Bra podcast
Sveriges mest populära poddar
Overview
Ubuntu gets pwned at Pwn2Own 2023, plus we cover security updates for vulns in GitPython, object-path, amanda, url-parse and the Linux kernel - and we mention the recording of Alex’s Everything Open 2023 presentation as well.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-5968-1] GitPython vulnerability [00:46]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- RCE via a malicious URL when cloning a repo - would call git clone under the hood and pass the purported URL in without any validation
- Used as a dependency for other Python based tools etc - in particular by Bandit, Python security checking tool - used to scan python projects for security issues - would be ironic if a tool used to scan for security problems could be used to leverage an attack - so I took a quick look at the source code for bandit and it seems to only use GitPython to check if the current directory is a git repo or not - so would not be able to be exploited by this issue
[USN-5967-1] object-path vulnerabilities [02:11]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- all prototype pollution vulns - a type of injection attack that particularly applies for languages like Javascript, where an attacker can add arbitrary properties to global / default javascript objects that then get inherited by user-defined objects - and so can result in the ability to change the logic of the application or potentially even get remote code execution (depending on how those object properties are used by the application)
[USN-5942-2] Apache HTTP Server vulnerability [02:56]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- request smuggling attack against
mod_proxy
[USN-5966-1, USN-5966-2] amanda vulnerabilities [03:06]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- amanda has several suid-root binaries - each was able to be abused in a different way - one to see if a given directory existed or not (info leak), and the others to both get code execution etc - update introduced a regression which was then also fixed
[USN-5969-1] gif2apng vulnerabilities [04:00]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5971-1] Graphviz vulnerabilities [04:12]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 different NULL ptr derefs, 1 buffer overflow -> DoS / RCE
[USN-5954-2] Firefox regressions [04:40]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 111.0.1 - fixes a couple regressions on macOS and Windows apparently
[USN-5972-1] Thunderbird vulnerabilities [04:58]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- 102.9.0
[USN-5973-1] url-parse vulnerabilities [05:11]
- 8 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- nodejs module for parsing URLs - even for such a seemingly simple task as
parsing URLs, can have various vulnerabilities
- DoS, SSRF, open-redirect, or bypass various other authorisation checks
- upstream project now recommends to use the URL interface from nodejs and the various browsers for “better security and accuracy”
[USN-5974-1] GraphicsMagick vulnerabilities [06:24]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5686-4] Git vulnerability [06:37]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- [USN-5686-1] Git vulnerabilities from Episode 181
[USN-5970-1] Linux kernel vulnerabilities [06:45]
- 9 CVEs addressed in Kinetic (22.10)
[LSN-0093-1] Linux kernel vulnerability [07:15]
- 2 CVEs addressed in all the various Livepatch supported releases (LTS and 16.04 ESM) across various different kernels
- UAF in Upper Level Protocol and buffer overflow in netfilter when handling VLAN headers - both could allow a local user to DoS / code execution in kernel -> EoP
| Kernel type | 22.04 | 20.04 | 18.04 | 16.04 |
|---|---|---|---|---|
| aws | 93.1 | 93.1 | 93.1 | — |
| aws-5.15 | — | 93.1 | — | — |
| aws-5.4 | — | — | 93.1 | — |
| aws-hwe | — | — | — | 93.1 |
| azure | 93.1 | 93.1 | — | 93.1 |
| azure-4.15 | — | — | 93.1 | — |
| azure-5.4 | — | — | 93.1 | — |
| gcp | 93.2 | 93.1 | — | 93.1 |
| gcp-4.15 | — | — | 93.1 | — |
| gcp-5.15 | — | 93.2 | — | — |
| gcp-5.4 | — | — | 93.1 | — |
| generic-4.15 | — | — | 93.1 | 93.1 |
| generic-5.4 | — | 93.1 | 93.1 | — |
| gke | 93.2 | 93.1 | — | — |
| gke-4.15 | — | — | 93.1 | — |
| gke-5.15 | — | 93.2 | — | — |
| gke-5.4 | — | — | 93.1 | — |
| gkeop | — | 93.1 | — | — |
| gkeop-5.4 | — | — | 93.1 | — |
| ibm | 93.1 | 93.1 | — | — |
| linux | 93.1 | — | — | — |
| lowlatency-4.15 | — | — | 93.1 | 93.1 |
| lowlatency-5.4 | — | 93.1 | 93.1 | — |
| oem | — | — | 93.1 | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
[USN-5975-1] Linux kernel vulnerabilities
- 31 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2023-28328
- CVE-2023-26607
- CVE-2023-23559
- CVE-2023-23455
