Welcome to the first post of our series based on the Ubuntu Security Podcast! I’m Alex Murray, the Tech Lead for the Ubuntu Security team at Canonical. Each month, I will be covering the most interesting security fixes around Ubuntu, as well as an in-depth discussion of the different vulnerabilities that we’ve been addressing. I will also talk a bit more about some of the other services that are related to security with Ubuntu, like kernel live patching, extended security maintenance, and more.
Apport: Ubuntu crash handler updated
This update concerns Apport, the Ubuntu crash handler. When an application crashes, Apport hooks into the kernel to find out what process stopped working properly. The kernel can then execute the crash handler to find out information regarding the faulty process and build up a crash report that can be sent to developers. Since Apport is run as root by the kernel, it needs to drop privileges so that it doesn’t overstep the bounds of the user whose application crashed and inadvertently collects more privileged information or enables a possible root privilege escalation attack. That’s what different vulnerabilities often try to exploit, and the one we fixed recently was in the same vein.
As I said, when Apport runs, it tries to read information about the process and the various files in the proc file system. It figures out things like which user ID the process is running as, and then it drops privileges to run as that user before finding out other details about the process. Unfortunately, the attackers realized that if you could manipulate certain files there, even things like the process name, Apport would then get confused while trying to figure out what the details of the process were, and in the end, fail to properly drop privileges. As a result, an attacker could possibly then get code execution as root.
We worked with the researchers who found this vulnerability after they reported these via Launchpad to us. In particular, Senior Engineer Marc Deslauriers on our team worked with them to mitigate these vulnerabilities in Apport.
The other thing I wanted to talk about in this episode was an update that was recently announced for Libgcrypt, a cryptography library that we ship in Ubuntu. Normally, these are the kind of things that we would actually push out updates for but by a stroke of luck, this time, Ubuntu has not been affected by this one.
The vulnerability was found in the latest version of Libgcrypt 1.9.0 by Tavis Ormandy from Google Project Zero. The problem stemmed from a heap buffer overflow where a user could overwrite the buffer contained inside another structure that was followed by a function pointer. As such since an attacker could overrun the bounds of that buffer, keep going past the end of that, and then overwrite the function pointer itself. As this function pointer is then automatically called by Libgcrypt, and the attacker can rewrite that to point somewhere else, they could very easily get remote code execution if libgcrypt was decrypting attacker-controlled data.
Luckily, Ubuntu has not been affected by this since this vulnerability only exists in the latest version of libgcrypt 1.9.0 that was released earlier in January 2021. Even on the current development release of Ubuntu 21.04, Hirsute Hippo, we only use version 1.8.7. So we were lucky not to be affected by this.
Zero days and missing patches: a compromise
To follow on from the above discussion of libgcrypt, it is interesting to consider that most vulnerabilities usually affect more than just the latest releases. Yet there are still some of them, like this one, that only affects the very latest version. This leads to an interesting thought experiment: if you are running the latest version of everything that you can this should then mean you are patched against all of the vulnerabilities that have been found in the past. But you are now also running the latest greatest code that may have newly introduced vulnerabilities that have yet to be discovered lurking within it – aka. zero-day vulnerabilities. And that is a potential threat.
If you think of the other option though, where you are running older versions of software and you are not patching or updating them, then you’re never getting fixes, and so you are obviously worse off.
The best spot here could be to adopt a strategy similar to what we do with Ubuntu: we choose a stable release of something, which means that the end-user isn’t constantly getting new version upgrades that would require applications to be rewritten to deal with changes in behavior or regressions. We then patch vulnerabilities that are affected on top of it and we keep patching them as they are discovered. This middle-road approach ensures that people using Ubuntu are as safe as they can be.
The Ubuntu Security Podcast
If you want to have the full breakdown of our latest updates and patches, check out the Ubuntu Security Podcast on Spotify, Apple Podcast, Google Podcast, and Pocket Casts! And if you want to get in contact with us, you can find us on Twitter at @ubuntu_sec.