Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 197

24 min • 2 juni 2023

Overview

The venerable Ubuntu 18.04 LTS release has transitioned into ESM, plus we look at Till Kamppeter’s excellent guide on how to set up your GitHub projects to receive private vulnerability reports, and we cover the week in security updates including PostgreSQL, Jhead, the Linux kernel, Linux PTP, snapd and a whole lot more.

This week in Ubuntu Security Updates

56 unique CVEs addressed

[USN-6104-1] PostgreSQL vulnerabilities (00:55)

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Two issues, both requiring to be an authenticated user. One in mishandling of CREATE privileges - could then allow an auth user to execute arbitrary code as a the bootstrap supervisor - the other in row security properties which could allow to bypass policies and get read/write contrary to security policy.

[USN-6105-1] ca-certificates update (01:32)

  • Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Updates to the latest upstream 2.60 release from Mozilla, adds a bunch of new CAs plus removes some that had either expired or that were now not used anymore

[USN-6106-1] calamares-settings-ubuntu vulnerability (02:08)

  • Affecting Jammy (22.04 LTS)
  • When installing Lubuntu, it would allow to create the first user with an empty password. Lubuntu uses it’s own installer called Calamares - so this issue only affects Lubuntu, not regular Ubuntu or other Ubuntu flavors.

[USN-6100-1] HTML::StripScripts vulnerability (02:58)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • REDoS when parsing HTML with “certain style attributes”

[USN-6108-1] Jhead vulnerabilities (03:18)

[USN-6110-1] Jhead vulnerabilities

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Stack buffer overflow, heap buffer overflow and OOB read - DoS / code exec

[USN-6113-1] Jhead vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • Heap buffer OOB read -> DoS

[USN-6054-2] Django vulnerability (04:17)

[USN-6109-1, USN-6118-1] Linux kernel (Raspberry Pi + Oracle) vulnerabilities (04:29)

[USN-6122-1] Linux kernel (OEM) vulnerabilities (04:49)

  • 2 CVEs addressed in Jammy (22.04 LTS)
  • 6.1 OEM 22.04 LTS
  • Race condition in netfilter able to be triggered by a local user -> UAF
    • requires CAP_NET_ADMIN but can get this in an unprivileged user namespace ∴ can be triggered OOTB by an unpriv user on Ubuntu
    • PoC was published for this last week - caused a bunch of folks to get anxious but since can be mitigated by disabling unprivileged user namespaces perhaps it was not worth all the hype? Also kernel updates take a while to prepare and test etc so it is not easy to just drop everything and crank a new kernel - so in general this would only occur for remotely exploitable issues

[USN-6123-1] Linux kernel (OEM) vulnerabilities (06:48)

[USN-6124-1] Linux kernel (OEM) vulnerabilities (07:10)

[USN-6097-1] Linux PTP vulnerability (07:20)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Precision time protocol implementation - allows to synchronise time between servers to sub-microsecond accuracy - more accurate than NTP - uses a leader/follower architecture - leader would be synchronised with high accuracy via say a GPS then distributes this to other machines via PTP
  • Failed to check length of received packet properly (but only for forwarded packets) - results in a OOB R/W - so could either be an info leak or possible RCE

[USN-6005-2] Sudo vulnerabilities (08:49)

[USN-6111-1] Flask vulnerability (09:02)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Possibly sends a response intended for one client to a different client due to mishandling of the Vary:Cookie header - requires the use of a caching proxy and other conditions though so may not be a widespread issue

[USN-6112-1] Perl vulnerability (09:35)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • Failed to properly validate TLS certs when using CPAN with <:Tiny> to download modules over HTTPS - failed to set ssl_Verify - parameter to <:Tiny>
  • Seems the upstream HTTP::Tiny dev’s thinks it would be discriminatory to enable SSL verification by default as that would make applications etc that use self-signed certs or community-driven CAs like CAcert.org fail - but this seems pretty outdated since with Let’s Encrypt etc nowadays there is easy access to trusted certs for anyone - and so this just does a disservice to all applications that use <:Tiny> making them potentially insecure out-of-the-box
  • Won’t be surprised to see other similar vulns in the future as a result of this foot-gun

[USN-6114-1] nth-check vulnerability (11:32)

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Node.js module for parsing and compiling CSS nth-checks (used in CSS 3 nth-child() and nth-last-of-type() functions) - can pass it a string and it will compile that to an optimised function for calling by other code
  • REDoS

[USN-6116-1] hawk vulnerability (12:11)

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Node.js HTTP Holder-of-key authentication scheme - a HTTP authentication scheme that is similar to the regular HTTP Digest scheme - developed by Mozilla
  • REDoS

[USN-6115-1] TeX Live vulnerability (12:47)

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Shell command execution in luatex if run against an untrusted document since could access the io stream used by the underlying lua engine and inject contents into it which would then be executed

[USN-6119-1] OpenSSL vulnerabilities (13:20)

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CPU-based DoS when processing crafted ASN.1 object identifiers - requires to have an object ID which itself is tens to hundreds of KBs - OpenSSL 3 has a limit of 100KB on the peer cert chain which limits the ability to craft such long IDs and have them be processed by OpenSSL
  • An aarch64 specific issue - AES-XTS decryption algorithm would possibly read past the end of the input buffer -> OOB read -> possible DoS but only if the ciphertext is a certain size relative to the block size

[USN-6120-1] SpiderMonkey vulnerabilities (14:25)

[USN-6121-1] Nanopb vulnerabilities (14:45)

  • 2 CVEs addressed in Focal (20.04 LTS)
  • Implementation of Protocol Buffers but with small code size - designed for embedded systems etc
  • Memory leak on parsing of crafted messages plus an invalid free() or realloc() on crafted messages - both only really an issue if parsing untrusted content

[USN-6117-1] Apache Batik vulnerabilities (15:16)

[USN-6125-1] snapd vulnerability (15:48)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Very similar to a recent issue (CVE-2023-28100) in flatpak - seccomp sandbox failed to block the TIOCLINUX ioctl() request - could allow a snap to inject contents into the controlling terminal when run on a virtual console - this would then be executed when the snap finished running -> code exec outside the snap sandbox
  • Now simply blocks TIOCLINUX as it already did for TIOCSTI in the past
  • Very similar to historic TIOCSTI CVEs such as CVE-2016-9016 in firejail, CVE-2016-10124 in lxc, CVE-2017-5226 in bubblewrap, CVE-2019-10063 in flatpak

[USN-6126-1] libvirt vulnerabilities (17:44)

  • 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • race condition within the nwfilter driver - allows a local unprivileged user to race against the driver and corrupt the list of network filters and trigger a crash in the libvirt daemon
  • memory leak when reading SR-IOV PCI device capabilities

Goings on in Ubuntu Security Community

Ubuntu 18.04 has now entered ESM (18:21)

OpenPrinting tutorial on handling security bugs via GitHub (19:40)

Get in contact

Kategorier
Förekommer på
00:00 -00:00