Start / Ubuntu Security Podcast / Episode 173

Episode 173

12 min • 19 augusti 2022

Overview

This week we take a look at the recent announcement of .NET 6 for Ubuntu 22.04 LTS, plus we cover security updates for the Linux kernel, Booth, WebKitGTK, Unbound and more.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-5562-1] Linux kernel vulnerabilities [00:49]

11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 20.04 LTS GA etc + 18.04 HWE etc
3 high priority CVEs
- 2 of these covered in last week’s episode 1 in netfilter and 1 in network packet scheduler
- New this week is a second CVE in the netfilter subsystem - affects kernels since 4.1 - type confusion bug leading to a buffer overflow -> code execution within the kernel and hence privilege escalation - requires an attacker to gain CAP_NET_ADMIN which is privileged, but with unprivileged user-namespaces this is trivial - so can mitigate this by disabling unpriv userns - but this may then affect applications like Google Chrome and others which use this to setup their sandboxes etc

sudo sysctl kernel.unprivileged_userns_clone=0

[USN-5564-1] Linux kernel (Intel IoTG) vulnerabilities [02:32]

15 CVEs addressed in Jammy (22.04 LTS)
5.15 Intel IOTG
- https://ubuntu.com/download/iot/intel-iotg
- Atom x6000E, Pentium, Celeron N and J series processors
Similar to above, but also includes a 4th high priority CVE in the POSIX timers subsystem - UAF which could be triggered by an unpriv user -> priv esc - since kernel 5.7 only

[USN-5566-1] Linux kernel vulnerabilities [03:08]

9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
5.15 public cloud optimised kernels (IBM, GCP, AWS, GKE, Azure, Oracle) + KVM and Raspi
All 4 high priority CVEs mentioned above

[USN-5565-1] Linux kernel vulnerabilities [03:34]

5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
5.15 22.04 LTS GA + 20.04 LTS HWE
POSIX timers, netfilter and network scheduler UAFs

[USN-5567-1] Linux kernel (OEM) vulnerabilities [03:48]

3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
5.17 OEM 22.04 LTS, 5.14 OEM 20.04 LTS
POSIX timers, netfilter and network scheduler UAFs

[USN-5563-1] http-parser vulnerability [04:00]

1 CVEs addressed in Bionic (18.04 LTS)
- CVE-2020-8287
HTTP parsing library written in C by Joyent (not actively maintained anymore either) - parses requests & responses without making any syscalls, memory allocations or buffering of data
Request smuggling vuln - would allow two copies of a particular header within a HTTP message - ie. 2 Transfer-Encoding - but would only process the first - could then allow the second to be misinterpreted by other proxies etc which could then be used for a request smuggling attack

[USN-5556-1] Booth vulnerability [05:20]

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-2553
Ignored the authfile directive in its config file, allowing sites / nodes which did not have the correct auth key to communicate with nodes that did - oops… - upstream refactored code previously which introduced this vuln - reverted the refactor to fix this

[USN-5568-1] WebKitGTK vulnerabilities [05:57]

3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
Heap buffer overflow in WebRTC, UI spoofing and OOB write - all able to be triggered by a malicious website -> RCE or other

[USN-5569-1] Unbound vulnerabilities [06:22]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-30699
- CVE-2022-30698
Failed to properly handle delegation caching - an attacker could query unbound just at the time when the cached delegation info is about to expire - unbound then queries the upstream nameserver which could then delay its response until the cache expires in unbound - when receiving the response unbound would overwrite the now expired one - and so the attacker can continue to do this and hence keep the rogue delegation information in the unbound cache

[USN-5526-2] PyJWT regression [07:10]

Affecting Jammy (22.04 LTS)
[USN-5526-1] PyJWT vulnerability [08:58] - upstream patch bumped the package version to 2.4.0 and so when including this, the internal package version got bumped even though the deb package version didn’t - so would get files installed as say 2.4.0 even though the deb is 2.3.0 which could possibly cause a regression due to a change in path - fixed to revert this internal package version bump

Goings on in Ubuntu Security Community

.NET 6 now available in Ubuntu 22.04 LTS [07:45]

https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
dotnet6 package in Ubuntu contains the .NET 6 SDK - so can do .NET development on Ubuntu
In the future, Microsoft will share CVE info ahead of public releases with Ubuntu so that we can release updates for the package in Ubuntu as they become publicly known
Also includes new ‘chiseled’ containers - ultra-slimmed down docker containers to provide just the minimum needed - think of it as the Canonical version of distroless containers.
results in a 100MB saving in container size whilst still providing everything that is needed
- Similar in size to Alpine containers (Chiseled Ubuntu 22.04 aspnet 104MB cf. apsnet:6.0-alpine 100MB)
- Alpine has traditionally been praised for their minimal size, but use a different libc (musl) and has other differences too
- So can now get the benefit of a familiar Ubuntu container environment that you know and love along with the benefits of a super small container image (including things like decreased attack surface etc)
Also includes the benefit of a secure supply chain from Canonical direct to Microsoft so that the provenance of Ubuntu-based .NET images is known - instead of previously where these were pulled from Dockerhub
- And in the future will include signed images as well so that consumers of these images can also verify them too

Get in contact

Kategorier

Poddar Teknologi

Förekommer på

Teknik

00:00 -00:00