Overview
Ubuntu Pro beta is announced and we cover all the details with Lech Sandecki and
Eduardo Barretto, plus we cover security updates for DHCP, kitty, Thunderbird,
LibreOffice, the Linux kernel, .NET 6 and more.
This week in Ubuntu Security Updates
49 unique CVEs addressed
[USN-5658-1] DHCP vulnerabilities [00:53]
-
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
-
2 different DoS against ISC DHCP server
- a client could send a lease query to the server
which would fail to properly decrement a reference count and hence eventually
could overflow the reference counter -> abort -> DoS
- memory leak could be triggered by a client sending a crafted DHCP packet
with a FQDN label longer than 64 bytes - eventually would run out of memory
-> crash -> DoS
[USN-5659-1] kitty vulnerabilities [01:45]
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Cross-platform, fast, feature-rich, GPU based terminal
- Includes support for image display, but if it failed to read an image file
then would display an error message containing the file name - as such, could
craft the name of the filename to then inject terminal control characters and
hence arbitrary input into the shell itself and hence execute arbitrary
code
- Also supports showing desktop notifications via OSC escape codes - ie. a shell
script or even a file could output these and kitty would interpret that to
show a desktop notification. Also includes support for actions on
notifications through a named notification id. However, would also fail to
sanitize these ids, again allowing terminal control characters to be injected
and hence arbitrary code to be executed if the user were to then click on a
notification popup
- requires an attacker can get the user to display arbitrary content, and then
for the user to click the notification
[USN-5657-1] Graphite2 vulnerability [03:16]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- NULL pointer deref via crafted ttf
[USN-5663-1] Thunderbird vulnerabilities [03:27]
- 12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- 102.2.2
- DoS against the inbuilt Matrix client
- 2 different methods to cause TB to make a network request when an email was
opened - both via html within an iframe - allows sender to track whether the
email was opened etc
- Various web framework issues via rendering untrusted content - DoS, mount
pointer and addressbar spoofing, RCE etc
[USN-5371-3] nginx vulnerability [04:22]
[USN-5666-1] OpenSSH vulnerability [04:35]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- Failed to properly drop permissions when executing helper commands for
AuthorizedKeysCommand
and AuthorizedPrincipalsCommand
and so would run these
with group membership of the sshd process itself (even if configured to run as
a different user)
- As such is a form of privilege escalation - low impact since is a non-default
configuration
[USN-5665-1] PCRE vulnerabilities [05:19]
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- 2 different OOB read via crafted regexs -> DoS
[USN-5661-1] LibreOffice vulnerabilities [05:31]
- 3 CVEs addressed in Focal (20.04 LTS)
- Document macros have been a common attack vector for Microsoft Office
- To mitigate this, can configure to only execute macros which have a trusted
signature
- Failed to properly validate these (would only verify that the certificate for
the signature had the same serial number and issuer string of the trusted
certificate) - instead has to actually compare the hash of the certificate
itself as well
- Also has its own password database for storing authentication info for various
web connections
- A couple issues existing when encrypting the master key which result in it
being much easier to crack the encryption via a brute force attack than should
otherwise be - a local attacker with access to a user’s LibreOffice config
(and hence PW DB) could potentially get access to their credentials as used by
LO
[USN-5660-1] Linux kernel (GCP) vulnerabilities [07:02]
- 6 CVEs addressed in Bionic (18.04 LTS)
- 5.4 GCP on Ubuntu 18.04 LTS
- Most of these have seen in previous weeks - framebuffer driver OOB when
changing font/screen sizes -> DoS/codeexec, perf race-condition -> UAF ->
DoS/codeexec, netfilter remote DoS via crafted packet causing truncation below
packet header size, lack of good enough IP source port randomisation allows a
malicious TCP server to identify a host by the chosen source port, dm-verity
DoS/code execution by bypassing LoadPin restrictions to load untrusted kernel
modules / firmware (but requires root privileges in the first place)
x*** [USN-5667-1] Linux kernel vulnerabilities [08:01]
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 22.04 GA / 20.04 HWE - generic/clouds/lowlatency/raspi etc
- race condition -> UAF in internal pipe impl -> DoS/codeexec
- speculative execution vuln - Enhanced Indirect Branch Restricted Speculation
(eIBRS) on some processors did not properly handle RET instructions in some
cases - local attacker could read sensitive info as a result
io_uring
UAF
- netlink xfrm ref counting bug -> underflow -> OOPS -> DoS
- Unpriv guest user can compromise guest kernel since KVM failed to properly
handle TLB flushing in some cases
[USN-5668-1] Linux kernel vulnerabilities [09:07]
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 20.04 GA / 18.04 HWE
- More of the same
[USN-5669-1, USN-5669-2] Linux kernel vulnerabilities [09:18]
- 9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 18.04 GA / 16.04 ESM HWE
[USN-5670-1] .NET 6 vulnerability [09:27]
- 1 CVEs addressed in Jammy (22.04 LTS)
- Patch Tuesday!
- EoP via NuGet Client to allow a local attacker to get code execution
[USN-5671-1] AdvanceCOMP vulnerabilities [09:44]
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- recompression utils
- NULL ptr deref + heap buffer overflow could be triggered by opening a crafted
files
Goings on in Ubuntu Security Community
Ubuntu Pro Beta overview with Lech Sandecki and Eduardo Barretto [10:08]
Get in contact