Overview
More Intel CPU issues, including Hertzbleed and MMIO stale data, plus we
cover security vulnerabilities and updates for ca-certificates, Varnish
Cache, FFmpeg, Firefox, PHP and more.
This week in Ubuntu Security Updates
64 unique CVEs addressed
[USN-5473-1] ca-certificates update [00:41]
- Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Updates to the latest 2.50 version of the Mozilla CA bundle - in
particular this removes a bunch of expired certs plus an old (but still
valid) GeoTrust certificate and others - also adds some new CA certs from
GlobalTrust, Certum and GlobalSign
[USN-5396-2] Ghostscript vulnerability [01:30]
[USN-5474-1] Varnish Cache vulnerabilities [01:41]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Thanks to Luís Infante da Câmara for preparing, testing and providing the
debdiffs for these updates
- Possible HTTP/1 and HTTP/2 request smuggling attacks
- DoS via triggering an assertion failure
- Pointer belonging to one client reused for the next if both share the same
connection - can expose info from the old client to the new one
[USN-5472-1] FFmpeg vulnerabilities [02:30]
- 35 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Thanks to Luís Infante da Câmara for preparing, testing and providing the
debdiffs for these updates
- Updates ffmpeg to latest upstream bug-fix releases
- 4.4.2 for 21.10, 22.04 LTS
- 4.2.7 for 20.04 LTS
- 3.4.11 for 18.04 LTS
[USN-5475-1] Firefox vulnerabilities [03:04]
- 12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- 101.0.1
- Usual mix of web browser / framework issues fixed - specially crafted
website -> could exploit these to cause DoS, info leak, spoof the browser UI,
conduct XSS attacks, bypass content security policy (CSP) restrictions,
or execute arbitrary code
[USN-5476-1] Liblouis vulnerabilities [03:54]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Braille translation library + utils
- Buffer overflow -> crash -> DoS
- OOB write -> crash -> DoS / RCE
[USN-5359-2] rsync vulnerability [04:27]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Episode 156 (zlib memory corruption issue when compressing input data)
[USN-5477-1] ncurses vulnerabilities [04:54]
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Various memory corruption vulns fixed - requires processing crafted input
files (e.g. termcap - but this is usually trusted, hence the negligible
rating for most of these CVEs)
[USN-5478-1] util-linux vulnerability [05:28]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Memory leak in libblkid when parsing crafted MSDOS partition table
[USN-5479-1] PHP vulnerabilities [05:40]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Both issues in handling of crafted inputs in database drivers - 1 for
postgres and 1 for mysql
- Uninitialised var in pg driver -> UAF in a certain error scenario -> RCE
- Buffer overflow in password handler for mysqlnd (native driver) - a rogue
MySQL server could trigger this to get RCE
Goings on in Ubuntu Security Community
News on latest Intel security issues [06:33]
- Hertzbleed & MMIO stale data both disclosed this week
- Hertzbleed - interesting new crypto side-channel attack demonstrated
against SIKE (Supersingular Isogeny Key Encapsulation - post-quantum key
encapsulation mechanism)
- Turns a frequency side-channel into a timing side-channel, so that
code which was previously assumed to be constant time can still leak
information about the key - the key can then be recovered by mounting a
chosen-ciphertext attack from a client, observing the timing of the
server's responses and inferring the secret key from them
- Acknowledged by both Intel and AMD, but likely all modern processors
which employ dynamic voltage and frequency scaling are affected
- Intel have released guidance on how to harden crypto implementations
against this attack
- No changes/fixes for this in kernel/microcode/toolchain etc - instead
it will be up to individual libraries to assess if they may be affected
and then refactor accordingly
- MMIO stale data
- Vulns in memory-mapped I/O - generally only applicable to
virtualisation where untrusted guests have access to MMIO
- Not transient execution attacks (TEAs) themselves, but since these vulns
allow stale data to persist, that data can then be inferred via a TEA (think
Spectre etc)
- Consists of a series of different issues for various microarchitectural
buffers / registers where stale data is left after being copied /
moved - this can then be sampled via a TEA to infer the value
- Different processor models have different microarchitectural buffers so
some may or may not be affected
- 3 separate vulns (CVEs) identified based on the microarchitectural
buffer affected and the technique used to read from it
- Fixes required in both kernel and intel-microcode packages
- Kernels will have already been released by the time you hear this
- Microcode is currently being released via the -updates pocket of the
archive - will then publish to -security once fully phased to all
users
- Likely early on Monday next week
- More details in next week’s episode
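Since the MMIO stale data fixes need both the kernel and the intel-microcode
package, an admin will want to confirm after updating that the kernel is not
still reporting "no microcode". The upstream kernel exposes one status file
per issue under /sys/devices/system/cpu/vulnerabilities (for this issue,
mmio_stale_data). The script below is an added example, not code from the
podcast or from Ubuntu; the classification of status strings is an assumption
based on the wording the upstream kernel uses for similar issues (MDS etc),
and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify the per-issue status strings the kernel publishes in
# /sys/devices/system/cpu/vulnerabilities and flag anything still unmitigated.
# The directory can be overridden with a constructed stand-in for testing.

# classify STATUS
# Prints one of: not-affected, mitigated, needs-microcode, vulnerable, unknown.
# Constructed examples of the kernel's wording (assumed, check your own output):
#   "Not affected"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode"
classify() {
  case "$1" in
    "Not affected"*)   echo not-affected ;;
    Mitigation:*)      echo mitigated ;;
    *"no microcode"*)  echo needs-microcode ;;   # kernel fix present, ucode missing
    Vulnerable*)       echo vulnerable ;;
    *)                 echo unknown ;;
  esac
}

# check_dir [DIR]
# Prints one line per issue and returns 1 if any issue is vulnerable or is
# waiting on microcode, 0 otherwise. Defaults to the real sysfs directory.
check_dir() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  rc=0
  for f in "$dir"/*; do
    [ -r "$f" ] || continue
    status=$(cat "$f")
    class=$(classify "$status")
    printf '%-22s %-16s %s\n' "$(basename "$f")" "$class" "$status"
    case "$class" in
      vulnerable|needs-microcode) rc=1 ;;
    esac
  done
  return $rc
}

# Usage: sh cpu-vulns.sh --run   (reads the live sysfs directory)
if [ "${1:-}" = "--run" ]; then
  check_dir
fi
```

The "needs-microcode" class is the one to watch during the phased rollout
described above: it means the kernel half of the fix has landed but the
intel-microcode update has not yet been applied (or the CPU has not been
rebooted since it was), so the mitigation is not yet effective.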
Get in contact