Overview
This week the common theme is vulnerabilities in setuid-root binaries and their
use of environment variables, so we take a look at a great blog post from the
Trail of Bits team about one such example in the venerable chfn, plus we look at
some security vulnerabilities in, and updates for, the Linux kernel, Go Text, the
X Server and more, and finally we cover the recent announcement of Ubuntu
22.04.2 LTS.
This week in Ubuntu Security Updates
75 unique CVEs addressed
[USN-5872-1] NSS vulnerabilities [00:57]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-5874-1] Linux kernel vulnerabilities
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5877-1] Linux kernel (GKE) vulnerabilities [01:06]
- 28 CVEs addressed in Focal (20.04 LTS)
- UAF in the L2CAP handshake implementation in the bluetooth subsystem - as this
is in the handshake it likely allows an unprivileged remote attacker within
bluetooth range to crash the kernel / leak the contents of memory or get RCE - or
even a local unprivileged user could use this to try and escalate their
privileges by turning on bluetooth and then attacking the machine via it
- Stack buffer overflow in the handling of sysctl - you need to be able to write
a sysctl, which is normally only available to root - but this can also be done
by root within a user namespace - so if unprivileged user namespaces are enabled
then a local unprivileged user can use this to either crash the kernel or
possibly execute arbitrary code within the kernel -> EoP
[USN-5875-1] Linux kernel (GKE) vulnerabilities [03:20]
- 11 CVEs addressed in Focal (20.04 LTS)
- bluetooth UAF
- Buffer overflow in the in-kernel NFSD implementation - Episode 184
[USN-5876-1] Linux kernel vulnerabilities
- 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5878-1] Linux kernel (Azure) vulnerabilities
- 5 CVEs addressed in Kinetic (22.10)
[USN-5879-1] Linux kernel (HWE) vulnerabilities
- 9 CVEs addressed in Jammy (22.04 LTS)
[USN-5873-1] Go Text vulnerabilities [03:54]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Go lib for text processing, in particular for the handling of Unicode
- CPU-based DoS - possible infinite loop on crafted content
- Various runtime DoS issues - crafted content could trigger a panic -> crash of
the application - often used for the parsing of HTTP headers
- One of the few cases of a USN where we list the -dev package as the affected
package - a quirk of the way Go packages are packaged in Debian and hence
Ubuntu - since Go binaries are generally statically compiled, another package
will use the -dev package to build and get statically linked against this - so
the security team then has to rebuild all the other packages in the archive
that use this -dev package
[USN-5880-1] Firefox vulnerabilities [07:15]
- 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 110.0 release - various memory corruption vulns plus some logic issues
allowing restrictions to be bypassed etc
[USN-5881-1] Chromium vulnerabilities
- 13 CVEs addressed in Bionic (18.04 LTS)
- 110.0.5481.100 release
- also has various memory corruption vulns fixed, same-origin policy bypass
etc
[USN-5778-2] X.Org X Server vulnerabilities [08:15]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Various possible attacks against the X server - UAF, stack and heap buffer
overflows etc -> a local user could then possibly get EoP when the X server is
running as root (as it is on these older releases - only on 18.04 and onwards
does X run as the unprivileged user)
[USN-5807-2] libXpm vulnerabilities [09:01]
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
- X11 pixmap handling library
- 2 CPU-based DoS (infinite loop) issues plus one in the handling of compressed
files - it would call out to external binaries to decompress these - so if a
malicious user could influence the PATH environment variable they could get it
to execute their binaries instead - this could particularly be an issue if a
setuid() binary uses libXpm - and this is mentioned in the glibc manual around
tips for writing setuid programs
Goings on in Ubuntu Security Community
Readline crime: exploiting a SUID logic bug [10:06]
- Trail of Bits blog has a great writeup of a bug they discovered in chfn as
implemented by the util-linux package - it used the readline library (used for
input handling by many CLI applications) - as a result, it was able to be
abused to read the contents of a root-owned SSH private key
- Great dive into the complexities and dangers of using third party libraries in
privileged components
- Inspired by a previous finding from Qualys, they started out looking for
setuid binaries that used environment variables as part of their operation -
since this often allows an unprivileged user to set that env var and then run
the setuid binary, which then runs as root - if it can then be influenced by the
value of that env var it can possibly go further to cause other effects as root
(EoP?)
- Found the chfn binary (which is used to set info about the current user in
/etc/shadow) would use the readline library just to read input from the user -
by default readline will parse its configuration from the INPUTRC environment
variable
- When it encounters an invalid config, it will helpfully print out the lines of the
configuration which are invalid
- So to get it to dump the contents of some other root-owned file, you can just
set INPUTRC to point to that file and execute chfn, and it will then go and
parse that - however, the file first has to appear close to the format which is
expected - and it just so happens that SSH private keys fit this bill
- One thing to note - it only affected Arch since on most distributions chfn
comes from the standalone passwd package, not util-linux - and the chfn from
passwd didn't use readline
- Looking for environment variable use (and setuid binaries) is one of the
explicit things the security team does when auditing packages as part of the MIR security review process
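The common thread in the libXpm (PATH) and chfn (INPUTRC) items above is the glibc manual's advice that a setuid program should not run library code against the environment its unprivileged caller handed it. As an added example, not code from the blog post, util-linux or glibc, here is an allowlist environment sanitizer for a setuid program: every variable not on the list is removed and PATH is pinned, before any library that consults the environment is called. The allowlist contents and the fixed PATH value are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables a setuid program may keep (assumed list). Everything else, INPUTRC
 * and PATH included, is dropped: libraries such as readline consult them, and
 * the dynamic loader only filters its own LD_* variables for setuid processes. */
static const char *const allowed[] = { "TERM", "LANG", NULL };
static const char *const safe_path = "/usr/bin:/bin";   /* assumed value */

static int is_allowed(const char *entry) {
    for (size_t i = 0; allowed[i]; i++) {
        size_t n = strlen(allowed[i]);
        if (strncmp(entry, allowed[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

static size_t env_count(void) {
    size_t n = 0;
    for (char **p = environ; p && *p; p++) n++;
    return n;
}

/* Strip every variable not on the allowlist, then pin PATH. Returns the number
 * removed, or -1 if an entry cannot be removed (no '=', empty or oversized
 * name); the caller should then exit rather than continue with privileges. */
int sanitize_env_for_setuid(void) {
    int removed = 0;
    for (;;) {
        char **p = environ;
        while (p && *p && is_allowed(*p)) p++;
        if (!p || !*p) break;                      /* only allowed vars remain */
        const char *eq = strchr(*p, '=');
        size_t n = eq ? (size_t)(eq - *p) : 0;
        char name[256];
        if (n == 0 || n >= sizeof name) return -1;
        memcpy(name, *p, n);
        name[n] = '\0';
        size_t before = env_count();
        /* unsetenv() removes every entry with this name; verify it did. */
        if (unsetenv(name) != 0 || env_count() == before) return -1;
        removed++;
    }
    return setenv("PATH", safe_path, 1) == 0 ? removed : -1;
}
```

Call it first thing in main() whenever getuid() != geteuid(), before any readline, decompression or other library call that might read the environment.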
Ubuntu 22.04.2 LTS released [14:55]
- Delayed by 2 weeks - is finally here!
- Includes various fixes rolled into the 22.04 LTS release - if you are already
running 22.04 LTS with updates enabled you will already have it
- Ubuntu Pro is now integrated within gnome-initial-setup - previously this was
only Livepatch, but you can now enable any of the Ubuntu Pro offerings as soon
as you log in for the first time.
- After logging in you can enrol the machine in Ubuntu Pro directly from the
initial setup wizard and choose which elements - esm-infra / esm-apps /
livepatch and even FIPS and USG (Ubuntu Security Guide for CIS and DISA-STIG
compliance and auditing)
- Uses the HWE kernel - 5.19 (22.10 - kinetic)
- Kernel and shim etc are now signed by a new signing key since the old one has
been deny-listed in the latest shim due to having signed a version of grub2
which is now known to have various vulnerabilities that could enable a local
attacker to bypass secure boot restrictions (Boot Hole v3 v4?)
- Plus a heap of other changes
- Complete list can be found on the Ubuntu Discourse