It’s that time of the year again for a new release of Ubuntu Linux, and here at Mondoo, we’re going to continue our tradition of discovering what’s new in security. Ubuntu 23.04 may not bring revolutionary security changes, as it has only been 6 months since Ubuntu 22.10 came out, and not many core components have received major updates. However, Ubuntu 23.04 offers refinements to its predecessor, with plenty of patch release updates included. There are significant updates to popular bundled servers such as MariaDB, PostgreSQL, and Samba. Domain controller or database server users running Ubuntu should stay tuned for some good reasons to upgrade to 23.04.
Linux Kernel 6.2
The kernel in Ubuntu 23.04 has been upgraded from 5.19 to 6.2. Despite the major version bump, this upgrade brings mostly the usual device support and performance improvements. There are, however, a few interesting security features: KCFI support, Intel SGX2 support, and improved in-kernel encryption support.
One of the more interesting new security-focused features in this release is kernel Control Flow Integrity (KCFI) support. Unlike the earlier Clang CFI scheme, KCFI does not depend on link-time optimization, so it is much easier to enable (CONFIG_CFI_CLANG with a recent Clang on x86_64 and arm64). It instruments every indirect call to check that the target function's type hash matches the one expected at the call site, hardening the kernel against attacks that overwrite function pointers to redirect kernel control flow. See this excellent LWN.net article for a detailed look at how CFI protects the kernel.
This updated kernel release also includes support for Intel Software Guard Extensions 2 (SGX2), the enclave generation introduced with the Gemini Lake and Ice Lake processors. The new piece is Enclave Dynamic Memory Management (EDMM), which lets an enclave add, remove and re-protect pages at run time instead of fixing its entire memory layout when it is created. An SGX enclave gives a user-space process a region of encrypted memory that other processes, the kernel and even a hypervisor cannot read, which is what confidential-computing frameworks rely on to run sensitive code on hosts they do not trust. Note that SGX protects an enclave inside a process, not a whole VM; encrypting an entire guest's memory so that the host and other VMs cannot read it is the job of separate features such as Intel TDX or AMD SEV.
The last security-focused change in this kernel update is improved in-kernel encryption support. Kernel 6.2 includes HCTR2, a length-preserving mode (the ciphertext is exactly as long as the plaintext, so it fits where a size-expanding AEAD cannot, such as fscrypt filename encryption) that runs fast on x86 and ARM CPUs with AES and carry-less multiply instructions. This release also adds the ARIA-GCM cipher suites and kernel TLS (kTLS) hardware offload for 256-bit AES-GCM keys.
systemd 252
systemd has been updated from 251 to 252 with a number of minor but interesting security improvements:
- Communication between systemd and TPM2 devices now goes through an encrypted session established with a bind key, so that unlock secrets are not exposed to anyone snooping on the bus between the CPU and the TPM.
- systemd-resolved now keeps using DNS over TLS across a restart, and no longer fails hard when a nameserver uses an unrecognized protocol.
- systemd-networkd now supports passing values to the kernel's NetLabel subsystem via a new `NetLabel=` option.
- VM bootstrap configuration data can now be passed to systemd without cloud-init: the hypervisor places it in SMBIOS (DMI) type 11 OEM strings, which systemd reads as credentials at boot.
- The /etc/os-release spec now includes an optional SUPPORT_END field to expose distro EOL dates to tools like Mondoo. Thank you systemd team!
MariaDB 10.11
MariaDB has been updated from 10.6.12 all the way to 10.11.2, with a huge number of improvements to the database server, including a large number of security improvements.
MariaDB now includes native data types and functions for storing and comparing structured data. Letting the server validate and compare UUIDs, IP addresses and JSON documents, instead of hand-rolled parsing in the application, removes one class of data-handling bugs, and RANDOM_BYTES gives you a cryptographically secure source of random bytes for tokens and salts inside SQL:
- New UUID and INET4 data types
- RANDOM_BYTES function for generating random data from the TLS library's CSPRNG
- JSON_TABLE function to convert JSON documents into relational rows
- JSON_EQUALS function to compare JSON documents structurally
A large number of improvements have been made to enhance data security throughout MariaDB. TLS is now enabled by default in the command-line client, and the server will fail to start if TLS has not been properly configured in the my.cnf file, rather than silently falling back to plaintext. A new `password_reuse_check` plugin prevents users from reusing recent passwords when they change them. A new `hashicorp_key_management` plugin lets data-at-rest encryption keys for tables be held in HashiCorp Vault instead of on the database host.
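To make the new types and functions concrete, here is an added example (not from the original article, the Ubuntu release notes or the MariaDB project) that exercises them from a MariaDB 10.11 client. The table, column and policy values are illustrative.

```sql
-- Added example, not from the original article: MariaDB 10.11 features in use.
-- Table and column names (api_tokens, client_ip, ...) are illustrative.

-- UUID and INET4 are stored in binary form (16 and 4 bytes) and validated on
-- insert, so malformed values are rejected by the server in strict mode.
CREATE TABLE api_tokens (
    id         UUID  NOT NULL DEFAULT (UUID()) PRIMARY KEY,
    client_ip  INET4 NOT NULL,
    secret_hex CHAR(64) NOT NULL,
    meta       JSON  NOT NULL
);

-- RANDOM_BYTES() draws from the TLS library's CSPRNG (OpenSSL RAND_bytes);
-- RAND() is an ordinary PRNG and must never be used for secrets.
INSERT INTO api_tokens (client_ip, secret_hex, meta)
VALUES ('192.0.2.10', HEX(RANDOM_BYTES(32)),
        '{"owner":"svc-report","scopes":["read","write"]}');

-- INET4 compares numerically, so this is a real address range: '192.0.2.9'
-- sorts before '192.0.2.10' as an address even though it would not as a string.
SELECT id, client_ip
  FROM api_tokens
 WHERE client_ip BETWEEN '192.0.2.0' AND '192.0.2.255';

-- JSON_TABLE turns the scopes array into rows, so the authorization check is
-- an ordinary SQL predicate instead of substring matching in the application.
SELECT t.id, s.scope
  FROM api_tokens t,
       JSON_TABLE(t.meta, '$.scopes[*]'
                  COLUMNS (scope VARCHAR(32) PATH '$')) AS s
 WHERE s.scope = 'write';

-- JSON_EQUALS compares structurally: key order and whitespace are ignored,
-- which a plain string comparison of the two documents would get wrong.
SELECT JSON_EQUALS('{"a": 1, "b": [1, 2]}', '{"b":[1,2],"a":1}') AS same;

-- Password policy: load the plugin and refuse any password the account has
-- used within the last 365 days (0, the default, means "remember forever").
INSTALL SONAME 'password_reuse_check';
SET GLOBAL password_reuse_check_interval = 365;
```

The `password_reuse_check_interval` setting only takes effect for password changes made after the plugin is loaded; existing hashes are not retroactively recorded, so add it to my.cnf as well so it survives a restart.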
PostgreSQL 15
PostgreSQL has been upgraded from 14.7 to 15.2 with a number of security-relevant improvements, mostly aimed at reducing the privileges needed out of the box:
- random() uses a better generator (xoroshiro128**); it is still not cryptographically secure, so tokens and salts should continue to come from gen_random_uuid() or pgcrypto's gen_random_bytes()
- CREATE on the public schema is no longer granted to PUBLIC; only the database owner can create objects there unless access is granted explicitly
- Logical replication can no longer apply UPDATE or DELETE to a table unless the subscription owner also has SELECT on it, since both operations must read the existing rows
- EXECUTE on the pg_log_backend_memory_contexts() function can now be granted, so it can be run by non-superusers
- A new predefined role, pg_checkpoint, lets its members run CHECKPOINT, which previously required superuser privileges
- GRANT SET and GRANT ALTER SYSTEM on individual server parameters let non-superusers change specific settings without being handed superuser
- Members of the pg_write_server_files role can now perform server-side base backups, which previously required superuser privileges
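The privilege changes are easiest to appreciate as a least-privilege operations role built on PostgreSQL 15. The following is an added example, not part of the original article or the PostgreSQL documentation; the role, schema and table names and the password are illustrative placeholders.

```sql
-- Added example, not from the original article: a least-privilege operations
-- role using PostgreSQL 15 features. Names (ops_maint, app, orders) are illustrative.
CREATE ROLE ops_maint LOGIN PASSWORD 'replace-me';

-- Since 15, CREATE on schema public is no longer granted to PUBLIC, so give the
-- role its own schema rather than re-opening public for everyone.
CREATE SCHEMA app AUTHORIZATION ops_maint;

-- CHECKPOINT without superuser: membership in the new pg_checkpoint role.
GRANT pg_checkpoint TO ops_maint;

-- Server-side base backups (pg_basebackup --target=server:/path) now need
-- only pg_write_server_files, not superuser.
GRANT pg_write_server_files TO ops_maint;

-- Delegate individual settings instead of superuser: SET covers the session,
-- ALTER SYSTEM covers postgresql.auto.conf.
GRANT SET ON PARAMETER log_min_duration_statement TO ops_maint;
GRANT ALTER SYSTEM ON PARAMETER maintenance_work_mem TO ops_maint;

-- A diagnostics function that was superuser-only before 15.
GRANT EXECUTE ON FUNCTION pg_log_backend_memory_contexts(integer) TO ops_maint;

-- A subscription owner applying UPDATE/DELETE via logical replication must
-- also hold SELECT on the target table, so grant all three together.
CREATE TABLE app.orders (id bigint PRIMARY KEY, status text);
GRANT SELECT, UPDATE, DELETE ON app.orders TO ops_maint;

-- Audit what was delegated: predefined-role memberships and per-parameter ACLs.
SELECT m.rolname AS member_of
  FROM pg_auth_members am
  JOIN pg_roles r ON r.oid = am.member
  JOIN pg_roles m ON m.oid = am.roleid
 WHERE r.rolname = 'ops_maint';

SELECT parname, paracl FROM pg_parameter_acl;

-- random() is better in 15 but still not a CSPRNG; use these for secrets.
SELECT gen_random_uuid();                    -- built in since PostgreSQL 13
SELECT encode(gen_random_bytes(32), 'hex');  -- needs CREATE EXTENSION pgcrypto
```

Granting SET on a parameter only matters for settings that are normally superuser-only (such as log_min_duration_statement); ALTER SYSTEM can be delegated for any parameter, and pg_parameter_acl is the place to look when reviewing who was given either.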
Samba 4.17
One of the biggest updates in Samba 4.17 is support for MIT Kerberos 1.20, which has enabled several important features:
- Support for Resource Based Constrained Delegation (RBCD), which lets the owner of the back-end resource decide which front-end services may delegate to it, matching the model Windows Server 2012 introduced and complementing the classic constrained delegation that dates back to Windows Server 2003.
- Mitigation against the Bronze Bit attack (CVE-2020-17049), in which an attacker flips the forwardable flag on a service ticket to bypass delegation restrictions.
- Support for the S4U2Self and S4U2Proxy Kerberos extensions, which let a service obtain tickets on behalf of other users and are the building blocks of constrained delegation.
This release also adds the ability to stop storing unsalted password hashes entirely, supports the Protected Users security group introduced in Windows Server 2012 R2 (members cannot authenticate with NTLM, cannot be delegated and only receive AES Kerberos tickets, so check service accounts before adding them), and removes support for LanMan authentication and LM password hash storage.
Time to Upgrade
Overall we think this release is well worth the effort to upgrade for desktop users, and perhaps even for some server users who are willing to brave the nine-month support cycle of non-LTS Ubuntu releases.
Experience the simplicity of security by signing up for a free account on Mondoo!