Episode 243

20 December 2024 • 24 min
Ubuntu Security Podcast
Overview
It’s the end of the year for official duties for the Ubuntu Security team, so we take a look back at the security highlights of 2024 for Ubuntu and predict what is coming in 2025.
2024 Year in Review for Ubuntu Security (00:55)

- full-disclosure necromancy with zombie CVEs
  - full-disclosure spammed with zombie CVEs from Episode 217
- Development of unprivileged user namespace restrictions for Ubuntu 24.04 LTS
  - Updates for unprivileged user namespace restrictions in Ubuntu 24.04 LTS from Episode 218
- Linux kernel becomes a CNA
  - Linux kernel becomes a CNA from Episode 219
  - Follow up to Linux kernel CNA from Episode 220
- Ubuntu participates in Pwn2Own Vancouver
  - Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 from Episode 223
- xz-utils / SSH backdoor supply-chain attack
  - xz-utils backdoor and Ubuntu from Episode 224
  - Update on xz-utils from Episode 225
- Linux Security Summit NA and EU
  - Linux Security Summit NA 2024 from Episode 226
  - Linux Security Summit Europe 2024 from Episode 237
- Release of Ubuntu 24.04 LTS
  - Ubuntu 24.04 LTS (Noble Numbat) released from Episode 227
- regreSSHion remote unauthenticated code execution vulnerability in OpenSSH
  - Deep-dive into regreSSHion - Remote Unauthenticated Code Execution Vulnerability in OpenSSH from Episode 232
- Various other high profile vulnerabilities
  - Discussion of CVE-2024-5290 in wpa_supplicant from Episode 234
  - Deep dive into needrestart local privilege escalation vulnerabilities from Episode 242
- Ubuntu/Windows dual-boot regression
  - Reports of dual-boot Linux/Windows machines failing to boot from Episode 235
- AppArmor-based snap file prompting experimental feature
  - Ubuntu Security Center with snapd-based AppArmor home file access prompting preview from Episode 236
  - Official announcement of Permissions Prompting in Ubuntu 24.10 from Episode 237

Predictions for 2025 (14:35)

- Increased use of AI both to spam projects with hallucinated CVEs (e.g. curl) and to “aid” in dealing with that spam
  - as the shine wears off AI, likely expect OSS projects to ban contributions generated with the aid of AI - whether CVE reports or code
  - but also expect companies to try and prove the worth of AI by finding novel vulns - e.g. apparent first 0-day discovered with AI doing vuln research https://googleprojectzero.blogspot.com/2024/06/project-naptime.html
  - also more expected uses of AI, like automating tasks used in the process of security-related SW dev - automatically generating fuzz targets and then improving the fuzz targets via AI as well https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
- More malware targeting Linux
  - didn’t mention it earlier, but we covered a number of Linux malware teardowns this year and expect that trend to increase as Linux keeps growing in popularity
- Full LSM stacking still won’t make it into the upstream Linux kernel
- Integrity of code and data will play more of a role
  - both in terms of software supply chain and integrity of distro repos etc., but also efforts to try and guarantee the integrity of a Linux system itself - whether via the new IPE LSM or other mechanisms - mainstream distros will start to care about integrity more
- More collaboration across distros to aid in efforts to collectively handle the deluge of CVEs
- More efforts to try and fund OSS, to learn from the lessons of Heartbleed and xz-utils
  - some more and some less successful
- More interesting vulns in more software
  - During 2024 Qualys have done some of the most interesting vuln research on Linux - expect more from them and from others (whether aided by AI or not)

Get in contact

- security@ubuntu.com
- #ubuntu-security on the Libera.Chat IRC network
- ubuntu-hardened mailing list
- Security section on discourse.ubuntu.com
- @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter