Overview
Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security
updates for Linux kernel, nginx, Ardour and strongSwan.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-5091-3] Linux kernel (Azure) regression
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5092-3] Linux kernel (Azure) regression [00:50]
- 12 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- Failure to boot on large Azure instance types - caused by a patch that
got backported to the 5.14 upstream stable kernel that was purported to
head off possible future problems, but itself caused issues on say the
Standard_D48_v3
instance (48 vCPUs, 192GB RAM, 1.2TB storage) - dropped
that patch to resolve the issue
[USN-5109-1] nginx vulnerability [01:44]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Buffer overflow when handling files with modification dates a long time
in the past - ie. 1969 or very far in the future - integer overflow in
the autoindex module
[USN-5110-1] Ardour vulnerability [02:22]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- UAF in handling of crafted XML files - if using attacker provided files
could DoS / RCE
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Integer overflow when replacing certs in cache - if can send many
requests with different certs can fill cache and then cause replacement
of cache entries when gets full - LRU algorithm could then cause integer
overflow and hence OOB write as a result
- Integer overflow in gmp plugin - crafted RSASSA-PSS signature in say a
self-signed CA cert sent by an initiation
[USN-5113-1] Linux kernel vulnerabilities [04:13]
- 8 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- 5.11 hirsute kernel (20.04 HWE)
- overlayfs perms handling issue, race condition -> OOB read in VT
subsystem, integer overflow in hashtable implementation in BPF, ext4
xattrs race -> UAF, ath9k race condition -> info leak
Goings on in Ubuntu Security Community
Tianfu Cup 2021 [05:30]
- https://www.tianfucup.com/en
- 16-17th October - China’s own Pwn2Own
- Teams required to use original vulns to hack target platforms - 1.5m USD
total reward
- Targets
- Docker-CE on Ubuntu 20.04 w generic kernel running a Ubuntu 20.04
desktop container with ssh access as root to the container running
unprivileged w/o uidmap, volume mount and default bridge network - 60k
USD price
- Ubuntu 20.04 / Centos 8 running in VMWare Workstation - unprivileged
user to escalate to root - 40k USD
- Ubuntu + qemu-kvm - 20.04 desktop host, running 20.04 server in qemu -
VM escape w/o sandbox escape - 60k USD, w/ sandbox escape 150k USD
- 3 5 minute attempts to run their exploits
- According to media reports - Ubuntu 20.04 root privesc - 4 times,
Docker-CE and qemu VM - once
- Also iPhone 13 Pro was hacked using a no-interaction RCE attack, plus
Google Chrome to get kernel privesc on Windows as well
- Also according to one media outlet “details unknown but vendors are
expected to release patches in coming weeks” - so far no contact /
details have been provided to us…
- Same has happened in previous years - no details get provided to vendors
so issues don’t get patched - in the past, exploits which have been
showcased at Tianfu have then allegedly gone on to be used in hacking
campaigns by the Chinese government
- Contrast with Pwn2Own - we are invited by organisers to watch and verify
attempts in real-time to help judge whether exploits used are actually
unique and new, and then ZDI provide details immediately regarding the
vulns along with PoCs so we can patch them ASAP
Get in contact