Overview
It’s the end of the year of official duties for the Ubuntu Security team, so we
take a look back at the security highlights of 2024 for Ubuntu and predict what is coming in 2025.
2024 Year in Review for Ubuntu Security (00:55)
full-disclosure necromancy with zombie CVEs
- full-disclosure spammed with zombie CVEs from Episode 217
Development of unprivileged user namespace restrictions for Ubuntu 24.04 LTS
- Updates for unprivileged user namespace restrictions in Ubuntu 24.04 LTS from Episode 218
Linux kernel becomes a CNA
- Linux kernel becomes a CNA from Episode 219
- Follow up to Linux kernel CNA from Episode 220
Ubuntu participates in Pwn2Own Vancouver
- Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 from Episode 223
xz-utils / SSH backdoor supply-chain attack
- xz-utils backdoor and Ubuntu from Episode 224
- Update on xz-utils from Episode 225
Linux Security Summit NA and EU
- Linux Security Summit NA 2024 from Episode 226
- Linux Security Summit Europe 2024 from Episode 237
Release of Ubuntu 24.04 LTS
- Ubuntu 24.04 LTS (Noble Numbat) released from Episode 227
regreSSHion remote unauthenticated code execution vulnerability in OpenSSH
- Deep-dive into regreSSHion - Remote Unauthenticated Code Execution Vulnerability in OpenSSH from Episode 232
Various other high profile vulnerabilities
- Discussion of CVE-2024-5290 in wpa_supplicant from Episode 234
- Deep dive into needrestart local privilege escalation vulnerabilities from Episode 242
Ubuntu/Windows Dual-boot regression
- Reports of dual-boot Linux/Windows machines failing to boot from Episode 235
AppArmor-based snap file prompting experimental feature
- Ubuntu Security Center with snapd-based AppArmor home file access prompting preview from Episode 236
- Official announcement of Permissions Prompting in Ubuntu 24.10 from Episode 237
Predictions for 2025 (14:35)
- Increased use of AI, both to spam projects with hallucinated CVEs (e.g. curl)
and to “aid” in dealing with that spam
- As the shine wears off AI, expect OSS projects to ban contributions
generated with the aid of AI, whether CVE reports or code
- But also expect companies to try to prove the worth of AI by finding novel
vulns, e.g. the apparent first 0-day discovered with AI doing vuln research:
https://googleprojectzero.blogspot.com/2024/06/project-naptime.html
- Also more expected uses of AI, like automating tasks in the process of
security-related software development: automatically generating fuzz targets and then
improving those fuzz targets via AI as well:
https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
- More malware targeting Linux
- We didn’t mention it earlier, but we covered a number of Linux malware teardowns
this year and expect that trend to increase as Linux keeps growing in
popularity
- Full LSM stacking still won’t make it into the upstream Linux kernel
- Integrity of code and data will play more of a role
- Both in terms of the software supply chain and the integrity of distro repos etc.,
but also in efforts to guarantee the integrity of a Linux system
itself, whether via the new IPE LSM or other mechanisms; mainstream distros
will start to care about integrity more
- More collaboration across distros to aid in efforts to collectively handle the
deluge of CVEs
- More efforts to fund OSS, learning from the lessons of Heartbleed and xz-utils
- Some more successful than others
- More interesting vulns in more software
- During 2024 Qualys have done some of the most interesting vuln research on
Linux; expect more from them and from others (whether aided by AI or not)
Get in contact
- security@ubuntu.com
- #ubuntu-security on the Libera.Chat IRC network
- ubuntu-hardened mailing list
- Security section on discourse.ubuntu.com
- @ubuntusecurity@fosstodon.org, @ubuntu_sec on Twitter