Overview
The team are back from Prague and bring with them a new segment, drilling into
recent academic research in the cybersecurity space - for this inaugural segment
new team member Andrei looks at modelling of attacks against network intrusion
detection systems, plus we cover the week in security updates looking at
vulnerabilities in Django, Ruby, Linux kernel, Erlang, OpenStack and more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-6054-1] Django vulnerability (00:55)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Django supports file uploading via various form constructs - it then performs
validation on the uploaded file
- Was possible to upload multiple files through a single form field by setting
the 'multiple' HTML attribute on the file input - in this case though only the
last file would be validated - and so the other files would escape validation
- Fixed to have Django raise an error in the case that an application tries to
use these fields for multiple files, adds a new option to restore the old
behaviour if really desired - AND adds support for validating all files in
this case.
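To make the validation gap concrete, here is a stripped-down model of the pre-fix and post-fix behaviour. This is an added example written for these notes, not Django's code: the field, the size/extension rules, the sample uploads and the name of the opt-in flag (chosen to mirror Django's `allow_multiple_selected`) are all constructed for illustration.

```python
"""Model of the multi-file upload validation gap (added example, not Django code).

A browser given <input type="file" multiple> sends a list of files under one
field name. The pre-fix pattern collapsed that list to its last item before
validating; the fixed pattern refuses lists unless the field opts in, and then
validates every item.
"""
from dataclasses import dataclass
from typing import List, Union

MAX_SIZE = 1024                  # constructed limit in bytes
ALLOWED_EXT = {".png", ".jpg"}   # constructed allow-list


@dataclass
class Upload:
    name: str
    size: int


class ValidationError(Exception):
    pass


def validate_one(f: Upload) -> Upload:
    ext = ("." + f.name.rsplit(".", 1)[-1].lower()) if "." in f.name else ""
    if ext not in ALLOWED_EXT:
        raise ValidationError(f"{f.name}: extension not allowed")
    if f.size > MAX_SIZE:
        raise ValidationError(f"{f.name}: too large")
    return f


def clean_vulnerable(data: Union[Upload, List[Upload]]):
    """Pre-fix pattern: a list from a 'multiple' input is reduced to its last item,
    so only that one file is ever validated."""
    if isinstance(data, list):
        data = data[-1]
    return validate_one(data)


def clean_fixed(data: Union[Upload, List[Upload]], allow_multiple_selected: bool = False):
    """Post-fix pattern: lists are an error unless the field opted in, and when it
    did, every file in the list is validated."""
    if isinstance(data, list):
        if not allow_multiple_selected:
            raise ValidationError("field does not accept multiple files")
        return [validate_one(f) for f in data]
    return validate_one(data)


def save_all(request_files, cleaner, **kw) -> List[str]:
    """A view in the vulnerable shape: run the field's cleaner, then persist
    everything the browser sent. Returns the names that were saved."""
    cleaner(request_files, **kw)  # raises ValidationError on bad input
    files = request_files if isinstance(request_files, list) else [request_files]
    return [f.name for f in files]


def rejects(cleaner, data, **kw) -> bool:
    """True if the cleaner refuses the data (used to compare the two behaviours)."""
    try:
        cleaner(data, **kw)
    except ValidationError:
        return True
    return False


# Constructed request: two files that must fail validation, then one valid file last.
CONSTRUCTED_UPLOADS = [Upload("shell.php", 10), Upload("big.png", 5000), Upload("ok.png", 10)]

if __name__ == "__main__":
    print("vulnerable saved:", save_all(CONSTRUCTED_UPLOADS, clean_vulnerable))
    print("fixed rejects list:", rejects(clean_fixed, CONSTRUCTED_UPLOADS))
    print("fixed, opted in, still rejects bad files:",
          rejects(clean_fixed, CONSTRUCTED_UPLOADS, allow_multiple_selected=True))
```

The point of the model is the last line of `save_all`: the view trusts that the cleaner saw everything it is about to write to disk. With `clean_vulnerable` the .php and oversized files are saved because only `ok.png` was checked; with `clean_fixed` the request is refused outright, or, once the field opts in, each file is checked individually.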
[USN-6055-1] Ruby vulnerabilities (02:11)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Two ReDoS issues - ability to cause a CPU-based DoS through crafted input that
is then matched against a regex which takes an inordinate amount of time to run
- one in URI parsing and the other in Time parsing
[USN-6055-2] Ruby regression (03:11)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- The URI parser regex fix caused a regression and so was reverted - the issue is
still under investigation and we hope to fix it again in a future update
[USN-6056-1] Linux kernel (OEM) vulnerability (03:13)
- 1 CVE addressed in Jammy (22.04 LTS)
- UAF in the Xen Plan 9 file system protocol transport -> DoS / info leak
[USN-6057-1] Linux kernel (Intel IoTG) vulnerabilities (03:31)
- 10 CVEs addressed in Jammy (22.04 LTS)
- OverlayFS is a union file-system, allowing one FS to be stacked on top of
another - often used for things like schroots where you want to keep the
pristine source and then have a working session chroot where you can make
changes and then finally dispose of the whole thing to get back to the original
- Interaction with setuid binaries and the nosuid mount option - nosuid means
the setuid bit is ignored - in this case, if you had set up an overlay with the
lower file-system mounted nosuid, then in some cases it would be possible to
copy up a setuid binary as an unprivileged user and have it retain the setuid
bit on the upper layer - and then the user could just execute it to gain root
privileges
- UAF in Traffic-Control Index (TCINDEX) filter - found in March this year
[USN-6058-1] Linux kernel vulnerability (05:45)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Another UAF in Traffic-Control Index (TCINDEX) filter from April this year -
seems upstream is sick of these UAFs in TCINDEX so their fix simply removes
this classifier from the kernel and hence so does ours - in general we try not
to introduce breaking changes but in this case prefer to stay consistent with
upstream - also upstream say this does not have many known users anyway - if
you do have tc filters of type tcindex configured, they will stop working after
this update
[USN-6059-1] Erlang vulnerability (06:23)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Failed to properly maintain state during the TLS handshake when validating a
client certificate - basically a malicious client could send the Certificate
message and then simply omit the CertificateVerify message (the one which proves
possession of the private key and prompts the server to complete validation) -
the server state would then show the cert had been validated
- Note only affects Erlang applications that use client certificates for
authentication (ie. the '{verify, verify_peer}' SSL option)
- Still planning to try and update erlang in bionic (18.04 LTS) but the backport
is more complicated
MySQL vulnerabilities
- 20 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- Latest upstream releases
- 8.0.33 for 20.04 LTS, 22.04 LTS, 22.10, and Lunar (23.04)
- 5.7.42 for 16.04 ESM and 18.04 LTS
- As these are the latest upstream point releases, they also include bug fixes
and possibly new features / incompatible changes - full list of details from
upstream:
[USN-6061-1] WebKitGTK vulnerabilities (08:14)
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Various UAFs plus ability to track users across origins or bypass same origin
policy
[USN-6062-1] FreeType vulnerability (08:38)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Integer overflow when parsing a malformed font - DoS / RCE (particularly
relevant with the advent of web fonts, since any web page can supply a font to
be parsed)
[USN-6063-1] Ceph vulnerabilities (09:03)
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- backport of:
- 17.2.5 for 22.10, 22.04 LTS
- 15.2.17 for 20.04 LTS
- 12.2.13 for 18.04 LTS
[USN-6066-1] OpenStack Heat vulnerability (09:29)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Orchestration service for OpenStack - info leak via the API
[USN-6067-1] OpenStack Neutron vulnerabilities (09:39)
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Virtual networking service for OpenStack
[USN-6068-1] Open vSwitch vulnerability (09:45)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- Failed to properly handle IP packets which specified a protocol of 0 (used in
IPv6 to specify hop-by-hop options) - if a packet with protocol 0 was
encountered, OVS would install a datapath flow, in both the kernel and userspace
datapaths, which matched on ALL IP protocols for this flow - so this would then
possibly match against other IP packets and so cause them to be handled
incorrectly (possibly allowing traffic when it should have been denied etc)
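The consequence is easiest to see as a flow-cache poisoning problem, so here is a toy model of a datapath cache with the two match-building behaviours side by side. This is an added example for these notes, not Open vSwitch code: the packet fields, the ACL, the addresses and the traffic sequence are all constructed, and the real datapaths match on far more than three fields.

```python
"""Toy model of a flow cache where a protocol-0 packet installs a wildcarded match
(added example, not OVS code).

Slow path: the policy decides an action for the first packet of a flow and a
match is installed so later packets skip the policy. If the installed match for
a protocol-0 packet leaves the protocol field out, every later packet between
the same hosts inherits that first decision.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_UDP = 0, 6, 17
ANY = None  # wildcard marker for a match field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Match:
    src: str
    dst: str
    proto: Optional[int]  # None matches every protocol

    def hits(self, pkt: Packet) -> bool:
        return (self.src == pkt.src and self.dst == pkt.dst
                and (self.proto is ANY or self.proto == pkt.proto))


def policy(pkt: Packet) -> str:
    """Constructed ACL evaluated on the slow path: block TCP between these hosts."""
    return "drop" if pkt.proto == IPPROTO_TCP else "allow"


def match_vulnerable(pkt: Packet) -> Match:
    # Modelled bug: protocol 0 is treated as 'no protocol', the field is omitted
    # from the installed match, and the entry then covers every IP protocol.
    proto = ANY if pkt.proto == 0 else pkt.proto
    return Match(pkt.src, pkt.dst, proto)


def match_fixed(pkt: Packet) -> Match:
    # 0 is an ordinary exact value like any other protocol number.
    return Match(pkt.src, pkt.dst, pkt.proto)


class Datapath:
    def __init__(self, build_match: Callable[[Packet], Match]):
        self.build_match = build_match
        self.cache: List[tuple] = []   # installed (Match, action) pairs
        self.slow_path_hits = 0

    def handle(self, pkt: Packet) -> str:
        for m, action in self.cache:
            if m.hits(pkt):
                return action            # fast path: policy is not consulted
        self.slow_path_hits += 1
        action = policy(pkt)
        self.cache.append((self.build_match(pkt), action))
        return action


def replay(build_match: Callable[[Packet], Match], packets: List[Packet]) -> List[str]:
    dp = Datapath(build_match)
    return [dp.handle(p) for p in packets]


# Constructed traffic: a protocol-0 packet first, then TCP that the policy should drop.
CONSTRUCTED_TRAFFIC = [
    Packet("2001:db8::1", "2001:db8::2", IPPROTO_HOPOPTS),
    Packet("2001:db8::1", "2001:db8::2", IPPROTO_TCP),
    Packet("2001:db8::1", "2001:db8::2", IPPROTO_UDP),
]

if __name__ == "__main__":
    print("vulnerable:", replay(match_vulnerable, CONSTRUCTED_TRAFFIC))
    print("fixed:     ", replay(match_fixed, CONSTRUCTED_TRAFFIC))
```

With `match_vulnerable` the TCP packet is allowed without the policy ever seeing it, because the first packet's decision was cached under a match that covers all protocols. With `match_fixed` the TCP packet misses the cache, reaches the policy, and is dropped.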
[USN-6065-1] css-what vulnerabilities (10:43)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- CSS selector parser for Node.js
- Two ReDoS issues
[USN-6064-1] SQL parse vulnerability (11:00)
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Another ReDoS (in the Python sqlparse library)
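Since ReDoS comes up four times this week (the two Ruby issues, css-what and sqlparse), one added example covering the mechanism and the usual mitigations. It is written for these notes and is not code from any of those projects: the patterns, the input bound and the sample inputs are constructed, and the nested-quantifier pattern is a textbook shape, not the regex that was fixed in any of them.

```python
"""Catastrophic backtracking demonstration and mitigation (added example).

Both patterns accept exactly the same strings. The first contains a nested
quantifier, so on a near-miss input the engine tries every way of splitting
the run of 'a's between the inner and outer group before giving up; the work
roughly doubles per extra character. The second is unambiguous and linear.
"""
import re
import time

EVIL = re.compile(r"^(a+)+$")   # constructed: nested quantifier
SAFE = re.compile(r"^a+$")      # constructed: same language, no ambiguity
MAX_LEN = 64                    # constructed bound applied before matching


def time_match(pattern: "re.Pattern", text: str) -> float:
    """Wall-clock seconds for one match attempt."""
    t0 = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - t0


def is_run_of_a_evil(text: str) -> bool:
    """Unbounded input straight into the ambiguous pattern (the vulnerable shape)."""
    return EVIL.match(text) is not None


def is_run_of_a_safe(text: str) -> bool:
    """Mitigated shape: reject over-long input before any regex runs, then use
    the unambiguous pattern so the remaining cost is linear in the length."""
    if len(text) > MAX_LEN:
        return False
    return SAFE.match(text) is not None


def near_miss(n: int) -> str:
    """Worst-case input for EVIL: n letters that match, then one that cannot."""
    return "a" * n + "!"


if __name__ == "__main__":
    # Kept to n <= 20 so the demo finishes in well under a second; each extra
    # character roughly doubles the evil pattern's time.
    for n in (14, 16, 18, 20):
        payload = near_miss(n)
        print(f"n={n:2d}  evil={time_match(EVIL, payload):.4f}s"
              f"  safe={time_match(SAFE, payload):.6f}s")
```

Two practical notes. First, a length bound is the one mitigation that works regardless of the pattern, which is why it is worth applying at the boundary before user input reaches any parser. Second, rewriting the regex only helps when the rewritten pattern is genuinely unambiguous; when that is not possible, Ruby 3.2 and later offer a process-wide `Regexp.timeout=` as a backstop, while Python's standard `re` module has no equivalent, so the bound has to come from the caller.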
Goings on in Ubuntu Security Community
Ubuntu 23.10 release cycle opens (11:41)
- The Ubuntu Security team is back from Prague (Engineering Sprint) - spent the
week diving deep into various aspects like what kinds of tooling and processes
we want to try and improve across the team, talking about the culture and
history of the team to make sure we maintain our great culture as the team grows.
- Even discussing mundane stuff like how to refer to and name security updates
which go into Ubuntu Pro vs the regular Ubuntu Archive - making sure it is
clear to consumers of our USNs etc what is where, plus the various policies
around updates for Ubuntu Pro
- Sessions devoted to snaps and how to do appropriate security reviews for them
plus how to coordinate better with the snapd team
- Even looking at tech debt within our team and our tooling and how we can try
and tackle some of that
- As for more concrete plans for the security team during 23.10
- continue the work to use AppArmor to enable tighter controls over
unprivileged user namespaces within Ubuntu
- various improvements to our OVAL feeds to make them more useful to users and
customers alike
- utilising the Canonical Hardware Certifications Lab for testing of security
updates for packages that require particular hardware (think things like
intel-microcode, nvme-cli, various graphics drivers etc)
- Improvements to AppArmor for more fine-grained network mediation and io_uring
- More work on supporting various confidential computing use-cases (for an
introduction to these types of topics see
https://ubuntu.com/engage/introduction-to-confidential-computing-webinar)
- Usual work on FIPS / CIS / DISA-STIG updates plus usual security maintenance
Academic paper review with Andrei Iosif (14:40)
- New segment to dig into the details of various interesting cybersecurity
research papers
- Andrei joined the team just over 1 month ago - previously was Tech Lead at a
SecOps startup developing open source tools for automating various
cybersecurity solutions - brings a wide range of great experience to our team
- Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems
- Looks at what the study was about (developing a model for attacks against
Network Intrusion Detection Systems, with a particular focus on IDSs that are
based on AI/ML approaches)
Get in contact