Episode 225

Posted on Friday, Apr 12, 2024
This week we cover the recent reports of a new local privilege escalation exploit against the Linux kernel, follow-up on the xz-utils backdoor from last week and it’s the beta release of Ubuntu 24.04 LTS - plus we talk security vulnerabilities in the X Server, Django, util-linux and more.

Show Notes

This week in Ubuntu Security Updates

76 unique CVEs addressed

[LSN-0102-1] Linux kernel vulnerability (00:53)

Kernel type 22.04 20.04 18.04 16.04 14.04
aws 102.1 102.1 102.1 102.1
aws-5.15 102.1
aws-5.4 102.1
aws-6.5 102.1
aws-hwe 102.1
azure 102.1 102.1 102.1
azure-4.15 102.1
azure-5.4 102.1
azure-6.5 102.1
gcp 102.1 102.1 102.1
gcp-4.15 102.1
gcp-5.15 102.1
gcp-5.4 102.1
gcp-6.5 102.1
generic-4.15 102.1 102.1
generic-4.4 102.1 102.1
generic-5.15 102.1
generic-5.4 102.1 102.1
gke 102.1 102.1
gke-5.15 102.1
gkeop 102.1
hwe-6.5 102.1
ibm 102.1 102.1
ibm-5.15 102.1
linux 102.1
lowlatency 102.1
lowlatency-4.15 102.1 102.1
lowlatency-4.4 102.1 102.1
lowlatency-5.15 102.1
lowlatency-5.4 102.1 102.1
canonical-livepatch status

[USN-6710-2] Firefox regressions (01:54)

  • 2 CVEs addressed in Focal (20.04 LTS)
  • 124.0.2
    • In particular, fixes to allow Firefox, when installed directly from Mozilla, to work under 24.04 LTS with the new AppArmor user namespace restrictions
    • As discussed in previous episodes, the default profile allows a user namespace to be created but blocks the process from gaining additional capabilities within it. Firefox previously tried to create a new user namespace and a new PID namespace in a single call, which was denied outright (the PID namespace requires CAP_SYS_ADMIN). 124.0.2 splits this into two separate calls so the user namespace succeeds while the PID namespace is denied; Firefox then correctly detects this and falls back to the correct behaviour
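The two approaches described above, as an added example that is not Firefox or Ubuntu code: one probe issues the combined `unshare(CLONE_NEWUSER | CLONE_NEWPID)` call, the other issues the two calls separately and reports which namespace was refused, so a sandbox can fall back deliberately. Both probes run in a forked child so the calling process keeps its own namespaces. What the probes report depends on the host's kernel, AppArmor and seccomp configuration; the enum names and the `probe_*` helpers are this example's own.

```c
/* Added example, not Firefox or Ubuntu code: probe how a sandbox that wants
 * a user namespace plus a PID namespace behaves when the PID namespace is
 * refused. child_combined() mirrors the single-call approach described above;
 * child_split() mirrors the two-call fix. Results depend on the host's
 * kernel, AppArmor and seccomp configuration. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* In case _GNU_SOURCE was defined too late for <sched.h> to expose these. */
int unshare(int flags);
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif

enum sandbox_mode {
    SANDBOX_USERNS_AND_PIDNS = 0, /* both namespaces created */
    SANDBOX_USERNS_ONLY      = 1, /* userns ok, pidns refused (e.g. CAP_SYS_ADMIN denied) */
    SANDBOX_NONE             = 2, /* even the userns was refused */
    SANDBOX_PROBE_FAILED     = 3  /* fork/wait failed, result unknown */
};

/* One combined call: if the PID namespace part is refused, the whole call
 * fails and no user namespace is created either. Exits with 0 or errno. */
static void child_combined(void)
{
    int rc = unshare(CLONE_NEWUSER | CLONE_NEWPID);
    _exit(rc == 0 ? 0 : errno);
}

/* Two separate calls: the userns can succeed on its own and a refused pidns
 * is detected independently, so the caller can fall back deliberately. */
static void child_split(void)
{
    if (unshare(CLONE_NEWUSER) != 0)
        _exit(SANDBOX_NONE);
    if (unshare(CLONE_NEWPID) != 0)
        _exit(SANDBOX_USERNS_ONLY);   /* typically EPERM from the LSM */
    _exit(SANDBOX_USERNS_AND_PIDNS);
}

/* Run fn in a forked child and return its exit status, or -1 on probe failure. */
static int run_probe(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn();
        _exit(SANDBOX_PROBE_FAILED);  /* not reached: fn always exits */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* 0 if userns+pidns succeed in one unshare() call, the errno it failed with, or -1. */
int probe_combined(void)
{
    return run_probe(child_combined);
}

enum sandbox_mode probe_split(void)
{
    int rc = run_probe(child_split);
    return rc < 0 ? SANDBOX_PROBE_FAILED : (enum sandbox_mode)rc;
}

int main(void)
{
    int combined = probe_combined();
    enum sandbox_mode split = probe_split();
    printf("combined unshare(CLONE_NEWUSER|CLONE_NEWPID): %s\n",
           combined == 0 ? "ok" : combined > 0 ? strerror(combined) : "probe failed");
    printf("split: %s\n",
           split == SANDBOX_USERNS_AND_PIDNS ? "userns + pidns" :
           split == SANDBOX_USERNS_ONLY ? "userns only (fall back without pidns)" :
           split == SANDBOX_NONE ? "no userns" : "probe failed");
    return 0;
}
```

On a host where the userns is allowed but the capability is denied, the combined probe reports EPERM while the split probe reports "userns only", which is exactly the situation the Firefox change detects.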

[USN-6721-1] X.Org X Server vulnerabilities (04:11)

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Various out-of-bounds reads -> crash / info leak when handling byte-swapped length values; easily triggered by a client whose endianness differs from the X server's, since the server then has to byte-swap request fields on the client's behalf
  • Use-after-free in glyph handling -> crash / possible code execution
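A simplified model of the byte-swap bug class, as an added example that is not X.Org code: a toy request carries a 16-bit element count, and when the client's endianness differs from the server's the server swaps that field. The vulnerable handler bounds-checks the raw value but iterates over the swapped one, so a count that reads as 1 in host order swaps to 256 and drives the loop past the request. The fixed handler swaps first and validates the value it actually uses. The request layout, the `handle_*` functions and the sample bytes are this example's own; the over-read is kept inside a larger backing buffer so the demo is memory-safe to run.

```c
/* Added example, not X.Org code: the byte-swapped length bug pattern.
 * Request layout (invented for the demo): opcode(1) pad(1) count(2),
 * followed by count * 4 bytes of data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4u

static uint16_t bswap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

static uint16_t read_count(const uint8_t *req)
{
    uint16_t c;
    memcpy(&c, req + 2, sizeof c);   /* host byte order, exactly as stored */
    return c;
}

/* Vulnerable pattern. Returns the number of bytes touched; anything above
 * req_len was read from beyond the request (an info leak or crash in a real
 * server). backing_len is a demo-only guard, not part of the pattern. */
size_t handle_vulnerable(const uint8_t *backing, size_t backing_len,
                         size_t req_len, bool client_swapped)
{
    if (req_len < HDR_LEN || backing_len < req_len)
        return 0;
    uint16_t count = read_count(backing);
    if (HDR_LEN + (size_t)count * 4 > req_len)   /* bounds check on the RAW value */
        return 0;
    if (client_swapped)
        count = bswap16(count);                   /* ...but the loop uses the SWAPPED one */
    size_t touched = HDR_LEN;
    for (size_t i = 0; i < count; i++) {
        size_t off = HDR_LEN + i * 4;
        if (off + 4 > backing_len)                /* demo guard only */
            break;
        uint32_t v;
        memcpy(&v, backing + off, sizeof v);      /* the server would now act on v */
        (void)v;
        touched = off + 4;
    }
    return touched;
}

/* Fixed pattern: swap first, then validate the value that is actually used. */
size_t handle_fixed(const uint8_t *req, size_t req_len, bool client_swapped)
{
    if (req_len < HDR_LEN)
        return 0;
    uint16_t count = read_count(req);
    if (client_swapped)
        count = bswap16(count);
    if (HDR_LEN + (size_t)count * 4 > req_len)   /* reject the malformed request */
        return 0;
    return HDR_LEN + (size_t)count * 4;            /* every read stays in bounds */
}

/* Constructed input: count is 1 in host order (so the raw check passes) but
 * swaps to 256. One 4-byte element follows, so the request is 8 bytes; the
 * rest of the backing buffer stands in for whatever follows it in memory. */
#define REQ_LEN 8u
#define BACKING_LEN 64u

static const uint8_t *sample_backing(void)
{
    static uint8_t backing[BACKING_LEN];
    uint16_t one = 1;
    memset(backing, 0x41, sizeof backing);
    backing[0] = 0x2a;                 /* opcode */
    backing[1] = 0x00;                 /* pad */
    memcpy(backing + 2, &one, 2);      /* count = 1 in host order */
    memcpy(backing + 4, "\xde\xad\xbe\xef", 4);
    return backing;
}

size_t vulnerable_bytes_touched(void)
{
    return handle_vulnerable(sample_backing(), BACKING_LEN, REQ_LEN, true);
}
size_t fixed_bytes_touched_swapped(void) { return handle_fixed(sample_backing(), REQ_LEN, true); }
size_t fixed_bytes_touched_native(void)  { return handle_fixed(sample_backing(), REQ_LEN, false); }

int main(void)
{
    printf("request is %u bytes; vulnerable swapped handler touched %zu bytes\n",
           REQ_LEN, vulnerable_bytes_touched());
    printf("fixed handler: swapped -> %zu (rejected), native -> %zu\n",
           fixed_bytes_touched_swapped(), fixed_bytes_touched_native());
    return 0;
}
```

The vulnerable handler reads to the end of the 64-byte backing buffer on an 8-byte request; the fixed one rejects the same bytes from a swapped client and accepts them from a native one.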

[USN-6721-2] X.Org X Server regression

[USN-6722-1] Django vulnerability (05:19)

  • 1 CVE addressed in Trusty ESM (14.04 ESM)
  • Possible account takeover via password reset: a case transformation was applied to the Unicode email address, so if an attacker could register an email address that matched the intended target's after this transformation, the reset mail could go to the attacker. The fix simply discards the transformed email address and sends to the one registered by the user

[USN-6723-1] Bind vulnerabilities (06:11)

[USN-6724-1] Linux kernel vulnerabilities (06:27)

[USN-6725-1] Linux kernel vulnerabilities

[USN-6726-1] Linux kernel vulnerabilities

[USN-6701-4] Linux kernel (Azure) vulnerabilities

[USN-6719-2] util-linux vulnerability (07:08)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • The initial fix in [USN-6719-1] util-linux vulnerability from Episode 224 tried to escape output to avoid injecting escape sequences into other users' terminals; as is often the case this turned out to be insufficient, so the setgid permission has now been removed from the wall and write binaries entirely, so they can only write to your own terminal rather than to all users

Goings on in Ubuntu Security Community

Reports of a new local root privilege escalation exploit against Linux kernel (08:32)

  • https://github.com/YuriiCrimson/ExploitGMStr
  • Ukrainian hacker YuriiCrimson
  • Has generated a lot of interest since, whilst there are always vulns / CVEs in the kernel, we don't see full PoCs much anymore
  • Originally developed an exploit against the n_gsm driver in the 6.4 and 6.5 kernels
  • Says they were contacted by another hacker, jmpeax (Jammes), who wanted to purchase the exploit
  • After selling it to them, it seems Jammes tried to pass it off as their own
    • https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit
    • https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
    • the commit timestamps of the purported copy by Jammes are all dated over 3 weeks ago
    • but the original is only 1 week old
    • so on the surface it would appear to be the other way around
    • however, Yurii posted a video of their interaction with Jammes on Telegram to try and prove their side
    • looking at the repo metadata at https://api.github.com/repos/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit shows the so-called copy was created on 22nd March
    • whereas Yurii's was created on 6th April - so it would appear that perhaps Jammes is the original author
    • can also compare the two exploits and see they are almost identical - but Jammes has an extra target for the 6.5.0-26-generic kernel from mantic
      diff -w <(curl -s https://raw.githubusercontent.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/main/main.c) <(curl -s https://raw.githubusercontent.com/YuriiCrimson/ExploitGSM/main/ExploitGSM_6_5/main.c)
      
    • who the actual author is remains unclear (also I don’t have telegram so couldn’t check the video)…
  • Regarding the actual vulnerability - it turns out there are at least 2, if not 3, in this module
  • Old CVE-2023-6546 - written up https://github.com/Nassim-Asrir/ZDI-24-020/
    • Fixed in 6.5-rc7
  • The one exploited by Yurii / Jammes in 6.4 and 6.5
  • An additional exploit by Yurii apparently targeting 5.15 to 6.1 - also in n_gsm
  • Mixed reports about whether this last exploit works, but reports that the one from Yurii/Jammes does work even on the latest upstream kernel
  • Waiting on a fix from upstream to then integrate in Ubuntu kernels
  • Interestingly these exploits all use the same basic info leak from Xen: the world-readable /sys/kernel/notes contains the Xen ELF note with the relocated address of the startup_xen function, which allows KASLR to be broken
  • Reports this was known since at least 2020
  • Many eyes…?
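The info leak described above, as an added example that is not code from either exploit repo: /sys/kernel/notes exposes the kernel's ELF note section, and the Xen entry-point note (name "Xen", type XEN_ELFNOTE_ENTRY = 1, per the Xen ELF note convention) carries the runtime address of startup_xen. Subtracting the unrelocated address of the same symbol from System.map gives the KASLR slide. The parser walks the notes defensively; the sample note stream, the System.map value and the "leaked" address are constructed for the demo, not real values.

```c
/* Added example, not from the exploits discussed: parse the ELF note stream
 * from /sys/kernel/notes, extract the Xen ENTRY note, derive the KASLR slide. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XEN_ELFNOTE_ENTRY 1u

/* ASSUMED System.map value for startup_xen; take it from your own vmlinux. */
#define ASSUMED_SYSTEM_MAP_STARTUP_XEN 0xffffffff81000180ULL

static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Records are Elf64_Nhdr: namesz, descsz, type (native-endian uint32), then
 * name and desc each padded to 4 bytes. Returns 1 and stores the address if
 * the Xen ENTRY note is found, 0 if absent or the stream is truncated. */
int find_xen_entry(const uint8_t *notes, size_t len, uint64_t *addr)
{
    size_t off = 0;
    while (len - off >= 12) {
        uint32_t namesz, descsz, type;
        memcpy(&namesz, notes + off, 4);
        memcpy(&descsz, notes + off + 4, 4);
        memcpy(&type, notes + off + 8, 4);
        size_t name_off = off + 12;
        size_t desc_off = name_off + align4(namesz);
        size_t next = desc_off + align4(descsz);
        /* reject truncated or wrapping sizes before touching the bytes */
        if (desc_off < name_off || next < desc_off || next > len)
            return 0;
        if (type == XEN_ELFNOTE_ENTRY && descsz == 8 &&
            namesz == 4 && memcmp(notes + name_off, "Xen", 4) == 0) {
            memcpy(addr, notes + desc_off, 8);
            return 1;
        }
        off = next;
    }
    return 0;
}

uint64_t kaslr_slide(uint64_t leaked, uint64_t unrelocated)
{
    return leaked - unrelocated;
}

/* --- constructed sample standing in for a real /sys/kernel/notes --- */

static size_t put_note(uint8_t *out, const char *name, uint32_t type,
                       const void *desc, uint32_t descsz)
{
    uint32_t namesz = (uint32_t)strlen(name) + 1;
    memcpy(out, &namesz, 4);
    memcpy(out + 4, &descsz, 4);
    memcpy(out + 8, &type, 4);
    memset(out + 12, 0, align4(namesz));
    memcpy(out + 12, name, namesz);
    memset(out + 12 + align4(namesz), 0, align4(descsz));
    memcpy(out + 12 + align4(namesz), desc, descsz);
    return 12 + align4(namesz) + align4(descsz);
}

#define SAMPLE_LEAKED_STARTUP_XEN 0xffffffffa3400180ULL   /* made-up relocated address */

size_t build_sample_notes(uint8_t *buf)
{
    uint32_t version = 0x060500;   /* a "Linux" version note first, as a real kernel has */
    uint64_t entry = SAMPLE_LEAKED_STARTUP_XEN;
    size_t n = put_note(buf, "Linux", 0, &version, 4);
    n += put_note(buf + n, "Xen", XEN_ELFNOTE_ENTRY, &entry, 8);
    return n;
}

uint64_t sample_leaked_address(void)
{
    uint8_t buf[128];
    size_t n = build_sample_notes(buf);
    uint64_t addr = 0;
    return find_xen_entry(buf, n, &addr) ? addr : 0;
}

uint64_t sample_slide(void)
{
    return kaslr_slide(sample_leaked_address(), ASSUMED_SYSTEM_MAP_STARTUP_XEN);
}

int truncated_sample_rejected(void)
{
    uint8_t buf[128];
    size_t n = build_sample_notes(buf);
    uint64_t addr = 0;
    return find_xen_entry(buf, n - 4, &addr) == 0;   /* cut into the Xen descriptor */
}

int main(void)
{
    uint8_t buf[4096];
    size_t n = 0;
    FILE *f = fopen("/sys/kernel/notes", "rb");
    if (f) { n = fread(buf, 1, sizeof buf, f); fclose(f); }
    uint64_t addr;
    if (n && find_xen_entry(buf, n, &addr))
        printf("startup_xen from /sys/kernel/notes: 0x%llx\n", (unsigned long long)addr);
    else
        printf("no Xen ENTRY note readable here; sample leak 0x%llx -> slide 0x%llx\n",
               (unsigned long long)sample_leaked_address(), (unsigned long long)sample_slide());
    return 0;
}
```

On a CONFIG_XEN kernel with a readable /sys/kernel/notes the first branch prints the live address; on anything else the constructed sample shows the arithmetic, where the slide comes out as a 2 MiB-aligned offset as KASLR produces.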

Ubuntu 24.04 LTS (Noble Numbat) Beta released (14:01)

Update on xz-utils (15:18)

  • When we talked about xz-utils last week, we didn't really talk much about the main upstream developer, Lasse Collin
  • Thought it could be interesting to dive into how they essentially got compromised by this actor - but that is perhaps done better by others - go listen to the latest episode of Between Two Nerds from Tom Uren and The Grugq (https://risky.biz/BTN74/) talking about the tradecraft used to infiltrate the project and comparing this against the more traditional HUMINT elements
  • Lasse Collin's GitHub account and the GitHub project for xz were reinstated
  • Backdoor removed
  • Great sense of humour:
    • The executable payloads were embedded as binary blobs in the test files. This was a blatant violation of the Debian Free Software Guidelines.
    • On machines that see lots of bots poking at the SSH port, the backdoor noticeably increased CPU load, resulting in degraded user experience and thus overwhelmingly negative user feedback.
    • The maintainer who added the backdoor has disappeared.
    • Backdoors are bad for security.

  • Also removed the ifunc (indirect function) support - ostensibly used to allow a developer to provide multiple implementations of a given function and select between them at runtime (in this case an optimised CRC implementation) - but abused by the backdoor: the ifunc resolver runs inside the dynamic loader, early enough to hook into and replace entries in the global symbol table before the loader makes it read-only
    • Says this was not done for security reasons but because it makes the code harder to maintain, but it is clearly a good win for security
  • Lasse still plans to write an article on the backdoor etc. but is more focused on cleaning up the upstream repo first - the next version is likely to be 5.8.0
  • Watch this space…
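The ifunc mechanism removed from xz, shown in miniature as an added example that is not xz-utils code: `crc32_dispatch` has no body of its own, and the dynamic loader calls `resolve_crc32()` to decide which implementation the symbol is bound to. The point is that the resolver is ordinary code run by the loader while relocations are still being written, which is the property the backdoor abused; the example does not replicate the backdoor's hooking. The selection condition is a stand-in for a CPU-feature check, the real ifunc path needs glibc on ELF (elsewhere a function pointer emulates it), and the two CRC implementations and function names are this example's own.

```c
/* Added example, not xz-utils code: GNU ifunc in miniature. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t crc32_fn(const uint8_t *buf, size_t len, uint32_t crc);

int resolver_calls = 0;   /* records that (and how often) the resolver ran */

/* Portable bit-at-a-time CRC-32 (IEEE 802.3, reflected, poly 0xEDB88320). */
static uint32_t crc32_generic(const uint8_t *buf, size_t len, uint32_t crc)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Table-driven variant: the kind of "optimised" path ifunc exists to select. */
static uint32_t crc32_table(const uint8_t *buf, size_t len, uint32_t crc)
{
    static uint32_t table[256];
    if (table[255] == 0) {                        /* build the table once */
        for (uint32_t n = 0; n < 256; n++) {
            uint32_t c = n;
            for (int k = 0; k < 8; k++)
                c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
            table[n] = c;
        }
    }
    crc = ~crc;
    for (size_t i = 0; i < len; i++)
        crc = table[(crc ^ buf[i]) & 0xffu] ^ (crc >> 8);
    return ~crc;
}

/* The resolver: invoked by ld.so (at load with BIND_NOW, or lazily on the
 * first call), never by our own code. Whatever it does runs with the
 * loader's view of the process, before RELRO is applied. */
crc32_fn *resolve_crc32(void)
{
    resolver_calls++;
    /* stand-in for a cpuid / hwcap check */
    return sizeof(void *) >= 8 ? crc32_table : crc32_generic;
}

#if defined(__ELF__) && defined(__GLIBC__) && defined(__GNUC__)
/* Real ifunc: no body, the loader binds the symbol to the resolver's choice. */
uint32_t crc32_dispatch(const uint8_t *buf, size_t len, uint32_t crc)
    __attribute__((ifunc("resolve_crc32")));
#else
/* Emulation for toolchains without ifunc: choose on first call instead. */
uint32_t crc32_dispatch(const uint8_t *buf, size_t len, uint32_t crc)
{
    static crc32_fn *impl;
    if (!impl)
        impl = resolve_crc32();
    return impl(buf, len, crc);
}
#endif

/* CRC-32 of "123456789" is the standard check value 0xCBF43926. */
uint32_t crc32_check_value(void)
{
    return crc32_dispatch((const uint8_t *)"123456789", 9, 0);
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08x, resolver ran %d time(s)\n",
           crc32_check_value(), resolver_calls);
    return 0;
}
```

Building with `-Wl,-z,now` and a breakpoint on `resolve_crc32` shows it firing before `main`, inside the loader; that timing, not the CRC selection itself, is what made ifunc attractive to the backdoor and why dropping it simplifies both the build and the threat model.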

Get in contact