Episode 194

Overview

The team are back from Prague and bring with them a new segment, drilling into recent academic research in the cybersecurity space - for this inaugural segment new team member Andrei looks at modelling of attacks against network intrusion detections systems, plus we cover the week in security updates looking at vulnerabilities in Django, Ruby, Linux kernel, Erlang, OpenStack and more.

This week in Ubuntu Security Updates

57 unique CVEs addressed

[USN-6054-1] Django vulnerability (00:55)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-31047
• Django supports file uploading via various form constructs - it then performs validation on the file
• Was possible to upload multiple files via the form by attacking more than one HTML attribute to the form - in this case though only the last file would be validated - and so other files would escape validation
• Fixed to have Django raise an error in the case that an application tries to use these forms for multiple files and adds a new option to restore the old behaviour if really desired - AND it adds support for validating all files in this case.

[USN-6055-1] Ruby vulnerabilities (02:11)

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-28756
  • CVE-2023-28755
• Two ReDoS issues - ability to cause a CPU-based DoS through crafted input that is then validated by a regex which takes an inordinate amount of time to run
  • one in URI parsing and the other in Time parsing

[USN-6055-2] Ruby regression (03:11)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-28755
• The URI parser regex fix caused a regression and so was reverted - is still under investigation and hope to fix it again in a future update

[USN-6056-1] Linux kernel (OEM) vulnerability (03:13)

• 1 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-1859
• UAF in Xen Plan 9 file system protocol -> DoS / info leak

[USN-6057-1] Linux kernel (Intel IoTG) vulnerabilities (03:31)

• 10 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-26545
  • CVE-2023-1652
  • CVE-2023-1074
  • CVE-2023-1073
  • CVE-2023-0394
  • CVE-2022-4842
  • CVE-2022-47929
  • CVE-2022-4129
  • CVE-2023-0386
  • CVE-2023-1281
• OverlayFS is a union file-system, allowing one FS to be stacked on top of another - often used for things like schroots where you want to have the pristine source and then a working session chroot where you can make changes and then finally dispose of the whole thing back to the original
  • Interaction with setuid binaries and the nosuid mount option - nosuid means the suid bit is ignored - in this case, if had setup an overlay with the base file-system mounted nosuid, then in some cases it would be possible to copy up an suid binary as an unprivileged user and have it retain the suid bit - and then the user could just execute it to gain root privileges
• UAF in Traffic-Control Index (TCINDEX) filter - found in March this year

[USN-6058-1] Linux kernel vulnerability (05:45)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2023-1829
• Another UAF in Traffic-Control Index (TCINDEX) filter from April this year - seems upstream is sick of these UAFs in TCINDEX so their fix simply removes this classifier from the kernel and hence so does ours - in general we try not to introduce breaking changes but in this case prefer to stay consistent with upstream - also upstream say this does not have many known users anyway

[USN-6059-1] Erlang vulnerability (06:23)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2022-37026
• Failed to properly maintain state during TLS handshake when validating client certificate - basically a malicious client could send the certificate and then simply omit the TLS handshake message which tells the server to validate the cert and the server state would then show the cert had been validated
• Note only affects Erlang applications that use client certificates for authentication (ie. the '{verify, verify_peer}' SSL option)
• Still planning to try and update erlang in bionic (18.04 LTS) but backport is more complicated

[USN-6060-1, USN-6060-2] MySQL vulnerabilities (07:40)

• 20 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-21982
  • CVE-2023-21980
  • CVE-2023-21977
  • CVE-2023-21976
  • CVE-2023-21972
  • CVE-2023-21966
  • CVE-2023-21962
  • CVE-2023-21955
  • CVE-2023-21953
  • CVE-2023-21947
  • CVE-2023-21946
  • CVE-2023-21945
  • CVE-2023-21940
  • CVE-2023-21935
  • CVE-2023-21933
  • CVE-2023-21929
  • CVE-2023-21920
  • CVE-2023-21919
  • CVE-2023-21912
  • CVE-2023-21911
• 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-21980
  • CVE-2023-21912
• Latest upstream releases
  • 8.0.33 for 20.04 LTS, 22.04 LTS, 22.10, and Lunar (23.04)
  • 5.7.42 for 16.04 ESM and 18.04 LTS
• As is the latest upstream point release, also includes bug fixes and possibly new features / incompatible changes - full list of details from upstream:
  • https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-42.html
  • https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-33.html

