Overview
The road to Ubuntu 22.04 LTS begins so we look at some of its planned
features plus we cover security updates for the Linux kernel, Mailman,
Apport, PHP, Bind and more.
This week in Ubuntu Security Updates
92 unique CVEs addressed
[USN-5114-1] Linux kernel vulnerabilities [01:15]
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 + HWE on ESM
- Race in ath9k -> could fail to properly encrypt traffic -> info leak
- KVM shadow pages perms -> local user DoS
- ext4 race in xattr handling - local DoS / priv-esc
- 6pack driver validation failure -> DoS / code-exec
[USN-5115-1] Linux kernel (OEM) vulnerabilities [02:19]
- 16 CVEs addressed in Focal (20.04 LTS)
- 5.10 OEM
- As above plus various BPF hardening fixes against spectre-like attacks,
fixes for security issues in tracing subsystem, overlayfs, btrfs,
Qualcomm IPC router, Xilinx ethernet driver info leak
[USN-5116-1, USN-5116-2] Linux kernel vulnerabilities [02:55]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 + KVM + bionic HWE + clouds (AWS, Azure, GCP, GKE, IBM, Oracle + RPi)
- Race in ath9k -> could fail to properly encrypt traffic -> info leak
- KVM shadow pages perms -> local user DoS
- ext4 race in xattr handling - local DoS / priv-esc
- 6pack driver validation failure -> DoS / code-exec
- overlayfs + xilinx
[USN-5117-1] Linux kernel (OEM) vulnerabilities [03:29]
- 4 CVEs addressed in Focal (20.04 LTS)
- 5.13 OEM
- btrfs, qualcomm IPC, VT IOCTL handling, memory leak in IPC object
handling
[USN-5120-1] Linux kernel (Azure) vulnerabilities [03:40]
- 9 CVEs addressed in Focal (20.04 LTS)
- 5.8 Azure
[USN-5119-1] libcaca vulnerabilities [03:53]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM),
Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- text mode graphics handling library
- 2 buffer overflows -> crash / code exec in handling of TGA images and
when exporting to troff format
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), 5 CVEs
addressed in Focal (20.04 LTS)
- 2 different CSRF attacks against mailman - in first, failed to properly
associate CSRF tokens with accounts - could be used to take over
another account
- In second, CSRF tokens which are generated are derived from the admin
password - could then allow a remote attacker to use this to help brute
force guess admin pw
- In both cases need to already be an existing list member and be logged
in to mount attacks
- For focal also included a couple of medium priority vulns (don't affect
older versions):
- Possible arbitrary content injection in 2 different ways which allow
content to be provided by an attacker as POST parameters to form
handling scripts which will then be incorporated into the page shown
to a user
- So could allow an attacker to say inject a URL to be displayed on a
legitimate mailman admin page instance which an unsuspecting user
may then follow thinking this is trusted etc.
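The two Mailman token problems above come down to one design rule: a CSRF token must be a fresh random value bound to the session and account that will present it, never a deterministic function of a long-lived secret. The block below is an added illustration, not Mailman's code: `password_derived_token` is a constructed stand-in for the weak pattern (the same token for every member and every session, and guessing it is the same problem as guessing the secret), and `SessionBoundCsrfTokens` is a hypothetical server-side store showing the hardened pattern with constant-time comparison. All names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets


def password_derived_token(admin_password: str, list_name: str) -> str:
    """Weak pattern (constructed illustration, not Mailman's scheme): the token
    is a deterministic function of a long-lived secret, so it is identical for
    every member and every session and never changes until the secret does."""
    return hashlib.sha256(f"{list_name}:{admin_password}".encode()).hexdigest()


class SessionBoundCsrfTokens:
    """Hardened pattern (hypothetical helper): one random token per
    (session, account), kept server-side, compared in constant time."""

    def __init__(self) -> None:
        self._tokens: dict[tuple[str, str], str] = {}

    def issue(self, session_id: str, account: str) -> str:
        # 32 bytes from the OS CSPRNG; nothing about the admin password or any
        # other account is encoded in the value.
        token = secrets.token_urlsafe(32)
        self._tokens[(session_id, account)] = token
        return token

    def verify(self, session_id: str, account: str, presented: str) -> bool:
        # A token is only valid for the exact session/account pair it was issued to.
        expected = self._tokens.get((session_id, account))
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented)

    def revoke_session(self, session_id: str) -> None:
        # Logging out invalidates every token tied to that session.
        for key in [k for k in self._tokens if k[0] == session_id]:
            del self._tokens[key]


def demo() -> dict:
    """Constructed walk-through: the weak token is static, the bound token is
    rejected for any other account or session and after logout."""
    weak_a = password_derived_token("example-admin-pw", "announce")
    weak_b = password_derived_token("example-admin-pw", "announce")
    store = SessionBoundCsrfTokens()
    alice_token = store.issue("sess-alice", "alice")
    results = {
        "weak_is_static": weak_a == weak_b,
        "alice_accepted": store.verify("sess-alice", "alice", alice_token),
        "cross_account_accepted": store.verify("sess-alice", "bob", alice_token),
        "cross_session_accepted": store.verify("sess-other", "alice", alice_token),
    }
    store.revoke_session("sess-alice")
    results["accepted_after_logout"] = store.verify("sess-alice", "alice", alice_token)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The store keys on both session and account so that a token leaked from one member's page is useless against another member, which is exactly the "failed to properly associate CSRF tokens with accounts" failure the first Mailman issue describes.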
- Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Could trick Apport into writing core files into arbitrary directories -
then these could say be interpreted by other root-level applications to
escalate privileges
- Changed Apport to write core files to known location
/var/lib/apport/coredump
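Where a core file ends up is decided by the kernel's `core_pattern` sysctl: a value starting with `|` pipes the dump to a helper (Apport's case, which is why Apport itself then has to pick a safe destination), an absolute path lands in an admin-chosen directory, and a bare relative name lands in the crashing process's current directory. The following is an added defender's check, not Apport's or Ubuntu's code: it classifies a `core_pattern` value and verifies that a destination directory is a real, non-world-writable directory. The sample pattern strings are constructed for illustration (read the live one from `/proc/sys/kernel/core_pattern`), and the function names are my own.

```python
import os
import shutil
import stat
import tempfile
from typing import Optional

# Constructed sample values; the pipe form is the general shape used to hand
# dumps to a helper such as Apport. Check the live value on a real system.
SAMPLE_PATTERNS = {
    "piped_to_helper": "|/usr/share/apport/apport %p %s %c %d %P %E",
    "absolute_path": "/var/crash/core.%e.%p",
    "relative_name": "core",
}


def classify_core_pattern(pattern: str) -> str:
    """Return where a core_pattern value sends core files.
    'pipe'     -> a helper program decides the destination
    'absolute' -> a fixed directory the administrator controls
    'relative' -> the crashing process's cwd, chosen by whoever ran it"""
    if pattern.startswith("|"):
        return "pipe"
    if pattern.startswith("/"):
        return "absolute"
    return "relative"


def coredump_dir_is_safe(path: str) -> bool:
    """A dump destination should exist, be a real directory (lstat, so a symlink
    does not pass), and not be writable by others, so unprivileged users cannot
    plant or redirect files that a root-level consumer will later read."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    return not (st.st_mode & stat.S_IWOTH)


def read_live_core_pattern() -> Optional[str]:
    """Read the running kernel's setting; None when not readable (e.g. not Linux)."""
    try:
        with open("/proc/sys/kernel/core_pattern") as f:
            return f.read().strip()
    except OSError:
        return None


def self_check() -> dict:
    """Exercise the directory check against constructed temp dirs with
    deliberately good and bad permission bits."""
    base = tempfile.mkdtemp()
    try:
        loose = os.path.join(base, "loose")
        tight = os.path.join(base, "tight")
        os.mkdir(loose)
        os.mkdir(tight)
        os.chmod(loose, 0o777)
        os.chmod(tight, 0o755)
        return {
            "world_writable_ok": coredump_dir_is_safe(loose),
            "restricted_ok": coredump_dir_is_safe(tight),
            "missing_ok": coredump_dir_is_safe(os.path.join(base, "missing")),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    live = read_live_core_pattern()
    print("live core_pattern:", live, "->", classify_core_pattern(live) if live else "n/a")
    # The fixed Apport writes to this known location per the update above.
    print("/var/lib/apport/coredump safe:", coredump_dir_is_safe("/var/lib/apport/coredump"))
    print(self_check())
```

Run as a script it reports the live pattern and the state of the directory named in the update; the classification alone does not tell you a pipe helper is safe, which is the point of the Apport fix.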
[USN-5124-1] GNU binutils vulnerabilities [06:53]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 issues in libbfd (binary file descriptor) - can be triggered by crafted
files
- UAF when using hash table impl
- cause large memory allocation - crash
[USN-5009-2] libslirp vulnerabilities [07:30]
[USN-5125-1] PHP vulnerability [07:41]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM),
Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Root code exec in PHP-FPM - uses a privileged root level process and
unpriv child worker processes but child could access shared memory with
parent and cause it to do OOB R/W -> code execution in parent -> priv-esc
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM),
Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Possible cache poisoning could lead to DoS via excessive entries in the
cache causing slow lookup performance
[USN-5127-1] WebKitGTK vulnerabilities [08:55]
- 3 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Usual web engine vulns - plus one in the bubblewrap launcher which allows
a limited sandbox bypass - could trick host processes into believing a
sandboxed process was not sandboxed and hence could potentially escalate privs
[USN-5128-1] Ceph vulnerabilities [09:35]
- 5 CVEs addressed in Bionic (18.04 LTS), Hirsute (21.04)
Goings on in Ubuntu Security Community
22.04 LTS development cycle begins [09:46]
- Will include all the features from the various interim releases since the
last 20.04 LTS plus some more
- Since it is an LTS, this cycle is mostly to be spent making things as solid
and stable as possible, but a few new features are planned:
- nftables supported
- firewalling on Linux has 2 components - kernel-space mechanism and
userspace tooling to control that
- traditionally kernel supported iptables (aka xtables - ip,ip6,arp,eb -tables)
- nftables was introduced into the kernel in 3.13 as a new mechanism to
implement network packet classification and handling - aka firewalling
etc
- kernel has 2 mechanisms then - xtables and nftables
- userspace then has 2 primary tools for handling these - iptables for
xtables and nftables (nft) for nftables
- iptables userspace added a nft backend so existing iptables rules and
users would be switched to that automatically - was already switched to
use nft backend in Ubuntu 21.04
- now want to support the nftables userspace package for handling
nftables as a first class system
- also look at implementing an nftables backend in ufw so it can drive
nftables directly rather than iptables
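The difference between the two userspace tools is visible in rule syntax: an iptables rule and its nft equivalent express the same match and verdict in different grammars, which is why the iptables package ships `iptables-translate` to convert one to the other. The toy translator below is an added illustration (not Canonical's, ufw's or the iptables project's code) that handles a handful of common options so the shape of an `nft add rule` command can be seen next to the familiar `iptables -A` form; the option subset and the target mapping are my assumptions, and anything outside them is rejected rather than guessed.

```python
import shlex

# Assumed subset of the verdict mapping; the real converter, iptables-translate,
# covers far more of the option space than this toy does.
TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def translate_rule(rule: str) -> str:
    """Translate one `iptables -A ...` rule (optionally prefixed with the word
    iptables) into the equivalent `nft add rule` command for the ip family.
    Raises ValueError on anything outside the supported subset."""
    args = shlex.split(rule)
    if args and args[0] == "iptables":
        args = args[1:]
    table, chain, proto, target = "filter", None, None, None
    matches, proto_used = [], False
    i = 0
    while i < len(args):
        opt = args[i]
        if i + 1 >= len(args):
            raise ValueError(f"option {opt} needs a value")
        val = args[i + 1]
        if opt == "-t":
            table = val
        elif opt == "-A":
            chain = val
        elif opt == "-p":
            proto = val
        elif opt in ("--dport", "--sport"):
            # Port matches in nft are qualified by the transport protocol.
            if proto not in ("tcp", "udp"):
                raise ValueError("port match needs -p tcp or -p udp")
            matches.append(f"{proto} {'dport' if opt == '--dport' else 'sport'} {val}")
            proto_used = True
        elif opt == "-s":
            matches.append(f"ip saddr {val}")
        elif opt == "-d":
            matches.append(f"ip daddr {val}")
        elif opt == "-i":
            matches.append(f'iifname "{val}"')
        elif opt == "-o":
            matches.append(f'oifname "{val}"')
        elif opt == "-j":
            if val not in TARGETS:
                raise ValueError(f"unsupported target {val}")
            target = TARGETS[val]
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A <chain> and -j <target>")
    if proto and not proto_used:
        # A bare -p without a port match becomes a layer-4 protocol match.
        matches.insert(0, f"meta l4proto {proto}")
    expr = " ".join(matches + ["counter", target])
    return f"add rule ip {table} {chain} {expr}"


def translate_ruleset(rules):
    """Translate a list of rules; the output lines can be fed to `nft -f` so the
    whole set is loaded atomically rather than rule by rule."""
    return [translate_rule(r) for r in rules]


def is_supported(rule: str) -> bool:
    """True when the rule falls inside the toy's subset."""
    try:
        translate_rule(rule)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample ruleset.
    sample = [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -p tcp --dport 22 -j ACCEPT",
        "-A INPUT -s 10.0.0.0/8 -j DROP",
    ]
    for line in translate_ruleset(sample):
        print(line)
```

Note that `add rule ... counter accept` is only the rule; a base chain of the right type and hook must already exist in the `ip filter` table for it to take effect, which is one of the things a real nft backend in ufw has to manage.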
- Improvements to OVAL data
- Improved information around ESM products etc
- Improved handling of pivot_root in AppArmor
- Upstream issue https://gitlab.com/apparmor/apparmor/-/issues/113
- once a pivot_root occurs, AppArmor loses track of the original paths so
if a root level process is granted pivot_root permission, it can move
around inside its own mount namespace to be able to escape outside the
AppArmor policy
- AppArmor needs to track root before and after and allow to specify
policy both pre-and-post
Hiring [14:46]
Security - Product Manager
- HOME BASED - EMEA (Europe, Middle East, Africa)
- Role includes:
- guiding the evolution of security offerings from Canonical and Ubuntu
- driving compliance and certification of Ubuntu
- engaging with the open source security community
- telling the story of Canonical’s work to deliver secure platforms
- https://canonical.com/careers/2278145/security-product-manager-remote
Get in contact