Overview
Ubuntu get’s pwned again at Pwn2Own Vancouver 2022, plus we look at
security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-5413-1] Linux kernel vulnerabilities [01:06]
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 - 16.04 ESM GA + 14.04 ESM
- UAF in nouveau driver when device is removed - external NVIDIA GPU? or
local user unbinding the driver?
- UAF due to race condition in network packet scheduler
- OOB write in NFS - user who had access to an NFS mount could possibly
exploit this
- Buffer overflow in ST Micro NFC driver - failed to validate parameters
from NFC device - physically approximate attacker could possibly exploit
this but would need custom hw/sw
- Similarly, Xilinx USB2 gadget driver failed to validate USB endpoints
- ESM CAN/USB double-free
[USN-5415-1] Linux kernel vulnerabilities [02:27]
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 - 20.04 LTS GA + 18.04 LTS HWE + clouds
- Above vulns plus:
- AMD specific issue around insufficient mitigations for Spectre v2
attacks
- OOB read -> info leak through mishandling of MMC/SD read errors
[USN-5417-1] Linux kernel vulnerabilities [03:07]
- 8 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- 5.13 - 21.10, 20.04 LTS HWE + some clouds
- ~ same as above
[USN-5418-1] Linux kernel vulnerabilities [03:19]
- 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 - 18.04 LTS GA, 16.04 ESM HWE + clouds + OEM, 14.04 ESM azure
- ~ same as above
[USN-5416-1] Linux kernel (OEM) vulnerabilities [03:26]
- 5 CVEs addressed in Focal (20.04 LTS)
- 5.14 - 20.04 LTS OEM
- KVM mishandled guest page table updates -> guest VM crash host OS
- 2 similar issues in CAN bus drivers - 8 Devices USB2CAN and Microchip CAN
Bus analyzer both had double-free on error paths - local attacker could
crash -> DoS
- Plus ESM CAN/USB issue from above
[USN-5419-1] Rsyslog vulnerabilities [04:26]
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
- 2 issues in handling of various message types (AIX + Cisco log messages
failed to properly validate contents and so could result in heap buffer overflow)
- 1 in handling of plain TCP socket comms - but this module is not enabled
in the default rsyslog configuration for Ubuntu
[USN-5420-1] Vorbis vulnerabilities [05:01]
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
- heap buffer overflow, OOB read + stack buffer overflow via crafted input
files - DoS / RCE
[USN-5421-1] LibTIFF vulnerabilities [05:16]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Similar types of issues in libtiff - OOB reads / writes
[USN-5422-1] libxml2 vulnerabilities [05:32]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- UAF plus possible integer overflows -> unspec impact (but requires victim
to process a multiGB XML file)
[USN-5311-2] containerd regression [06:03]
- 1 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- Episode 152 - subsequent update to containerd by different team reverted
the CVE fix accidentally - reinstated it
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- 0.103.6
- Various infinite loops in different parsers (CPU-based DoS), memory leaks
plus a couple OOB writes
[USN-5424-1] OpenLDAP vulnerability [06:53]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- SQL injection in the sql backend of slapd via an SQL statement within a LDAP query
[USN-5425-1] PCRE vulnerabilities [07:09]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- OOB read -> info leak
- integer overflow -> buffer overflow? -> crash / code execution
[USN-5426-1] needrestart vulnerability [07:20]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- detects daemons that need to be restarted after libraries are upgraded
- uses various regex’s to detect scripting languages - but since these were
not specific enough, it could allow a user to get their own script
executed in the context of the user which is running needrestart - which
could be root
[USN-5427-1] Apport vulnerabilities [08:08]
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Gerrit Venema reported a heap of issues in Apport - thanks to Marc
Deslauriers on our team for working on these
- Crash handler in Ubuntu - is invoked by the kernel when an application
crashes to collect various data to then upload to Ubuntu developers
- Runs as root but can be invoked as a regular user so has been a target
for privesc vulns in the past
- Has various code to drop privileges etc but these were found to be
incomplete
- Impacts of these issues range from DoS by crashing Apport through to
local privesc to root
[USN-5428-1] libXrandr vulnerabilities [09:14]
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- Integer overflows -> OOB write plus another different OOB write - all
able to be triggered by a malicious remote X server
Goings on in Ubuntu Security Community
Ubuntu in Pwn2Own Vancouver 2022 [09:39]
Get in contact