Episode 243

Posted on Friday, Dec 20, 2024
It’s the end of the year for official duties for the Ubuntu Security team, so we take a look back at the security highlights of 2024 for Ubuntu and predict what is coming in 2025.

Show Notes

2024 Year in Review for Ubuntu Security (00:55)

  • Full-disclosure necromancy with zombie CVEs
  • Development of unprivileged user namespace restrictions for Ubuntu 24.04 LTS
  • Linux kernel becomes a CNA (CVE Numbering Authority)
  • Ubuntu participates in Pwn2Own Vancouver
  • xz-utils / SSH backdoor supply-chain attack
  • Linux Security Summit NA and EU
  • Release of Ubuntu 24.04 LTS
  • regreSSHion remote unauthenticated code execution vulnerability in OpenSSH
  • Various other high-profile vulnerabilities
  • Ubuntu/Windows dual-boot regression
  • AppArmor-based snap file prompting experimental feature

Predictions for 2025 (14:35)

  • Increased use of AI, both to spam projects with hallucinated CVEs (e.g. curl) and to “aid” in dealing with that spam
  • More malware targeting Linux
    • We didn’t mention it earlier, but we covered a number of Linux malware teardowns this year and expect that trend to increase as Linux keeps growing in popularity
  • Full LSM stacking still won’t make it into the upstream Linux kernel
  • Integrity of code and data will play more of a role
    • Both in terms of the software supply chain (including the integrity of distro repositories) and in terms of efforts to guarantee the integrity of a running Linux system itself, whether via the new IPE LSM or other mechanisms; mainstream distros will start to care more about integrity
  • More collaboration across distros to aid in efforts to collectively handle deluge of CVEs
  • More efforts to try and fund OSS to learn from lessons of Heartbleed and xz-utils
    • Some more successful than others
  • More interesting vulns in more software
    • During 2024 Qualys have done some of the most interesting vulnerability research on Linux; expect more from them and from others (whether aided by AI or not)

Get in contact