As announced previously, there was a security breach on the Ubuntu Forums. The Ubuntu Forums are now back up and running. What follows is a detailed post mortem of the breach and corrective actions taken by the Canonical IS team. In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings.
At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.
This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.
The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.
One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.
Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.
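The mitigation for this class of attack is to stop treating announcement bodies as trusted HTML: parse the markup and keep only an allowlist of tags and attributes, dropping script blocks, event-handler attributes and links with non-HTTP schemes. The following is an added example written for this post-mortem, not Canonical's or vBulletin's code; the allowed tag and attribute sets, the `SAFE_HREF_PREFIXES` policy and the sample announcement are assumptions constructed for illustration. It uses only the Python standard library's `html.parser`.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy for announcement bodies. These sets are an assumption of this
# example, not vBulletin's own configuration.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")
RAW_TEXT_TAGS = {"script", "style"}  # their contents are dropped, not just the tags


def _safe_href(value):
    """Accept a URL only if, after removing whitespace and control characters
    (which browsers tolerate inside a scheme), it starts with an allowlisted prefix."""
    compact = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace())
    return compact.lower().startswith(SAFE_HREF_PREFIXES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # audit trail of removed tags/attributes, for logging
        self._skip = 0       # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._skip:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, set())
            # on* handlers, style, src and unsafe hrefs all fall through here
            if not allowed or (name == "href" and not _safe_href(value)):
                self.dropped.append(f"{tag}[{name}]")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))  # text is always re-escaped

    def handle_comment(self, data):
        self.dropped.append("<!--...-->")  # comments (incl. conditional comments) are dropped


def sanitize_with_report(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()  # flushes buffered text when convert_charrefs=True
    return "".join(parser.out), parser.dropped


def sanitize(html):
    return sanitize_with_report(html)[0]


# Constructed sample announcement; the script and handlers are placeholders.
SAMPLE = (
    "<p>There is a <b>server error</b> on the announcement page.</p>"
    "<script>alert(document.cookie)</script>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">read more</a>'
    '<a href="https://ubuntuforums.org/" onclick="alert(1)">forum</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_with_report(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is worth writing to an application log: a moderator post that sheds a `<script>` block or an `onerror` attribute is exactly the kind of event that would have flagged the 14 July announcement before an administrator opened it. Pair the sanitizer with `HttpOnly` session cookies so that a script which does slip through cannot read `document.cookie`.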
Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user’ table to a file on disk which they then downloaded.
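A hook that executes PHP taken from a query-string argument leaves a recognisable trace in the web server's access logs: parameter values that contain PHP call syntax. The following detection is an added example for this post-mortem, not code from Canonical or vBulletin; the log lines, the parameter name `x`, the IP addresses (documentation ranges) and the list of flagged PHP functions are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines for illustration (not the Forums' real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2013:17:02:11 +0000] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2013:17:05:43 +0000] "GET /index.php?x=phpinfo%28%29%3B HTTP/1.1" 200 73400 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2013:17:06:02 +0000] "GET /showthread.php?t=2159&p=eval HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2013:17:09:30 +0000] "POST /index.php?x=system%28%27id%27%29%3B HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP constructs that have no business inside a query-string value of a forum.
# Requiring the opening parenthesis keeps an ordinary word such as a thread
# search for "eval" from matching.
PHP_CODE_RE = re.compile(
    r"(<\?php|\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"phpinfo|base64_decode|file_put_contents|include|require)\s*\()",
    re.IGNORECASE,
)


def suspicious_params(target):
    """Return [(param, decoded_value, matched_token)] for values containing PHP code."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes values
        m = PHP_CODE_RE.search(value)
        if m:
            hits.append((name, value, m.group(0)))
    return hits


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value, token in suspicious_params(m["target"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "param": name, "value": value, "token": token,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} param={f['param']!r} "
              f"token={f['token']!r} value={f['value']!r}")
```

This is a heuristic: it catches the plain probing described in the post-mortem but not encoded or POST-body payloads, and it only sees GET parameters unless request bodies are logged. It belongs alongside a control that does not depend on the attacker's style, such as periodically diffing the vBulletin hook and plugin tables against a known-good export and alerting on any row that was not added through change control.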
The attacker returned on 20 July to upload the defacement page.
The attacker had full access to the vBulletin environment as an administrator and shell access as the ‘www-data’ user on the Forums app servers.
Having administrator access to the vBulletin environment means they were able to read and write to any table in the Forums database.
They used this access to download the ‘user’ table which contained usernames, email addresses and salted and hashed (using md5) passwords for 1.82 million users.
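Salted MD5 is fast enough that a leaked table of 1.82 million hashes can be attacked offline at scale, so the remediation after such a leak is to force resets and move to a deliberately slow password hash. Applications that cannot reset everyone at once usually re-hash transparently: verify against the legacy format on login and, on success, store the password under the new scheme. The following is an added example for this post-mortem, not Canonical's or vBulletin's code. It assumes the legacy format is md5(md5(password) + salt), which is the construction vBulletin 3 and 4 used (the post-mortem itself only says "salted and hashed (using md5)"), and it uses PBKDF2-HMAC-SHA256 from the standard library as the replacement; the record encoding, the `USERS` table and its salt and password are constructed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; raise over time


def legacy_hash(password, salt):
    """Assumed legacy scheme: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def modern_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Self-describing record: scheme, iteration count, salt and derived key, so
    the cost can be raised later without another migration."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record, password):
    """Check a stored record in either format.
    Returns (ok, upgraded_record_or_None); a non-None second value means the
    caller must persist the new record."""
    scheme, rest = record.split("$", 1)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, _ = rest.split("$")
        candidate = modern_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, record), None
    if scheme == "md5":
        salt, digest = rest.split("$")
        if hmac.compare_digest(legacy_hash(password, salt), digest):
            return True, modern_hash(password)  # correct password: re-hash now
        return False, None
    raise ValueError(f"unknown hash scheme {scheme!r}")


def login(store, username, password):
    """Verify a login and transparently upgrade the stored hash on success."""
    record = store.get(username)
    if record is None:
        return False
    ok, upgraded = verify(record, password)
    if ok and upgraded:
        store[username] = upgraded
    return ok


# Constructed user table with one legacy record (salt and password are made up).
USERS = {"alice": "md5$Xy7q$" + legacy_hash("correct horse battery", "Xy7q")}

if __name__ == "__main__":
    store = dict(USERS)
    print("before:", store["alice"])
    print("login ok:", login(store, "alice", "correct horse battery"))
    print("after: ", store["alice"])
```

Two caveats for anyone applying this after a breach: the legacy records must still be treated as compromised until every user has logged in or been reset, because the upgrade only happens at login; and a slow hash raises the per-request cost of authentication, so the iteration count should be chosen against the login servers' capacity and then kept in the record, as above, so it can be increased later.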
We believe the attacker was NOT able to escalate past the ‘www-data’ user (i.e. gain root access) on the Forums app servers.
We believe the attacker was NOT able to escalate past remote SQL access to the Forums database on the Forums database servers.
We believe the attacker did NOT gain any access at all to the Forums front end servers.
We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.
We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.
We don’t know how the attacker gained access to the moderator account used to start the attack.
The announcement the attacker posted was deleted by one of the Forum administrators so we don’t know exactly what XSS attack was used.
Before bringing the Forums back online, we implemented a series of changes both designed to clean up after this attack and also to defend against and mitigate the fallout from possible attacks in the future.
Finally, we’d like once again to apologize for the security breach, the data leak and downtime.