Overview
Ubuntu One opens up two-factor authentication for all, plus we cover
security updates for Nettle, libxml2, GRUB2, the Linux kernel and more.
This week in Ubuntu Security Updates
73 unique CVEs addressed
[USN-4989-2] BlueZ vulnerabilities [00:57]
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- Covered in Episode 120 - a Bluetooth specification issue that allows a
pairing takeover, plus a possible double-free in gatttool that is likely
quite hard to exploit because of the narrow race window between the two
free() calls
[USN-4990-1] Nettle vulnerabilities [01:27]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Low level crypto library used by lots of packages - chrony, dnsmasq,
lighttpd, qemu, squid, supertuxkart
- Last covered just a few weeks ago in Episode 112 - is someone taking a
closer look at this library?
- Bleichenbacher-type side channel based on a padding oracle in the endian
conversion of RSA-decrypted PKCS#1 v1.5 data - requires the attacker to run
a process on the same physical core as the victim, but could then allow
the plaintext to be extracted
- Possible crash in the RSA code that can be triggered by decryption of a
manipulated ciphertext -> DoS
- The changes required for both of these are too intrusive to backport to
the older releases (e.g. 16.04 ESM), so upgrade to a newer Ubuntu release
if you use nettle on these older releases and are concerned about these
attacks
[USN-4991-1] libxml2 vulnerabilities [03:08]
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Crafted XML could trigger a crash -> DoS, or possibly RCE
[USN-4992-1] GRUB 2 vulnerabilities [03:33]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Covered in Episode 106 - the BootHole 2021 updates are now published to
the security pocket
- Vulns included the ability to load ACPI tables, a UAF in rmmod, a buffer
overflow in the command-line parser, a cutmem command boot-locking bypass,
a heap buffer overflow in the option parser, and a menu rendering OOB
write -> RCE; all could lead to a bypass of Secure Boot protections
- Uses "one grub" - i.e. the same grub EFI binary is used across all recent
Ubuntu releases
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
[USN-4993-1] Dovecot vulnerabilities [05:13]
- 2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- STARTTLS plaintext command injection via SMTP (the submission service)
- Plus, when OAUTH2 is in use, a local attacker who can write files to disk
could supply their own key to validate a JSON Web Token they crafted
themselves, and hence log in as any other user and read their mail
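The second Dovecot issue is an instance of a general bug class: a key identifier taken from the token itself is used to build the path of the key file, so anyone who can drop a file somewhere on disk can make the validator trust their own key. The example below is added here and is not Dovecot's code; it is a toy HS256 validator that reads keys by `kid` from a key directory (Dovecot's advisory names the unescaped `kid` and `azp` fields; the directory layout, the regex allowlist and the hypothetical `load_key_unsafe` / `load_key_safe` helpers are this example's own). The vulnerable loader joins `kid` onto the path as-is; the hardened one allowlists the identifier and confirms the resolved path stays inside the key directory.

```python
"""Attacker-controlled key id used as a file path: vulnerable vs hardened lookup.

Added illustration of the bug class, not Dovecot's code. Directory layout, key
names and the regex allowlist are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json
import os
import re
import tempfile
from typing import Callable, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Build an HS256 JWT whose header carries a caller-chosen key identifier."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def load_key_unsafe(keydir: str, kid: str) -> bytes:
    """Vulnerable: kid goes straight into the path, so '../' walks out of keydir."""
    with open(os.path.join(keydir, kid), "rb") as fh:
        return fh.read()


KID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed allowlist for key identifiers


def load_key_safe(keydir: str, kid: str) -> bytes:
    """Hardened: allowlist the identifier, then confirm the resolved path is inside keydir."""
    if not KID_RE.fullmatch(kid):
        raise ValueError("key id contains characters outside the allowlist")
    path = os.path.realpath(os.path.join(keydir, kid))
    if os.path.dirname(path) != os.path.realpath(keydir):
        raise ValueError("key id resolves outside the key directory")
    with open(path, "rb") as fh:
        return fh.read()


def verify_jwt(token: str, keydir: str, loader: Callable[[str, str], bytes]) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies under the key named by kid, else None."""
    try:
        head, payload, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":
            return None  # never let the token choose a different (or 'none') algorithm
        key = loader(keydir, str(header["kid"]))
        expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, KeyError, OSError, AttributeError, TypeError):
        return None


def demo() -> tuple:
    """Constructed scenario: the server key lives in keydir, the attacker's key elsewhere on disk."""
    root = tempfile.mkdtemp()
    keydir = os.path.join(root, "jwt-keys")
    os.makedirs(keydir)
    with open(os.path.join(keydir, "server-1"), "wb") as fh:
        fh.write(b"server-secret")
    scratch = os.path.join(root, "tmp")  # stands in for a world-writable location like /tmp
    os.makedirs(scratch)
    with open(os.path.join(scratch, "evil"), "wb") as fh:
        fh.write(b"attacker-secret")

    forged = make_jwt({"sub": "victim"}, b"attacker-secret", kid="../tmp/evil")
    legit = make_jwt({"sub": "alice"}, b"server-secret", kid="server-1")
    return (
        verify_jwt(forged, keydir, load_key_unsafe),  # accepted: attacker logs in as 'victim'
        verify_jwt(forged, keydir, load_key_safe),    # rejected
        verify_jwt(legit, keydir, load_key_safe),     # still accepted for the real key
    )


if __name__ == "__main__":
    print(demo())
```

The realpath check matters even with the regex in place: a key identifier that passes the allowlist can still name a symlink inside the key directory, and resolving the path before comparing its parent catches that case too.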
[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Various DoS issues where, under certain configurations, an attacker could
issue particular requests and trigger crashes in Apache
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- The usual mix of memory-safety issues for a library written in a
memory-unsafe language that parses complex image formats
- Found by OSS-Fuzz
[USN-4995-1] Thunderbird vulnerabilities [06:48]
- 20 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 78.11.0 - the usual mix of untrusted content / web framework issues
inherited from Firefox, plus fixes for OpenPGP key handling, a TOCTTOU-type
condition in message signature verification (signatures were written out to
disk and could be replaced before being verified), and a UX issue where
inline signed/encrypted messages with additional unprotected parts were not
clearly indicated
[USN-4997-1] Linux kernel vulnerabilities [08:22]
- 17 CVEs addressed in Hirsute (21.04)
- 5.11
- Basically the same set of fixes for all kernels, including a couple of
quite interesting ones:
- eBPF verifier bypass provides an OOB write primitive, which could allow a
local attacker to execute code in the kernel -> privesc (reachable by
unprivileged users when unprivileged BPF is enabled; check with
sysctl kernel.unprivileged_bpf_disabled)
- Race condition in the CAN BCM networking protocol -> various UAFs -> code
execution as well
- Plus others -> Wi-Fi FragAttacks fixes, other eBPF verifier fixes, SCTP
race condition -> UAF, etc.
[USN-4999-1] Linux kernel vulnerabilities [09:51]
- 17 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- 5.8 (groovy, focal hwe)
[USN-5000-1] Linux kernel vulnerabilities [10:08]
- 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 (focal, bionic hwe)
[USN-5001-1] Linux kernel (OEM) vulnerabilities
- 15 CVEs addressed in Focal (20.04 LTS)
- 5.10
[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]
- 1 CVE addressed in Bionic (18.04 LTS)
- 5.3
- CAN BCM race condition
[USN-5003-1] Linux kernel vulnerabilities [10:35]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 (bionic, xenial esm hwe, trusty esm azure)
- CAN BCM race condition and eBPF verifier OOB write
Goings on in Ubuntu Security Community
2FA coming to Ubuntu One [11:04]
- https://ubuntu.com/blog/two-factor-authentication-coming-to-ubuntu-one
- Used for access to discourse.ubuntu.com, Launchpad, ubuntuforums,
publishing to the Snap Store, etc.
- Allows a phone / desktop TOTP app to be used as the second factor, or a
Yubikey (TOTP etc.)
- Has actually been supported since 2014 but was only available to a beta
testing group plus all Canonical employees, due to challenges around
account recovery
- Since Ubuntu One purposefully doesn't store any real identifying
information (name, email, username) we can't easily verify account
holders if they lose their 2FA device
- The intent is to be robust even in the event that a user's email address
is compromised
- Now has a comprehensive code-recovery experience, including printable
backup codes and mechanisms that encourage users to exercise their backup
codes, so that users can feel confident in using them if they need to
(i.e. where did I put my backup codes again..?)
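The two pieces described above, a TOTP second factor and single-use backup codes for recovery, are small enough to show end to end. The code below is an added example and is not Ubuntu One's implementation: it implements RFC 4226 HOTP and RFC 6238 TOTP (checked against the RFC test vectors), a verifier that tolerates clock skew and reports the matched step so a caller can refuse replays, and a server-side store that keeps backup codes only as salted PBKDF2 hashes and burns each one on use. The code format (8 base32 characters, 40 bits of entropy), the PBKDF2 parameters and the `BackupCodeStore` name are this example's own choices.

```python
"""TOTP second factor plus single-use backup codes.

Added example, not Ubuntu One's code. Backup-code format and PBKDF2 settings are
assumptions of this example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{dbc % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP keyed on the number of time steps since the Unix epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, window: int = 1,
                step: int = 30, digits: int = 6, algo: str = "sha1") -> Optional[int]:
    """Return the time step the code matched, or None.

    The caller should record the returned step and refuse to accept it again,
    which stops a captured code being replayed inside the skew window. Every
    candidate is compared with hmac.compare_digest and the loop always runs to
    completion, so timing does not reveal which neighbouring step matched.
    """
    at = int(time.time()) if at is None else at
    current = at // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits, algo), code):
            matched = counter
    return matched


def generate_backup_codes(count: int = 10, nbytes: int = 5) -> List[str]:
    """Printable one-time codes: 40 random bits each, shown as 8 base32 characters."""
    return [base64.b32encode(secrets.token_bytes(nbytes)).decode().lower()
            for _ in range(count)]


class BackupCodeStore:
    """Server side: codes are kept only as salted slow hashes and are consumed on use."""

    def __init__(self, codes: List[str]) -> None:
        self._slots = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._slots.append({"salt": salt, "digest": self._hash(code, salt), "used": False})

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # A 40-bit code is cheap to brute-force offline from a fast hash; PBKDF2 raises the cost.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 20_000)

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once. Every slot is checked so timing does not leak which matched."""
        normalised = code.strip().lower().replace("-", "").replace(" ", "")
        ok = False
        for slot in self._slots:
            same = hmac.compare_digest(self._hash(normalised, slot["salt"]), slot["digest"])
            if same and not slot["used"]:
                slot["used"] = True
                ok = True
        return ok

    def remaining(self) -> int:
        return sum(1 for slot in self._slots if not slot["used"])


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    print("enrol this in your app:", base64.b32encode(seed).decode())
    print("current code:", totp(seed), "matched step:", verify_totp(seed, totp(seed)))
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("backup codes:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The "exercise your backup codes" idea maps onto `redeem` directly: a code the user enters during a drill is consumed like any other, and `remaining()` is what a dashboard would show to prompt regeneration before the last one is gone.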
Get in contact