It’s that time of the year again for a new release of Ubuntu Linux, and here at Mondoo, we’re going to continue our tradition of discovering what’s new in security. Ubuntu 23.04 may not bring revolutionary security changes, as it has only been 6 months since Ubuntu 22.10 came out, and not many core components have received major updates. However, Ubuntu 23.04 offers refinements to its predecessor, with plenty of patch release updates included. There are significant updates to popular bundled servers such as MariaDB, PostgreSQL, and Samba. Domain controller or database server users running Ubuntu should stay tuned for some good reasons to upgrade to 23.04.
The Linux kernel included in Ubuntu 23.04 has been upgraded from 5.19 to 6.2. Despite the major version bump, this upgrade consists mostly of the usual device support and performance improvements. There are, however, a few interesting security features such as KCFI support, Intel SGX2 support, and improved in-kernel encryption support.
One of the more interesting new security-focused features in this release is Kernel Control Flow Integrity (KCFI) support. This new CFI implementation can be enabled more easily, hardening the kernel against attacks that modify kernel control flow. See this excellent LWN.net article for a detailed look at how CFI protects the kernel.
This updated kernel release also includes support for Intel’s Software Guard Extensions 2 (SGX2) hardware secure memory feature which was introduced in the Gemini Lake/Ice Lake processors. SGX2 features an improved secure memory enclave that allows processes to encrypt memory space in order to prevent snooping. One particularly interesting use of this technology is encrypting VM memory space to prevent other system processes or VMs from being able to read the contents.
The last security-focused change in this kernel update is improved in-kernel encryption support. Kernel 6.2 includes support for HCTR2, a length-preserving encryption mode (the ciphertext is the same size as the plaintext) that works well with hardware acceleration on x86 and ARM processors. This release also adds support for ARIA-GCM as well as 256-bit TLS hardware offload.
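To check which of these options a given kernel build actually enables, here is an added POSIX shell script (not from the original post) that reads a kernel build config such as the /boot/config-$(uname -r) file Ubuntu ships. The Kconfig symbols are the upstream names (CONFIG_CFI_CLANG is the KCFI switch and needs a clang-built kernel, so a distribution kernel may well report "n"); whether a particular Ubuntu kernel sets them is something the script reports rather than assumes.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Reports the state of the kernel 6.2 security options discussed above
# by reading a kernel build config file (e.g. /boot/config-$(uname -r)).

# Print y, m or n for one CONFIG_ symbol in a kernel config file.
# Usage: kconfig_state <config-file> <CONFIG_SYMBOL>
kconfig_state() {
    if grep -q "^$2=y" "$1"; then
        echo y
    elif grep -q "^$2=m" "$1"; then
        echo m
    else
        echo n   # absent, or "# CONFIG_X is not set"
    fi
}

# One "label:symbol" entry per feature from the article (upstream Kconfig names).
FEATURES="KCFI (Clang control-flow integrity):CONFIG_CFI_CLANG
Intel SGX enclave driver:CONFIG_X86_SGX
HCTR2 length-preserving encryption:CONFIG_CRYPTO_HCTR2
ARIA cipher (used by ARIA-GCM):CONFIG_CRYPTO_ARIA"

# Print the number of listed features that are neither built in nor modular.
# Usage: missing_features <config-file>
missing_features() {
    cfg="$1"; missing=0
    for entry in $(printf '%s\n' "$FEATURES" | tr ' ' '_'); do
        sym="${entry##*:}"
        [ "$(kconfig_state "$cfg" "$sym")" = n ] && missing=$((missing + 1))
    done
    echo "$missing"
}

# Print a human-readable table for all features, then the missing count.
# Usage: kernel_security_report <config-file>
kernel_security_report() {
    cfg="$1"
    printf '%s\n' "$FEATURES" | while IFS=: read -r label sym; do
        printf '%-38s %-22s %s\n' "$label" "$sym" "$(kconfig_state "$cfg" "$sym")"
    done
    printf 'features not enabled: %s\n' "$(missing_features "$cfg")"
}

# Stand-alone run against the booted kernel, if its config is readable.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    kernel_security_report "$cfg"
fi
```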
systemd has been updated from 251 to 252 with a number of minor but interesting security improvements:
MariaDB has been updated from 10.6.12 all the way to 10.11.2, with a huge number of improvements to the database server including a large number of security improvements.
MariaDB now includes new data types and functions for storing and comparing advanced data formats. By moving potentially unaudited logic out of your application and into the database server, you may be able to avoid data handling vulnerabilities.
A large number of improvements have been made to enhance data security throughout MariaDB. SSL support is now enabled by default on the CLI, and the server will now fail to start if SSL has not been properly configured in the my.cnf file. A new `password_reuse_check` plugin prevents users from reusing passwords during password updates. A new `Hashicorp Key Management` plugin allows encrypting data in tables using HashiCorp Vault.
PostgreSQL has been upgraded from 14.7 to 15.2 with minor security improvements, mostly related to reducing the out-of-the-box DB privileges:
One of the biggest updates in Samba 4.17 is support for Kerberos 1.20, which has enabled several important features:
This release also includes the ability to entirely disable storing unsalted password hashes, adds support for the Protected Users security group introduced in Windows Server 2012 R2, and removes support for the LanMan authentication and password storage mechanisms.
Overall we think this release is well worth the effort to upgrade for desktop users and perhaps even some server users that are willing to brave the shorter support cycle of non-LTS Ubuntu releases.
Experience the simplicity of security by signing up for a free account on Mondoo!