Episode 160

Overview

Ubuntu get’s pwned again at Pwn2Own Vancouver 2022, plus we look at security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.

This week in Ubuntu Security Updates

57 unique CVEs addressed

[USN-5413-1] Linux kernel vulnerabilities [01:06]

• 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2022-28390
  • CVE-2022-27223
  • CVE-2022-26490
  • CVE-2021-4157
  • CVE-2021-39713
  • CVE-2020-27820
• 4.4 - 16.04 ESM GA + 14.04 ESM
• UAF in nouveau driver when device is removed - external NVIDIA GPU? or local user unbinding the driver?
• UAF due to race condition in network packet scheduler
• OOB write in NFS - user who had access to an NFS mount could possibly exploit this
• Buffer overflow in ST Micro NFC driver - failed to validate parameters from NFC device - physically approximate attacker could possibly exploit this but would need custom hw/sw
• Similarly, Xilinx USB2 gadget driver failed to validate USB endpoints
• ESM CAN/USB double-free

[USN-5415-1] Linux kernel vulnerabilities [02:27]

• 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-27223
  • CVE-2022-26490
  • CVE-2022-25375
  • CVE-2022-25258
  • CVE-2022-20008
  • CVE-2022-1016
  • CVE-2021-26401
  • CVE-2020-27820
• 5.4 - 20.04 LTS GA + 18.04 LTS HWE + clouds
• Above vulns plus:
  • AMD specific issue around insufficient mitigations for Spectre v2 attacks
  • OOB read -> info leak through mishandling of MMC/SD read errors

[USN-5417-1] Linux kernel vulnerabilities [03:07]

• 8 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
  • CVE-2022-29156
  • CVE-2022-27223
  • CVE-2022-26966
  • CVE-2022-26490
  • CVE-2022-25375
  • CVE-2022-25258
  • CVE-2022-20008
  • CVE-2021-26401
• 5.13 - 21.10, 20.04 LTS HWE + some clouds
• ~ same as above

[USN-5418-1] Linux kernel vulnerabilities [03:19]

• 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2022-27223
  • CVE-2022-26966
  • CVE-2022-26490
  • CVE-2022-25375
  • CVE-2022-25258
  • CVE-2022-24958
  • CVE-2022-23042
  • CVE-2022-23040
  • CVE-2022-23039
  • CVE-2022-23038
  • CVE-2022-23037
  • CVE-2022-23036
  • CVE-2021-26401
• 4.15 - 18.04 LTS GA, 16.04 ESM HWE + clouds + OEM, 14.04 ESM azure
• ~ same as above

[USN-5416-1] Linux kernel (OEM) vulnerabilities [03:26]

• 5 CVEs addressed in Focal (20.04 LTS)
  • CVE-2022-28390
  • CVE-2022-28389
  • CVE-2022-28388
  • CVE-2022-1516
  • CVE-2022-1158
• 5.14 - 20.04 LTS OEM
• KVM mishandled guest page table updates -> guest VM crash host OS
• 2 similar issues in CAN bus drivers - 8 Devices USB2CAN and Microchip CAN Bus analyzer both had double-free on error paths - local attacker could crash -> DoS
• Plus ESM CAN/USB issue from above

[USN-5419-1] Rsyslog vulnerabilities [04:26]

• 3 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2019-17042
  • CVE-2019-17041
  • CVE-2018-16881
• 2 issues in handling of various message types (AIX + Cisco log messages failed to properly validate contents and so could result in heap buffer overflow)
• 1 in handling of plain TCP socket comms - but this module is not enabled in the default rsyslog configuration for Ubuntu

[USN-5420-1] Vorbis vulnerabilities [05:01]

• 3 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2018-10393
  • CVE-2018-10392
  • CVE-2017-14160
• heap buffer overflow, OOB read + stack buffer overflow via crafted input files - DoS / RCE

[USN-5421-1] LibTIFF vulnerabilities [05:16]

• 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • CVE-2022-0865
  • CVE-2022-0891
  • CVE-2022-0562
  • CVE-2022-0561
  • CVE-2020-35522
• Similar types of issues in libtiff - OOB reads / writes

[USN-5422-1] libxml2 vulnerabilities [05:32]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-29824
  • CVE-2022-23308
• UAF plus possible integer overflows -> unspec impact (but requires victim to process a multiGB XML file)

[USN-5311-2] containerd regression [06:03]

• 1 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
  • CVE-2022-23648
• Episode 152 - subsequent update to containerd by different team reverted the CVE fix accidentally - reinstated it

[USN-5423-1, USN-5423-2] ClamAV vulnerabilities [06:24]

• 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-20796
  • CVE-2022-20792
  • CVE-2022-20785
  • CVE-2022-20771
  • CVE-2022-20770
• 0.103.6
• Various infinite loops in different parsers (CPU-based DoS), memory leaks plus a couple OOB writes

[USN-5424-1] OpenLDAP vulnerability [06:53]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-29155
• SQL injection in the sql backend of slapd via an SQL statement within a LDAP query

[USN-5425-1] PCRE vulnerabilities [07:09]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2020-14155
  • CVE-2019-20838
• OOB read -> info leak
• integer overflow -> buffer overflow? -> crash / code execution

[USN-5426-1] needrestart vulnerability [07:20]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-30688
• detects daemons that need to be restarted after libraries are upgraded
• uses various regex’s to detect scripting languages - but since these were not specific enough, it could allow a user to get their own script executed in the context of the user which is running needrestart - which could be root

[USN-5427-1] Apport vulnerabilities [08:08]

• 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • CVE-2022-28658
  • CVE-2022-28657
  • CVE-2022-28656
  • CVE-2022-28655
  • CVE-2022-28654
  • CVE-2022-28652
  • CVE-2022-1242
  • CVE-2021-3899
• Gerrit Venema reported a heap of issues in Apport - thanks to Marc Deslauriers on our team for working on these
• Crash handler in Ubuntu - is invoked by the kernel when an application crashes to collect various data to then upload to Ubuntu developers
• Runs as root but can be invoked as a regular user so has been a target for privesc vulns in the past
• Has various code to drop privileges etc but these were found to be incomplete
• Impacts of these issues range from DoS by crashing Apport through to local privesc to root

[USN-5428-1] libXrandr vulnerabilities [09:14]

• 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2016-7948
  • CVE-2016-7947
• Integer overflows -> OOB write plus another different OOB write - all able to be triggered by a malicious remote X server

Goings on in Ubuntu Security Community

Ubuntu in Pwn2Own Vancouver 2022 [09:39]

• 15 year anniversary of Pwn2Own
• 17 teams attempting to exploit 21 targets - including Ubuntu Desktop for EoP
• https://www.zerodayinitiative.com/blog/2022/5/17/pwn2own-vancouver-2022-the-schedule
• 5 different teams targeting Ubuntu Desktop - Ubuntu 22.04 LTS fully up-to-date
• Prize of $40k USD
• 2 on day 1, 2 on day 2, 1 on day 3 (tomorrow)
• https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results
• So far all 4 have been successful:
  • Team Orca of Sea Security (not live streamed)
    • OOBW + UAF
  • Keith Yeo
    • UAF
  • Bien Pham
    • UAF
  • Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) of Team TUTELARY
    • UAF
• Lots of great new bugs - expect to hear more about these in the coming weeks
• Past episodes covering Ubuntu @ Pwn2Own over previous years Episode 111 and Episode 71 - in particular has a great interview with Steve and Marc from our team who cover what it is like as a vendor

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter