Overview
We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover
vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen,
containerd and more.
This week in Ubuntu Security Updates
50 unique CVEs addressed
[USN-6190-1] AccountsService vulnerability (00:47)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Mentioned in passing last week - reported to us by Kevin Backhouse from the
GitHub Security Lab team
- DBus service that provides APIs to add, delete or modify system accounts - ie
create a new user etc
- Originally developed by GNOME - used by gnome-control-center etc
- Also allows configuring language / locale settings etc
- In Ubuntu, we carry a custom patch which is used to synchronise the language
and locale from accountsservice to the local user's ~/.pam_environment file,
which is used to configure various per-user session environment variables -
this way no matter how you log in to an Ubuntu system, the locale etc that you
configured via g-c-c etc gets used
- Turned out there were a number of cases of UAF due to logic errors in the
original patch - so an unprivileged user could trigger this and crash the
accounts-daemon which runs as root
[USN-6191-1] Linux kernel regression (02:44)
- Affecting Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Spurious warning message would be printed via the IPv6 subsystem
[USN-6192-1] Linux kernel vulnerabilities (03:10)
- 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- Off-by-one in the flower network traffic classifier - flow based traffic
control filter - allows defining a "flow" by a set of key/value pairs
(ie. src MAC address, port number or various other types) - could be leveraged
for DoS or potential code execution - PoC posted publicly but even then it was
stated that it doesn't even crash the kernel, however gdb can be used to
detect the OOB write
- Mishandling of locking in the io_uring subsystem - local attacker could use
this to trigger a deadlock and hence a DoS
- Possible info leak via stale page table entries - when KPTI was introduced in
the wake of Meltdown, flushing the page tables on every entry/exit to/from
kernel space was costly; PCIDs are a hardware feature introduced in more recent
Intel processors to minimise this cost by only flushing on exit back to
userspace - this is done by issuing the INVLPG instruction - but it was found
that on certain hardware platforms this did not actually flush the global TLB
contrary to expectation - and so could leak kernel memory back to userspace
[USN-6193-1] Linux kernel vulnerabilities
- 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- TC flower + INVLPG
[USN-6194-1] Linux kernel (OEM) vulnerabilities (06:04)
- 3 CVEs addressed in Jammy (22.04 LTS)
- io_uring and TC flower plus OOB read in InfiniBand RDMA driver - DoS / info
leak
[USN-6195-1] Vim vulnerabilities (06:26)
- 6 CVEs addressed in Jammy (22.04 LTS)
- More vim fuzzing results - OOB read, UAF, heap buffer overflow, NULL pointer
dereference etc.
[USN-6196-1] ReportLab vulnerability (06:47)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Python library for producing PDFs - often used to convert HTML to PDF etc
- Bypass of validation originally put in place for a previous CVE-2019-17626
(see [USN-4273-1] ReportLab vulnerability in Episode 62)
- That vuln was RCE since reportlab would call the python eval() function
directly on a value obtained from an XML document
- To fix that, they introduced a complex validation scheme so they could still
use eval() without having to remove this functionality - the new update
disables this by default and instead only allows a much more limited subset of
colors to be parsed
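The shape of that fix, as an added illustration (this is not ReportLab's code, and the named-colour table and grammar are constructed for the example): the original pattern hands an attribute value from the XML document to eval(), while the hardened version accepts only an anchored, allowlisted colour grammar, so there is no expression syntax left to evaluate.

```python
import re

# Original (unsafe) pattern, shown only for contrast: the colour attribute
# read from the XML document is handed to eval(), so any Python expression
# in the document is executed by the PDF generator.
def parse_color_unsafe(value: str):
    return eval(value)  # the CVE-2019-17626 shape: code execution from input


class ColorError(ValueError):
    """Raised for anything outside the allowlisted colour grammar."""


# Allowlist of named colours (constructed for this example; a real library
# would carry the full table).
NAMED_COLORS = {
    "black": (0, 0, 0),
    "white": (255, 255, 255),
    "red": (255, 0, 0),
    "green": (0, 128, 0),
    "blue": (0, 0, 255),
}

# Anchored patterns: "#rgb" / "#rrggbb" and "rgb(r, g, b)". Nothing else is
# accepted, so the parser never interprets its input as code.
_HEX_RE = re.compile(r"\A#([0-9a-f]{6}|[0-9a-f]{3})\Z")
_RGB_RE = re.compile(r"\Argb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)\Z")

MAX_COLOR_LEN = 32  # cheap size cap before any parsing


def parse_color(value: str) -> tuple[int, int, int]:
    """Parse a colour spec into an (r, g, b) tuple without evaluating code."""
    if not isinstance(value, str) or len(value) > MAX_COLOR_LEN:
        raise ColorError("colour spec missing, not a string, or too long")
    v = value.strip().lower()
    if v in NAMED_COLORS:
        return NAMED_COLORS[v]
    m = _HEX_RE.match(v)
    if m:
        h = m.group(1)
        if len(h) == 3:  # expand shorthand "#abc" to "#aabbcc"
            h = "".join(c * 2 for c in h)
        return tuple(int(h[i:i + 2], 16) for i in (0, 2, 4))
    m = _RGB_RE.match(v)
    if m:
        channels = tuple(int(c) for c in m.groups())
        if any(c > 255 for c in channels):
            raise ColorError(f"channel out of range in {value!r}")
        return channels
    raise ColorError(f"unrecognised colour spec {value!r}")


def is_valid_color(value) -> bool:
    """Convenience predicate: True only if parse_color() accepts the value."""
    try:
        parse_color(value)
    except ColorError:
        return False
    return True
```

The design point is that an allowlist grammar is much easier to reason about than a blocklist wrapped around eval(): every accepted input is one of three fixed shapes, and anything else is rejected before any interpretation happens.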
[USN-6197-1] OpenLDAP vulnerability (08:48)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- NULL pointer deref in certain circumstances if failed to allocate memory
during various string handling operations - unlikely to be able to be
triggered easily (would first need a memory leak bug or similar…)
[USN-6198-1] GNU Screen vulnerability (09:25)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- screen provides an API to allow the processes under its control to be, say,
killed from another session - but would fail to check if the specified PID was
actually owned by the calling user - so if screen was setuid, would allow a
local user to send a SIGHUP to any other process on the system
- In Ubuntu screen is not setuid so this was not a real issue
[USN-6199-1] PHP vulnerability (10:35)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- When generating a nonce for use in HTTP Digest during SOAP authentication,
wouldn’t actually check the return value from the call to generate random data
for the nonce - as such, the nonce would be whatever was previously in the
stack memory - so could leak info from the stack, or this could be say all
zeros which would defeat the purpose of the nonce
[USN-6200-1] ImageMagick vulnerabilities (11:27)
- 20 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Time for another frequent mention in the podcast - ImageMagick (seems to come
up every 10 episodes or so)
- Huge range of CVEs fixed across the various releases with some dating back to
2020
- OOB read, stack buffer overflow, NULL ptr deref, lots of heap buffer overflows
- Since 20.04, ImageMagick is now in universe, so for 20.04 LTS this update is
available via Ubuntu Pro
[USN-6201-1] Firefox vulnerabilities (12:27)
- 13 CVEs addressed in Focal (20.04 LTS)
- 115.0
- Usual web browser issues (DoS, domain bypass, RCE etc) - but also bypass of
cookie storage protections, possible spoofing attack via fullscreen
notifications and others
[USN-6202-1] containerd vulnerabilities (13:09)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- DoS when importing an OCI image with a really large manifest or image layout
file - would try and read the whole JSON file into memory - could cause
containerd to crash by running out of memory - limited to 20MBs
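An added example of the bounded-read mitigation described above (not containerd's own code; the 20 MB budget is taken from the summary and assumed to mean MiB, the manifest content and the endless stream are constructed for the example): the input is consumed in chunks and abandoned as soon as it exceeds the budget, so the JSON parser never sees an oversized file and the process never buffers it.

```python
import io
import json

# Limit applied after the fix as described above (20 MB; MiB assumed here).
MAX_MANIFEST_BYTES = 20 * 1024 * 1024


class ManifestTooLarge(ValueError):
    """Input exceeded the size budget; nothing was buffered past it."""


def read_bounded(stream, limit: int, chunk_size: int = 64 * 1024) -> bytes:
    """Read at most `limit` bytes from a binary stream.

    The stream is consumed in chunks and the read stops as soon as the budget
    is exceeded, so a hostile multi-gigabyte file never ends up in memory.
    """
    buf = bytearray()
    while True:
        # Never request more than (remaining budget + 1): the extra byte is
        # how overflow is detected without buffering the whole input.
        want = min(chunk_size, limit - len(buf) + 1)
        piece = stream.read(want)
        if not piece:
            break
        buf += piece
        if len(buf) > limit:
            raise ManifestTooLarge(f"manifest exceeds {limit} bytes")
    return bytes(buf)


def load_manifest(stream, limit: int = MAX_MANIFEST_BYTES) -> dict:
    """Bounded read, then parse; the parser never sees oversized input."""
    data = read_bounded(stream, limit)
    doc = json.loads(data)
    if not isinstance(doc, dict) or "schemaVersion" not in doc:
        raise ValueError("not an OCI-style manifest object")
    return doc


class EndlessStream:
    """Constructed stand-in for a crafted image file that never ends."""

    def read(self, n: int = -1) -> bytes:
        return b"[" if n < 0 else b"[" * n


def demo() -> tuple:
    """Return (small manifest accepted, endless input rejected)."""
    small = io.BytesIO(b'{"schemaVersion": 2, "layers": []}')  # constructed
    ok_small = load_manifest(small)["schemaVersion"] == 2
    try:
        load_manifest(EndlessStream(), limit=4096)
        rejected = False
    except ManifestTooLarge:
        rejected = True
    return ok_small, rejected
```

The important property is that memory use is bounded by the limit plus one chunk regardless of what the input does; reading the whole file first and checking its length afterwards would give the same verdict but only after the allocation that causes the crash.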
[USN-6203-1] Django vulnerability (13:55)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- ReDoS in EmailValidator and URLValidator classes when parsing really long
strings - fixed by rejecting anything longer than some hardcoded constants
(2KB for URL, 320 chars for email as per RFC x3696)
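An added example of the length-cap approach to this fix (not Django's code; the e-mail and URL grammars below are simplified and constructed for the example, while the 320-character and 2 KB caps come from the summary): a constant-time length check runs before any regular expression, and the patterns themselves are anchored and free of nested quantifiers.

```python
import re
from urllib.parse import urlsplit

# Caps named above: 2 KB for URLs, 320 characters for e-mail addresses.
MAX_URL_LEN = 2048
MAX_EMAIL_LEN = 320


class ValidationError(ValueError):
    pass


def bounded(max_len: int):
    """Decorator: reject over-long input in O(1) before the wrapped validator
    (and its regular expressions) ever sees it."""
    def wrap(validator):
        def checked(value):
            if not isinstance(value, str):
                raise ValidationError("expected a string")
            if len(value) > max_len:
                raise ValidationError(f"input longer than {max_len} characters")
            return validator(value)
        return checked
    return wrap


# Simplified grammars (constructed for this example, not Django's own):
# a local part, "@", then dot-separated labels of letters, digits and hyphens.
_LOCAL_RE = re.compile(r"\A[A-Za-z0-9._%+-]{1,64}\Z")
_LABEL_RE = re.compile(r"\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")


@bounded(MAX_EMAIL_LEN)
def validate_email(value: str) -> str:
    local, sep, domain = value.rpartition("@")
    if not sep or not _LOCAL_RE.match(local):
        raise ValidationError("invalid local part")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(l) for l in labels):
        raise ValidationError("invalid domain")
    return value


@bounded(MAX_URL_LEN)
def validate_url(value: str) -> str:
    parts = urlsplit(value)
    if parts.scheme not in {"http", "https", "ftp", "ftps"}:
        raise ValidationError("unsupported scheme")
    host = parts.hostname
    if not host or not all(_LABEL_RE.match(l) for l in host.split(".")):
        raise ValidationError("invalid host")
    return value


def is_valid(validator, value) -> bool:
    """True if the validator accepts the value, False on ValidationError."""
    try:
        validator(value)
    except ValidationError:
        return False
    return True
```

Splitting on "@" and "." first and matching each piece against a small anchored pattern keeps the matching linear in the input length, which is the second half of the defence; the length cap alone only bounds how bad a pathological pattern can get.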
Goings on in Ubuntu Security Community
AppArmor 4.0-alpha1 in progress (14:44)
- https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-alpha1
- “Bridge” between 3.0 style policy and new 4.0 policy
- New profile flags
- New mediation types
- Minor changes
- Ability to filter the output of aa-status
- Inclusion of a new utility called aa-load which can load pre-compiled /
cached binary policies without the use of apparmor_parser
- Ability to run and compile policies as an unprivileged user (still need to
be root to actually load the policy into the kernel)
AppArmor kernel fixes for Linux 6.5 (20:42)
Get in contact