[USN-6061-1] WebKitGTK vulnerabilities (08:14)

• 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-28205
  • CVE-2023-27954
  • CVE-2023-27932
  • CVE-2023-25358
  • CVE-2022-32885
  • CVE-2022-0108
• Various UAFs plus ability to track users across origins or bypass same origin policy

[USN-6062-1] FreeType vulnerability (08:38)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-2004
• Integer overflow when parsing a malformed font - DoS / RCE (particurly with the advent of web fonts)

[USN-6063-1] Ceph vulnerabilities (09:03)

• 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2022-3854
  • CVE-2022-3650
  • CVE-2022-0670
  • CVE-2021-3979
• backport of:
  • 17.2.5 for 22.10, 22.04 LTS
  • 15.2.17 for 20.04 LTS
  • 12.2.13 for 18.04 LTS

[USN-6066-1] OpenStack Heat vulnerability (09:29)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-1625
• Orchestration Service for OpenStack - info leak via API

[USN-6067-1] OpenStack Neutron vulnerabilities (09:39)

• 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-3277
  • CVE-2021-40797
  • CVE-2021-40085
  • CVE-2021-38598
  • CVE-2021-20267
• Virtual Network Service

[USN-6068-1] Open vSwitch vulnerability (09:45)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2023-1668
• Failed to properly handle IP packets which specified a protocol of 0 (used in IPv6 to specify hop-by-hop options) - if a packet with protocol 0 was encountered, OVS would install a dataflow path for both kernel and userspace which would match on ALL IP protocols for this flow - so this would then possibly match against other IP packets and so cause them to be handled incorrectly (possibly allowing when should have been denied etc)

[USN-6065-1] css-what vulnerabilities (10:43)

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-21222
  • CVE-2021-33587
• CSS selector parser for NodeJS
• Two ReDoS issues

[USN-6064-1] SQL parse vulnerability (11:00)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-30608
• Another ReDoS

Goings on in Ubuntu Security Community

Ubuntu 23.10 release cycle opens (11:41)

• The Ubuntu Security is back from Prague (Engineering Sprint) - spent the week diving deep into various aspects like what kinds of tooling and processes we want to try and improve across the team, talking about the culture and history of the team to make sure we maintain our great culture as the team grows.
• Even discussing mundane stuff like how to refer to and name security updates which go into Ubuntu Pro vs the regular Ubuntu Archive - making sure it is clear to consumers of our USNs etc what is where, plus the various policies around updated for Ubuntu Pro
• Sessions devoted to snaps and how to do appropriate security reviews for them plus how to coordinate better with the snapd team
• Even looking at tech debt within our team and our tooling and how we can try and tackle some of that
• As for more concrete plans for the security team during 23.10
  • continue the work to use AppArmor to enable tighter controls over unprivileged user namespaces within Ubuntu
  • various improvements to our OVAL feeds to make them more useful to users and customers alike
  • utilising the Canonical Hardware Certifications Lab for testing of security updates for packages that require particular hardware (think things like intel-microcode, nvme-cli, various graphics drivers etc)
  • Improvements to AppArmor for more fine-grained network mediation and io_uring
  • More work on supporting various confidential computing use-cases (for an introduction to these types of topics see https://ubuntu.com/engage/introduction-to-confidential-computing-webinar)
  • Usual work on FIPS / CIS / DISA-STIG updates plus usual security maintenance

Academic paper review with Andrei Iosif (14:40)

• New segment to dig into the details of various interesting cybersecurity research papers
• Andrei joined the team just over 1 month ago - previously was Tech Lead at a SecOps startup developing open source tools for automating various cybersecurity solutions - brings a wide range of great experience to our team
• Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems
• Looks at what the study was about (developing a model for attacks against Network Intrusion Detection Systems, with a particular focus on IDSs that are based on AI/ML approaches)

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter