Overview
This week we look at how Ubuntu is faring at Pwn2Own 2021 (which still has
1 day and 2 more attempts at pwning Ubuntu 20.10 to go) plus we look at
security updates for SpamAssassin, the Linux kernel, Rack and Django, and
we cover some open positions on the Ubuntu Security team too.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-4899-1] SpamAssassin vulnerability [00:46]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Damian Lukowski - remote code execution in configuration file parser for
SpamAssassin - failed to properly sanitise certain elements of config
files so could allow an attacker to specify commands to be executed by
SpamAssassin - if not using configs from untrusted sources should be fine
[USN-4900-1] OpenEXR vulnerabilities [01:40]
- 6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Usual mix of memory corruption vulns in this image processing library -
DoS via memory consumption, integer overflow -> buffer overflow -> RCE
etc from crafted image files
[USN-4901-1] Linux kernel (Trusty HWE) vulnerabilities [02:24]
- 4 CVEs addressed in Precise ESM (12.04 ESM)
- 3.13 kernel used as the HWE kernel from 14.04 backported to 12.04 ESM
- iSCSI issues from Episode 109 plus LIO SCSI XCOPY issue from Episode 102
[USN-4561-2] Rack vulnerabilities [03:27]
- 2 CVEs addressed in Xenial (16.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Modular Ruby webserver interface
- Episode 93 - 18.04 LTS - now provided for remaining releases
[USN-4902-1] Django vulnerability [03:53]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Potential directory traversal via uploaded files - if using a custom
upload handler with the MultiPartParser from the django parsers
framework, could have been vulnerable - didn’t affect any of the built-in
upload parsers within django hence the low priority rating for this CVE
Goings on in Ubuntu Security Community
Ubuntu at Pwn2Own 2021 [04:47]
- https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
- 6th, 7th & 8th April - 23 separate entries targeting 10 different
products in the categories of Web Browsers, Virtualization, Servers,
Local Escalation of Privilege, and Enterprise
Communications (aka Zoom, MS Teams etc)
- 14 years - grows each year to include new targets / platforms - this year
included categories for both automotive (Tesla Model 3) and Enterprise
applications (MS Office, Adobe Reader) - but neither had any entrants
- 4 different teams targeted Ubuntu Desktop in local privilege escalation
category - go from a standard user to root - and pwn2own rules say this
must be via a kernel vulnerability - in this case it is an up-to-date
Ubuntu 20.10 install running inside a virtual machine
- Attempts on day 1 and 2 were both successful - Ryota Shiga of Flatt
Security and Manfred Paul both used separate OOB access bugs to escalate
from a standard user to root
- each earned $30,000 and 3 points in the competitions Master of Pwn
award
- Tomorrow (8th) will see two more attempts by Billy from STAR Labs and
Vincent Dehors of Synacktiv - this will be live-streamed too on YouTube,
Twitch, and the conference site.
- Also not just Ubuntu was exploited - so far all teams who have attempted
to exploit have been successful - Safari, MS Exchange, MS Teams, Windows
10, Parallels Desktop, Chrome, Microsoft Edge, Zoom
- only exception so far is for STAR Labs who have not managed to get
their exploits working in the allotted time
- More details to follow once the vulns and their fixes become public -
competition has a 90 day policy for fixes to be public but I suspect we
will see these sooner than that - regardless will look at remaining results of
other 2 teams next week as well
Hiring [10:03]
AppArmor Security Engineer
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact