Overview

It’s the end of the year for official duties for the Ubuntu Security team so we
take a look back on the security highlights of 2024 for Ubuntu and predict what is coming in 2025.

2024 Year in Review for Ubuntu Security (00:55 )

full-disclosure necromancy with zombie CVEs

• full-disclosure spammed with zombie CVEs from Episode 217

Development of unprivileged user namespace restrictions for Ubuntu 24.04 LTS

• Updates for unprivileged user namespace restrictions in Ubuntu 24.04 LTS from Episode 218

Linux kernel becomes a CNA

• Linux kernel becomes a CNA from Episode 219


• Follow up to Linux kernel CNA from Episode 220

Ubuntu participates in Pwn2Own Vancouver

• Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 from Episode 223

xz-utils / SSH backdoor supply-chain attack

• xz-utils backdoor and Ubuntu from Episode 224


• Update on xz-utils from Episode 225

Linux Security Summit NA and EU

• Linux Security Summit NA 2024 from Episode 226


• Linux Security Summit Europe 2024 from Episode 237

Release of Ubuntu 24.04 LTS

• Ubuntu 24.04 LTS (Noble Numbat) released from Episode 227

regreSSHion remote unauthenticated code execution vulnerability in OpenSSH

• Deep-dive into regreSSHion - Remote Unauthenticated Code Execution Vulnerablity in OpenSSH from Episode 232

Various other high profile vulnerabilities

• Discussion of CVE-2024-5290 in wpa_supplicant from Episode 234


• Deep dive into needrestart local privilege escalation vulnerabilities from Episode 242

Ubuntu/Windows Dual-boot regression

• Reports of dual-boot Linux/Windows machines failing to boot from Episode 235

AppArmor-based snap file prompting experimental feature

• Ubuntu Security Center with snapd-based AppArmor home file access prompting preview from Episode 236


• Official announcement of Permissions Prompting in Ubuntu 24.10 from Episode 237

Predictions for 2025 (14:35 )

• Increased use of AI to both spam projects with hallucinated CVEs (e.g. curl)
  but also to “aid” in dealing with that spam
  
  
  
  • as the shine wears of AI likely expect OSS projects to ban contributions
    generated with the aid of AI - whether CVE reports or code
  
  
  • but also expect companies to try and prove the worth of AI by finding novel
    vulns -
    e.g. apparent first 0-day discovered with AI doing vuln research
    https://googleprojectzero.blogspot.com/2024/06/project-naptime.html
  
  
  • also more expected uses of AI like automating tasks used in the process of
    security-related SW dev - automatically generating fuzz targets and then
    improving the fuzz targets via AI as well
    https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
  
  
  
  


• More malware targeting Linux
  
  
  
  • didn’t mention it earlier but we covered a number of Linux malware teardowns
    this year and expect that trend to increase as Linux keeps growing in
    popularity
  
  
  
  


• Full LSM stacking still won’t make it into the upstream Linux kernel


• Integrity of code and data will play more of a role
  
  
  
  • both in terms of software supply chain and integrity of distro repos etc,
    but also efforts to try and guarantee the integrity of a Linux system
    itself - whether via new IPE LSM or other mechanisms - mainstream distros
    will start to care about integrity more
  
  
  
  


• More collaboration across distros to aid in efforts to collectively handle
  deluge of CVEs


• More efforts to try and fund OSS to learn from lessons of Heartbleed and xz-utils
  
  
  
  • some more and less successful
  
  
  
  


• More interesting vulns in more software
  
  
  
  • During 2024 Qualys have done some of the most interesting vuln research on
    Linux - expect more from them and from others (whether aided by AI or not)
  
  
  
  

Get in contact

• security@ubuntu.com


• #ubuntu-security on the Libera.Chat IRC network


• ubuntu-hardened mailing list


• Security section on discourse.ubuntu.com


• @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter