Episode 188

Overview

This week the common theme is vulnerabilities in setuid-root binaries and their use of environment variables, so we take a look at a great blog post from the Trail of Bits team about one such example in the venerable chfn plus we look at some security vulnerabilities in, and updates for the Linux kernel, Go Text, the X Server and more, and finally we cover the recent announcement of Ubuntu 22.04.2 LTS.

This week in Ubuntu Security Updates

75 unique CVEs addressed

[USN-5872-1] NSS vulnerabilities [00:57]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2022-34480
  • CVE-2022-22747

[USN-5874-1] Linux kernel vulnerabilities

• 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-20928
  • CVE-2022-42895
  • CVE-2022-41850
  • CVE-2022-41849
  • CVE-2022-3649
  • CVE-2022-3640
  • CVE-2022-3628

[USN-5877-1] Linux kernel (GKE) vulnerabilities [01:06]

• 28 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-0590
  • CVE-2022-47940
  • CVE-2022-4662
  • CVE-2022-45934
  • CVE-2022-43750
  • CVE-2022-42895
  • CVE-2022-41850
  • CVE-2022-41849
  • CVE-2022-4095
  • CVE-2022-40307
  • CVE-2022-39842
  • CVE-2022-39188
  • CVE-2022-3649
  • CVE-2022-3646
  • CVE-2022-3643
  • CVE-2022-3640
  • CVE-2022-3628
  • CVE-2022-3623
  • CVE-2022-3619
  • CVE-2022-3586
  • CVE-2022-3543
  • CVE-2022-3303
  • CVE-2022-3061
  • CVE-2022-2663
  • CVE-2022-20421
  • CVE-2022-0171
  • CVE-2022-42896
  • CVE-2022-4378
• UAF in L2CAP handshake implementation in bluetooth subsystem - as is in handshake likely can allow an unprivileged remote attacker within bluetooth range to crash kernel / leak contents of memory or get RCE - or even a local unprivileged user could use this to try and escalate their privileges by turning on bluetooth then attacking the machine via it
• Stack buffer overflow in handling of sysctl - need to be able to write a sysctl which is normally only available to root - but also can be used by root within a user namespace - so if have unprivileged user namespaces enabled then a local unpriv user can use this to either crash the kernel or possibly execute arbitrary code within the kernel -> EoP

[USN-5875-1] Linux kernel (GKE) vulnerabilities [03:20]

• 11 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-20928
  • CVE-2022-45934
  • CVE-2022-42895
  • CVE-2022-41850
  • CVE-2022-41849
  • CVE-2022-3649
  • CVE-2022-3643
  • CVE-2022-3640
  • CVE-2022-3628
  • CVE-2022-42896
  • CVE-2022-43945
• bluetooth UAF
• Buffer overflow in the in-kernel NFSD implementation - Episode 184

[USN-5876-1] Linux kernel vulnerabilities

• 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-0590
  • CVE-2022-47940
  • CVE-2022-42895
  • CVE-2022-41850
  • CVE-2022-41849
  • CVE-2022-3640
  • CVE-2022-3628
  • CVE-2022-3623
  • CVE-2022-3619
  • CVE-2022-3543

[USN-5878-1] Linux kernel (Azure) vulnerabilities

• 5 CVEs addressed in Kinetic (22.10)
  • CVE-2023-0590
  • CVE-2022-42895
  • CVE-2022-3640
  • CVE-2022-3628
  • CVE-2022-3619

[USN-5879-1] Linux kernel (HWE) vulnerabilities

• 9 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-0590
  • CVE-2022-45934
  • CVE-2022-42895
  • CVE-2022-3643
  • CVE-2022-3640
  • CVE-2022-3628
  • CVE-2022-3619
  • CVE-2022-42896
  • CVE-2022-4378

[USN-5873-1] Go Text vulnerabilities [03:54]

• 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2022-32149
  • CVE-2021-38561
  • CVE-2020-28852
  • CVE-2020-28851
  • CVE-2020-14040
• Go lib for text processsing, in particular for handling of Unicode
• CPU-based DoS - possible infinite loop on crafted content
• Various runtime DoS issues - crafted content could trigger a panic -> crash of application - often used for parsing of HTTP headers
• One of the few cases of a USN where we list the -dev package as the affected package - quirk of the way Go packages are packaged in Debian and hence Ubuntu - since go binaries are generally statically compiled, another package will use the -dev package to build and get statically linked against this - so the security team has to then rebuild all the other packages in the archive that use this -dev package

[USN-5880-1] Firefox vulnerabilities [07:15]

