Overview
This week we take a look at the recent announcement of .NET 6 for Ubuntu
22.04 LTS, plus we cover security updates for the Linux kernel, Booth,
WebKitGTK, Unbound and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-5562-1] Linux kernel vulnerabilities [00:49]
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 20.04 LTS GA etc + 18.04 HWE etc
- 3 high priority CVEs
- 2 of these covered in last week's episode: 1 in netfilter and 1 in the
network packet scheduler
- New this week is a second CVE in the netfilter subsystem - affects
kernels since 4.1 - type confusion bug leading to a buffer overflow ->
code execution within the kernel and hence privilege escalation -
requires an attacker to gain CAP_NET_ADMIN, which is privileged, but
with unprivileged user namespaces this is trivial - so can mitigate
this by disabling unprivileged userns - but this may then affect
applications like Google Chrome and others which use this to set up
their sandboxes etc:
    sudo sysctl kernel.unprivileged_userns_clone=0
[USN-5564-1] Linux kernel (Intel IoTG) vulnerabilities [02:32]
- 15 CVEs addressed in Jammy (22.04 LTS)
- 5.15 Intel IOTG
- Similar to above, but also includes a 4th high priority CVE in the POSIX
timers subsystem - UAF which could be triggered by an unpriv user ->
priv esc - since kernel 5.7 only
[USN-5566-1] Linux kernel vulnerabilities [03:08]
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 public cloud optimised kernels (IBM, GCP, AWS, GKE, Azure, Oracle) +
KVM and Raspi
- All 4 high priority CVEs mentioned above
[USN-5565-1] Linux kernel vulnerabilities [03:34]
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 22.04 LTS GA + 20.04 LTS HWE
- POSIX timers, netfilter and network scheduler UAFs
[USN-5567-1] Linux kernel (OEM) vulnerabilities [03:48]
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.17 OEM 22.04 LTS, 5.14 OEM 20.04 LTS
- POSIX timers, netfilter and network scheduler UAFs
[USN-5563-1] http-parser vulnerability [04:00]
- 1 CVE addressed in Bionic (18.04 LTS)
- HTTP parsing library written in C by Joyent (not actively maintained
anymore either) - parses requests & responses without making any
syscalls, memory allocations or buffering of data
- Request smuggling vuln - would allow two copies of a particular header
within a HTTP message - ie. 2 Transfer-Encoding headers - but would only
process the first - could then allow the second to be misinterpreted by
other proxies etc which could then be used for a request smuggling attack
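As an added example (not http-parser's code, nor anything from the advisory), a small Python header parser that keeps every header occurrence and rejects a message carrying two Transfer-Encoding headers instead of silently honouring the first; it also applies the related Content-Length rules from RFC 7230, which go beyond this CVE. The sample requests are constructed.

```python
"""Added example (not http-parser's code): a header parser that refuses
ambiguous framing instead of honouring only the first Transfer-Encoding.
The sample requests below are constructed for this demonstration."""
from typing import Dict, List

class MalformedMessage(ValueError):
    """Header block is ambiguous; a proxy must not forward it."""

def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Map lowercased header names to every value seen, in order; keeping
    every occurrence is what lets us notice a second Transfer-Encoding."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise MalformedMessage(f"bad header line: {line!r}")
        key = name.strip().lower().decode("ascii")
        headers.setdefault(key, []).append(value.strip().decode("ascii"))
    return headers

def framing(raw: bytes) -> str:
    """Return the single body-framing mechanism, or raise when two parsers
    could disagree on where the body ends.  The Content-Length checks go
    beyond this CVE and follow RFC 7230 section 3.3.3."""
    headers = parse_headers(raw)
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if len(te) > 1:
        raise MalformedMessage("duplicate Transfer-Encoding headers")
    if len(set(cl)) > 1:
        raise MalformedMessage("conflicting Content-Length headers")
    if te and cl:
        raise MalformedMessage("both Transfer-Encoding and Content-Length")
    return te[0].lower() if te else ("content-length" if cl else "none")

def safe_to_forward(raw: bytes) -> bool:
    """True only when the message has one unambiguous body framing."""
    try:
        return bool(framing(raw))
    except MalformedMessage:
        return False

# Constructed: two Transfer-Encoding headers, the pattern from the advisory.
DUPLICATE_TE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding:"
                b" chunked\r\nTransfer-Encoding: identity\r\n\r\n0\r\n\r\n")
# Constructed: a well-formed chunked request.
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```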
[USN-5556-1] Booth vulnerability [05:20]
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Ignored the authfile directive in its config file, allowing sites / nodes
which did not have the correct auth key to communicate with nodes that
did - oops… - upstream refactored code previously which introduced this
vuln - reverted the refactor to fix this
[USN-5568-1] WebKitGTK vulnerabilities [05:57]
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Heap buffer overflow in WebRTC, UI spoofing and OOB write - all able to
be triggered by a malicious website -> RCE or other
[USN-5569-1] Unbound vulnerabilities [06:22]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Failed to properly handle delegation caching - an attacker could query
unbound just at the time when the cached delegation info is about to
expire - unbound then queries the upstream nameserver which could then
delay its response until the cache expires in unbound - when receiving
the response unbound would overwrite the now expired one - and so the
attacker can continue to do this and hence keep the rogue delegation
information in the unbound cache
[USN-5526-2] PyJWT regression [07:10]
- Affecting Jammy (22.04 LTS)
- [USN-5526-1] PyJWT vulnerability [08:58] - upstream patch bumped the
package version to 2.4.0 and so when including this, the internal package
version got bumped even though the deb package version didn’t - so would
get files installed as say 2.4.0 even though the deb is 2.3.0 which could
possibly cause a regression due to a change in path - fixed to revert
this internal package version bump
Goings on in Ubuntu Security Community
.NET 6 now available in Ubuntu 22.04 LTS [07:45]
- https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
- dotnet6 package in Ubuntu contains the .NET 6 SDK - so can do .NET
development on Ubuntu
- In the future, Microsoft will share CVE info ahead of public releases
with Ubuntu so that we can release updates for the package in Ubuntu as
they become publicly known
- Also includes new ‘chiseled’ containers - ultra-slimmed down docker
containers to provide just the minimum needed - think of it as the
Canonical version of distroless containers.
- results in a 100MB saving in container size whilst still providing
everything that is needed
- Similar in size to Alpine containers (Chiseled Ubuntu 22.04 aspnet
104MB cf. aspnet:6.0-alpine 100MB)
- Alpine has traditionally been praised for its minimal size, but uses a
different libc (musl) and has other differences too
- So can now get the benefit of a familiar Ubuntu container environment
that you know and love along with the benefits of a super small
container image (including things like decreased attack surface etc)
- Also includes the benefit of a secure supply chain from Canonical direct
to Microsoft so that the provenance of Ubuntu-based .NET images is
known - instead of previously where these were pulled from Dockerhub
- And in the future will include signed images as well so that consumers
of these images can also verify them too
Get in contact