Overview
This week we look at a malware campaign associated with the popular Krita
painting application, plus we cover security updates for MongoDB, libssh,
Squashfs-Tools, Thunderbird and more.
This week in Ubuntu Security Updates
17 unique CVEs addressed
[USN-5037-2] Firefox regression [00:47]
- Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 91.0.2 - upstream bug where, as part of its advanced privacy protection,
Firefox would purge cookies associated with ad trackers etc - but this would
also clear authentication data and so lose your master password for Lockwise,
hence prompting you to re-enter it seemingly at random
[USN-5052-1] MongoDB vulnerability [01:31]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Failed to invalidate the existing sessions of a logged-in user whose account
is then deleted - so if an account of the same name is recreated before the
session performs some action, the session gets reassociated with the new
account, which may have higher privileges
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Episode 128 - ASN.1 string handling vuln
[USN-5053-1] libssh vulnerability [02:42]
- 1 CVE addressed in Focal (20.04 LTS), Hirsute (21.04)
- Small SSH lib - used by libcurl, remmina and others
- Heap buffer overflow when re-keying - so a malicious client / server could
cause a crash / RCE on the other side
[USN-5055-1] GNOME grilo vulnerability [03:22]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- GNOME media discovery framework
- Failed to enable TLS certificate verification - so when connecting to a
remote media source, an attacker could replace the TLS cert with their own
self-signed one or similar and hence intercept all encrypted comms - the fix
is a simple change telling the underlying network request library (libsoup)
to check the TLS certificate when making the connection
[USN-5056-1] APR vulnerability [04:18]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Hirsute (21.04)
- abstraction layer library across platform-specific services / APIs
- used by apache2, subversion and others
- OOB read in time handling functions - failed to validate that parameters
were within the expected range (ie there are only 12 months in a year but a
signed int is used to represent this)
[USN-5054-1] uWSGI vulnerability [05:38]
- 1 CVE addressed in Bionic (18.04 LTS)
- Buffer overflow in handling of large HTTP request headers - the protocol
represents header names/values and the overall length in a uint16_t - so it
can only handle up to 16K of headers, and more than that would cause an
integer overflow and hence a buffer overread where it would read other memory
instead of the actual request body
[USN-5057-1] Squashfs-Tools vulnerability [06:34]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- Failed to reject filenames in a squashfs image containing relative path
components - a crafted mksquashfs could create such an image and then
unsquashfs would happily create that file outside of the extraction
directory - path traversal vuln
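As an added illustration of the kind of filename check an extractor needs here (example code, not squashfs-tools' own fix; the function name is hypothetical), this rejects any entry name that is absolute or carries a "." or ".." component, since only a plain relative name is guaranteed to land under the extraction directory:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not squashfs-tools code. Returns true only if `name` is a
 * relative path made of ordinary components: no leading '/', no empty
 * components ("a//b", trailing '/'), no "." and no "..". Anything else could
 * make an extractor create a file outside its target directory.
 */
bool squashfs_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/')
        return false;                     /* empty or absolute name */

    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return false;                 /* "a//b" or trailing slash */
        if (len == 1 && p[0] == '.')
            return false;                 /* "." component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                 /* ".." component escapes the dir */

        if (end == NULL)
            break;                        /* last component checked */
        p = end + 1;
    }
    return true;
}

/* Constructed sample entry names, as they might be stored in an image. */
static const char *const sample_names[] = {
    "docs/readme.txt",
    "../../../tmp/outside",
    "bin/../../evil",
    "/etc/passwd",
    "dir/./file",
    "..hidden",
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample_names / sizeof sample_names[0]; i++)
        printf("%-24s %s\n", sample_names[i],
               squashfs_name_is_safe(sample_names[i]) ? "ok" : "REJECT");
    return 0;
}
```

Note that "..hidden" is accepted: only whole components equal to "." or ".." are traversal, not names that merely start with dots.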
[USN-5058-1] Thunderbird vulnerabilities [08:14]
- 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- 78.13
- STARTTLS vuln - would accept IMAP responses received before the STARTTLS
handshake had finished - a PiTM could inject content etc - plus various vulns
from Firefox re web rendering etc
- Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- A heap of vulns - 21 in total - integer overflows, buffer overflows etc -
code execution, DoS etc - unlike say EXT4 and other in-kernel drivers, this
is FUSE so the impact is limited to user-level code execution, not root /
in-kernel
Goings on in Ubuntu Security Community
Krita Ransomware Email Campaign [11:17]
- Emails sent to popular YouTubers / Facebook / Instagram users purportedly
from Krita asking to collaborate on paid advertising, with a link to download
some media pack - proposed videos to show on your YouTube channel etc
- The link is to krita.app or perhaps krita.io - not the official
“krita.org” domain - looks the same as the real krita.org but is only the
homepage; other pages redirect to the real krita.org
- Download contains an encrypted zip file (alarm bell**)
- Video part has 3 seeming videos - 2 .mp4.scr files and one actual mp4 -
(second alarm bell**) .scr is really an exe - and a few vendors on VT already
detect these as malicious - but a lot don’t
- Interesting to see an open source app being used to target content
creators - seems both krita.app / krita.io now redirect to krita.org and
the mediabank.zip is no longer up either
- https://krita.org/en/item/warning-scam-mails-about-krita-and-youtube-coming-from-krita-io/
Hiring [15:50]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Get in contact