239 episodes • Length: 20 min • Monthly
A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some of the goings on in the wider Ubuntu Security community.
The Ubuntu Security Podcast is created by the Ubuntu Security Team. The podcast and artwork are embedded on this page using the public podcast feed (RSS).
For the first in a 3-part series for Cybersecurity Awareness month, Luci Stanescu joins Alex to discuss the recent CUPS vulnerabilities as well as the evolution of cybersecurity since the origin of the internet.
John and Maximé have been talking about Ubuntu's AppArmor user namespace restrictions at the Linux Security Summit in Europe this past week, plus we cover some more details from the official announcement of permission prompting in Ubuntu 24.10, a new release of Intel TDX for Ubuntu 24.04 LTS and more.
613 unique CVEs addressed in the past fortnight
The long awaited preview of snapd-based AppArmor file prompting is finally seeing the light of day, plus we cover the recent 24.04.1 LTS release and the podcast officially moves to a fortnightly cycle.
45 unique CVEs addressed
- the home interface in snapd gets tagged with a prompt attribute - any access which would normally be allowed is instead delegated to a trusted helper application which displays a dialog to the user asking them to explicitly allow such access
- the seccomp_unotify interface - allows delegating seccomp decisions to userspace in a very similar manner - has existed since the 5.5 kernel released in January 2020
- the desktop-security-center snap as well as the prompting-client snap

A recent Microsoft Windows update breaks Linux dual-boot - or does it? This week we look into reports of the recent Windows patch-Tuesday update breaking dual-boot, including a deep-dive into the technical details of Secure Boot, SBAT, grub, shim and more, plus we look at a vulnerability in GNOME Shell and the handling of captive portals as well.
135 unique CVEs addressed
- the grub,3 entry revokes grub,1 and grub,2, ie sets the minimum generation number for grub to 3
- to list the SBAT revocation policy currently in force on a machine (the second command shows the raw EFI variable):

```bash
mokutil --list-sbat-revocations
cat /sys/firmware/efi/efivars/SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23
```

- example output:

```
$ mokutil --list-sbat-revocations
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
```

- to dump the .sbat section of the installed grub:

```bash
objdump -j .sbat -s /boot/efi/EFI/ubuntu/grubx64.efi | xxd -r
```

```
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.ubuntu,2,Ubuntu,grub2,2.12-5ubuntu4,https://www.ubuntu.com/
grub.peimage,2,Canonical,grub2,2.12-5ubuntu4,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
```
- script used to compare the SBAT generations shipped in the grub2-signed package across releases (pull-lp-debs is from ubuntu-dev-tools):

```bash
rm -rf grub2-signed
mkdir grub2-signed
pushd grub2-signed >/dev/null || exit
for rel in focal jammy noble; do
    mkdir $rel
    pushd $rel >/dev/null || exit
    # prefer the -security pocket, fall back to -release
    pull-lp-debs grub2-signed $rel-security 1>/dev/null 2>/dev/null || pull-lp-debs grub2-signed $rel-release 1>/dev/null 2>/dev/null
    dpkg-deb -x grub-efi-amd64-signed*.deb grub2-signed
    echo $rel
    echo -----
    # skip objdump's header lines and turn the hex dump back into text
    find . -name grubx64.efi.signed -exec objdump -j .sbat -s {} \; | tail -n +5 | xxd -r
    popd >/dev/null || exit
done
popd >/dev/null
```
- output:

```
focal
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu14.4,https://www.ubuntu.com/
jammy
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu14.4,https://www.ubuntu.com/
noble
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.ubuntu,2,Ubuntu,grub2,2.12-1ubuntu7,https://www.ubuntu.com/
grub.peimage,2,Canonical,grub2,2.12-1ubuntu7,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
```
- the same for the shim-signed package:

```bash
rm -rf shim-signed
mkdir shim-signed
pushd shim-signed >/dev/null || exit
for rel in focal jammy noble; do
    mkdir $rel
    pushd $rel >/dev/null || exit
    pull-lp-debs shim-signed $rel-security 1>/dev/null 2>/dev/null || pull-lp-debs shim-signed $rel-release 1>/dev/null 2>/dev/null
    dpkg-deb -x shim-signed*.deb shim-signed
    echo $rel
    echo -----
    find . -name shimx64.efi.signed.latest -exec objdump -j .sbat -s {} \; | tail -n +5 | xxd -r
    popd >/dev/null || exit
done
popd >/dev/null
```
- output:

```
focal
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.7-0ubuntu1,https://www.ubuntu.com/
jammy
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.7-0ubuntu1,https://www.ubuntu.com/
noble
-----
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.8-0ubuntu1,https://www.ubuntu.com/
```
- only noble has a new-enough shim in the -security/-release pocket; both focal and jammy still have the older, 3rd generation one. The new 4th generation shim is currently undergoing testing in the -proposed pocket and will be released next week
- until then, if affected, disable Secure Boot in the BIOS, then either wait until the new shim is released OR reboot twice in this mode: shim will automatically reset the SBAT policy to the previous version, allowing the older shim to still be used
- then re-enable Secure Boot in the BIOS
- once the new shim is released it will reinstall the new SBAT policy to revoke its older version
- one other thing: this also means the old ISOs won't boot either
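Putting the pieces above together, here is an added example (not the podcast's or shim's own code) that applies the SBAT rule to the dumped .sbat sections: it parses the CSV text of a binary's .sbat section and of a revocation policy, then reports which components shim would refuse, i.e. every entry whose generation is below the policy's minimum for that component. The focal and noble shim sections are copied from the output above; the stricter policy carrying shim,4 is constructed for the example and is not a real SbatLevelRT value.

```python
"""SBAT generation check: an added example, not the podcast's or shim's own code.

Given the CSV text of a PE binary's .sbat section (what `objdump -j .sbat -s
... | xxd -r` prints) and an SBAT revocation policy (the text of the
SbatLevelRT EFI variable, as listed by `mokutil --list-sbat-revocations`),
report which components shim would refuse.  SBAT's rule: a policy line
`component,N` revokes every binary carrying `component` with generation < N.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def _rows(text: str):
    # .sbat sections dumped with objdump/xxd can carry trailing NULs; drop them
    # and skip blank lines before CSV parsing.
    for row in csv.reader(StringIO(text.replace("\x00", ""))):
        if row and row[0].strip():
            yield [field.strip() for field in row]


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse a .sbat section: component,generation[,vendor,package,version,url]."""
    entries = []
    for row in _rows(text):
        padded = row + [""] * (6 - len(row))
        entries.append(SbatEntry(padded[0], int(padded[1]), *padded[2:6]))
    return entries


def parse_revocations(text: str) -> dict[str, int]:
    """Parse a revocation policy into {component: minimum allowed generation}."""
    return {row[0]: int(row[1]) for row in _rows(text)}


def revoked_components(entries: list[SbatEntry], policy: dict[str, int]) -> list[tuple[str, int, int]]:
    """(component, shipped generation, required generation) for each failing entry."""
    return [
        (e.component, e.generation, policy[e.component])
        for e in entries
        if e.component in policy and e.generation < policy[e.component]
    ]


def will_boot(sbat_text: str, policy_text: str) -> bool:
    """True if shim would accept a binary with this .sbat under this policy."""
    return not revoked_components(parse_sbat(sbat_text), parse_revocations(policy_text))


# .sbat sections of the focal and noble shims, copied from the output above.
FOCAL_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.7-0ubuntu1,https://www.ubuntu.com/
"""
NOBLE_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,4,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.ubuntu,1,Ubuntu,shim,15.8-0ubuntu1,https://www.ubuntu.com/
"""
# Policy as listed by mokutil above (pre-update).
OLD_POLICY = "sbat,1,2023012900\nshim,2\ngrub,3\ngrub.debian,4\n"
# Constructed policy: the same header with the shim minimum raised to 4, i.e.
# what it takes to revoke the 3rd-generation shim.  Not copied from any real
# SbatLevelRT value.
NEW_POLICY = "sbat,1,2023012900\nshim,4\ngrub,3\ngrub.debian,4\n"


if __name__ == "__main__":
    for name, sbat in (("focal shim", FOCAL_SHIM_SBAT), ("noble shim", NOBLE_SHIM_SBAT)):
        for pname, policy in (("old policy", OLD_POLICY), ("new policy", NEW_POLICY)):
            bad = revoked_components(parse_sbat(sbat), parse_revocations(policy))
            print(f"{name} under {pname}: {'boots' if not bad else 'REVOKED ' + str(bad)}")
```

To check a real machine, feed `mokutil --list-sbat-revocations` output as the policy and the `objdump ... | xxd -r` output of each of shim, grub and the kernel as the .sbat text; note that the check is per binary, so a grub revocation never affects shim's own entries.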
This week we take a deep-dive, behind-the-scenes look into how the team handled a recent report from Snyk's Security Lab of a local privilege escalation vulnerability in wpa_supplicant, plus we cover security updates in Prometheus Alertmanager, OpenSSL, Exim, snapd, Gross, curl and more.
185 unique CVEs addressed
- (OpenSSL) SSL_free_buffers API - requires an application to directly call this function - across the entire Ubuntu package ecosystem there doesn't appear to be any package that does this, so highly unlikely to be an issue in practice
- (OpenSSL) SSL_select_next_proto - if called with an empty buffer list would read other private memory - ie OOB read - and potentially then either crash or return private data
- (OpenSSL) SSL_OP_NO_TICKET option would possibly get into a state where the session cache would not be flushed and so would grow unbounded - memory based DoS
- the copy is written to /usr/share/applications which is world-readable - so if the symlink pointed to /etc/shadow then you would get a copy of this written out as world-readable - so an unprivileged user on the system could then possibly escalate their privileges
- (Gross) strncat() during logging
wpa_supplicant (16:10)
- the report: possible to get wpa_supplicant to load an attacker controlled shared object into memory
- wpa_supplicant is configured to allow various methods to be called by users in the netdev group via its dbus interface
- the CreateInterface method takes a ConfigFile argument which specifies the path to a configuration file using the format of wpa_supplicant.conf - this can set opensc_engine_path or similarly the PKCS11 engine and module paths
- wpa_supplicant runs as root
- of the users of the wpa_supplicant DBus interface, none appear to make use of the netdev group
- first fix: patched wpa_supplicant to check that the specified module was owned by root - this should then stop an unprivileged user from creating their own module and specifying it as it wouldn't be owned by root
- but: reference the module via the root link inside the proc filesystem - which points to the actual root directory of that process - and since the FUSE fs lies about the UID it looks like root owned
- this is the way realpath works (which should block the ability to read it via the proc symlink)
- final fix: only allow modules from /usr/lib - since anything installed from the archive would live here - in this case we simply call realpath() directly on the provided path name and if it doesn't start with /usr/lib then deny loading of the module
- modules under /opt would now fail BUT if you can write to /opt then you can write to somewhere in /usr/lib - so is easy to fix as well

This week we take a look at the recent Crowdstrike outage and what we can learn from it compared to the testing and release process for security updates in Ubuntu, plus we cover details of vulnerabilities in poppler, phpCAS, EDK II, Python, OpenJDK and one package with over 300 CVE fixes in a single update.
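The module-path containment check from the wpa_supplicant notes above, written here as an added example in Python rather than wpa_supplicant's own C (it is not the project's code): resolve the supplied path with realpath() and only accept the result if it lives under the trusted directory, instead of trusting file ownership, which a FUSE mount can fake. The trusted directory is a parameter (the real fix uses /usr/lib) so the example runs against a throwaway tree. The /proc/<pid>/root trick cannot be reproduced offline, so the constructed scenario instead exercises symlinks in both directions, dot-dot traversal and a /usr/libexec lookalike; that last case is a pitfall of a plain string-prefix compare, which this example avoids by comparing path components (a choice made here, not a claim about the upstream patch).

```python
"""Trusted-directory check for a root daemon's user-supplied plugin path: an
added example, not wpa_supplicant's own code.  It mirrors the final fix
described above (resolve with realpath(), then require the result to live
under the trusted directory) rather than the ownership check that a FUSE
mount can fool.  The trusted directory is a parameter (the real fix uses
/usr/lib) so the example can run against a throwaway tree.
"""
from __future__ import annotations

import os
import tempfile
from typing import Optional


def resolve_trusted_module(requested: str, trusted_dir: str) -> Optional[str]:
    """Return the canonical path of `requested` if it is a regular file under
    `trusted_dir` after symlink resolution, otherwise None (deny)."""
    real = os.path.realpath(requested)
    root = os.path.realpath(trusted_dir)
    # Compare path components, not string prefixes: a plain
    # real.startswith("/usr/lib") would also admit /usr/libexec/... and
    # /usr/lib-anything/... (a choice made here, not a claim about upstream).
    try:
        inside = os.path.commonpath([real, root]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    if not inside or not os.path.isfile(real):
        return None
    return real


def demo() -> dict[str, bool]:
    """Constructed scenario: usr/lib is the trusted tree, opt is writable by
    the attacker.  Returns which requests the check accepts."""
    base = tempfile.mkdtemp()
    lib = os.path.join(base, "usr", "lib")
    libexec = os.path.join(base, "usr", "libexec")
    opt = os.path.join(base, "opt")
    for d in (lib, libexec, opt):
        os.makedirs(d)
    for path in (os.path.join(lib, "engine.so"), os.path.join(opt, "engine.so"),
                 os.path.join(libexec, "engine.so")):
        open(path, "w").close()
    # Attacker-created symlink pointing back into the trusted tree: harmless,
    # the module that actually gets loaded is the root-owned one in usr/lib.
    os.symlink(lib, os.path.join(opt, "lib-link"))
    # A symlink inside the trusted tree escaping it (would need root to plant,
    # but the check must still catch it after resolution).
    os.symlink(os.path.join(opt, "engine.so"), os.path.join(lib, "escape.so"))

    requests = {
        "direct /usr/lib file": os.path.join(lib, "engine.so"),
        "attacker file in /opt": os.path.join(opt, "engine.so"),
        "symlink from /opt into /usr/lib": os.path.join(opt, "lib-link", "engine.so"),
        "dot-dot traversal out of /usr/lib": os.path.join(lib, "..", "..", "opt", "engine.so"),
        "prefix lookalike /usr/libexec": os.path.join(libexec, "engine.so"),
        "symlink in /usr/lib escaping to /opt": os.path.join(lib, "escape.so"),
    }
    return {name: resolve_trusted_module(p, lib) is not None for name, p in requests.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'ALLOW' if accepted else 'DENY '}  {name}")
```

The symlink-from-/opt case is accepted on purpose: after realpath() the loaded file is the one inside the trusted tree, which is exactly the property the fix relies on.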
462 unique CVEs addressed
This week we deep-dive into one of the best vulnerabilities we’ve seen in a long time regreSSHion - an unauthenticated, remote, root code-execution vulnerability in OpenSSH. Plus we cover updates for Plasma Workspace, Ruby, Netplan, FontForge, OpenVPN and a whole lot more.
39 unique CVEs addressed
- user@host:port combination - so would possibly then use a different hostname than the one the user expected
- (Ruby) ungetbyte()/ungetc() to push back characters on an IO stream - would possibly read beyond the end of the buffer - OOB read
- (FontForge) system() library function - which spawns a shell - so if a filename contained any shell metacharacters, could then just easily get arbitrary code execution

regreSSHion:
- sshd's SIGALRM handler (used for the login grace timeout) calls syslog(), which is one of those async-signal-unsafe functions - syslog() will potentially call malloc()/free(), which as we mentioned earlier is not async-signal-safe
- if the main code is inside malloc()/free() when the SIGALRM signal is delivered (malloc()/free() call the brk(2) system call under the hood and so a pending SIGALRM may be delivered on return from brk()), the handler ends up calling malloc() at the same time - corrupting the global state of the heap etc
- the mitigation arranges for syslog() to be called early on in the use of OpenSSH so that when it gets called in the SIGALRM signal handler it doesn't do the same memory allocation and hence can't be used to corrupt memory and get code execution

A look into CISA's Known Exploited Vulnerability Catalogue is on our minds this week, plus we look at vulnerability updates for gdb, Ansible, CUPS, libheif, Roundcube, the Linux kernel and more.
175 unique CVEs addressed
- (Ansible) the tower_callback (nowadays called aap_callback - Ansible Automation Platform) parameter was not handled appropriately
- (Ansible) values tagged as unsafe - in that they may come from an external, untrusted source - won't get evaluated/expanded when used, to avoid possible info leaks etc - various issues where ansible would fail to respect this and essentially forget they were tagged as unsafe and end up exposing secrets as a result
- (CUPS) FoomaticRIPCommandLine (a PPD directive) - can then run arbitrary commands as root
- (Linux kernel) AF_PACKET, tty, ptrace, futex and others

This week we bring you a special edition of the podcast, featuring an interview between Ijlal Loutfi and Karen Horovitz who deep-dive into Confidential Computing. Ranging from a high-level discussion of the need for and the features provided by confidential computing, through to the specifics of how this is implemented in Ubuntu and a look at similar future security technologies that are on the horizon.
As the podcast winds down for a break over the next month, this week we talk about RSA timing side-channel attacks and the recently announced DNSBomb vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK, amavisd-new, Unbound, Intel Microcode and more.
152 unique CVEs addressed
The team is back from Madrid and this week we bring you some of our plans for the upcoming Ubuntu 24.10 release, plus we talk about Google’s kernelCTF project and Mozilla’s PDF.js sandbox when covering security updates for the Linux kernel, Firefox, Spreadsheet::ParseExcel, idna and more.
121 unique CVEs addressed
- (Google kernelCTF) no exploits against io_uring or nftables since they were disabled in their target kernel configuration due to the high number of historical vulns in both subsystems
- (Spreadsheet::ParseExcel) eval() on untrusted user input - high profile, disclosed by Mandiant - high profile since it affected Barracuda email gateway devices and was publicly reported as being exploited against these by a Chinese APT group

Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.
61 unique CVEs addressed
- (cpio) --no-absolute-filenames CLI argument
- (less) LESSOPEN environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if less was run on some untrusted file
- LESSOPEN is automatically set in Debian/Ubuntu via lesspipe - allows running less on say a gz compressed log file or even on a tar.gz tarball to list the files etc
- (PHP) cookie prefixes (__Host- and __Secure-) have specific meanings and in general should not be settable by the network, only by the browser itself - so could be used to bypass the usual restrictions (apparently this issue was reported upstream by the original reporter of the 2022 vuln but got ignored by upstream till now…)
- (PHP) password_verify() function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified password was the empty string it would verify as true (unlikely to be an issue in practice)
- (PHP) PHP_CLI_SERVER_WORKERS env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)
- (JSON5) __proto__ key - allows setting arbitrary keys etc within the returned object -> RCE

Kernel type | 22.04 | 20.04 | 18.04 |
---|---|---|---|
aws | 103.3 | 103.3 | — |
aws-5.15 | — | 103.3 | — |
aws-5.4 | — | — | 103.3 |
aws-6.5 | 103.1 | — | — |
azure | 103.3 | 103.3 | — |
azure-5.4 | — | — | 103.3 |
azure-6.5 | 103.1 | — | — |
gcp | 103.3 | 103.3 | — |
gcp-5.15 | — | 103.3 | — |
gcp-5.4 | — | — | 103.3 |
gcp-6.5 | 103.1 | — | — |
generic-5.15 | — | 103.3 | — |
generic-5.4 | — | 103.3 | 103.3 |
gke | 103.3 | 103.3 | — |
hwe-6.5 | 103.1 | — | — |
ibm | 103.3 | — | — |
ibm-5.15 | — | 103.3 | — |
linux | 103.3 | — | — |
lowlatency-5.15 | — | 103.3 | — |
lowlatency-5.4 | — | 103.3 | 103.3 |
canonical-livepatch status
John and Georgia are at the Linux Security Summit presenting on some long awaited developments in AppArmor and we give you all the details in a sneak peek preview as well as some of the other talks to look out for, plus we cover security updates for NSS, Squid, Apache, libvirt and more and we put out a call for testing of a pending AppArmor security fix too.
86 unique CVEs addressed
- g_new0() from glib which expects an unsigned value -> tries to allocate an extremely large amount of memory -> crash
- pledge() and unveil() from OpenBSD
- kill along with the associated signal to deliver
- pledge()
This week we cover the recent reports of a new local privilege escalation exploit against the Linux kernel, follow-up on the xz-utils backdoor from last week and it’s the beta release of Ubuntu 24.04 LTS - plus we talk security vulnerabilities in the X Server, Django, util-linux and more.
76 unique CVEs addressed
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|
aws | 102.1 | 102.1 | 102.1 | 102.1 | — |
aws-5.15 | — | 102.1 | — | — | — |
aws-5.4 | — | — | 102.1 | — | — |
aws-6.5 | 102.1 | — | — | — | — |
aws-hwe | — | — | — | 102.1 | — |
azure | 102.1 | 102.1 | — | 102.1 | — |
azure-4.15 | — | — | 102.1 | — | — |
azure-5.4 | — | — | 102.1 | — | — |
azure-6.5 | 102.1 | — | — | — | — |
gcp | 102.1 | 102.1 | — | 102.1 | — |
gcp-4.15 | — | — | 102.1 | — | — |
gcp-5.15 | — | 102.1 | — | — | — |
gcp-5.4 | — | — | 102.1 | — | — |
gcp-6.5 | 102.1 | — | — | — | — |
generic-4.15 | — | — | 102.1 | 102.1 | — |
generic-4.4 | — | — | — | 102.1 | 102.1 |
generic-5.15 | — | 102.1 | — | — | — |
generic-5.4 | — | 102.1 | 102.1 | — | — |
gke | 102.1 | 102.1 | — | — | — |
gke-5.15 | — | 102.1 | — | — | — |
gkeop | — | 102.1 | — | — | — |
hwe-6.5 | 102.1 | — | — | — | — |
ibm | 102.1 | 102.1 | — | — | — |
ibm-5.15 | — | 102.1 | — | — | — |
linux | 102.1 | — | — | — | — |
lowlatency | 102.1 | — | — | — | — |
lowlatency-4.15 | — | — | 102.1 | 102.1 | — |
lowlatency-4.4 | — | — | — | 102.1 | 102.1 |
lowlatency-5.15 | — | 102.1 | — | — | — |
lowlatency-5.4 | — | 102.1 | 102.1 | — | — |
canonical-livepatch status
- CAP_SYS_ADMIN - but then firefox correctly detects this and falls back to the correct behaviour
- n_gsm driver in the 6.4 and 6.5 kernels
- jmpeax (Jammes) - who wanted to purchase the exploit
- comparing the two published exploit sources:

```bash
diff -w <(curl https://raw.githubusercontent.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/main/main.c) <(curl https://raw.githubusercontent.com/YuriiCrimson/ExploitGSM/main/ExploitGSM_6_5/main.c)
```

- n_gsm
- /sys/kernel/notes which leaks the address of the xen_startup function and allows breaking KASLR
The executable payloads were embedded as binary blobs in the test files. This was a blatant violation of the Debian Free Software Guidelines.
On machines that see lots bots poking at the SSH port, the backdoor noticeably increased CPU load, resulting in degraded user experience and thus overwhelmingly negative user feedback.
The maintainer who added the backdoor has disappeared.
Backdoors are bad for security.
It’s been an absolutely manic week in the Linux security community as the news and reaction to the recent announcement of a backdoor in the xz-utils project was announced late last week, so we dive deep into this issue and discuss how it impacts Ubuntu and give some insights for what this means for the open source and Linux communities in the future.
20 unique CVEs addressed
- you can't simply run strings on it and get any real sensible output

This week we bring you a sneak peak of how Ubuntu 23.10 fared at Pwn2Own Vancouver 2024, plus news of malicious themes in the KDE Store and we cover security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and more.
61 unique CVEs addressed
We cover recent Linux malware from the Magnet Goblin threat actor, plus the news of Ubuntu 23.10 as a target in Pwn2Own Vancouver 2024 and we detail vulnerabilities in Puma, AccountsService, Open vSwitch, OVN, and more.
102 unique CVEs addressed
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|
aws | 101.1 | 101.1 | 101.1 | 101.1 | — |
aws-5.15 | — | 101.1 | — | — | — |
aws-5.4 | — | — | 101.1 | — | — |
aws-6.5 | 101.1 | — | — | — | — |
aws-hwe | — | — | — | 101.1 | — |
azure | 101.1 | 101.1 | — | 101.1 | — |
azure-4.15 | — | — | 101.1 | — | — |
azure-5.4 | — | — | 101.1 | — | — |
azure-6.5 | 101.1 | — | — | — | — |
gcp | 101.1 | 101.1 | — | 101.1 | — |
gcp-4.15 | — | — | 101.1 | — | — |
gcp-5.15 | — | 101.1 | — | — | — |
gcp-5.4 | — | — | 101.1 | — | — |
gcp-6.5 | 101.1 | — | — | — | — |
generic-4.15 | — | — | 101.1 | 101.1 | — |
generic-4.4 | — | — | — | 101.1 | 101.1 |
generic-5.15 | — | 101.2 | — | — | — |
generic-5.4 | — | 101.1 | 101.1 | — | — |
gke | 101.1 | — | — | — | — |
gke-5.15 | — | 101.1 | — | — | — |
gkeop | — | 101.1 | — | — | — |
hwe-6.5 | 101.1 | — | — | — | — |
ibm | 101.1 | 101.1 | — | — | — |
ibm-5.15 | — | 101.1 | — | — | — |
linux | 101.2 | — | — | — | — |
lowlatency-4.15 | — | — | 101.1 | 101.1 | — |
lowlatency-4.4 | — | — | — | 101.1 | 101.1 |
lowlatency-5.15 | — | 101.2 | — | — | — |
lowlatency-5.4 | — | 101.1 | 101.1 | — | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
- (AccountsService) the new encrypted password was visible via /proc/<pid>/cmdline - very low risk since the process only exists for a very small time AND it is encrypted already - so instead now invokes chpasswd and specifies the new encrypted password over standard input - would then need to be able to ptrace to see it, which with YAMA ptrace_scope enabled in Ubuntu means you need to be root (or a parent process of accountsservice, which is started by dbus for the current user) - so then an attacker would have to be able to cause the existing accountsservice to stop and then start their own to see the new encrypted password
- (Magnet Goblin malware) /dashboard/ endpoint - likely to try and hide its network traffic in plain sight (rather than the raw TCP sockets with custom encrypted protocol employed by NerbianRAT)

Andrei is back to discuss recent academic research into malware within the Python/PyPI ecosystem and whether it is possible to effectively combat it with open source tooling, plus we cover security updates for Unbound, libuv, node.js, the Linux kernel, libgit2 and more.
56 unique CVEs addressed
- (libuv) when passing a hostname to getaddrinfo() - would fail to NUL-terminate the string - as such, getaddrinfo() would read past the end of the buffer and the address that got resolved may not be the intended one - so then a remote attacker who could influence this could end up causing the application to contact a different address than expected and so perhaps access internal services etc
- an input like <<<<<<.... would then cause exponential performance degradation
- send() rather than public_send() which allowed access to private methods to directly execute system calls
- @
- git_index_add
- /etc/resolv.conf, /etc/hosts, /etc/nsswitch.conf or anything specified via the HOSTALIASES environment variable - if it has an embedded NUL as the first character in a new line, would then attempt to read memory prior to the start of the buffer and hence an OOB read -> crash

Hey, Alex!
We will continue our journey today beyond the scope of the previous episodes. We’ve delved into the realms of network security, federated infrastructures, and vulnerability detection and assessment.
Last year, the Ubuntu Security Team participated in the Linux Security Summit in Bilbao. At that time, I managed to have a discussion with Zach, who hosted a presentation at the Supply Chain Security Con entitled “Will Large-Scale Automated Scanning Stop Malware on OSS Repositories?”. I later discovered that his talk was backed by a paper that he and his colleagues from Chainguard had published.
With this in mind, today we will be examining “Bad Snakes: Understanding and Improving Python Package Index Malware Scanning”, which was published last year in ACM’s International Conference on Software Engineering.
The aim of the paper is to highlight the current state of the Python and PyPi ecosystems from a malware detection standpoint, identify the requirements for a mature malware scanner that can be integrated into PyPi, and ascertain whether the existing open-source tools meet these objectives.
With this in mind, let’s start by understanding the context.
Applications can be distributed through repositories. This means that the applications are packaged into a generic format and published in either managed or unmanaged repositories. Users can then install the application by querying the repositories, downloading the application in a format that they can unpack through a client, and subsequently run on their hosts.
There are numerous repositories out there. Some target specific operating systems, as is the case with Debian repositories, the Snap Store, Google Play, or the Microsoft Store. Others are designed to store packages for a specific programming language, such as PyPi, npm, and RubyGems. Firefox Add-ons and the Chrome extension store target a specific platform, namely the browser.
Another relevant characteristic when discussing repositories is the level of curation. The Ubuntu Archive is considered a curated repository of software packages because there are several trustworthy contributors able to publish software within the repository. Conversely, npm is unmanaged because any member of the open-source community can publish anything in it.
We will discuss the Python Package Index extensively, which is the de facto unmanaged repository for the Python programming language. As of the 7th of March 2024, there were 5.4 million releases for 520 thousand projects and nearly 800 thousand users. It is governed by a non-profit organisation and run by volunteers worldwide.
Software repositories foster the dependencies of software on other pieces of software, controlled by different parties. As seen in campaigns such as the SolarWinds SUNBURST attack, this can go awry. Attackers can gain control over software in a company’s supply chain, gain initial access to their infrastructure, and exploit this advantage.
Multiple attack vectors are possible. Accounts can be hijacked. Attackers may publish packages with similar names (in a tactic known as typosquatting). They can also leverage shrink-wrapped clones, which are duplicates of existing packages, where malicious code is injected after gaining users’ trust. While covering all attack vectors is beyond the scope of this podcast episode, you can find a comprehensive taxonomy in a paper called “Taxonomy of Attacks on Open-Source Software Supply Chains”, which lists over 100 unique attack vectors.
From 2017 to 2022, the number of unique projects removed from PyPi increased rapidly: 38 in the first year, followed by 130, 60, 500, 27 thousand, and finally 12 thousand in the last year. Despite the fact that most of these were reported as malware, it's worth noting that the impact of some of them is limited due to the lack of organic usage.
These attacks can be mitigated by implementing techniques such as multi-factor authentication, software signing, update frameworks, or reproducible builds, but the most widespread method is malware analysis.
Some engines check for anomalies via static and dynamic heuristics, while others rely on signatures due to their simplicity. Once a piece of software is detected as malicious, its hash is added to a deny list that is embedded in the anti-malware engine. Each file is then hashed and the result is checked against the deny list. If the heuristics or the hash comparison identifies the file as malicious, it is either reported, blocked, or deleted depending on the strategy implemented by the anti-malware engine.
These solutions are already implemented in software repositories. In the case of PyPi, malware scanning was introduced in February 2022 with the assistance of a malware check feature in Warehouse, the application serving PyPi. However, it was disabled by the administrators two years later and ultimately removed in May 2023 due to an overload of alerts.
In addition to this technical solution, PyPi also capitalises on a form of social symbiosis. Software security companies and individuals conduct security research, reporting any discovered malware to the PyPi administrators via email. The administrators typically allocate 20 minutes per week to review these malware reports and remove any packages that can be verified as true positives. Ultimately, the reporting companies and individuals gain reputation or attention for their brands, products, and services.
In addition to information about software repositories, supply chain attacks, malware analysis, and PyPi, the researchers also interviewed administrators from PyPi to understand their requirements for a malware analysis tool that could assist them. The three interviews, each lasting one hour, were conducted in July and August 2022 and involved only three individuals. This limited number of interviews is due to the focus on the PyPi ecosystem, where only ten people are directly involved in malware scanning activities.
When discussing requirements, the administrators desired tools with a binary outcome, which could be determined by checking if a numerical score exceeds a threshold or not. The decision should also be supported by arguments. While administrators can tolerate false negatives, they aim to reduce the rate of false positives to zero. The tool should also operate on limited resources and be easy to adopt, use and maintain.
But do the current solutions tick these boxes?
The researchers selected tools based on a set of criteria: analysing the code of the packages, having public detection techniques, and detection rules. Upon examining the available solutions, they found that only three could be used for evaluation in the context of their research: PyPi’s malware checks, Bandit4Mal, and OSSGadget’s OSS Detect Backdoor.
Regarding the former, it should be noted that the researchers did not match the YARA rules only against the setup files, but also against all files in the Python package. The second, Bandit4Mal, is an open-source version of Bandit that has been adapted to include multiple rules for detecting malicious patterns in the AST generated from a program’s codebase. The last, OSSGadget’s OSS Detect Backdoor, is a tool developed by Microsoft in June 2020 to perform rule-based malware detection on each file in a package.
These tools were tested against both malicious and benign Python packages. The researchers used two datasets containing 168 manually-selected malicious packages. For the benign packages, they selected 1,400 popular packages and one thousand randomly-selected benign Python packages.
For the evaluation process, they considered an alert in a malicious package to be a true positive and an alert in a benign package to be a false positive.
The true positive rate was 85% for the PyPi checks, the same for OSS Detect Backdoor and 90% for Bandit4Mal. The false positive rates ranged from 15% for the PyPi checks over the random packages, to 80% for Bandit4Mal on popular packages.
The tools ran in a time-effective manner, with a median time of around two seconds per package across all datasets. The maximum runtime was recorded for Ansible’s package, which was scanned in 26 minutes.
Despite their efficient run times, we can infer from these results that the tools are not accurate enough to meet the demands of PyPi’s administrators. The analysts may be overwhelmed by alerts for benign packages, which could interfere with their other operations.
And with this, we can conclude the episode of the Ubuntu Security Podcast, which details the paper “Bad Snakes: Understanding and Improving Python Package Index Malware Scanning”. We have discussed software repositories, malware analysis, and malware-related operations within PyPi. We’ve also explored the requirements that would make a new open-source Python malware scanner suitable for the PyPi administrators and evaluated how the current solutions perform.
If you come across any interesting topics that you believe should be discussed, please email us at [email protected].
Over to you, Alex!
The Linux kernel.org CNA has assigned their first CVEs so we revisit this topic to assess the initial impact on Ubuntu and the CVE ecosystem, plus we cover security updates for Roundcube Webmail, less, GNU binutils and the Linux kernel itself.
64 unique CVEs addressed
- (Linux kernel) autoloading of the appletalk module is blocked by /etc/modprobe.d/blacklist-rare-network.conf:

```
# appletalk
alias net-pf-5 off
```

- (Roundcube) references of the form [1] get linkified to the source - if an attacker used a form like [<script>evil</script>] this would be included in the generated HTML without escaping and so could get arbitrary XSS
- (PostgreSQL) REFRESH MATERIALIZED VIEW CONCURRENTLY commands - should drop privileges so that the SQL is executed as the owner of the materialized view - as such, if an attacker could get a user or automated system to run such a command they could possibly execute arbitrary SQL as the user rather than as the owner of the view as expected
- (less) LESSCLOSE - could then get arbitrary shell commands - env var that tells less to invoke a particular command as an input post-processor (this is used in conjunction with LESSOPEN to pre-process the file before it is displayed by less - for instance, if you wanted to use less to page through a HTML file you might perhaps use this to run it via html2text first - then use LESSCLOSE to do any cleanup)
- CVE-2023-52433: netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
- Fri 01 Mar 2024 04:04:26 UTC
- have assigned 288 CVEs
This week the Linux kernel project announced they will be assigning their own CVEs so we discuss the possible implications and fallout from such a shift, plus we cover vulnerabilities in the kernel, Glance_store, WebKitGTK, Bind and more.
64 unique CVEs addressed
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|
aws | 100.1 | 100.1 | 100.1 | 100.1 | — |
aws-5.15 | — | 100.1 | — | — | — |
aws-5.4 | — | — | 100.1 | — | — |
aws-6.2 | 100.1 | — | — | — | — |
aws-hwe | — | — | — | 100.1 | — |
azure | 100.1 | 100.1 | — | 100.1 | — |
azure-4.15 | — | — | 100.1 | — | — |
azure-5.4 | — | — | 100.1 | — | — |
azure-6.2 | 100.1 | — | — | — | — |
gcp | 100.1 | 100.1 | — | 100.1 | — |
gcp-4.15 | — | — | 100.1 | — | — |
gcp-5.15 | — | 100.1 | — | — | — |
gcp-5.4 | — | — | 100.1 | — | — |
gcp-6.2 | 100.1 | — | — | — | — |
generic-4.15 | — | — | 100.1 | 100.1 | — |
generic-4.4 | — | — | — | 100.1 | 100.1 |
generic-5.15 | — | 100.1 | — | — | — |
generic-5.4 | — | 100.1 | 100.1 | — | — |
gke | 100.1 | 100.1 | — | — | — |
gke-5.15 | — | 100.1 | — | — | — |
gkeop | — | 100.1 | — | — | — |
hwe-6.2 | 100.1 | — | — | — | — |
ibm | 100.1 | 100.1 | — | — | — |
ibm-5.15 | — | 100.1 | — | — | — |
linux | 100.1 | — | — | — | — |
lowlatency-4.15 | — | — | 100.1 | 100.1 | — |
lowlatency-4.4 | — | — | — | 100.1 | 100.1 |
lowlatency-5.15 | — | 100.1 | — | — | — |
lowlatency-5.4 | — | 100.1 | 100.1 | — | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
- access_key if logging configured at DEBUG level - any user then able to read the logs could see the access key and hence potentially get access to the S3 bucket (would also need the secret key too and this was never logged so impact minimal)
Earlier this week, Greg Kroah-Hartman (one of the more famous Linux kernel developers - responsible for the various stable kernel trees / releases plus various subsystems within the kernel - he also wrote one of the most popular books on Linux kernel driver development, even if it is woefully outdated nowadays) announced that the Linux kernel project itself has been accepted as a CNA by MITRE and would start issuing CVEs for the vulnerabilities found within the kernel itself
Historically the upstream kernel developers and Greg himself have been quite disparaging of the CVE process / ecosystem, essentially saying that CVEs for the kernel are meaningless since all bugs are potentially security issues and there are so many fixes that go into the kernel of which the security impact is not clear, that the only way to stay secure is to track one of the supported upstream stable kernel trees - otherwise CVEs would be issued for basically every commit that goes into one of the stable trees
It was not then surprising to see that in the initial announcement there was a statement that:
Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team is overly cautious and assign CVE numbers to any bugfix that they identify.
This led many (including us) to fear that the kernel CNA would be issuing an extremely high volume of CVEs which would effectively overwhelm the CVE process and make it unworkable - for instance, LWN calculated that the 6.1 stable kernel has had over 12,000 fixes applied to it over the past year. So this leaves a huge scope for many CVEs to be possibly assigned - and as a comparison, in total across all software / hardware devices etc in 2023 there were 29,000 CVEs assigned. So that could mean the kernel itself would possibly become responsible for at least a quarter of all CVEs in the future.
Greg has some prior form in this space as well since in 2019 he gave a talk where he suggested one way the kernel community could help fix the issue of CVEs being erroneously assigned against the kernel would be to start doing exactly this and assigning a CVE for every fix applied to the kernel and hence overwhelm the CVE ecosystem to (in his words) “burn it down”.
Also the GSD project (Global Security Database - set up as an alternate / competitor to CVE) was doing exactly this - tracking a huge number of fixes for the stable trees and assigning them GSD IDs - as per https://osv.dev/list?ecosystem=Linux it tracks 13573 issues
Thankfully though, this plan seems to have moderated over the past few days - after Greg posted a patch set to the LKML documenting the process, he clarified in a follow-up email that this would not be the case, and instead that CVEs will only be assigned for commits which appear to have a security relevant impact. How they actually do that remains to be seen, and whilst his comment that “we (will) know it when we see it” doesn’t exactly put me at ease (since it is very easy to miss the security implications of any particular commit), at least this helps allay the fears that there would be a tidal wave of CVEs being assigned.
One outstanding issue which I directly asked Greg about is how they are actually tracking fixes for CVEs - since in their model, a CVE is equivalent to the commit which fixes the issue - however for lots of existing kernel CVEs that get assigned by other CNAs like Canonical or Red Hat etc, the fix comprises multiple commits
Greg says the whole process is quite complex and whilst their existing scripts want a one-to-one mapping from CVEs to commits they do plan to fix this in the future.
So it will be interesting to see what things they will end up assigning CVEs for. It will also be interesting to see how the interaction with security researchers plays out. Since their process is heavily skewed to the CVE corresponding to the fix commit AND they state that this must be in one of the stable trees for a CVE to be assigned, it doesn’t leave a lot of room for responsible disclosure. They do say they can assign a CVE for an issue before it is resolved with a commit to one of the stable trees, but ideally these details would get disclosed to distros and others ahead of the CVE details being released to the public. I also asked Greg about this but am awaiting a response.
AppArmor unprivileged user namespace restrictions are back on the agenda this week as we survey the latest improvements to this hardening feature in the upcoming Ubuntu 24.04 LTS, plus we discuss SMTP smuggling in Postfix, runC container escapes and Qualys’ recent disclosure of a privilege escalation exploit for GNU libc and more.
39 unique CVEs addressed
- <CR><LF>.<CR><LF> gets interpreted loosely so that it is possible to include extra SMTP commands within the message data which would then go on to be interpreted as additional SMTP commands to be executed by the receiving server and to cause it to receive two emails when only one was sent in the first place, and where the usual SPF checks get bypassed for this second email - so can bypass SPF/DMARC policies to spoof emails from various domains
- syslog() system call
- argv[0] in a call to snprintf() into a fixed size buffer allocated on the stack - snprintf() won’t overflow this but will return a value larger than the fixed size buffer - as a result a heap buffer to then contain this string would only get allocated with a size of 1 byte but then the full expected data would get copied into it - and since the attacker controls this value they can write arbitrary data to the heap by just using a crafted program name (which is easy to do via the exec command built in to bash etc)
- /usr/bin/su call syslog() internally and so can be abused in this way
- intcomma template
- CAP_NET_ADMIN within that namespace and so create firewall rules etc that only affect applications within that namespace and not the host system
- CAP_NET_ADMIN etc as mentioned before) this is then denied
- apparmor package in noble-proposed pocket
For the first episode of 2024 we take a look at the case of a raft of bogus FOSS CVEs reported on full-disclosure as well as AppSec tools in Ubuntu and the EOL announcement for 23.04, plus we cover vulnerabilities in the Linux kernel, Puma, Paramiko and more.
81 unique CVEs addressed
- CAP_NET_ADMIN to be able to exploit (ie to create a netfilter chain etc) but this can easily be obtained in an unprivileged user namespace -> privesc for unprivileged local user
- EXT_INFO message which is sent during the handshake to negotiate various protocol extensions in a way that neither the client nor server will notice (since they can just send an empty ignored packet with the same sequence number). This can be done quite easily by an attacker since during this stage of the connection there is no encryption in place. End result is the attacker can cause either a loss of integrity (since this won’t be detected by the other party) or potentially to compromise the key exchange itself and hence cause a loss of confidentiality as well
For the final episode of 2023 we discuss creating PoCs for vulns in tar and the looming EOL for Ubuntu 23.04, plus we look into security updates for curl, BlueZ, Netatalk, GNOME Settings and a heap more.
57 unique CVEs addressed
- .com / .org but also .co.uk etc - since there is no good algorithmic way of determining the highest level at which a domain may be registered for a particular TLD as each registrar is different
- domain=co.UK with a URL of say curl.co.uk and this would then get sent to every other .co.uk domain contrary to the expectations of the PSL which lists .co.uk as a PSL domain
- vmware-user-suid wrapper - a local user with non-root privileges that is able to hijack the /dev/uinput file descriptor may be able to simulate user inputs
- ClassicBondedOnly=true - this may break some legacy input devices like PS3 controller - in which case, should edit /etc/bluetooth/input.conf and set this back to false but then beware that you may be vulnerable to attack from anyone within bluetooth range when your machine is discoverable - ie. bluetooth settings panel is open
- getaddrinfo() - possible to still trigger
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
Stack buffer overflow on parsing a tar archive with an extremely large extended attribute name/value - the PAX archive format allows extended attributes to be stored - on the kernel’s VFS layer these are limited to 255 bytes for the name and 64kB for the value - but in a tar these can be basically arbitrary
When processing the archive, tar would allocate space for these on the stack - BUT the stack is limited to a maximum size of 8MB normally - so if one can specify an xattr name of more than 8MB one can overflow the entire stack memory region - then into guard pages or even beyond, triggering a segfault or at worst a heap corruption and hence possible RCE -> but in Ubuntu we have enabled stack clash protection since 19.10 - which turns this into a DoS only
$ hardening-check $(which tar)
/usr/bin/tar:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: yes
Control flow integrity: yes
Speaking from experience, it is not easy to create such an archive - either through a real xattr on disk or through specifying one on the command-line (since you can specify arbitrary attributes to be stored for files when adding them to an archive but then you hit the maximum limit of command-line arguments) BUT it is possible - in my case I did this through using sed to replace the contents of an xattr name in an existing archive with a crafted one and then doing a bunch of other hacks to fix up all the metadata of the tar archive to match - helpfully, all these attributes in the archive are stored as NUL-terminated strings, so one can simply use sed to fix them all up assuming you can calculate the correct values
Fixed by instead allocating these on the heap which does not have the same arbitrary limitation as the stack
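A pre-extraction check a defender can run on an archive received from outside, as an added example that is not part of tar or of the podcast: it reads only the PAX extended headers (GNU tar records xattrs there as SCHILY.xattr.<name>) and reports any name or value beyond the kernel VFS limits quoted above, since no xattr captured from a real filesystem can be that large. The sample archives are constructed with Python's tarfile module, and the function names are mine.

```python
import io
import tarfile

# Kernel VFS limits mentioned above: 255-byte xattr names, 64 kB values.
XATTR_NAME_MAX = 255
XATTR_SIZE_MAX = 64 * 1024
# GNU tar stores extended attributes as PAX records with this key prefix.
XATTR_PREFIX = "SCHILY.xattr."


def oversized_xattrs(archive_bytes):
    """Return [(member name, xattr name prefix, name length, value length)]
    for every xattr record whose name or value is larger than the kernel
    would ever produce.  Nothing is extracted; only PAX headers are read."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar:
            for key, value in member.pax_headers.items():
                if not key.startswith(XATTR_PREFIX):
                    continue
                name = key[len(XATTR_PREFIX):]
                value_len = len(value.encode("utf-8", "surrogateescape"))
                if len(name) > XATTR_NAME_MAX or value_len > XATTR_SIZE_MAX:
                    # Report only a prefix of the name so a multi-megabyte
                    # name does not flood whatever consumes this result.
                    findings.append((member.name, name[:40], len(name), value_len))
    return findings


def build_archive(xattr_name, xattr_value):
    """Construct a one-file PAX archive carrying a single xattr record.
    Sample data only; it stands in for an archive received from outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        payload = b"hello\n"
        info = tarfile.TarInfo("hello.txt")
        info.size = len(payload)
        info.pax_headers = {XATTR_PREFIX + xattr_name: xattr_value}
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_archive("user.comment", "built by CI")
    # A 4 kB name already exceeds anything the VFS allows, well short of
    # the multi-megabyte names needed to exhaust an 8 MB stack.
    suspect = build_archive("user." + "A" * 4096, "x")
    print("benign :", oversized_xattrs(benign))
    print("suspect:", oversized_xattrs(suspect))
```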
- objdump etc
- os.path.normpath() it would get truncated at the NUL byte - fixed to remove this behaviour
Mark Esler is our special guest on the podcast this week to discuss the OpenSSF’s Compiler Options Hardening Guide for C/C++ plus we cover vulnerabilities and updates for GIMP, FreeRDP, GStreamer, HAProxy and more.
65 unique CVEs addressed
- index.html#.png to a static server (since usually it is configured to route .png to a static server, but in this case the request is really for index.html)
This week we take a deep dive into the Reptar vuln in Intel processors plus we look into some relic vulnerabilities in Squid and OpenZFS and finally we detail new hardening measures in tracker-miners to keep your desktop safer.
115 unique CVEs addressed
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|
aws | 99.2 | 99.1 | 99.1 | 99.1 | — |
aws-5.15 | — | 99.2 | — | — | — |
aws-5.4 | — | — | 99.1 | — | — |
aws-6.2 | 99.2 | — | — | — | — |
aws-hwe | — | — | — | 99.1 | — |
azure | 99.2 | 99.1 | — | 99.1 | — |
azure-4.15 | — | — | 99.1 | — | — |
azure-5.4 | — | — | 99.1 | — | — |
azure-6.2 | 99.2 | — | — | — | — |
gcp | 99.2 | 99.1 | — | 99.1 | — |
gcp-4.15 | — | — | 99.1 | — | — |
gcp-5.15 | — | 99.2 | — | — | — |
gcp-5.4 | — | — | 99.1 | — | — |
gcp-6.2 | 99.2 | — | — | — | — |
generic-4.15 | — | — | 99.1 | 99.1 | — |
generic-4.4 | — | — | — | 99.1 | 99.1 |
generic-5.15 | — | 99.2 | — | — | — |
generic-5.4 | — | 99.1 | 99.1 | — | — |
gke | 99.2 | 99.1 | — | — | — |
gke-5.15 | — | 99.2 | — | — | — |
gkeop | — | 99.1 | — | — | — |
hwe-6.2 | 99.2 | — | — | — | — |
ibm | 99.2 | 99.1 | — | — | — |
ibm-5.15 | — | 99.2 | — | — | — |
ibm-5.4 | — | — | 99.1 | — | — |
linux | 99.2 | — | — | — | — |
lowlatency-4.15 | — | — | 99.1 | 99.1 | — |
lowlatency-4.4 | — | — | — | 99.1 | 99.1 |
lowlatency-5.15 | — | 99.2 | — | — | — |
lowlatency-5.4 | — | 99.1 | 99.1 | — | — |
canonical-livepatch status
As we ease back into regular programming, we cover the various activities the team got up to over the past few weeks whilst away in Riga for the Ubuntu Summit and Ubuntu Engineering Sprint.
With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.
91 unique CVEs addressed
- p parameter) value (over 10,000 bits)
- p value and hence take an excessive amount of time - fixed by checking this earlier and erroring out in that case
- q parameter could also be abused in the same way - since the size of this has to be less than p was fixed by just checking it against this
- infotocap
After a well-deserved break, we’re back looking at the recent Ubuntu 23.10 release and the significant security technologies it introduces along with a call for testing of unprivileged user namespace restrictions, plus the details of security updates for curl, Samba, iperf3, CUE and more.
26 unique CVEs addressed
- curl_easy_duphandle() function
- %U directive in smb.conf - if specified a path to be shared like /home/%U/FILES the %U would seemingly be ignored and not replaced with the username as expected - and hence the share would fail - this same issue actually occurred previously in January this year - have now added a regression test specifically to try and ensure we do not introduce this same issue in the future again
- MAX_UINT adding 1 then wraps the integer around back to zero - and so no memory gets allocated - and when copying into the subsequent memory get a buffer overflow
The hope is to get this enabled by default in 24.04 LTS - but we need as much testing as we can get to find anything else which is not working as expected beforehand - easy to do via a new sysctl
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
/etc/sysctl.d, e.g. create a file /etc/sysctl.d/60-apparmor.conf with the following contents:
kernel.apparmor_restrict_unprivileged_userns = 1
Then if you do find something which is not working as expected, you can create a simple AppArmor profile which will allow it to use unprivileged user namespaces without any additional restrictions, e.g.:
abi <abi/4.0>,
include <tunables/global>
/opt/google/chrome/chrome flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/opt.google.chrome.chrome>
}
- aa-exec’ing themselves via that profile - so then also need to enable the kernel.apparmor_restrict_unprivileged_unconfined = 1 sysctl too
- ubuntu-bug apparmor or visit https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug
It’s the Linux Security Summit in Bilbao this week and we bring you some highlights from our favourite talks, plus we cover the 25 most stubborn software weaknesses, and we look at security updates for Open VM Tools, libwebp, Django, binutils, Indent, the Linux kernel and more.
88 unique CVEs addressed
- CREATE to being able to execute arbitrary code as a bootstrap superuser) also affected PostgreSQL 9.5 in Ubuntu 16.04.
- .xll files from standard blocklist that warns users when downloading executables - more of a Windows issue but these are Excel add-in files - ie. plugins for Excel, “memory safety bugs”
- FILES_TMP_CONTENT variable
- atftpd if requesting a non-existent file - turns out to be a buffer overflow so could possibly be used for code execution
CWE-ID | Description | 2023 Rank |
---|---|---|
CWE-787 | Out-of-bounds Write | 1 |
CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2 |
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3 |
CWE-416 | Use After Free | 4 |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 5 |
CWE-20 | Improper Input Validation | 6 |
CWE-125 | Out-of-bounds Read | 7 |
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8 |
CWE-352 | Cross-Site Request Forgery (CSRF) | 9 |
CWE-476 | NULL Pointer Dereference | 12 |
CWE-287 | Improper Authentication | 13 |
CWE-190 | Integer Overflow or Wraparound | 14 |
CWE-502 | Deserialization of Untrusted Data | 15 |
CWE-119 | Improper Restriction of Operations within Bounds of a Memory Buffer | 17 |
CWE-798 | Use of Hard-coded Credentials | 18 |
Andrei is back this week with a deep dive into recent research around CVSS scoring inconsistencies, plus we look at a recent Ubuntu blog post on the internals of package updates and the repositories, and we cover security updates in Apache Shiro, GRUB2, CUPS, RedCloth, curl and more.
77 unique CVEs addressed
- CUPS-Get-Document operation - could allow other users to fetch print documents without authentication
“Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities” - to appear in IEEE Symposium on Security & Privacy (aka S&P) in 2024
This week we detail the recently announced and long-awaited feature of TPM-backed full-disk encryption for the upcoming Ubuntu 23.10 release, plus we cover security updates for elfutils, GitPython, atftp, BusyBox, Docker Registry and more.
93 unique CVEs addressed
- git clone and doesn’t completely validate the options and so leads to shell-command injection - thanks to Sylvain Beucler from Debian LTS team for noticing this and pointing it out to the upstream project
- /etc/group on the server but likely this is not deterministic and would be whatever else was on the heap
- free() on malformed gzip data - on error, sets bit 1 of a pointer to indicate that an error occurred - would then go and pass this pointer to free() but now the pointer is 1 byte past where it should be - so need to unset this bit first
- snap recovery --show-keys
- emergency.service unit is still enabled which allows the usual boot checks to be bypassed
This week we cover reports of “fake” CVEs and their impact on the FOSS security ecosystem, plus we look at security updates for PHP, Fast DDS, JOSE for C/C++, the Linux kernel, AMD Microcode and more.
83 unique CVEs addressed
- clearcpuid=avx on the kernel command-line (but this will have a decent performance impact)
- --retry-delay command-line option - where if you specify a really large value of seconds, cURL will multiply this by 1000 to convert it to ms and hence overflow
This week we talk about HTTP Content-Length handling, intricacies of group management in container environments and making sure you check your return codes while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call out for input on using open source tools to secure your SDLC.
69 unique CVEs addressed
- Content-Length headers even when there was content in the request (which violates RFC 9110 - HTTP Semantics) - this RFC explicitly says:
If the message is forwarded by a downstream intermediary, a Content-Length field value that is inconsistent with the received message framing might cause a security failure due to request smuggling or response splitting. As a result, a sender MUST NOT forward a message with a Content-Length header field value that is known to be incorrect.
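The strict framing behaviour the RFC text above calls for, as an added example that is not HAProxy's code: Content-Length values that are empty, non-numeric or conflicting are rejected instead of forwarded, and a body that does not match the declared length is refused rather than being parsed as a second request. Transfer-Encoding is deliberately left out, and the sample requests are constructed.

```python
import re

_DIGITS = re.compile(r"^[0-9]+$")


def parse_content_length(headers):
    """headers: list of (name, value) pairs.  Returns the declared body
    length, or None when no Content-Length field is present.  Raises
    ValueError for any value RFC 9110 says must not be forwarded: empty,
    non-numeric, or a list of values that disagree (identical repeats are
    tolerated, as the RFC allows)."""
    values = []
    for name, value in headers:
        if name.lower() == "content-length":
            # A single field may carry a comma-separated list, e.g. after a
            # proxy merged duplicate headers.
            values.extend(part.strip() for part in value.split(","))
    if not values:
        return None
    lengths = set()
    for v in values:
        if not _DIGITS.match(v):
            raise ValueError("invalid Content-Length value: %r" % v)
        lengths.add(int(v))
    if len(lengths) != 1:
        raise ValueError("conflicting Content-Length values: %s" % sorted(lengths))
    return lengths.pop()


def frame_request(raw):
    """Split one raw HTTP/1.1 request (bytes) into (request line, headers,
    body).  The body length comes only from a valid Content-Length; bytes
    beyond it are a framing error rather than a second request, which is
    the failure mode behind request smuggling.  Transfer-Encoding is not
    handled here (assumption made for brevity)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("ascii").split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 9110 forbids whitespace between the field name and the colon.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value.strip()))
    declared = parse_content_length(headers)
    if declared is None:
        declared = 0
    if len(rest) != declared:
        raise ValueError("body is %d bytes but Content-Length declares %d"
                         % (len(rest), declared))
    return request_line, headers, rest


# Constructed sample requests.
GOOD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
# Empty Content-Length with a body following: the case HAProxy used to accept.
EMPTY_CL = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: \r\n\r\nhello"

if __name__ == "__main__":
    print(frame_request(GOOD))
    try:
        frame_request(EMPTY_CL)
    except ValueError as err:
        print("rejected:", err)
```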
ubuntu@ubuntu:~$ groups
ubuntu sudo
- pdftops binary
- setuid()/setgid() system calls used in ftpd/rshd/rlogin etc
We’re back after unexpectedly going AWOL last week to bring you the latest in Ubuntu Security including the recently announced Downfall and GameOver(lay) vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and we detail plans for using AppArmor to restrict the use of unprivileged user namespaces as an attack vector in future Ubuntu releases.
143 unique CVEs addressed
14 CVEs addressed in Jammy (22.04 LTS)
6.1 kernel
8 different high priority vulns - most mentioned previously - does include “GameOver(lay)” which we haven’t covered yet - reported by Wiz Research and is specific to Ubuntu kernels
OverlayFS is a union filesystem which allows multiple filesystems to be mounted at the same time, and presents a single unified view of the filesystems. In 2018 we introduced some changes to OverlayFS as SAUCE patches to handle extended attributes in overlayfs. Then in 2020 we backported commits to fix CVE-2021-3493 - in the process this also added support for extended attributes in OverlayFS so now there were two code paths, each using different implementations for extended attributes. One was protected against the vuln in CVE-2021-3493 whilst the other was not.
This vulnerability exploits that same flaw in the unprotected implementation.
In this case, the vulnerability is in the handling of extended attributes in OverlayFS - the vulnerability is that it is possible to create a file with extended attributes which are not visible to the user, and then mount that file in a way which allows the extended attributes to be visible to the user
- nosuid option, and then remounting it with suid option. This allows the user to then execute arbitrary code as root. NOTE: requires the user to have the ability to have CAP_SYS_ADMIN but this is easy with unprivileged user namespaces.
Even more reason to keep pursuing the effort to restrict the use of unprivileged user namespaces in upcoming Ubuntu 23.10
- gather_data_sampling=off - this is useful for those who want to avoid the performance hit, and are willing to accept the risk of the vulnerability.
This week we look at the recent Zenbleed vulnerability affecting some AMD processors, plus we cover security updates for the Linux kernel, a high profile OpenSSH vulnerability and finally Andrei is back with a deep dive into recent academic research around how to safeguard machine learning systems when used across distributed deployments.
123 unique CVEs addressed
- /usr/lib on your local machine
- ssh
- wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
- CAP_NET_ADMIN to exploit - but can get this in an unprivileged user namespace -> privesc
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
---|---|---|---|---|---|
aws | — | 96.2 | — | 96.2 | — |
aws-hwe | — | — | — | 96.2 | — |
azure | 96.3 | 96.2 | — | 96.2 | — |
azure-5.4 | — | — | 96.2 | — | — |
gcp | 96.3 | 96.2 | — | 96.2 | — |
gcp-4.15 | — | — | 96.2 | — | — |
gcp-5.15 | — | 96.3 | — | — | — |
gcp-5.4 | — | — | 96.2 | — | — |
generic-4.15 | — | — | 96.2 | 96.2 | — |
generic-4.4 | — | — | — | 96.2 | 96.2 |
generic-5.15 | — | 96.3 | — | — | — |
generic-5.4 | — | 96.2 | 96.2 | — | — |
gke | 96.3 | 96.2 | — | — | — |
gke-5.15 | — | 96.3 | — | — | — |
gke-5.4 | — | — | 96.2 | — | — |
gkeop | — | 96.2 | — | — | — |
gkeop-5.4 | — | — | 96.2 | — | — |
ibm | 96.3 | 96.2 | — | — | — |
ibm-5.4 | — | — | 96.2 | — | — |
linux | 96.3 | — | — | — | — |
lowlatency-4.15 | — | — | 96.2 | 96.2 | — |
lowlatency-4.4 | — | — | — | 96.2 | 96.2 |
lowlatency-5.15 | — | 96.3 | — | — | — |
lowlatency-5.4 | — | 96.2 | 96.2 | — | — |
- include element that specifies say <xi:include href=".?../../../../../../../../../../etc/passwd"/> - simple PoC provided by the upstream reporter
This week we talk about the dual use purposes of eBPF - both for security and for exploitation, and how you can keep your systems safe, plus we cover security updates for the Linux kernel, Ruby, SciPy, YAJL, ConnMan, curl and more.
80 unique CVEs addressed
- io_uring
- x* as punycode names always start with xn--
- /sys/kernel/debug/tracing/uprobe_events but once done, this then allows a BPF program to be executed every time the specified function within a specified library / binary is executed - so by hooking libpam can then log the credentials used by any user when logging in / authenticating for sudo etc.
- LD_PRELOAD to hook into the functions - but this requires that binaries get executed with this environment set so is harder to achieve.
- .text section) to look for breakpoint opcode (0xCC) or it could look for the special memory mapping [uprobes] in /proc/self/maps
- /sys/kernel/debug/tracing/uprobe_events - which lists all the uretprobes currently in use on the system
We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen, containerd and more.
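The three process-side indicators of uprobe hooking that the eBPF episode notes above list (the [uprobes] mapping in /proc/self/maps, entries in /sys/kernel/debug/tracing/uprobe_events, and 0xCC breakpoints in .text that differ from the file on disk), as an added example not taken from the podcast or any tool it mentions. The maps and uprobe_events contents are constructed samples in the kernel's documented formats, and the function names are mine.

```python
import re

INT3 = 0xCC  # x86 breakpoint opcode the kernel plants at a probed address

# Constructed /proc/<pid>/maps excerpt: a probed process carries a [uprobes]
# pseudo-mapping alongside its ordinary file-backed mappings.
SAMPLE_MAPS = """\
5605c3a00000-5605c3a2b000 r--p 00000000 08:01 2621 /usr/bin/sudo
5605c3a2b000-5605c3aa0000 r-xp 0002b000 08:01 2621 /usr/bin/sudo
7f10e6c00000-7f10e6c0e000 r-xp 00004000 08:01 4711 /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
7f10e6d00000-7f10e6d01000 r-xp 00000000 00:00 0 [uprobes]
7ffd1a400000-7ffd1a421000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed uprobe_events content; "p:" is a uprobe, "r:" a uretprobe
# (format p[:[GRP/]EVENT] PATH:OFFSET, per Documentation/trace/uprobetracer.rst).
SAMPLE_EVENTS = """\
p:uprobes/pam_auth /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1:0x00000000000045d0
r:uprobes/pam_auth_ret /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1:0x00000000000045d0
p:uprobes/readline /usr/bin/bash:0x00000000000b1460
"""

_EVENT_RE = re.compile(r"^(?P<kind>[pr]):(?:(?P<group>[^/\s]+)/)?(?P<event>\S+)\s+"
                       r"(?P<path>\S+):(?P<offset>0x[0-9a-fA-F]+)")


def has_uprobes_mapping(maps_text):
    """True if any line of a /proc/<pid>/maps dump is the [uprobes] mapping."""
    return any(line.rstrip().endswith("[uprobes]") for line in maps_text.splitlines())


def parse_uprobe_events(events_text):
    """Parse uprobe_events into dicts with kind ('p' or 'r'), group, event,
    path and offset; malformed lines are skipped."""
    probes = []
    for line in events_text.splitlines():
        m = _EVENT_RE.match(line)
        if m:
            d = m.groupdict()
            d["offset"] = int(d["offset"], 16)
            probes.append(d)
    return probes


def probes_on(events_text, path_fragment):
    """Probes whose target binary path contains path_fragment, e.g. 'libpam'."""
    return [p for p in parse_uprobe_events(events_text) if path_fragment in p["path"]]


def int3_diffs(disk_text, mem_text):
    """Offsets where the in-memory copy of a .text section holds 0xCC but the
    on-disk bytes do not.  Executable pages of a legitimate binary are backed
    by the file, so such a difference is what a planted uprobe looks like."""
    return [i for i, (d, m) in enumerate(zip(disk_text, mem_text))
            if m == INT3 and d != INT3]


if __name__ == "__main__":
    print("[uprobes] mapping present:", has_uprobes_mapping(SAMPLE_MAPS))
    for p in probes_on(SAMPLE_EVENTS, "libpam"):
        print("probe on libpam:", p)
    # Constructed .text bytes: in the in-memory copy the first byte of a
    # function (push rbp = 0x55) at offset 4 has been replaced by int3.
    disk = bytes([0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xE5])
    mem = bytes([0x90, 0x90, 0x90, 0x90, 0xCC, 0x48, 0x89, 0xE5])
    print("int3 planted at offsets:", int3_diffs(disk, mem))
```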
50 unique CVEs addressed
- ~/.pam_environment file which is used to configure various per-user session environment variables - this way no matter how you log in to a Ubuntu system, the locale etc that you configured via g-c-c etc gets used
- io_uring subsystem - local attacker could use this to trigger a deadlock and hence a DoS
- INVLPG instruction - but it was found that on certain hardware platforms this did not actually flush the global TLB contrary to expectation - and so could leak kernel memory back to userspace
- io_uring and TC flower plus OOB read in InfiniBand RDMA driver - DoS / info leak
- eval() function directly on value obtained from an XML document
- eval() without having to remove this functionality - new update disables this by default and instead only allows a much limited subset of colors to be parsed
- apparmor_parser
This week we look at the top 25 most dangerous vulnerability types, as well as the announcement of the program for LSS EU, and we cover security updates for Bind, the Linux kernel, CUPS, etcd and more.
36 unique CVEs addressed
- warn or higher - could then either cause a crash (SEGV etc) or could potentially end up logging sensitive info if that was then present in that memory location
Rank | ID | Name | Score | CVEs in KEV |
---|---|---|---|---|
1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.54 | 4 |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 34.27 | 6 |
4 | CWE-416 | Use After Free | 16.71 | 44 |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 15.65 | 23 |
6 | CWE-20 | Improper Input Validation | 15.50 | 35 |
7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.11 | 16 |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 |
11 | CWE-862 | Missing Authorization | 6.90 | 0 |
12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 |
13 | CWE-287 | Improper Authentication | 6.39 | 10 |
14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 |
15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 4.95 | 4 |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 |
18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 |
19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 |
20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.53 | 8 |
22 | CWE-269 | Improper Privilege Management | 3.31 | 5 |
23 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.30 | 6 |
24 | CWE-863 | Incorrect Authorization | 3.16 | 0 |
25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 |
For our 200th episode, we discuss the impact of Red Hat’s decision to stop publicly releasing the RHEL source code, plus we cover security updates for libX11, GNU SASL, QEMU, VLC, pngcheck, the Linux kernel and a whole lot more.
73 unique CVEs addressed
- PTcrop utility which could be abused to execute arbitrary code etc
- apt upgrade or use unattended-upgrades to install security updates as this will upgrade all installed binary packages to all the newer versions, and not say just apt install sssd which would only pull in some of the binary packages
- podman play kube to create containers / pods / volumes based on a k8s yaml, it would always pull in the k8s.gcr.io/pause image - this is not necessary and it is not necessarily maintained and so could present a security issue as a result
7 CVEs addressed in Jammy (22.04 LTS)
6.1 OEM
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
your machine to be able to trigger (shout out to USBGuard)
OOB write in network queuing scheduler
Kernel type | 22.04 | 20.04 | 18.04 |
---|---|---|---|
aws | 95.4 | 95.4 | — |
aws-5.15 | — | 95.4 | — |
aws-5.4 | — | — | 95.4 |
azure | 95.4 | 95.4 | — |
azure-5.4 | — | — | 95.4 |
gcp | 95.4 | 95.4 | — |
gcp-5.15 | — | 95.4 | — |
gcp-5.4 | — | — | 95.4 |
generic-5.4 | — | 95.4 | 95.4 |
gke | 95.4 | 95.4 | — |
gke-5.15 | — | 95.4 | — |
gke-5.4 | — | — | 95.4 |
gkeop | — | 95.4 | — |
gkeop-5.4 | — | — | 95.4 |
ibm | 95.4 | 95.4 | — |
ibm-5.4 | — | — | 95.4 |
linux | 95.4 | — | — |
lowlatency | 95.1 | — | — |
lowlatency-5.4 | — | 95.4 | 95.4 |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
For our 199th episode Andrei looks at Fuzzing Configurations of Program Options plus we discuss Google’s findings on the io_uring kernel subsystem and we look at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib and more.
53 unique CVEs addressed
- Subject DN field - this would then be used directly in the query and would be interpreted as parameters in the LDAP query - could then allow a malicious client to provide a crafted certificate which performs arbitrary LDAP queries etc - such that when used in conjunction with FreeIPA they could elevate their privileges