[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background
Guy Baconniere
1867424 at bugs.launchpad.net
Fri Jun 5 13:38:03 UTC 2020
I recommend the following action points to restore a bit of trust in the Ubuntu product
after the introduction of motd-news by Dustin Kirkland (ex-VP Product at Canonical):
- Run all motd scripts including motd-news AND curl as a non-privileged
account -- not as root
- Move motd-news functionality from base-files to a removable package
called motd-news
- Set ENABLED to 0 by default on all Ubuntu distros, or at least ask for the user's consent
(during install and later with cloud-init)
- Remove private information from User-Agent (uptime, kernel version,
curl version, type of cloud) and stop using HTTPS headers such as User-Agent
as a proxy to exfiltrate sensitive information from Ubuntu
- Make the code behind https://motd.ubuntu.com auditable, signed and
open source
- Check the logs of https://motd.ubuntu.com to see if it has been compromised
in the last 3 years; if that is the case, report it so people can reinstall
their Ubuntu Server, Desktop, Laptop to restore trust
Currently Ubuntu users are trapped, as they can only disable motd-news but not uninstall it,
and any software update of base-files could bring back the security issue.
Anyone who has access to motd.ubuntu.com (or via DNS + MITM) could in
theory execute code on any Ubuntu if a serious vulnerability in curl has
been found or if the user did not update curl.
Running curl as root, reporting the curl version and the kernel version
gives all the information needed to implement a persistent backdoor in
any Ubuntu worldwide.
sudo apt-get purge base-files
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
base-files bash
0 upgraded, 0 newly installed, 5 to remove and 26 not upgraded.
After this operation, 4,525 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
?]
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowledge in background
Status in base-files package in Ubuntu:
Confirmed
Bug description:
In package base-files there is a script /etc/update-motd.d/50-motd-news
that harvests private hardware data from the machine and
transmits it in the background every day. There is no notice, no
consent, no nothing. This should be disabled by default until there
is informed consent.
The solution is simple:
1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.
Creating databases that map IP addresses to specific hardware is a
threat to both privacy and security. If an adversary knows the
specific hardware and the IP address for that hardware, their ability
to successfully attack it is greatly increased.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions
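Step 1 of the bug description (ENABLED=1 to ENABLED=0 in /etc/default/motd-news) as an added, runnable audit/remediation helper. This is example code written for this note, not from base-files or the bug report; it assumes, as 50-motd-news does, that an unset or non-"1" ENABLED means disabled, and takes the file path as a parameter so it can be exercised on a copy.

```shell
#!/bin/sh
# Audit and remediation helpers for /etc/default/motd-news (constructed example).
# The defaults file is shell syntax that 50-motd-news sources; we parse it with
# sed instead of sourcing it, so auditing never executes whatever else it holds.

# motd_news_enabled [file]: exit 0 if the effective ENABLED value is 1,
# exit 1 if it is anything else or the file is missing (the script's own
# behaviour: unset ENABLED means "do nothing" -- assumption, see lead-in).
motd_news_enabled() {
    file="${1:-/etc/default/motd-news}"
    [ -r "$file" ] || return 1
    # Last uncommented assignment wins, as it would when sourced; strip optional
    # quotes and an optional trailing comment.
    val=$(sed -n "s/^[[:space:]]*ENABLED=[\"']\{0,1\}\([0-9]*\)[\"']\{0,1\}[[:space:]]*\(#.*\)\{0,1\}\$/\1/p" "$file" | tail -n 1)
    [ "${val:-0}" = "1" ]
}

# motd_news_disable [file]: rewrite every ENABLED= assignment to ENABLED=0,
# appending one if none exists, while keeping comments and other settings.
# Writing through cat preserves the file's ownership and mode (unlike mv).
motd_news_disable() {
    file="${1:-/etc/default/motd-news}"
    tmp=$(mktemp) || return 1
    if [ -r "$file" ]; then
        sed 's/^[[:space:]]*ENABLED=.*/ENABLED=0/' "$file" > "$tmp"
    fi
    grep -q '^ENABLED=' "$tmp" || echo 'ENABLED=0' >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage against the live file (needs root to write):
#   motd_news_enabled && motd_news_disable
```

Run the audit function on its own from a monitoring job to catch a base-files update flipping the flag back on, which is the regression the comment above worries about.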