- CVE-2023-0394
- CVE-2023-0266
- CVE-2023-0045
- CVE-2022-47929
- CVE-2022-43750
- CVE-2022-42895
- CVE-2022-42329
- CVE-2022-42328
- CVE-2022-41850
- CVE-2022-41849
- CVE-2022-41218
- CVE-2022-39842
- CVE-2022-3649
- CVE-2022-3646
- CVE-2022-3640
- CVE-2022-36280
- CVE-2022-3628
- CVE-2022-3545
- CVE-2022-3521
- CVE-2022-3424
- CVE-2022-29901
- CVE-2022-29900
- CVE-2022-2663
- CVE-2022-26373
- CVE-2022-20369
- CVE-2021-3669
- CVE-2023-0461
[USN-5976-1] Linux kernel (OEM) vulnerabilities
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5977-1] Linux kernel (OEM) vulnerabilities
- 3 CVEs addressed in Jammy (22.04 LTS)
[USN-5978-1] Linux kernel (OEM) vulnerabilities
- 12 CVEs addressed in Jammy (22.04 LTS)
[USN-5979-1] Linux kernel (HWE) vulnerabilities
- 9 CVEs addressed in Jammy (22.04 LTS)
[USN-5980-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-5981-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5982-1] Linux kernel vulnerabilities
- 15 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
Goings on in Ubuntu Security Community
pwn2own 2023 [08:02]
- pwn2own - part of CanSecWest security conference in Vancouver, Canada
- originally started as an informal event, now is organised by Trend’s ZDI and is attended by many of the best offensive security research teams in the world
- compete to hack various known targets under various categories
- Runs over 3 days
- Ubuntu Desktop was a target again this year, in particular in the local user elevation of privilege category - standard unprivileged user account which can be used to escalate privileges to root - targeting the latest Ubuntu interim release 22.10 (Kinetic)
- competitors get 3 attempts, each with a time limit of 10 minutes to get their exploit to work
- From our side, we had a team of 4 engineers (Steve Beattie, John Johansen and Georgia Garcia from the Ubuntu Security team and Thadeu Cascardo from the Ubuntu Kernel team) who were on call to be shown the exploit and vulnerability and within 30 minutes would have to determine if it was already known or not
- Day 1 saw 2 attempts
- one unsuccessful, the other was a previously known (but unpatched)
- Day 2 saw 1 successful attempt (incorrect pointer scaling issue)
- Day 3 saw 3 successful attempts
- one also previously known, the other two double free and a UAF
- In total, 6 separate teams targeted Ubuntu Desktop, 5 were successful, and the
other was not able to get their exploit to work in the allotted time limit
- Details surrounding all of these vulnerabilities is embargoed for now, but will become available in the future
- Only minor details have been released publicly by ZDI at this time (ie incorrect pointer scaling, double free and UAF) but all (unsurprisingly) related to the memory unsafety of C
- Interesting to see the macOS was only targeted once (successful), and Windows 11 twice (both successful too) yet Ubuntu had 6
- Yet last year, there were 6 for WIndows 11, and 4 for Ubuntu
- Is Ubuntu seen as an easy target? Or are there more security researchers looking at Ubuntu compared to Windows nowadays?
- Does the open source nature of Linux make it easier to find vulns since the source code is easily able to be inspected?
- Pace of development of the upstream kernel is quite fast, lots of new
subsystems like
io_uringand large attack surfaces through unprivileged user namespaces perhaps make Ubuntu more of an easy target- Part of the motivation to want to restrict access to unprivileged user namespaces in the future
- More details to follow once vulns have been made public
- Thanks to Steve, JJ, Georgia and Thadeu
- Day 1 Results
- Day 2 Results
- Day 3 Results
Securing a distro and you own open source project - Everything Open 2023 [14:27]
-
Ubuntu is one of the most popular Linux distributions and is used by millions of people all over the world. It contains software from a wide array of different upstream projects and communities across a number of different language ecosystems. Ubuntu also aims to provide the best user experience for consuming all these various pieces of software, whilst being both as secure and usable as possible.
-
The Ubuntu Security team is responsible for keeping all of this software secure and patched against known vulnerabilities, as well as proactively looking for new possible security issues, and finally for ensuring the distribution as a whole is secured through proactive hardening work. They also have a huge depth of experience in working with upstream open source projects to report, manage patch and disclose security vulnerabilities. Find out both how they keep Ubuntu secure and how you can improve the security of your own open source project or the projects you contribute to.
Get in contact
00:00
-00:00