client vulnerability ()
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Java MQTT Client library
- Unmarshalling a crafted MQTT frame could lead to an OOM exception -> DoS
[USN-6687-1] AccountsService vulnerability (07:25)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Oldest CVE this week?
- Only fixed 1 year ago by upstream
- To change a user's password, it would invoke usermod with the -p option and
the new encrypted/salted password - as such any user on the system would be
able to see that via inspection of /proc/<pid>/cmdline
- Very low risk since the process only exists for a very short time AND the
password is already encrypted - so instead it now invokes chpasswd and
supplies the new encrypted password over standard input - an attacker would
then need to be able to ptrace the process to see it, which with YAMA
ptrace_scope enabled in Ubuntu means you need to be root (or a parent process
of accountsservice, which is started by dbus for the current user) - so an
attacker would have to be able to cause the existing accountsservice to stop
and then start their own to see the new encrypted password
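The difference between the two approaches, shown as an added example rather than AccountsService's code: a throw-away `sh` process stands in for `usermod -p`, and a second one that reads its stdin stands in for `chpasswd`. Each is inspected through `/proc/<pid>/cmdline`, which any local user can read, so the example needs a Linux host with `/bin/sh`; the "hash" is a constructed dummy string, not a real password hash.

```python
"""Secret in argv vs secret over stdin, seen through /proc (added example)."""
import subprocess

# Constructed stand-in for a crypt(3)-style hash; not a real credential.
SECRET = "$6$constructedsalt$constructedhashvalue"


def read_cmdline(pid):
    """Return another process's argv as one string.

    /proc/<pid>/cmdline is world-readable on Linux, so this is exactly what an
    unprivileged local user could do while the helper process is alive.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().replace(b"\0", b" ").decode(errors="replace")


def secret_in_argv_visible():
    """Old behaviour: the hash is an argument (like 'usermod -p HASH user')."""
    # 'sh -c "sleep 30; :"' keeps the shell alive (the trailing ':' stops it
    # exec'ing sleep directly, which would replace its argv); $1 is the hash.
    proc = subprocess.Popen(["sh", "-c", "sleep 30; :", "sh", SECRET])
    try:
        return SECRET in read_cmdline(proc.pid)
    finally:
        proc.kill()
        proc.wait()


def secret_via_stdin_visible():
    """New behaviour: the hash goes over stdin (like chpasswd), never into argv."""
    proc = subprocess.Popen(["sh", "-c", "read line; :"],
                            stdin=subprocess.PIPE, text=True)
    try:
        # The child blocks in 'read' until we write, so its argv can be inspected
        # at the moment the secret is about to be delivered.
        visible = SECRET in read_cmdline(proc.pid)
        proc.communicate(input=SECRET + "\n", timeout=10)
        return visible
    finally:
        if proc.poll() is None:
            proc.kill()
            proc.wait()


if __name__ == "__main__":
    print("hash visible when passed in argv :", secret_in_argv_visible())
    print("hash visible when passed on stdin:", secret_via_stdin_visible())
```

With stdin, the remaining way to observe the value is to trace the process, and YAMA's `kernel.yama.ptrace_scope` (1 by default on Ubuntu) limits that to ancestors of the process or root, which is the residual risk the notes describe.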
[USN-6658-2] libxml2 vulnerability (09:41)
[USN-6690-1] Open vSwitch vulnerabilities (10:01)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- [USN-6514-1] Open vSwitch vulnerability from Episode 214
- Original fix was incomplete - required additional fixes
- OOB read in hardware offload of Geneve packets (protocol for generic network
virtualisation encapsulation) - can mitigate by disabling this option in
config
[USN-6689-1] Rack vulnerabilities (10:41)
- 3 CVEs addressed in Mantic (23.10)
- Modular Ruby web server
- Possible reflected DoS - a crafted Range header can result in unexpectedly
large responses - could request ranges for a file which add up to more than the
file itself - so now just return nothing in that case
- ReDoS in header parsing - used a regex to split options and strip them - now
just splits on a comma directly, then strips each item separately
[USN-6656-2] PostgreSQL vulnerability (11:51)
[USN-6691-1] OVN vulnerability (12:00)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Affects setups with bidirectional forwarding detection (BFD) enabled on
logical ports - this is used to monitor the health of remote nodes and the
tunnels between them - BFD packets are transmitted in-band in these tunnels
along with other traffic - OVN would then process any BFD packet received on a
tunnel where it was enabled - as such a remote attacker within a container/VM
connected to an OVN logical switch port of such a tunnel could craft BFD
packets which would then get tunnelled to and processed by another node and
change the BFD state of the tunnel and hence affect future forwarding
decisions - i.e. could essentially cause a DoS to future traffic along the
tunnel
[USN-6692-1] Gson vulnerability (13:04)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Java library for JSON serialisation/deserialisation to/from Java objects
- Only affected Java Serialisation - and then only if you were not careful to
avoid circular references between objects when deserialising
[USN-6693-1] .NET vulnerability (13:27)
- 1 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
- Patch Tuesday for dotnet7/8 - no real details from MS
[USN-6663-2] OpenSSL update (13:55)
- Affecting Xenial ESM (16.04 ESM)
- [USN-6663-1] OpenSSL update from Episode 220
- Hardening update to return output instead of an exception when wrong padding
was used - removes a timing side-channel for inferring secret key
Ubuntu 23.10 to be a target in Pwn2Own Vancouver 2024 (14:26)
- Part of CanSecWest in Vancouver March 20-22 2024
- Ubuntu Desktop 23.10 target in Local Escalation of Privilege Category - must
leverage a kernel vuln to escalate privs
- Unfortunately the userns restrictions are not enabled by default in 23.10
(Mantic), so it will be interesting to see what kinds of vulns get turned up
- Will report back on findings in later episodes
Check Point Research report on Magnet Goblin’s Linux Malware Variants (15:42)
- https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/
- Check Point Research reported on recent attacks targeting Ivanti Connect
Secure VPN by a threat actor they call Magnet Goblin
- Ivanti Connect Secure VPN CVEs were made public in January and have been exploited in the wild
- CPR decided to investigate a cluster of attacks
- In doing so they cover the details of Magnet Goblin's Nerbian family of malware
- Report from Eclypsium suggests Ivanti Connect Secure runs an old version of Linux
- CentOS 6.4, which was released in 2013 and officially went end of life in 2020
- Linux kernel 2.6.32 (EOL Feb 2016)
- openssl 1.0.2n (EOL Dec 2017)
- Perl 5.6.1 (EOL April 2001)
- Clear then that the malware targets not only Ivanti Connect Secure but Linux in general
- CPR report includes details on what TTPs to look for - IP addresses / domains etc
- Then details the NerbianRAT malware
- First disclosed in 2022 by ProofPoint when detailing the Windows variant
- Earliest sample of this Linux variant is in an upload to VT from May 2022
- But unlike the Windows variant, the Linux one does not include any
hardening measures - it even has DWARF debugging info present so it can easily
be decompiled
- Only anti-debug/analysis trick is to check there are no other instances of
itself running by trying to allocate a static shared memory segment - if
this succeeds then it assumes no other instance is running and proceeds to:
- collect basic info like current time, $USER, machine name etc
- loads a public RSA key which is later used to encrypt network comms back to a hardcoded IP address used for C2
- then loads a config which allows configuring things like when to start /
end, other C2 hosts to use, time to sleep during file transfers and more
- for C2 uses raw TCP sockets and encrypts using the RSA key
- waits for magic string which contains the command to run from C2
- Also details MiniNerbian, a simplified form for just command execution which
uses HTTP and sends POST requests to a /dashboard/ endpoint - likely to try
and hide its network traffic in plain sight (rather than the raw TCP sockets
with the custom encrypted protocol employed by NerbianRAT)
- For initial access, details are less clear but it appears to exploit vulns in
Ivanti, Magento, Qlik Sense and possibly Apache ActiveMQ - dubbed 1-day
exploits
- What do we learn?
- Device makers who use OSS need to keep it up-to-date (or build on top of
systems like Ubuntu Core which come with OTA etc OOTB)
- End-users of devices need to keep them up-to-date and deploy usual
defence-in-depth practices (but this is hard when the device is intended to
be deployed on the edge of a network - hard to add additional DiD to a VPN
concentrator)