I can confirm that the latest apt-get update to Ubuntu 24.04 as of a few minutes ago is disabling the aead module.
For an un-updated system, running python3 copy_fail_exp.py gets you a root shell. For an updated system it gets an error. For Ubuntu 26.04 it merely asks for the root password.

Ted

-----Original Message-----
From: PLUG <[email protected]> On Behalf Of Russell Senior
Sent: Thursday, April 30, 2026 5:10 PM
To: Portland Linux/Unix Group <[email protected]>
Subject: Re: [PLUG] exploit in the wild

I am just going to alias sudo to the exploit script.

On Thu, Apr 30, 2026 at 4:39 PM Ted Mittelstaedt <[email protected]> wrote:
> Ubuntu's servers are now offline with a 503 Service Unavailable - probably as a result of
>
> https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
>
> Maybe they will come back by the time you read this but as of 4:38PM PST they are offline.
>
> Fortunately the Internet Archive crawled the page, it's here:
>
> https://web.archive.org/web/20260430191621/https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
>
> TLDR: No recompiled kernel available at this time, they are "fixing" it by the same fix - disabling the kernel module - that's already been discussed.
>
> Ted
>
> -----Original Message-----
> From: PLUG <[email protected]> On Behalf Of Ted Mittelstaedt
> Sent: Thursday, April 30, 2026 4:02 PM
> To: 'Portland Linux/Unix Group' <[email protected]>
> Subject: Re: [PLUG] exploit in the wild
>
> I don't believe in luck. If it wasn't advanced, they waited to inform the main kernel devs until they were close enough to the Ubuntu 26 release yet far enough out that they could just slip in the patch and it would be included in 26. It's just way too "coincidental" and "lucky" that it happened that way since Ubuntu is the largest distro.
>
> The second this patch was slipped into the kernel the approving developer would have immediately recognized the significance and known there would be a complete shit show once it was announced. I assume that was Linus himself and you better believe he would have informed a few people at Canonical and RedHat and a few other places via his little secret back channels. Canonical had a month to release a kernel patch for 24.04 and 22.04 but they obviously waited so as to not tip off anyone. Why they haven't immediately released kernel updates for those distros is because they are not above using zero-days to push people into upgrading. I'm also betting an update will quietly appear for Pro before it appears for the community stuff.
>
> These "security researchers" absolutely monetize these things. The particular one who found this will get his invite to the next White Hat conference and will go and make his presentation; then someone, like Oracle or RedHat or someone like that, will slap down a $500k yearly employment contract in front of him, if that already hasn't happened.
>
> If he had waited a few weeks then it would have been too late for Ubuntu to ship and it would have been egg on Canonical's face and they would have been pissed - and he would certainly not have gotten any employment contract from them. You don't deliberately make enemies of the largest Linux distro unless you are really stupid.
>
> The business of breaking into computers is a dirty business. You and I both do this but I like to think that we are the whitest of the white knights since we are merely taking control of our own stuff away from networking companies who have no business with their fingers in our routers. And we don't do this to stuff we don't own, nor is anything we publish usable for malcontents to do this to other people. But we can still smell the stink of it even as removed as we are.
>
> There's going to be a lot of people hurt by this one. And claiming that they deserved it because they weren't updating is victim-blaming no better than blaming the woman who got raped for wearing a short skirt.
>
> Spin it how you like but this entire thing stinks. And incidentally the Canonical servers right now are melting down as I'm observing by running apt-update...very very slow right now.
>
> Ted
>
> -----Original Message-----
> From: PLUG <[email protected]> On Behalf Of Russell Senior
> Sent: Thursday, April 30, 2026 7:13 AM
> To: [email protected]
> Subject: Re: [PLUG] exploit in the wild
>
> On 4/30/26 06:42, Ted Mittelstaedt wrote:
> > Note that Ubuntu 26.04 was released on the 23rd of April, and it's NOT vulnerable. I suspect that there is a connection here and that the 26.04 release date was advanced.
>
> I don't think the Ubuntu 26.04 release schedule was advanced. The release date is consistent with past releases, see here:
>
> https://documentation.ubuntu.com/project/release-team/list-of-releases/
>
> The reason it isn't vulnerable is that the fix got into v7.0 and (I'm not sure of the Ubuntu policy, but guessing) because v7.0 was released before Ubuntu 26.04 was released, they went with it.
>
> The thing that kind of surprises me is that the major distributions didn't have the fix in by the disclosure day. ArchLinux was also not vulnerable, if you update reasonably regularly, because they stay pretty close to upstream stable kernels and so had the fix as a matter of course. Debian and Ubuntu (and Fedora?) seem to have been caught a bit flat-footed.
>
> The thing I haven't seen reported yet is: "are non-x86 architectures also affected?" You would guess so, since this was apparently a logical error, but the published python script exploit doesn't work on them to test, and I haven't seen anyone say. An exploit tuned for ARM might.
>
> --
> Russell Senior
> [email protected]
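The mitigation the thread keeps coming back to is disabling the kernel module rather than shipping a fixed kernel. The following POSIX shell script, added here and not from the thread, from Ubuntu or from the exploit author, checks whether that mitigation actually holds on a host: whether the module is blocked in modprobe.d (and in which of two non-equivalent ways), and whether it is still loaded. It assumes the "aead module" the thread mentions is the kernel's algif_aead module; pass another name as the argument if that assumption is wrong.

```shell
#!/bin/sh
# Added example, not from the thread, Ubuntu or the exploit author.
# Checks whether "disabling the kernel module" really holds on a host.
# Assumption: the thread's "aead module" is algif_aead.
#
# The two modprobe.d directives are not equivalent:
#   blacklist <mod>            stops alias-based autoload only; an explicit
#                              modprobe (or a dependency) still loads it
#   install <mod> /bin/false   every load attempt fails, including explicit
#                              modprobe, which is the stronger setting

# modprobe_state <module> <modprobe.d text>: prints blocked, blacklist-only
# or unconfigured. Comments are stripped before matching.
modprobe_state() {
    mod=$1
    stripped=$(printf '%s\n' "$2" | sed 's/#.*//')
    if printf '%s\n' "$stripped" |
        grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|\$)"; then
        echo blocked
    elif printf '%s\n' "$stripped" |
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)"; then
        echo blacklist-only
    else
        echo unconfigured
    fi
}

# module_loaded <module> <lsmod text>: exit 0 if the module is in lsmod output
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { f = 1 } END { exit !f }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_CONF='# constructed /etc/modprobe.d fragment
blacklist algif_aead
install algif_aead /bin/false'
SAMPLE_LSMOD='Module                  Size  Used by
algif_aead             16384  0
af_alg                 32768  1 algif_aead'

# Live check on this host: every modprobe.d file plus the current lsmod.
check_live() {
    conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    state=$(modprobe_state "$1" "$conf")
    if module_loaded "$1" "$(lsmod 2>/dev/null)"; then
        echo "$1: still loaded (modprobe.d: $state)"
    else
        echo "$1: not loaded (modprobe.d: $state)"
    fi
}

if [ -n "${1:-}" ]; then check_live "$1"; fi
```

A "blocked" modprobe.d state with the module still listed by lsmod means the configuration only takes effect once the module is unloaded or the machine reboots.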
