Overview
We’re back after a few weeks off to cover the launch of the Ubuntu Security
Guide for DISA-STIG, plus we detail the latest vulnerabilities and updates
for lxml, PolicyKit, the Linux Kernel, systemd, Samba and more.
This week in Ubuntu Security Updates
100 unique CVEs addressed
[USN-5225-1] lxml vulnerability [00:57]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Python bindings for the venerable libxml2 + libxslt - used by many other
Python packages for parsing XML etc.
- HTML cleaner module - designed to clean up HTML by removing embedded
scripts, special tags, CSS style annotations and more.
- Would allow crafted scripts to bypass the filter - same for SVG which
could embed scripts via data URIs - code execution as a result -> RCE
[USN-5210-2] Linux kernel regression [02:03]
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Episode 136 - [USN-5210-1] - caused boot failure on machines that had AMD
Secure Encrypted Virtualisation enabled
[USN-5223-1] Apache Log4j 1.2 vulnerability [02:21]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- JMS Appender module in Log4j 1.2 - requires the attacker to be able to
first modify the Log4j config - but can then get code execution - similar
to the original Log4Shell CVE-2021-44228 but not as severe
[USN-5224-2] Ghostscript vulnerabilities [02:57]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Various DoS / possible RCE via crafted image files
[USN-5229-1] Firefox vulnerabilities [03:27]
- 13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 96.0
- Usual mix of web issues with standard consequences -> DoS / spoof browser
UI, bypass security / content restrictions, info leak, RCE
[USN number not given on page] ClamAV vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- OOB read when using the CL_SCAN_GENERAL_COLLECT_METADATA option and
handling OOXML files - remote attacker could supply an input file which
could trigger this -> crash
[USN-5235-1] Ruby vulnerabilities [04:24]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
[USN-5234-1] Byobu vulnerability [04:25]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Apport hook for Byobu would upload the local .screenrc file which could
possibly contain private info
[USN-5240-1] Linux kernel vulnerability [05:09]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Integer underflow -> OOB write when parsing file system properties -
possible code execution -> requires root privileges to trigger BUT can
also be done from a user namespace - i.e. where a local user can masquerade
as root
[LSN-0084-1] Linux kernel vulnerability
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Livepatch for the above issue
[USN-5242-1] Open vSwitch vulnerability [06:16]
- 1 CVE addressed in Impish (21.10)
- Memory leak when handling fragmented packets - only affects most recent
versions of Open vSwitch so LTS releases etc not affected
[USN number not given on page] AIDE vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Advanced Intrusion Detection Environment
- checks integrity of files - common security tool
- Heap buffer overflow when performing various base64 operations, as done
when handling XFS extended attributes or tmpfs ACLs - local privesc
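The AIDE bug above is the classic shape of a base64 heap overflow: the decoder writes more output than the buffer it was handed can hold. As an added illustration (this is not AIDE's code and not the fix Ubuntu shipped), the decoder below computes an explicit upper bound for the decoded size and refuses to write a single byte past the capacity the caller supplies; the sample inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on decoded bytes for in_len base64 characters.
 * Every 4 input characters produce at most 3 output bytes. */
size_t b64_decoded_bound(size_t in_len) {
    return ((in_len + 3) / 4) * 3;
}

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode in[0..in_len) into out[0..out_cap).
 * Returns the number of bytes written, or -1 on malformed input or when the
 * output buffer is too small. The capacity check before every store is the
 * guard a heap overflow of this kind lacks. */
long b64_decode(const char *in, size_t in_len, uint8_t *out, size_t out_cap) {
    uint32_t acc = 0;   /* bit accumulator */
    int bits = 0;       /* number of valid bits in acc */
    size_t n = 0;       /* bytes written so far */
    size_t pad = 0;     /* '=' characters seen */

    for (size_t i = 0; i < in_len; i++) {
        int c = (unsigned char)in[i];
        if (c == '=') { pad++; continue; }
        if (pad) return -1;               /* data after padding is malformed */
        int v = b64_val(c);
        if (v < 0) return -1;             /* character outside the alphabet */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1;  /* would overflow: stop, do not write */
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    if (pad > 2) return -1;
    return (long)n;
}

int main(void) {
    const char *sample = "aGVsbG8=";          /* constructed: "hello" */
    uint8_t buf[16];
    long n = b64_decode(sample, strlen(sample), buf, sizeof buf);
    printf("decoded %ld bytes: %.*s\n", n, (int)n, (const char *)buf);

    uint8_t tiny[4];                            /* deliberately too small */
    long r = b64_decode(sample, strlen(sample), tiny, sizeof tiny);
    printf("into 4-byte buffer: %ld (expected -1, refused)\n", r);
    return 0;
}
```

A caller that sizes its heap allocation with `b64_decoded_bound()` and still passes the real capacity to `b64_decode()` gets two independent defences: the bound prevents under-allocation, and the per-byte check turns any remaining miscalculation into an error return instead of a heap write.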
[USN-5246-1] Thunderbird vulnerabilities [07:21]
- 26 CVEs addressed in Impish (21.10)
- 91.5
- Usual web framework issues plus some TB specific ones
- JS interpreter was enabled in the composition window - so if an attacker
could exploit some other vuln to inject content into the composition
window they could get code execution
- Buffer overflow in Matrix chat client lib
- Mishandling of PGP/MIME - would only look at the signature on the inner
signed message even if it was contained in another signed message - so
would show the whole message as valid
[USN-5248-1] Thunderbird vulnerabilities
- 45 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5249-1] USBView vulnerability [08:52]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Failed to properly configure policykit to enforce proper restrictions -
could allow a local user to execute arbitrary code by causing USBView to
load other modules
- Future versions of USBView won’t run as root
[USN-5250-1] strongSwan vulnerability [09:59]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
[USN number not given on page] PolicyKit vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Mishandling of argv in pkexec
- Normally, when an application runs, it gets given argv + argc - argv[0] is
the name of the application and arguments follow that - BUT this is only
a convention - can fork/exec another binary and specify NULL argv
- pkexec in that case would then try and parse arguments outside of the
valid argv array - generally env follows argv - so would process env as
argv
- since pkexec is setuid root glibc sanitises env - BUT pkexec modifies
its own argv when processing arguments - so ends up modifying env - with
a crafted env input can trick pkexec to modify its own env to then
inject say a malicious LD_PRELOAD value to cause arbitrary code to be
executed as root
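The root cause in the pkexec write-up is an argument parser that assumes argv[0] always exists. The hypothetical C model below (added here; it is not pkexec's source or Ubuntu's patch) shows the same mistake and the check that prevents it. `argv_layout` is a constructed array that imitates the start-up stack of a process exec()ed with an empty argv: the NULL terminator is at index 0 and an environment string follows it, so an unguarded `argv[1]` read returns environment data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: what argv looks like when argc == 0. The environment
 * block normally sits right after argv's NULL terminator, so argv[1] aliases
 * the first environment string. */
static char env_entry[] = "SOME_VAR=constructed";
static char *argv_layout[] = { NULL, env_entry, NULL };

/* Unsafe pattern: trusts the convention that argv[0] is the program name and
 * reads argv[1] without consulting argc. With argc == 0 this returns an
 * environment string instead of an argument. */
const char *first_arg_unchecked(int argc, char **argv) {
    (void)argc;
    return argv[1];
}

/* Hardened pattern: refuse to work with an empty argv at all, and never
 * index past argc. Returns NULL when there is no first argument. */
const char *first_arg_checked(int argc, char **argv) {
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;            /* caller should report an error and exit */
    return argc > 1 ? argv[1] : NULL;
}

/* Drive both parsers with the empty-argv layout (argc == 0). */
const char *demo_unchecked(void) { return first_arg_unchecked(0, argv_layout); }
const char *demo_checked(void)   { return first_arg_checked(0, argv_layout); }

int main(void) {
    const char *u = demo_unchecked();
    printf("unchecked parser saw: %s\n", u ? u : "(null)");
    const char *c = demo_checked();
    printf("checked parser saw: %s\n", c ? c : "(null, refused)");

    char *normal[] = { "prog", "--opt", NULL };   /* ordinary invocation */
    printf("normal argv, first argument: %s\n", first_arg_checked(2, normal));
    return 0;
}
```

The same `argc < 1` guard belongs at the top of any setuid or setcap program that walks its arguments, since nothing in the exec() interface guarantees a non-empty argv; the convention that argv[0] names the program is exactly that, a convention.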
- Great find by Qualys
[USN-5226-1] systemd vulnerability [13:50]
- 1 CVE addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Uncontrolled recursion in systemd-tmpfiles - local user could create a
deeply nested directory structure, cause systemd-tmpfiles to overflow
its own stack by recursively calling the same function over and over
again -> crash -> DoS
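The systemd-tmpfiles issue is unbounded recursion driven by attacker-controlled directory depth. As an added example (not systemd's code or its fix), the traversal below keeps the natural recursive structure but refuses to descend past a fixed depth, so a hostile tree can no longer grow the stack without limit. `MAX_DEPTH` is an assumed cap chosen for the demo; `make_chain`, `remove_chain` and `walk_chain` are constructed helpers that build and tear down a test tree under /tmp.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_DEPTH 32   /* assumed cap for this example */

/* Visit the directory `name` relative to parent_fd and its subdirectories.
 * Recursion depth is bounded by MAX_DEPTH, so stack use is bounded too.
 * Returns the number of directories visited, or -1 when the limit is hit
 * (errno = ELOOP) or a system call fails. */
long walk_bounded(int parent_fd, const char *name, int depth) {
    if (depth > MAX_DEPTH) { errno = ELOOP; return -1; }
    /* O_NOFOLLOW: do not let a symlink redirect the walk elsewhere. */
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);          /* closedir() will release fd */
    if (!d) { close(fd); return -1; }
    long count = 1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        struct stat st;
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) continue;
        if (!S_ISDIR(st.st_mode)) continue;
        long sub = walk_bounded(fd, e->d_name, depth + 1);
        if (sub < 0) { closedir(d); return -1; }
        count += sub;
    }
    closedir(d);
    return count;
}

/* Test fixture: create `levels` nested directories root/d/d/d/... */
int make_chain(const char *root, int levels) {
    int fd = open(root, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    for (int i = 0; i < levels; i++) {
        if (mkdirat(fd, "d", 0700) < 0 && errno != EEXIST) { close(fd); return -1; }
        int next = openat(fd, "d", O_RDONLY | O_DIRECTORY);
        close(fd);
        if (next < 0) return -1;
        fd = next;
    }
    close(fd);
    return 0;
}

/* Test fixture: remove the chain again, deepest directory first. */
int remove_chain(const char *root, int levels) {
    char path[4096];
    for (int i = levels; i >= 1; i--) {
        size_t n = (size_t)snprintf(path, sizeof path, "%s", root);
        for (int j = 0; j < i && n < sizeof path; j++)
            n += (size_t)snprintf(path + n, sizeof path - n, "/d");
        if (rmdir(path) < 0) return -1;
    }
    return 0;
}

/* Build a chain of the given depth in a fresh temp dir, walk it, clean up.
 * Returns walk_bounded's result, or -2 if the fixture could not be built. */
long walk_chain(int levels) {
    char tmpl[] = "/tmp/walk-demo-XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -2;
    long result = -2;
    if (make_chain(tmpl, levels) == 0)
        result = walk_bounded(AT_FDCWD, tmpl, 0);
    remove_chain(tmpl, levels);
    rmdir(tmpl);
    return result;
}

int main(void) {
    printf("shallow chain: %ld directories visited\n", walk_chain(5));
    printf("deep chain: %ld (expected -1: depth limit hit)\n", walk_chain(MAX_DEPTH + 5));
    return 0;
}
```

The walk returns an error rather than silently truncating, so the caller can log the offending path; a service that must handle arbitrarily deep user-owned trees should instead switch to an iterative traversal with an explicit stack or queue, which turns stack depth into heap usage that can be capped and reported the same way.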
[USN-5193-2] X.Org X Server vulnerabilities [14:58]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Episode 142
[USN-5247-1] Vim vulnerabilities [15:07]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Various memory corruption vulns when handling different files - DoS /
code execution
- All found by fuzzing vim with ASan - participates in bug bounty - want some bug cash?
[USN-5254-1] shadow vulnerabilities [15:54]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5255-1] WebKitGTK vulnerabilities [16:03]
- 7 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
[USN-5257-1] ldns vulnerabilities [16:18]
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5260-1, USN-5260-2] Samba vulnerabilities [16:19]
- 3 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- 1 CVE addressed in Bionic (18.04 LTS)
- Most interesting vuln:
- Heap OOB read/write in VFS fruit module - code exec
- Used to provide enhanced compatibility with Apple SMB clients and others
- Not enabled by default but likely enabled in a bunch of different envs
- Occurs when parsing extattr metadata - requires a user to be able to
modify a file's xattrs but this is common in lots of envs
[USN-5259-1] Cron vulnerabilities [17:01]
- 4 CVEs addressed in Xenial ESM (16.04 ESM)
Goings on in Ubuntu Security Community
Ubuntu Security Guide tooling released for DISA-STIG compliance [17:11]
- DISA-STIG is a U.S. Department of Defense security configuration standard
consisting of configuration guidelines for hardening systems to improve a
system’s security posture.
- It can be seen as a checklist for securing protocols, services, or
servers to improve the overall security by reducing the attack
surface.
- The Ubuntu Security Guide (USG) brings simplicity by integrating the
experience of several teams working on compliance. It enables the audit,
fixing, and customisation of a system while enabling a system-wide
configuration for compliance, making management by diverse people in a
DevOps team significantly easier.
- The DISA-STIG automated configuration tooling for Ubuntu 20.04 LTS is
available with Ubuntu Advantage subscriptions and Ubuntu Pro, alongside
additional open source security and support services.
- https://ubuntu.com/blog/ubuntu-introduces-the-ubuntu-security-guide-to-ease-disa-stig-compliance
- https://ubuntu.com/advantage
Get in contact