Overview
Finally, Ubuntu 22.04.1 LTS is released and we look at how best to upgrade,
plus we cover security updates for NVIDIA graphics drivers, OpenJDK,
Django, libxml, the Linux kernel and more.
This week in Ubuntu Security Updates
52 unique CVEs addressed
[USN-5547-1] NVIDIA graphics drivers vulnerabilities [00:43]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Local priv-esc by user with basic capabilities (?) - likely memory
corruption since apparently could also DoS, perform data tampering and
info leaks
- Also NULL ptr deref in kernel driver able to be triggered from “local
user with basic capabilities” -> DoS
- Also shipped a DBus configuration for the Dynamic Boost component - this
is a system wide power controller which manages CPU and GPU power based on
overall system workload to get best system performance per watt -
according to upstream documentation. Is only active when on AC power.
- Is not enabled by default but shipped a DBus policy file that allowed
any process to communicate with the nvidia-powerd server and hence to
perform privileged actions through it
- 10 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- openjdk-8,11,17 for Ubuntu 18.04, 20.04 & 22.04 LTS
- openjdk-8 for Ubuntu 16.04 ESM
- Most interesting is “Psychic Signatures” bug - described even in the
upstream advisory as an “easily exploitable vuln”, where an attacker
could forge certain SSL certificates (ie ones using ECDSA signatures) and
hence allow them to intercept or modify communications without being
detected.
- When adding support for validating ECDSA signatures, failed to check the
provided signature values were not zero - a signature consists of two
values, r and s, and these are used to then perform a bunch of
calculations to check it is valid - this involves comparing r against r
multiplied by a value derived from s - so if r and s are both zero you
effectively check 0 = 0
- Affects anything which uses ECDSA signatures - including signed JWTs,
SAML assertions, WebAuthn messages etc
- This only affected openjdk 15 through 18 since this code was rewritten in
native Java (previously was C++ which was not vulnerable) for Java 15 -
so for Ubuntu this is openjdk-17 only which is not the default JRE
(openjdk-11 is)
[USN-5549-1] Django vulnerability [06:16]
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Possible “Reflected File Download” attack - attack type first detailed at
BH Europe in 2014 - causes a web application to “virtually” download a file from a
trusted domain - which then can get executed since is trusted
- Usually involves the application failing to validate input such that an
attacker can craft header content to get reflected into the response
body - this then becomes the contents of a file - as well as getting some
content injected into the resulting filename - and then causing the
response to be downloaded which will
- In this case, if a Django application was setting the Content-Disposition
header of a FileResponse object based on a filename which is derived from
user input - fixed to escape the filename so can’t then inject content
into the Content-Disposition header
[USN-5550-1] GnuTLS vulnerabilities [07:55]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- NULL pointer deref and double-free during verification of pkcs7
signatures -> DoS / RCE
[USN-5551-1] mod-wsgi vulnerability [08:10]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Would pass through the X-Client-IP header to WSGI applications, even when
it came from an untrusted proxy and hence could allow unintended access
to services
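The application-side version of the rule mod_wsgi now enforces, as an added example that is not mod_wsgi's or the podcast's code: client-address headers are only meaningful when the TCP peer (REMOTE_ADDR) is one of your own reverse proxies, so a small WSGI middleware strips them otherwise. The trusted network list, the demo application and the environ used to drive it are constructed for the example.

```python
import ipaddress

# Identity headers that only a trusted reverse proxy is allowed to set.
CLIENT_ADDR_HEADERS = ("HTTP_X_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


class TrustedProxyMiddleware:
    """Drop client-address headers unless REMOTE_ADDR is a configured proxy.
    Without this, any direct client can claim to be 127.0.0.1 (or any other
    address an app might use for access decisions)."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def peer_is_trusted(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        if not self.peer_is_trusted(environ):
            for key in CLIENT_ADDR_HEADERS:
                environ.pop(key, None)
        return self.app(environ, start_response)


def client_ip(environ):
    """The address the application ends up acting on."""
    return environ.get("HTTP_X_CLIENT_IP") or environ.get("REMOTE_ADDR")


def demo_app(environ, start_response):
    """Constructed app that just echoes the address it would trust."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [client_ip(environ).encode()]


def run(app, remote_addr, x_client_ip=None):
    """Drive a WSGI app with a constructed environ; returns the body as text."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if x_client_ip is not None:
        environ["HTTP_X_CLIENT_IP"] = x_client_ip
    body = app(environ, lambda status, headers: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    app = TrustedProxyMiddleware(demo_app, ["10.0.0.0/8"])
    print(run(app, "10.0.0.5", "203.0.113.7"))      # via trusted proxy: header honoured
    print(run(app, "198.51.100.9", "127.0.0.1"))    # direct client: spoofed header dropped
    print(run(demo_app, "198.51.100.9", "127.0.0.1"))  # no middleware: spoof accepted
```

The trusted list should contain exactly the proxies that terminate client connections; trusting a whole private range is convenient but means any host in it can forge the header.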
[USN-5548-1] libxml2 vulnerability [08:32]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Possible HTML/code injection -> XSS since would fail to properly escape
server-side includes
- Reported back in 2016 to GNOME project, was seemingly ignored until the
offending commit which introduced the vuln was reverted ~2 years ago
- Later versions not affected then
- CVE only assigned a few weeks ago
- Interestingly the discussion in 2018 included a pointer to three
different CVEs in other XML/HTML parsing and sanitization libraries for
the same type of issue - but in this case was ignored and no CVE assigned
until now
[USN-5552-1] phpLiteAdmin vulnerability [11:29]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- XSS through failure to validate the newRows parameter
[USN-5553-1] libjpeg-turbo vulnerabilities [11:42]
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Various memory corruption issues -> heap and stack buffer overflows
- Logic issue and a failure to limit overall memory consumption during
decompression leading to very large memory usage -> DoS
[USN-5554-1] GDK-PixBuf vulnerability [12:06]
- 1 CVE addressed in Focal (20.04 LTS)
- Heap buffer overflow for crafted animated GIFs -> code execution
particularly on 32-bit platforms
[USN-5555-1] GStreamer Good Plugins vulnerabilities [12:29]
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Various integer overflows etc leading to heap buffer overflows in various
video codec handlers -> DoS / RCE
[USN-5558-1] libcdio vulnerabilities [13:00]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Audio CD read/control library
- 2 different memory management issues when handling crafted ISO files -
heap buffer over-read and NULL pointer dereference -> DoS
[USN-5557-1] Linux kernel vulnerabilities [13:44]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4
- UAF in Network package scheduler - could create a route filter which when
removed would still be referred to by other data structures and then
allow a user to trigger access to this -> DoS / RCE
- Similarly in netfilter, could have one nft object be referred to by an
nft set in another table -> UAF
[USN-5560-1, USN-5560-2] Linux kernel vulnerabilities [14:37]
- 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 GA for 18.04 LTS, HWE etc for 16.04 ESM, Azure for 14.04 ESM
- Various vulns plus the 2 network related UAFs above
[USN-5561-1] GNOME Web vulnerabilities [14:58]
- 4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Epiphany web browser
- 3 different XSS issues, 1 buffer overflow via a very long page title ->
gets ellipsised but UTF-8 length of ellipsis is not properly counted so
then overflows bounds -> DoS/RCE
[USN-5559-1] Moment.js vulnerabilities [15:40]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Date handling library for nodejs applications
- Path traversal vuln since could end up using a user provided locale
string to switch the locale which would then result in reading arbitrary
local files
- Quadratic complexity algorithm due to use of regexps to parse strings to
dates - in particular rfc2822 formats which are tried by default - ReDoS
-> very large input could result in significant CPU-based DoS
Goings on in Ubuntu Security Community
Ubuntu 22.04.1 LTS released [16:43]
- https://lists.ubuntu.com/archives/ubuntu-announce/2022-August/000282.html
- https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
- https://www.youtube.com/watch?v=REdxblQpsDE
- Includes all the various bug and security fixes that have gone into the
22.04 LTS release so far - if you are already running 22.04 LTS you don’t
have to do anything to get this - just make sure you have been installing
updates 😉
- The full list of changes targeted for this release can be found at
https://discourse.ubuntu.com/t/jammy-jellyfish-point-release-changes/29835
- Now is when users of 20.04 LTS desktop will start being prompted to
upgrade to 22.04 - I definitely recommend to upgrade, and to make the
process as smooth as possible, do it from a virtual terminal
- This is the standard interface used for Ubuntu Server - full-screen
terminal running directly on a console - no graphical environment
- as such, has a lot less processes and infrastructure running and so
there is less chance that something may crash during the upgrade
process - since libraries get swapped out from underneath various
running processes etc
- Log out of your graphical session, then when at the GDM Greeter / user
chooser log in screen hit CTRL + ALT + F2
- You will then be presented with a console prompt - log in with your
username and password, then you can start the upgrade process by running
- This is the same way this is done for Ubuntu Server
Get in contact