Overview
Finer grained control for unprivileged user namespaces is on the horizon for
Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS,
Squid and more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-5626-2] Bind vulnerabilities [00:40]
[USN-5627-1] PCRE vulnerabilities [01:01]
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 2 OOB reads with crafted regexes - possible info leak
[USN-5628-1] etcd vulnerabilities [01:19]
- 4 CVEs addressed in Focal (20.04 LTS)
- distributed key/value store used by kubernetes
- all these vulns come from a security audit conducted by Trail of Bits in January of 2020.
- performed both manual and automated review -> gosec, errcheck, ineffassign etc
- also fuzzed the WAL file handling (write-ahead logging - used to record
transactions that have been committed but not yet applied to the main
database)
- 2 issues in WAL file handling (crash), plus one in handling of directory
permissions for a directory that may already exist (info leak) and one in
setup of endpoints that could allow a DoS
[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 Raspi + GKE/GCP + Oracle + GCP (20.04)
[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]
- 1 CVE addressed in Jammy (22.04 LTS)
- 5.17 OEM
- netfilter remote DoS via crafted packet with a very short payload
[USN-5632-1] OAuthLib vulnerability [03:40]
- 1 CVE addressed in Jammy (22.04 LTS)
- OAuth implementation for Python3 - used by various other applications like
keystone, django, duplicity
- DoS via a malicious redirect URL specifying an IPv6 address - could trigger an
exception -> application crash -> DoS
[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Various issues in handling of crafted JPEG/PPM files - stack buffer overflow,
heap buffer overflow, NULL pointer dereference, resource consumption based DoS
in the cjpeg utility - a crafted file with a valid Targa header but incomplete
data would keep trying to read pixels after reaching EOF - internally used
getc(), which returns the special value EOF (actually -1) when the end of file
is reached, but requires the caller to check for that value - if not checked,
the -1 would be interpreted as pixel data (all bits set -> 255,255,255 ->
white), resulting in a JPEG file possibly thousands of times bigger than the
input file - fixed to use the existing input routines to read the data, which
already check for the EOF condition
[USN-5629-1] Python vulnerability [05:54]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Open redirect in http.server through a URI which has multiple / at the
beginning - a URI such as //path gets treated as an absolute URI rather than a
path - the server could then end up sending a 301 with a Location header
pointing at a misleading target
- Upstream disputes this - states that http.server should not be used in
production as it only implements basic security checks
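As an added example (not code from CPython, the podcast, or the USN), here is a stripped-down model of the directory redirect in http.server's SimpleHTTPRequestHandler: when a request names a directory without a trailing slash the handler replies 301 with the path plus '/'. The model keeps only the URL handling; the check that the translated local path is really a directory is omitted and assumed to pass. The host evil.example and the /docs path are constructed, and the normalization step mirrors the upstream fix of collapsing a leading run of slashes to one.

```python
from urllib.parse import urlsplit, urlunsplit


def directory_redirect_unfixed(request_path):
    """Location value for a directory request lacking a trailing '/'.

    Modelled on the pre-fix behaviour: the raw request path is handed to
    urlsplit(), so '//evil.example/docs' parses with netloc 'evil.example'.
    Assumption: the directory-existence check of the real handler passed.
    """
    parts = urlsplit(request_path)
    if parts.path.endswith('/'):
        return None  # already canonical, no redirect needed
    new_parts = (parts.scheme, parts.netloc, parts.path + '/',
                 parts.query, parts.fragment)
    return urlunsplit(new_parts)


def normalize_request_path(path):
    """Collapse a leading run of '/' to a single '/', as the upstream fix does,
    so urlsplit() cannot read the first path segment as a network location."""
    if path.startswith('//'):
        path = '/' + path.lstrip('/')
    return path


def directory_redirect_fixed(request_path):
    """Same redirect computation, applied to the normalized path."""
    return directory_redirect_unfixed(normalize_request_path(request_path))


def redirect_host(location):
    """Host a browser would contact for a Location value ('' means same host)."""
    return urlsplit(location).netloc


if __name__ == "__main__":
    crafted = "//evil.example/docs"  # constructed attacker-supplied request path
    print("unfixed Location:", directory_redirect_unfixed(crafted))
    print("fixed   Location:", directory_redirect_fixed(crafted))
```

A scheme-relative Location such as //evil.example/docs/ is resolved by the browser against the current scheme, so the client leaves the site even though no host ever appeared in the handler's own configuration; after normalization the same request yields a plain same-host path.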
[USN-5636-1] SoS vulnerability [06:39]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- sosreport - used to gather details of a system etc for debug/analysis
- Redacts passwords - previously used a hardcoded list of possible things that
could contain passwords - now instead looks for anything with the name
password and redacts that
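To make the difference between the two redaction strategies concrete, here is an added example (illustrative code, not sos's own implementation) that runs a list-based redactor and a name-based redactor over a constructed key = value config fragment and reports which secrets survive. The option names, values and the regular expressions are all assumptions made for the illustration.

```python
import re

# Constructed sample of the kind of config fragment a diagnostic collector
# might copy into a report. Not taken from any real system or from sos.
SAMPLE_CONFIG = """\
db_user = app
db_password = s3cret-db
ldap_bind_password = Ldap!2022
smtp_host = mail.example.com
PASSWORD=Upper1
api_token = tok-abc123
"""

# Plaintext values we expect to never appear in the redacted output.
SECRET_VALUES = ["s3cret-db", "Ldap!2022", "Upper1", "tok-abc123"]

# One "key = value" line; group 1 keeps the key and separator intact so the
# redacted line stays readable for whoever analyses the report.
KEY_VALUE_RE = re.compile(
    r'^(\s*(?P<key>[A-Za-z0-9_.-]+)\s*=\s*)(?P<value>.*)$', re.MULTILINE)

# Strategy 1: a hardcoded list of option names known to hold a secret.
# Anything not on the list is copied through verbatim.
KNOWN_SECRET_KEYS = ("db_password", "api_token")


def redact_by_list(text, keys=KNOWN_SECRET_KEYS):
    def repl(m):
        if m.group('key') in keys:
            return m.group(1) + '********'
        return m.group(0)  # unchanged line
    return KEY_VALUE_RE.sub(repl, text)


# Strategy 2: redact the value of every option whose *name* matches a pattern
# ("password" by default, case-insensitive), so options that were renamed or
# added after the list was written are still caught.
def redact_by_name(text, name_pattern=r'password'):
    pat = re.compile(name_pattern, re.IGNORECASE)

    def repl(m):
        if pat.search(m.group('key')):
            return m.group(1) + '********'
        return m.group(0)
    return KEY_VALUE_RE.sub(repl, text)


def leaked_secrets(redacted, secrets=SECRET_VALUES):
    """Plaintext secrets that survived redaction, in their original order."""
    return [s for s in secrets if s in redacted]


if __name__ == "__main__":
    print("list-based leaks:", leaked_secrets(redact_by_list(SAMPLE_CONFIG)))
    print("name-based leaks:", leaked_secrets(redact_by_name(SAMPLE_CONFIG)))
    print("name-based, wider pattern:",
          leaked_secrets(redact_by_name(SAMPLE_CONFIG, r'password|token')))
```

The list-based pass misses ldap_bind_password and the upper-case PASSWORD because neither was on the list; the name-based pass catches all three but, with the default pattern, still lets api_token through, which is why in practice the name pattern is widened (password, passwd, secret, token) rather than relying on either strategy alone.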
[USN-5637-1] libvpx vulnerability [07:45]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- OOB read -> info leak / crash
[USN-5638-1] Expat vulnerability [07:55]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- UAF with crafted XML content -> crash / RCE
[USN-5641-1] Squid vulnerabilities [08:06]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Failed to properly handle ACLs for the cache manager, allowing a trusted client
to read other client IDs / credentials and internal network structure
- Integer overflow -> buffer overread when using SSPI/SMB authentication helpers
for NTLM authentication - since this is in handling of credentials, could
allow an attacker to read decrypted user credentials or other memory regions
from Squid
[USN-5642-1] WebKitGTK vulnerabilities [08:57]
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Buffer overflow when handling malicious web content -> RCE
[USN-5643-1] Ghostscript vulnerabilities [09:18]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- 2 issues in PDF file handling
- NULL pointer dereference -> DoS
- heap buffer overflow -> DoS / RCE
Goings on in Ubuntu Security Community
Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]
Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]
- Unprivileged user namespaces have often been a source of increased attack
surface for the kernel
- Disabling of unpriv userns has often been recommended to mitigate various
kernel vulns
- This is done via sysctl in Ubuntu:
sudo sysctl kernel.unprivileged_userns_clone=0
- Big hammer - either on or off
- Various applications have legitimate uses of unpriv userns
- flatpak / bubblewrap etc
- some of these ship a helper application which is setuid root so they can
still use user namespaces but this then creates another attack surface - the
setuid-root binary
- instead it would be better to have a way to only allow particular
applications to use unprivileged user namespaces and then deny it to others
- would provide much finer grained control to this potentially risky feature
- AppArmor developers have added support for just this
- all unconfined applications would be denied and only confined applications
which have the userns permission would be allowed
- For now, it is planned to have this disabled by default for 22.10
- AppArmor will have a sysctl to enable it so can be tested
- Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
- With any luck, 23.04 will ship with this enabled along with AppArmor
confinement for things like bubblewrap etc that require this capability
- Snaps will get it for free since they are confined by AppArmor out of the box
- John Johansen is working with the kernel team to land this in the kernel for 22.10
- Georgia Garcia is working on the userspace side to add support for creating
policy that specifies the userns permission in the apparmor package too
- Hopefully both can land via the FeatureFreezeException (FFe) process
Ubuntu Security Podcast on break for 1 week
Get in contact