• 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-25745
  • CVE-2023-25744
  • CVE-2023-25742
  • CVE-2023-25741
  • CVE-2023-25737
  • CVE-2023-25736
  • CVE-2023-25733
  • CVE-2023-25731
  • CVE-2023-25739
  • CVE-2023-25735
  • CVE-2023-25732
  • CVE-2023-25730
  • CVE-2023-25729
  • CVE-2023-25728
  • CVE-2023-0767
• 110.0 release - various memory corruption vulns plus some logic issues allowing to bypass restrictions etc

[USN-5881-1] Chromium vulnerabilities

• 13 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2023-0704
  • CVE-2023-0703
  • CVE-2023-0701
  • CVE-2023-0700
  • CVE-2023-0474
  • CVE-2023-0705
  • CVE-2023-0702
  • CVE-2023-0699
  • CVE-2023-0698
  • CVE-2023-0696
  • CVE-2023-0473
  • CVE-2023-0472
  • CVE-2023-0471
• 110.0.5481.100 release
• also has various memory corruption vulns fixed, same original policy bypass etc

[USN-5778-2] X.Org X Server vulnerabilities [08:15]

• 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2023-0494
  • CVE-2022-46344
  • CVE-2022-46343
  • CVE-2022-46342
  • CVE-2022-46341
  • CVE-2022-46340
  • CVE-2022-4283
• Various possible attacks against the X server - UAF, stack and heap buffer overflows etc -> local user could then possibly get EoP when X server is running as root (as it is on these older releases - only on 18.04 and onwards does X run as the unprivileged user)

[USN-5807-2] libXpm vulnerabilities [09:01]

• 3 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2022-4883
  • CVE-2022-46285
  • CVE-2022-44617
• X11 pixmap handling library
• 2 CPU-based DoS (infinite loop) issues plus one in handling of compressed files - would call out to external binaries to decompress these - so if a malicious user could influence the PATH environment variable could get it to execute their binaries instead - particularly could be an issue if a setuid() binary uses libxpm - and this is mentioned in the glibc manual around tips for writing setuid programs

Goings on in Ubuntu Security Community

Readline crime: exploiting a SUID logic bug [10:06]

• Trail of Bits blog has a great writeup of a bug they discovered in chfn as implemented by the util-linux package - used the readline library for input handling by many CLI applications - as a result, able to be abused to read the contents of a root-owned SSH private key
• Great dive into the complexities and dangers of using third party libraries in privileged components
• Inspired by a previous finding from Qualys, started out looking for setuid binaries that used environment variables as part of their operation - since this often allows an unprivileged user to set that env var and then run the setuid binary which then runs as root - if it then can be influenced by the value of that env var can possibly then go further to cause other effects as root (EoP?)
• Found the chfn binary (which is used to set info about the current user in /etc/shadow) would use the readline library just to read input from the user - by default readline will parse its configuration from the INPUTRC environment variable
• When it encounters an invalid config, it will helpfully print out the lines of the configuration which are invalid
• So to get it to dump the contents of some other root-owned file, you can just set INPUTRC to point to that file and execute chfn and it will then go parse that - however, the file first has to appear close to the format which is expected - and it just so happens that SSH private keys fit this bill
• One thing to note - it only affected a Arch since on most chfn comes from the standalone passwd package, not util-linux - and the chfn from passwd didn’t use readline
• Looking for environment variable use (and setuid binaries) is one of the explicit things the security team does when auditing packages as part of the MIR security review process

Ubuntu 22.04.2 LTS released [14:55]

• Delayed by 2 weeks - is finally here!
• Includes various fixes rolled into the 22.04 LTS release - if you are already running 22.04 LTS with updates enabled you will already have it
  • Ubuntu Pro is now integrated within gnome-initial-setup - previously this was only Livepatch, but can now enable any of the Ubuntu Pro offerings as soon as you log in for the first time.
  • After logging in you can enrol the machine in Ubuntu Pro directly from the initial setup wizard and choose which elements - esm-infra / esm-apps / livepatch and even FIPS and USG (Ubuntu Security Guide for CIS and DISA-STIG compliance and auditing)
  • Uses the HWE kernel - 5.19 (22.10 - kinetic)
  • Kernel and shim etc are now signed by new signing key since old one has been deny-listed in latest shim due to having signed a version of grub2 which is now known to have various vulnerabilities that could enable a local attacker to bypass secure boot restrictions (Boot Hole v3 v4?)
  • Plus a heap of other changes
  • Complete list can be found on the Ubuntu Discourse

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter