Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 129

17 min • 3 september 2021

Overview

This week we look at a malware campaign associated with the popular Krita painting application, plus we cover security updates for MongoDB, libssh, Squashfs-Tools, Thunderbird and more.

This week in Ubuntu Security Updates

17 unique CVEs addressed

[USN-5037-2] Firefox regression [00:47]

  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
  • 91.0.2 - upstream bug where as part of their advanced privacy protection, would purge cookies associated with ad trackers etc - but this would then clear authentication data as well and so would lose your master password for Lockwise - and hence prompt the re-enter it seemingly randomly.

[USN-5052-1] MongoDB vulnerability [01:31]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Failed to invalidate existing sessions of users who are logged in and their account is then deleted - so if the account is recreated before they perform some action, the session gets reassociated with the new account of the same name which may have higher privileges.

[USN-5051-2, USN-5051-3] OpenSSL vulnerability [02:14]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • Episode 128 - ASN.1 string handling vuln

[USN-5053-1] libssh vulnerability [02:42]

  • 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
  • Small SSH lib - used by libcurl, remmina and others
  • Heap buffer overflow when re-keying - so a malicious client / server could cause crash / RCE on other side

[USN-5055-1] GNOME grilo vulnerability [03:22]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
  • GNOME media discovery framework
  • Failed to enable TLS certificate verification - so when connecting to a remote media source, an attacker could replace the TLS cert with their own self-signed one or similar and hence be able to intercept all encrypted comms - simple change to specify to the underlying network request library (libsoup) to check TLS certificate when making the connection

[USN-5056-1] APR vulnerability [04:18]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Hirsute (21.04)
  • abstraction layer library across platform specific services / APIs
  • used by apache2, subversion and others
  • OOB read in time handling functions - would fail to validate parameters were within expected range (ie only 12 months in a year but uses a signed int to represent this)

[USN-5054-1] uWSGI vulnerability [05:38]

  • 1 CVEs addressed in Bionic (18.04 LTS)
  • Buffer overflow in handling of large HTTP request headers - protocol represents header name/values and overall length in a uint16_t = so can only handle up to 16K headers so if more than that would cause an integer overflow and hence a buffer overread where it would read other memory instead of the actual request body

[USN-5057-1] Squashfs-Tools vulnerability [06:34]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
  • Failed to reject filenames in squashfs image containing relative path components - using a crafted mksquashfs could create such an image and then unsquashfs would happy create that file, outside of the extracted directory - path traversal vuln

[USN-5058-1] Thunderbird vulnerabilities [08:14]

[USN-5060-1, USN-5060-2] NTFS-3G vulnerabilities [09:51]

  • Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
  • A heap of vulns - 21 in total - integer overflows, buffer overflows etc - code execution, DoS etc - unlike say EXT4 and other drivers, this is FUSE so impact is limited to only user-level code execution, not root / in-kernel

Goings on in Ubuntu Security Community

Krita Ransomware Email Campaign [11:17]

  • Emails sent to popular youtubers / facebook / instagrammers purportedly from Krita asking to collaborate on a paid advertising and a link to download some media pack - proposed videos to show on your youtube channel etc
  • The link is to krita.app or perhaps krita.io - not the official “krita.org” domain - looks the same as the real krita.org but is only just the homepage, other pages have redirects to the real krita.org
  • Download contains an encrypted zip file (alarm bell**)
  • Video part has 3 seeming videos - 2 .mp4.scr files and one actual mp4 - (second alarm bell**) .scr is really an exe - and a few vendors on VT already detects these as malicious - but a lot don’t
  • Interesting to see an open source app being used to target content creators - seems both krita.app / krita.io now redirect to krita.org and the mediabank.zip is now longer up either
  • https://krita.org/en/item/warning-scam-mails-about-krita-and-youtube-coming-from-krita-io/

Hiring [15:50]

Linux Cryptography and Security Engineer

Security Engineer - Ubuntu

Get in contact

Kategorier
Förekommer på
00:00 -00:00