Episode 115

Overview

This week we look at some details of the 90 unique CVEs addressed across the supported Ubuntu releases and more.

This week in Ubuntu Security Updates

90 unique CVEs addressed

[USN-4934-2] Exim vulnerabilities [00:41]

• 16 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
  • CVE-2021-27216
  • CVE-2020-28025
  • CVE-2020-28024
  • CVE-2020-28022
  • CVE-2020-28020
  • CVE-2020-28017
  • CVE-2020-28016
  • CVE-2020-28015
  • CVE-2020-28014
  • CVE-2020-28013
  • CVE-2020-28012
  • CVE-2020-28011
  • CVE-2020-28009
  • CVE-2020-28008
  • CVE-2020-28007
  • CVE-2020-28026
• Episode 114

[USN-4937-1] GNOME Autoar vulnerability [01:00]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-28650
• Directory traversal due to failure to properly handle symlinks (result of incomplete fix for previous CVE-2020-36241)

[USN-4936-1] Thunderbird vulnerabilities [01:47]

• 5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-29950
  • CVE-2021-23978
  • CVE-2021-23973
  • CVE-2021-23969
  • CVE-2021-23968
• 78.8.1
• If used a PGP key but then a failure occurred, TB would keep the decrypted key in memory - on Ubuntu we enable Yama ptrace restrictions (ptrace_scope) - so this means processes can only ptrace their descendents by default and hence even other user-level processes cannot dump the memory of another process to say extract this private key
• Various other CVEs inherited from Firefox

[USN-4938-1] Unbound vulnerabilities [03:21]

• 13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-28935
  • CVE-2019-25042
  • CVE-2019-25041
  • CVE-2019-25040
  • CVE-2019-25039
  • CVE-2019-25038
  • CVE-2019-25037
  • CVE-2019-25036
  • CVE-2019-25035
  • CVE-2019-25034
  • CVE-2019-25033
  • CVE-2019-25032
  • CVE-2019-25031
• Validating, recursive DNS resolver
• Remote DoS, command injection, RCE, local file overwrite etc

[USN-4939-1] WebKitGTK vulnerabilities [03:48]

• 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-1871
  • CVE-2021-1844
  • CVE-2021-1788
• 1 logic issue, 2 memory corruption bugs - all leading to possible RCE

[USN-4940-1] PyYAML vulnerability [04:12]

• 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-14343
• RCE when processing untrusted YAML - due to incomplete fix for previous CVE-2020-1747 - that CVE not specifically patched in Ubuntu as either the versions of pyyaml were too old to be affected or were based on upstream releases that had already patched it

[USN-4941-1] Exiv2 vulnerabilities [04:35]

• 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-3482
  • CVE-2021-29470
  • CVE-2021-29458
  • CVE-2021-29457
• EXIF/IPTC/XMP metadata manipulation tool
• Heap buffer overflow or OOB read when writing metadata - so not so likely to be triggered by applications that are just extracting metadata etc
• Heap buffer overflow for handling EXIF in JPG images

[USN-4942-1] Firefox vulnerability [05:09]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-29952
• 88.0.1
• Race condition on destruction of WebRender components -> UAF? -> possible RCE

[USN-4943-1] XStream vulnerabilities [05:32]

• 14 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-21351
  • CVE-2021-21350
  • CVE-2021-21349
  • CVE-2021-21348
  • CVE-2021-21347
  • CVE-2021-21346
  • CVE-2021-21345
  • CVE-2021-21344
  • CVE-2021-21343
  • CVE-2021-21342
  • CVE-2021-21341
  • CVE-2020-26259
  • CVE-2020-26258
  • CVE-2020-26217
• Episode 102 - B+F - corresponding fixes for those 3 CVEs for G
• Also a heap of others - denial of service, arbitrary code execution, arbitrary file deletion and server-side forgery attacks

[USN-4944-1] MariaDB vulnerabilities [06:04]

• Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
• Latest upstream point releases rolling in a large number of security fixes:
  • Ubuntu 18.04 LTS has been updated to MariaDB 10.1.48.
  • Ubuntu 20.04 LTS has been updated to MariaDB 10.3.29.
  • Ubuntu 20.10 has been updated to MariaDB 10.3.29.
  • Ubuntu 21.04 has been updated to MariaDB 10.5.10.
  • Thanks to Otto Kekäläinen from the MariaDB foundation for contributing and preparing these updates

[USN-4945-1] Linux kernel vulnerabilities [06:33]

• 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-30002
  • CVE-2021-29650
  • CVE-2021-29265
  • CVE-2021-28660
  • CVE-2021-28375
  • CVE-2021-28038
  • CVE-2020-25639
• 5.4 (standard kernel for 20.04 LTS, HWE for 18.04 LTS)

[USN-4946-1] Linux kernel vulnerabilities

• 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2021-30002
  • CVE-2021-29650
  • CVE-2021-29265
  • CVE-2021-29264
  • CVE-2021-28688
  • CVE-2021-28038
  • CVE-2021-26931
  • CVE-2021-26930
  • CVE-2021-20292
• 4.15 (standard kernel for 18.04 LTS, HWE for 16.04 ESM, Azure for 14.04 ESM)

[USN-4947-1] Linux kernel (OEM) vulnerabilities

• 5 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-30002
  • CVE-2021-29650
  • CVE-2021-29646
  • CVE-2021-28375
  • CVE-2020-35519
• 5.6 (OEM for 20.04 LTS)

[USN-4948-1] Linux kernel (OEM) vulnerabilities

• 21 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-3483
  • CVE-2021-31916
  • CVE-2021-29657
  • CVE-2021-29650
  • CVE-2021-29649
  • CVE-2021-29647
  • CVE-2021-29646
  • CVE-2021-29266
  • CVE-2021-29264
  • CVE-2021-28972
  • CVE-2021-28971
  • CVE-2021-28964
  • CVE-2021-28952
  • CVE-2021-28951
  • CVE-2021-28688
  • CVE-2020-25672
  • CVE-2020-25671
  • CVE-2020-25670
  • CVE-2021-3491
  • CVE-2021-3490
  • CVE-2021-3489
• 5.10 (OEM for 20.04 LTS)
• 3 Pwn2Own vulnerabilities
  • Ryota Shiga - eBPF ring buffer
  • Manfred Paul - eBPF bounds tracking on bitwise operations
  • Billy Jheng Bing-Jhong - io_uring
    • All OOB writes + info leaks -> local priv esc + code execution as root

[USN-4949-1] Linux kernel vulnerabilities

• 12 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-29650
  • CVE-2021-29646
  • CVE-2021-29266
  • CVE-2021-29265
  • CVE-2021-29264
  • CVE-2021-28375
  • CVE-2021-26931
  • CVE-2021-26930
  • CVE-2020-25639
  • CVE-2021-3491
  • CVE-2021-3490
  • CVE-2021-3489
• 5.8 (standard kernel for 20.10, HWE for 20.04 ESM, Azure for 14.04 ESM)

[USN-4950-1] Linux kernel vulnerabilities

• 3 CVEs addressed in Hirsute (21.04)
  • CVE-2021-3491
  • CVE-2021-3490
  • CVE-2021-3489
• 5.11
• Plus CAN ISOTP race condition - discovered by a Norbert Slusarek (high school student in Germany) - local privilege escalation
  • Introduced via recent broadcast mode support (normally a CAN socket registers a particular CAN ID to receive and only gets those frames - was only in 5.11 kernel so only affected hirsute) - this support has been removed from the hirsute kernel until a proper fix comes from upstream

[USN-4951-1] Flatpak vulnerability [10:16]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-21381
• File forwarding issue which could allow an attacker to get access to files that are not normally provided by the permissions granted to an app
• Use special tokens in the Exec line of the desktop file for an app could trick flatpak runtime into providing access to a file as though this had been explicitly granted by the user
  • snapd generates desktop files so less likely to be affected by this sort of issue - less untrusted input in general (but perhaps also less flexible)

Goings on in Ubuntu Security Community

Hiring [11:47]

Linux Cryptography and Security Engineer

• https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

• https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter