Episode 222

Posted on Monday, Mar 18, 2024
We cover recent Linux malware from the Magnet Goblin threat actor, plus the news of Ubuntu 23.10 as a target in Pwn2Own Vancouver 2024 and we detail vulnerabilities in Puma, AccountsService, Open vSwitch, OVN, and more.

Show Notes

This week in Ubuntu Security Updates

102 unique CVEs addressed

[USN-6679-1] FRR vulnerability (01:11)

  • 1 CVE addressed in Jammy (22.04 LTS), Mantic (23.10)
  • OOB read when parsing a malformed OSPF LSA packet - would try to access attribute fields even if none were present

[LSN-0101-1] Linux kernel vulnerability (01:50)

Kernel type 22.04 20.04 18.04 16.04 14.04
aws 101.1 101.1 101.1 101.1
aws-5.15 101.1
aws-5.4 101.1
aws-6.5 101.1
aws-hwe 101.1
azure 101.1 101.1 101.1
azure-4.15 101.1
azure-5.4 101.1
azure-6.5 101.1
gcp 101.1 101.1 101.1
gcp-4.15 101.1
gcp-5.15 101.1
gcp-5.4 101.1
gcp-6.5 101.1
generic-4.15 101.1 101.1
generic-4.4 101.1 101.1
generic-5.15 101.2
generic-5.4 101.1 101.1
gke 101.1
gke-5.15 101.1
gkeop 101.1
hwe-6.5 101.1
ibm 101.1 101.1
ibm-5.15 101.1
linux 101.2
lowlatency-4.15 101.1 101.1
lowlatency-4.4 101.1 101.1
lowlatency-5.15 101.2
lowlatency-5.4 101.1 101.1

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

[USN-6680-1] Linux kernel vulnerabilities (02:47)

[USN-6681-1] Linux kernel vulnerabilities

[USN-6686-1] Linux kernel vulnerabilities

[USN-6680-2] Linux kernel vulnerabilities

[USN-6681-2] Linux kernel vulnerabilities

[USN-6688-1] Linux kernel (OEM) vulnerabilities (03:32)

[USN-6682-1] Puma vulnerabilities (05:00)

[USN-6683-1] HtmlCleaner vulnerability (05:45)

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Java library for parsing HTML
  • DoS through crafted objects with cyclic dependencies

[USN-6684-1] ncurses vulnerability (06:01)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Possible issue when parsing terminfo files - these are generally trusted, and since the previous update for CVE-2023-29491 in [USN-6099-1] ncurses vulnerabilities from Episode 196, untrusted terminfo files are not parsed when the application is setuid root - so this has no real security impact

[USN-6685-1] mqtt-client vulnerability ()

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • Java MQTT client library
  • Unmarshalling a crafted MQTT frame could lead to an OOM exception -> DoS

[USN-6687-1] AccountsService vulnerability (07:25)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Oldest CVE this week?
  • Only fixed 1 year ago by upstream
  • To change a user's password, AccountsService would invoke usermod with the -p option and the new encrypted (crypt(3)-hashed, salted) password on the command line - as such any user on the system could see that hash by inspecting /proc/<pid>/cmdline
    • Very low risk since the process only exists for a very short time AND the password is already hashed
    • Fix: now invokes chpasswd and passes the new hashed password over standard input - an attacker would then need to ptrace the process to see it, which with YAMA ptrace_scope enabled by default in Ubuntu means being root (or a parent process of accountsservice, which is started by dbus for the current user)
    • So an attacker would have to be able to cause the existing accountsservice to stop and then start their own in order to see the new hash
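As an added illustration of the point above (this is not AccountsService code and not from the show), the following Python script spawns two child processes: one receives a stand-in secret as a command-line argument, the other over standard input, and the script reads each child's /proc/<pid>/cmdline exactly as any unprivileged local user could. The secret value and the use of a Python one-liner as the child (standing in for usermod/chpasswd) are constructed for the demo, and it assumes a Linux /proc filesystem. It also reports the current YAMA ptrace_scope, which is what stops the stdin-based variant from being read out of the child's memory by another unprivileged user.

```python
import subprocess
import sys

# Constructed stand-in for the crypt(3) hash that AccountsService hands to the
# password-changing helper; any value works for the demonstration.
SECRET = "$6$demo-salt$constructed-hash-value"

# A child that simply blocks on stdin, standing in for usermod/chpasswd so the
# process stays alive long enough for us to inspect it.
CHILD_CODE = "import sys; sys.stdin.read()"


def read_cmdline(pid: int) -> list:
    """Return the argv of another process from /proc/<pid>/cmdline (Linux).
    This file is world-readable, which is the whole problem."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def secret_in_argv_leaks() -> bool:
    """Old behaviour: secret passed as an argument (like `usermod -p <hash>`).
    Returns True if the secret is visible in /proc/<pid>/cmdline."""
    child = subprocess.Popen(
        [sys.executable, "-c", CHILD_CODE, "-p", SECRET], stdin=subprocess.PIPE
    )
    try:
        return SECRET in read_cmdline(child.pid)
    finally:
        child.stdin.close()  # EOF on stdin lets the child exit
        child.wait()


def secret_via_stdin_hidden() -> bool:
    """Fixed behaviour: secret written to the child's stdin (like chpasswd).
    Returns True if the secret is absent from /proc/<pid>/cmdline."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_CODE], stdin=subprocess.PIPE)
    try:
        child.stdin.write(f"user:{SECRET}\n".encode())
        child.stdin.flush()
        return SECRET not in read_cmdline(child.pid)
    finally:
        child.stdin.close()
        child.wait()


def ptrace_scope():
    """YAMA ptrace_scope: 0 = any same-uid process may ptrace (and so read the
    memory of) another; 1 (Ubuntu default) = only ancestors or root; 2/3 are
    stricter still. Returns None if YAMA is not present."""
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("hash visible in argv:", secret_in_argv_leaks())
    print("hash hidden via stdin:", secret_via_stdin_hidden())
    print("kernel.yama.ptrace_scope:", ptrace_scope())
```

Run it as an ordinary user; no privileges are needed because ps, pgrep and friends read the same /proc file. With ptrace_scope at 1 the stdin-fed child can only be inspected by its parent or root, which is the residual risk described above.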

[USN-6658-2] libxml2 vulnerability (09:41)

[USN-6690-1] Open vSwitch vulnerabilities (10:01)

[USN-6689-1] Rack vulnerabilities (10:41)

  • 3 CVEs addressed in Mantic (23.10)
  • Modular Ruby web server
  • Possible reflected DoS - a crafted Range header can result in unexpectedly large responses - can request (overlapping or repeated) ranges which add up to more than the file itself - so now just returns nothing and serves the plain resource instead
  • ReDoS in header parsing - used a regex to split options and strip whitespace - now just splits on a comma directly, then strips each piece separately
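An added example, not Rack's own code: a Python re-implementation of the two pieces of logic described above (Rack itself is Ruby; Python is used here for consistency with the other examples on this page). byte_ranges() parses an RFC 7233 bytes= Range header and refuses to build a multipart response whose total size exceeds the resource, which is the "return nothing" hardening; split_header_regex()/split_header_plain() contrast a regex split that goes quadratic on a long run of whitespace with a plain split on commas. The function names, the 1000-byte resource size and the sample header values are constructed for the example, and the exact regex Rack used is not on the page, so the one shown is a generic stand-in for the pattern.

```python
import re

# Constructed resource size used by the examples below.
RESOURCE_SIZE = 1000


def byte_ranges(range_header, size):
    """Parse an HTTP Range header (RFC 7233 'bytes=' form) for a resource of
    `size` bytes.

    Returns:
      None  -> ignore the header and serve the whole resource once (absent,
               malformed, or, per the hardening above, asking for more bytes in
               total than the resource holds)
      []    -> no satisfiable range (caller answers 416)
      list of (first, last) inclusive byte offsets otherwise
    """
    if not range_header:
        return None
    m = re.fullmatch(r"bytes=(.+)", range_header.strip())
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        r = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        if not r or r.group(1) == r.group(2) == "":
            return None  # malformed spec such as "-" or "a-b": ignore header
        first_s, last_s = r.groups()
        if first_s == "":
            # suffix range "-N": the final N bytes
            n = int(last_s)
            if n == 0:
                continue
            first, last = max(size - n, 0), size - 1
        else:
            first = int(first_s)
            last = size - 1 if last_s == "" else min(int(last_s), size - 1)
        if first <= last:
            ranges.append((first, last))
    if not ranges:
        return []
    # Reflected-DoS check: overlapping or repeated ranges ("bytes=0-,0-,0-")
    # would make the response far larger than the file. Refuse to amplify and
    # fall back to serving the plain resource once.
    if sum(last - first + 1 for first, last in ranges) > size:
        return None
    return ranges


# ReDoS-prone vs. linear splitting of a comma-separated header value.
SPLIT_RE = re.compile(r"\s*,\s*")


def split_header_regex(value):
    """Regex split (stand-in for the weak pattern). On a value made of tens of
    thousands of spaces with no comma, the engine re-scans the whitespace run
    from every start position: roughly quadratic work for a single header."""
    return [p.strip() for p in SPLIT_RE.split(value) if p.strip()]


def split_header_plain(value):
    """Linear alternative: split on the literal comma, strip each piece."""
    return [p.strip() for p in value.split(",") if p.strip()]


if __name__ == "__main__":
    print(byte_ranges("bytes=0-499,-100", RESOURCE_SIZE))   # two ranges, fine
    print(byte_ranges("bytes=0-,0-,0-", RESOURCE_SIZE))     # None: amplification
    print(split_header_plain("text/html , application/json,,  */*"))
```

The None-versus-empty-list distinction matters: an unsatisfiable request still gets a 416, but a request that is merely trying to inflate the response is quietly downgraded to a normal 200 for the whole resource, so the attacker gets no amplification.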

[USN-6656-2] PostgreSQL vulnerability (11:51)

[USN-6691-1] OVN vulnerability (12:00)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Enabled bidirectional forwarding detection (BFD) on logical ports - used to monitor the health of remote nodes and the tunnels between them
    • BFD packets are transmitted in-band in these tunnels along with other traffic, and OVN would process any BFD packet received on a tunnel where BFD was enabled
    • As such a remote attacker within a container/VM connected to an OVN logical switch port could craft BFD packets which would be tunnelled to and processed by another node, changing the BFD state of the tunnel and hence affecting future forwarding decisions - i.e. essentially a DoS of future traffic along the tunnel

[USN-6692-1] Gson vulnerability (13:04)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Java library for JSON serialisation/deserialisation to/from Java objects
  • Only affected Java serialisation - and then only when the caller was not careful and deserialised objects containing circular references between them

[USN-6693-1] .NET vulnerability (13:27)

  • 1 CVE addressed in Jammy (22.04 LTS), Mantic (23.10)
  • Patch Tuesday for dotnet7/8 - no real details from MS

[USN-6663-2] OpenSSL update (13:55)

  • Affecting Xenial ESM (16.04 ESM)
  • [USN-6663-1] OpenSSL update from Episode 220
  • Hardening update: RSA PKCS#1 v1.5 decryption now returns output (a synthetic message) instead of an error when the padding is wrong - removes a timing side-channel (padding oracle) that could otherwise be used to recover plaintexts
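An added sketch, not OpenSSL's code, of what "return output instead of an error" means for RSA PKCS#1 v1.5 decryption. Only the unpadding step is shown, operating on the already-decrypted encoded message EM: the strict variant raises on bad padding (the observable failure an oracle needs), while the hardened variant returns a synthetic message derived deterministically from the ciphertext with a secret key-derivation key, so repeated queries with the same ciphertext give the same answer and the caller never learns whether the padding was valid. The key-derivation key, the ciphertext bytes, the fixed padding bytes and the HMAC-SHA256 construction are all constructed for the example; a production implementation must additionally make the whole path constant-time, which this Python cannot guarantee.

```python
import hmac
import hashlib


def pkcs1_v15_unpad_strict(em: bytes) -> bytes:
    """Textbook PKCS#1 v1.5 type-2 unpadding.
    EM = 0x00 || 0x02 || PS || 0x00 || M, with PS at least 8 non-zero bytes.
    Raises ValueError on any defect - the signal a padding oracle relies on."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("invalid padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # -1 (no separator) or PS shorter than 8 bytes
        raise ValueError("invalid padding")
    return em[sep + 1:]


def pkcs1_v15_unpad_implicit(em: bytes, ciphertext: bytes, kdk: bytes) -> bytes:
    """Implicit rejection: the same call, but a malformed EM yields a synthetic
    message instead of an error. The synthetic message is a deterministic
    function of (kdk, ciphertext): stable across repeated queries, unrelated to
    the real plaintext, and unpredictable without kdk.
    `kdk` stands for a key-derivation key tied to the private key (constructed)."""
    try:
        return pkcs1_v15_unpad_strict(em)
    except ValueError:
        pass
    max_len = len(em) - 11  # longest message this EM could have carried
    prf = hmac.new(kdk, b"len" + ciphertext, hashlib.sha256).digest()
    synth_len = int.from_bytes(prf[:2], "big") % (max_len + 1)
    out = b""
    counter = 0
    while len(out) < synth_len:
        block = counter.to_bytes(4, "big") + ciphertext
        out += hmac.new(kdk, block, hashlib.sha256).digest()
        counter += 1
    return out[:synth_len]


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build a well-formed EM of length k with fixed (non-random) padding bytes,
    purely so the example is self-contained and deterministic."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long")
    return b"\x00\x02" + b"\xaa" * ps_len + b"\x00" + msg


# Constructed sample values: a 64-byte EM (512-bit modulus size), a fake
# ciphertext and a fake key-derivation key.
K = 64
KDK = b"constructed-key-derivation-key"
CIPHERTEXT = bytes(range(K))
GOOD_EM = pkcs1_v15_pad(b"attack at dawn", K)
BAD_EM = b"\x00\x03" + GOOD_EM[2:]  # wrong block type byte


def demo():
    """Returns (strict variant raised?, implicit output for BAD_EM, same again)."""
    try:
        pkcs1_v15_unpad_strict(BAD_EM)
        raised = False
    except ValueError:
        raised = True
    first = pkcs1_v15_unpad_implicit(BAD_EM, CIPHERTEXT, KDK)
    second = pkcs1_v15_unpad_implicit(BAD_EM, CIPHERTEXT, KDK)
    return raised, first, second


if __name__ == "__main__":
    raised, first, second = demo()
    print("strict raised:", raised)
    print("implicit returned same synthetic message twice:", first == second)
```

The determinism is the important design choice: if the fallback were fresh random bytes, an attacker could still distinguish valid from invalid padding by sending the same ciphertext twice and checking whether the answer changes.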

Goings on in Ubuntu Security Community

Ubuntu 23.10 to be a target in Pwn2Own Vancouver 2024 (14:26)

  • Part of CanSecWest in Vancouver March 20-22 2024
  • Ubuntu Desktop 23.10 target in Local Escalation of Privilege Category - must leverage a kernel vuln to escalate privs
  • Unfortunately the userns restrictions are not enabled by default in 23.10 (Mantic) so will be interesting to see what kinds of vulns get turned up
  • Will report back on findings in later episodes

Check Point Research report on Magnet Goblin’s Linux Malware Variants (15:42)

  • https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/
  • Check Point Research reported on recent attacks targeting Ivanti Connect Secure VPN by a threat actor they call Magnet Goblin
    • Ivanti Connect Secure VPN CVEs were made public in January and have been exploited in the wild
    • CPR decided to investigate a cluster of attacks
    • In doing so, they cover the details of Magnet Goblin's Nerbian family of malware
    • A report from Eclypsium suggests the appliance runs an old version of Linux
      • CentOS 6.4, which was released in 2013 and went officially end-of-life in 2020
        • Linux kernel 2.6.32 (EOL Feb 2016)
        • openssl 1.0.2n (EOL Dec 2017)
        • Perl 5.6.1 (EOL April 2001)
      • Clear then that the malware targets not only Ivanti Connect Secure but Linux hosts in general
    • CPR report includes the IOCs to look for - IP addresses / domains etc.
    • Then details the NerbianRAT malware
      • First disclosed in 2022 by ProofPoint when detailing the Windows variant
      • Earliest sample of this Linux variant is in an upload to VT from May 2022
      • But unlike the Windows variant, the Linux one does not include any hardening measures - it even has DWARF debugging info present, so it can easily be decompiled
      • Only anti-analysis trick is to check that no other instance of itself is running by trying to allocate a static shared memory segment - if this succeeds it assumes it is not already running and proceeds to:
        • collect basic info like current time, $USER, machine name etc
        • loads a public RSA key which is later used to encrypt network comms back to a hardcoded IP address used for C2
        • then loads config which allows to configure things like when to start / end, other C2 hosts to use, time to sleep during file transfers and more
        • for C2 uses raw TCP sockets and encrypts using the RSA key
        • waits for magic string which contains the command to run from C2
    • Also detail MiniNerbian, a simplified form for just command execution which uses HTTP and sends POST requests to a /dashboard/ endpoint - likely to try and hide its network traffic in plain sight (rather than the raw TCP sockets with the custom encrypted protocol employed by NerbianRAT)
  • For initial access, details are less clear but it appears to exploit vulns in Ivanti, Magento, Qlik Sense and possibly Apache ActiveMQ - dubbed 1-day exploits
  • What do we learn?
    • Device makers who use OSS need to keep it up-to-date (or build on top of systems like Ubuntu Core which come with OTA etc OOTB)
    • End-users of devices need to keep them up-to-date and deploy usual defence-in-depth practices (but this is hard when the device is intended to be deployed on the edge of a network - hard to add additional DiD to a VPN concentrator)

Get in contact