Episode 131

14 min • 17 september 2021

Overview

OWASP Top 10 gets updated for 2021 and we look at security vulnerabilities in the Linux kernel, Ghostscript, Git, curl and more.

26 unique CVEs addressed

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
2 different AMD specific issue in KVM subsystem with nested virtualisation - 1 mentioned last week in Episode 130 - would fail to validate particular operations which could be performed by a guest VM - in this case would allow a guest to enable the Advanced Virtual Interrupt Controller for a nested VM (ie L2 VM) - this would then allow the L2 VM to write to host memory -> code execution on the host
The other - L1 guest could disable interception of both VMLOAD/VMSAVE calls for a L2 guest - L2 guest could then read/write portions of host physical memory - code-exec on host

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
(Episode 124) seq_file vuln - this virt file-system contained an unsigned integer conversion error - would result in a local user being able to cause an OOB write and hence possible code-exec in the kernel -> privesc
(Episode 127) netfilter setsockopt() - OOB write
AMD nested virtualisation issues above

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
Memory safety bugs -> possible memory corruption, possible bypass in mixed content blocking (ie http content on a https page)

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- CVE-2021-3781
Trivial bypass of sandbox - exploit was apparently known about since March and publicly available since end of August but only reported to GS upstream on 8th August - fix available since 9th, updates for Ubuntu published on 10th (rare Friday publication)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2021-40330
Possible cross-protocol requests by embedding a newline in the URL when cloning

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- CVE-2021-3710
- CVE-2021-3709
Arbitrary file reads in apport crash handling - reads certain file when apps crash, can be tricked to read other files and include these in the crash report which can then be seen by the user, uploaded to errors.ubuntu.com etc

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- CVE-2021-41072
Similar to Episode 129 - symlink and file of same name - when unsquash, write out symlink, then write out file traversing the symlink -> arbitrary file overwrite

3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
- CVE-2021-22947
- CVE-2021-22946
- CVE-2021-22945 (non-ESM only)
MQTT OOB write (malicious MQTT server) (non-ESM)
Possible to cause to not upgrade to TLS even when specified -> info leak
STARTTLS -> could inject responses / intercept comms etc

https://owasp.org/Top10/
Last updated in Nov 2017
Increasing complexity of web-apps means vulns are now at the edges - ie. when combining two components, misconfigure one of them -> vuln in combination due to accidential misuse by the other component

Kategorier

Förekommer på

00:00 -00:00