Overview
It’s another week when too many security updates are never enough as we
cover 240 CVE fixes across Avahi, QEMU, the Linux kernel, containerd,
binutils and more, plus the Ubuntu 20.10 Groovy Gorilla end-of-life.
This week in Ubuntu Security Updates
240 unique CVEs addressed
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 2 DoS via local users - first via abusing the Avahi daemon’s unix socket -> hang
- second by asking the avahi daemon to resolve a crafted domain name either
  via the DBus API or the local socket - assert() -> crash
[USN-5006-2] PHP vulnerabilities [01:12]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Covered in Episode 123
[USN-5009-1] libslirp vulnerabilities [01:31]
- 6 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- TCP/IP emulation library used by QEMU etc
- Info leaks from the host to the guest via buffer over-reads in handling
of various network packet types (UDP etc)
[USN-5010-1] QEMU vulnerabilities [02:07]
- 21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Usual mix of vulns in emulation of various devices etc - generally allows
a malicious guest to cause QEMU to crash on the host -> DoS
- MMIO, ATAPI, SCSI, ARM Generic Interrupt Controller, e1000
- Mishandling in virtio-fs shared filesystem daemon allows malicious guest
to read/write host devices
- A few others possibly result in code-exec on the host as the QEMU daemon
  BUT on Ubuntu QEMU is confined via AppArmor by default so this limits the
  possible impact
[LSN-0078-1] Linux kernel vulnerability [03:14]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Livepatch for CAN BCM UAF -> arbitrary code exec (Episode 121)
[USN-5014-1] Linux kernel vulnerability [03:49]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Hirsute (21.04)
- high priority respin
- seq_file vuln - this virtual file-system interface (used by /proc etc)
  contained an unsigned-to-signed integer conversion error - would result in
  a local user being able to cause an OOB write and hence possible code-exec
  in the kernel -> privesc
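The seq_file bug described above comes down to a size_t buffer length being narrowed to an int once the buffer has grown past INT_MAX, so that the "end of buffer" cursor the path-formatting code walks backwards from lands far below the buffer. The following is an added example written for these notes, not kernel code: it models the kernel's prepend()-style helper on a cursor expressed as a byte offset, so the arithmetic can be checked without allocating gigabytes. The function names, the 10-byte "//deleted" marker length and the "reject oversized buffers" hardening are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Length of the "//deleted" marker (9 chars + NUL) that the kernel's path
 * formatter prepends first; any first prepend would do for this model. */
#define PREPEND_LEN 10

/* Model of the kernel's prepend(): it works on an int length, moves the
 * write cursor back by namelen and relies on "*buflen < 0" to catch
 * overflow. The subtraction is done in unsigned arithmetic so the two's
 * complement wrap the kernel build relies on is reproduced without UB. */
static int model_prepend(long long *cursor, int *buflen, int namelen)
{
    *buflen = (int)((unsigned int)*buflen - (unsigned int)namelen);
    if (*buflen < 0)
        return -1;          /* -ENAMETOOLONG in the kernel */
    *cursor -= namelen;     /* this is where the memcpy would write */
    return 0;
}

/* Vulnerable: the seq_file buffer size (size_t) is squeezed into the int
 * the formatter takes. A 2 GiB buffer becomes INT_MIN (gcc/clang wrap on
 * narrowing), so the end-of-buffer cursor "buf + buflen" starts 2 GiB
 * below the buffer and the first prepend writes out of bounds.
 * Returns the byte offset, relative to the buffer start, where the write
 * would land; *err is 0 if the length check did not fire. */
long long vuln_write_offset(size_t buf_size, int *err)
{
    int buflen = (int)buf_size;
    long long cursor = buflen;  /* models: char *end = buf + buflen */
    *err = model_prepend(&cursor, &buflen, PREPEND_LEN);
    return cursor;
}

/* Hardened: never hand the int-based formatter a length it cannot
 * represent. The upstream fix caps how large a seq_file buffer may grow;
 * refusing here, before the narrowing, models that. Returns -1 and sets
 * *err when the buffer is rejected. */
long long safe_write_offset(size_t buf_size, int *err)
{
    if (buf_size > (size_t)INT_MAX) {
        *err = -2;              /* reject before any conversion happens */
        return -1;
    }
    return vuln_write_offset(buf_size, err);
}

/* True when the computed write offset lies inside the buffer. */
int write_in_bounds(long long offset, size_t buf_size)
{
    return offset >= 0 && (size_t)offset + PREPEND_LEN <= buf_size;
}

int main(void)
{
    int err;
    size_t small = 4096, huge = (size_t)1 << 31;   /* 2 GiB, as in the bug */
    long long off;

    off = vuln_write_offset(small, &err);
    printf("4 KiB buffer : write at offset %lld (err %d) in bounds=%d\n",
           off, err, write_in_bounds(off, small));
    off = vuln_write_offset(huge, &err);
    printf("2 GiB buffer : write at offset %lld (err %d) in bounds=%d\n",
           off, err, write_in_bounds(off, huge));
    off = safe_write_offset(huge, &err);
    printf("2 GiB guarded: offset %lld err %d (rejected)\n", off, err);
    return 0;
}
```

The point to take from the model is that the kernel's own "length went negative" check cannot save it: the wrap happens before the check, so the check passes and the write goes to an address the attacker chose by picking the path length.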
[USN-5015-1] Linux kernel (OEM) vulnerabilities [04:28]
- 5 CVEs addressed in Focal (20.04 LTS)
- 5.10 oem
- seq_file vuln plus a couple of UAFs in Bluetooth, a NULL ptr deref in NFC
  and a UAF in Xen networking - guest to host crash/code-exec etc
[USN-5016-1] Linux kernel vulnerabilities [04:54]
- 5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- 5.8 - hirsute, focal hwe
- seq_file vuln plus NFC UAF, Bluetooth UAFs, F2FS OOB read
[USN-5017-1] Linux kernel vulnerabilities [05:26]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 - focal, bionic hwe, oem, aws, azure, gcp, gke etc
- seq_file vuln plus a few bluetooth info leaks
[USN-5018-1] Linux kernel vulnerabilities [05:49]
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 - bionic, xenial hwe, trusty azure
- seq_file vuln plus various other fixes from recent kernels - eBPF
privesc, Wifi FRAGATTACKs fixes, bluetooth info leaks and UAFs and NFC
UAF
[LSN-0079-1] Linux kernel vulnerability [06:21]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- seq_file vuln plus eBPF code-exec
[USN-5019-1] NVIDIA graphics drivers vulnerabilities [06:43]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 2 DoS - one by triggering an assert(), the other by dereferencing an
untrusted pointer - kernel crash in either case
- OOB array access (OOB read) - info leak or crash -> DoS
[USN-5012-1] containerd vulnerabilities [07:23]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- When extracting a container image, would try to set the owner/permissions
  on the resulting extracted files - if these files were symlinks pointing
  to existing files on the host then it would change the perms of those
  files instead - fixed to ensure it does not follow symlinks when applying
  these permission changes
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- When parsing mount paths, would allocate memory for the path on the
  stack - if a local attacker can mount a file-system with a very long path
  name, this exhausts the entire stack and causes systemd to crash - as
  systemd is PID 1 this effectively crashes the whole system
- Remote attacker could cause the systemd DHCP client to force-assign a
  different address and hence cause a networking DoS against a remote
  server on the same network by making it unroutable etc
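The containerd issue covered above is a classic follow-the-symlink bug: the extraction code applied the tar header's mode to a path inside the extraction root, but chmod() follows symlinks, so a layer containing a link to a host file silently changed that host file's mode. The following is an added example written for these notes in C (containerd itself is Go; the pattern is the same) and is not containerd's code. It builds a scratch "host" file and an "extracted" symlink under /tmp, runs a vulnerable and a hardened permission-applying routine against the link, and reports which mode the host file ends up with. The function names and the /tmp layout are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: chmod() follows symlinks, so a link inside the extraction
 * root that points outside it changes the mode of the host file instead. */
int apply_perms_vulnerable(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened: inspect the entry with lstat(), which does not follow links.
 * A symlink carries no meaningful mode on Linux, so the chmod is skipped
 * entirely for links; ownership (not exercised here, since chown to
 * another uid needs privilege) would go through lchown() for the same
 * reason. */
int apply_perms_hardened(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode))
        return 0;               /* never follow: leave the target alone */
    return chmod(path, mode);
}

/* Constructed scenario: a host file with mode 0644 and a "layer entry"
 * that is a symlink to it. The tar header claims the entry should be 0777.
 * Returns the host file's permission bits after apply() ran, or
 * (mode_t)-1 on setup failure. Everything is created under /tmp and
 * removed again. */
mode_t run_scenario(int (*apply)(const char *, mode_t))
{
    char dir[] = "/tmp/extract-demoXXXXXX";
    char host[PATH_MAX], link[PATH_MAX];
    struct stat st;
    mode_t result = (mode_t)-1;
    int fd;

    if (mkdtemp(dir) == NULL)
        return result;
    snprintf(host, sizeof host, "%s/host-secret", dir);
    snprintf(link, sizeof link, "%s/layer-entry", dir);

    fd = open(host, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        goto out;
    close(fd);
    if (chmod(host, 0644) != 0)     /* pin the mode regardless of umask */
        goto out;
    if (symlink(host, link) != 0)
        goto out;

    apply(link, 0777);              /* what the extractor does per entry */

    if (stat(host, &st) == 0)       /* stat() follows: we want the target */
        result = st.st_mode & 07777;
out:
    unlink(link);
    unlink(host);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("vulnerable apply: host file mode now %04o\n",
           (unsigned)run_scenario(apply_perms_vulnerable));
    printf("hardened apply:   host file mode now %04o\n",
           (unsigned)run_scenario(apply_perms_hardened));
    return 0;
}
```

Running it shows the vulnerable routine leaving the host file world-writable (0777) while the hardened one leaves it at 0644. The same check applies to any unpacker that writes attacker-supplied archives to disk: resolve nothing through a path the archive controls, and use the l*/AT_SYMLINK_NOFOLLOW variants of every metadata call.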
[USN-4336-2] GNU binutils vulnerabilities [09:12]
- 147 CVEs addressed in Xenial ESM (16.04 ESM)
- Most CVEs fixed in a single update?
- binutils gets a lot of CVEs which are generally low priority -
  i.e. objdump could crash or get code-exec if run on untrusted input - but
  since it is installed in a lot of common developer scenarios we often get
  requests about these CVEs - even though they are unlikely to actually be
  exploitable in most scenarios
- Thanks to Leo on our team (and Marc for the original backport of a lot of
these patches)
[USN-5020-1] Ruby vulnerabilities [10:24]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- RCE, port scans / banner extractions, interpose on connections to bypass
TLS
[USN-5021-1] curl vulnerabilities [10:46]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Failed to initialise data when handling TELNET connections - if these
structures happened to contain sensitive info -> info leak
- Could reuse connections from the connection pool in the wrong
circumstances, leading to reusing wrong connection and sending data to
wrong host
[USN-5022-1] MySQL vulnerabilities [11:36]
- 31 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 8.0.26 (focal, hirsute)
- 5.7.35 (bionic)
[USN-5023-1] Aspell vulnerability [12:00]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Heap buffer overflow - fixed to actually validate size before using
Goings on in Ubuntu Security Community
Ubuntu 20.10 Groovy Gorilla EOL [12:25]
Get in contact