Overview
This week we look at the recent Zenbleed vulnerability affecting some AMD
processors, plus we cover security updates for the Linux kernel, a high
profile OpenSSH vulnerability and finally Andrei is back with a deep dive into
recent academic research around how to safeguard machine learning systems when
used across distributed deployments.
This fortnight in Ubuntu Security Updates
123 unique CVEs addressed
[USN-6238-1] Samba vulnerabilities [01:15]
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Possible attacker-in-the-middle attack when configured to do SMB2 packet
signing (as it was not properly enforced); a couple of issues in the Spotlight
protocol implementation (used to let macOS clients search the Samba share via
Finder): a DoS via a possible infinite loop when processing RPC packets which
specified 0 elements in an array-like structure, plus an info leak where the
full server-side path of resources would be returned in results
- 3 CVEs addressed in Jammy (22.04 LTS)
[USN-6239-1] ECDSA Util vulnerability [02:13]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Very similar to the “Psychic Signatures” vuln in Java (OpenJDK) -
[USN-5546-1, USN-5546-2] OpenJDK vulnerabilities
from Episode 172 - basically it would fail to first check whether the provided
exponents in the signature were zero - since if they are, then an all-zero
signature would be considered valid - so anyone could easily forge a signature
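To make the all-zero signature problem concrete, here is an added example (my own toy ECDSA over secp256k1, not the ecdsautils or OpenJDK code) with two verifiers: one that skips the range check on the signature values and one that performs it. The curve choice, the `(0, 0)` encoding of the point at infinity and the test key are all my own assumptions; the point is that with `s = 0` the Fermat-style inverse silently returns 0, both scalars collapse to 0, the result is the point at infinity, and its zero x-coordinate matches `r = 0` for any message and any public key:

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants). Curve choice is an assumption
# for this example; the affected libraries were not limited to one curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Point at infinity encoded as (0, 0): a sloppy but common choice in hand-rolled
# code, and part of why an all-zero signature slips through an unchecked verifier.
INF = (0, 0)


def inv_mod(x, m):
    """Fermat inverse x^(m-2) mod m. Note inv_mod(0, m) == 0; no error is raised."""
    return pow(x, m - 2, m)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a == INF:
        return b
    if b == INF:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * inv_mod(2 * a[1], P) % P
    else:
        lam = (b[1] - a[1]) * inv_mod((b[0] - a[0]) % P, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    y = (lam * (a[0] - x) - a[1]) % P
    return (x, y)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; ec_mul(0, pt) is INF."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg):
    """Textbook ECDSA signing; retries until both r and s are non-zero."""
    e = msg_hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = inv_mod(k, N) * (e + r * priv) % N
        if r != 0 and s != 0:
            return (r, s)


def verify_unchecked(pub, msg, sig):
    """Verification WITHOUT the r,s range check (the bug class in the notes).
    For sig == (0, 0): w = 0, so u1 = u2 = 0, R = INF = (0, 0), and
    R.x mod N == r == 0 holds for every message and every public key."""
    r, s = sig
    w = inv_mod(s, N)
    u1 = msg_hash(msg) * w % N
    u2 = r * w % N
    R = ec_add(ec_mul(u1, G), ec_mul(u2, pub))
    return R[0] % N == r


def verify(pub, msg, sig):
    """Fixed verification: reject r or s outside [1, N-1] before doing any math."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    return verify_unchecked(pub, msg, sig)


if __name__ == "__main__":
    priv = 0x1234  # constructed test key, not a real secret
    pub = ec_mul(priv, G)
    sig = sign(priv, b"hello")
    print("genuine signature, checked verifier:", verify(pub, b"hello", sig))
    print("all-zero signature, unchecked verifier:", verify_unchecked(pub, b"anything", (0, 0)))
    print("all-zero signature, checked verifier:", verify(pub, b"anything", (0, 0)))
```

The fix is the two-line range check at the top of `verify`; everything after it is identical, which is why the omission is so easy to miss in review and why it is worth a dedicated negative test case (an all-zero signature must fail) in any signature library's test suite.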
[USN-6232-1] wkhtmltopdf vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6241-1] OpenStack vulnerability
- 1 CVE addressed in Jammy (22.04 LTS), Lunar (23.04)
- 1 CVE addressed in Lunar (23.04)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Result of an incomplete fix for the historical vulnerability CVE-2016-10009 in
the PKCS#11 module in ssh-agent
- The vuln is hence very similar to that one, ie. if you chose to forward the
ssh-agent socket to a remote machine, then the remote machine could cause your
local ssh-agent to execute arbitrary code - it does this by causing the PKCS#11
module in ssh-agent to load an attacker-controlled library from /usr/lib on
your local machine
- On the surface, it would appear that this would require a malicious library
to be on your machine in this privileged location - BUT there are a bunch of
seemingly innocuous libraries in, say, a standard Ubuntu install that can be
abused to cause malicious actions and get arbitrary code execution. This is
exactly what Qualys did to demonstrate the impact of this vuln -
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
- Very clever use of various pieces of surprising behaviour from various
libraries (such as the ability to make the stack executable or register
signal handlers just by dlopen()'ing a module) - chained together to then get
code execution
- It does though require you to use ssh-agent forwarding - this is generally
discouraged, and instead you should probably use a jump host - this is even
mentioned in the man page for ssh
- Fixed by making module loading more defensive (ie checking that the modules
contain the expected symbols, and aborting if not, etc)
[USN-6243-1] Graphite-Web vulnerabilities
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6203-2] Django vulnerability
- 1 CVE addressed in Bionic ESM (18.04 ESM)
[USN-6129-2] Avahi vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
[USN-6244-1] AMD Microcode vulnerability [05:57]
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Zenbleed - Tavis Ormandy (GPZ) discovered a new hardware vuln via fuzzing of
the ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
- Only specific to AMD’s Zen2 family of processors and is related to speculative
execution - but unlike Spectre etc, speculative execution is not used as the
attack primitive - instead for Zenbleed, the processor fails to properly clean
up state after speculatively executing a particular vector register
instruction - which then allows an attacker thread / process to read this data
from the vector register - this all comes about because these registers are
not like the normal physical registers in the CPU, but instead are shared as a
“Register File” - this sharing means that when one instruction gets
speculatively executed, but turns out to not actually be needed, it fails to
properly clean up - and then leaks this data via the shared register file,
which can be read by another process executing at the same time
- Tavis also released a handy PoC - it requires the use of specific assembly
language instructions and so it is not clear if this could be exploited
remotely, say via JS running in a web browser - but it definitely can be
exploited by local users to spy on all other processes in the system (that use
vector registers), including root / VMs etc
- What kinds of things use these vector registers? Turns out it is many, since
glibc implements functions like strlen() using them - and this is a very
common operation in all kinds of code
- So basically anyone with local unprivileged code-execution on an affected
system could snoop on passwords etc
- AMD released a microcode update to fix this - but only for server-oriented
EPYC line of processors (code named “Rome”) - so in that case all you need to
do is install this microcode update and reboot and you are good.
- But that still leaves a lot of other platforms without an official fix -
according to their advisory they will release BIOS firmware updates for other
affected processors later in the year
- You can however set a so-called “chicken bit” in the processor which (as far
as I can tell) instructs it to not execute this particular instruction
out-of-order (ie not speculatively execute it) - AMD haven’t actually said
what this does but that is the assumption. As such, this does have an effect
on performance, although it is not clear how much.
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
- Kernel developers have then developed a patch to automatically enable this
chicken-bit if the associated microcode update is not present - for Ubuntu we
plan to include this fix in the next round of kernel security updates, due on
21st August
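As an added example (my own code, not AMD's, the kernel's or Tavis's), here is a small Python checker for the workaround described above: it reads MSR 0xc0011029 through the `/dev/cpu/<n>/msr` interface (root and the `msr` kernel module required) and reports whether bit 9, the chicken bit from the `wrmsr` command in the notes, is set on each AMD CPU. The MSR address and bit number come from the notes; the use of CPU family 17h as the filter is my own assumption (Zen, Zen+ and Zen2 all report family 17h, so it is a coarse filter, and the model ranges that distinguish Zen2 are deliberately left out; AMD's advisory is the authoritative list). The `/proc/cpuinfo` excerpt is constructed so the parsing path runs offline:

```python
import os
import re

DE_CFG_MSR = 0xC0011029        # MSR from the wrmsr/rdmsr command in the notes
ZENBLEED_CHICKEN_BIT = 1 << 9  # bit 9, as in the notes' wrmsr command
AMD_FAMILY_17H = 0x17          # assumption: Zen/Zen+/Zen2 all report family 17h,
                               # so this is a coarse filter, not a Zen2 detector


def chicken_bit_set(msr_value):
    """True when bit 9 of DE_CFG is set, i.e. the Zenbleed workaround is active."""
    return bool(msr_value & ZENBLEED_CHICKEN_BIT)


def with_chicken_bit(msr_value):
    """The value the notes' wrmsr command writes: current value OR (1 << 9)."""
    return msr_value | ZENBLEED_CHICKEN_BIT


def parse_cpuinfo(text):
    """Return one dict per 'processor' block of /proc/cpuinfo with the fields we need."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append({
                "cpu": int(fields["processor"]),
                "vendor": fields.get("vendor_id", ""),
                "family": int(fields.get("cpu family", "0")),
                "model": int(fields.get("model", "0")),
                "microcode": fields.get("microcode", ""),
            })
    return cpus


def is_amd_family_17h(cpu):
    return cpu["vendor"] == "AuthenticAMD" and cpu["family"] == AMD_FAMILY_17H


def read_msr(cpu, addr=DE_CFG_MSR):
    """Read a 64-bit MSR via /dev/cpu/<n>/msr (needs root and 'modprobe msr')."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, addr), "little")
    finally:
        os.close(fd)


def report(cpuinfo_text, msr_reader=read_msr):
    """Map cpu number -> chicken bit set? for every AMD family-17h CPU listed."""
    result = {}
    for cpu in parse_cpuinfo(cpuinfo_text):
        if is_amd_family_17h(cpu):
            result[cpu["cpu"]] = chicken_bit_set(msr_reader(cpu["cpu"]))
    return result


# Constructed /proc/cpuinfo excerpt (one AMD, one Intel CPU); values are made up.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
microcode\t: 0x8301052

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
microcode\t: 0xf0
"""

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:
            print(report(f.read()))
    except OSError as exc:
        print("live MSR read failed (need root + msr module):", exc)
        # Offline fallback: the constructed sample with a fake MSR reader.
        print(report(SAMPLE_CPUINFO, msr_reader=lambda cpu: 0))
```

A `False` for a CPU means neither the microcode update's kernel-side logic nor a manual `wrmsr` has set the bit yet; after the kernel update mentioned above lands, re-running this is a quick way to confirm the mitigation took effect on every core.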
[LSN-0096-1] Linux kernel vulnerability [11:47]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- OOB write in netfilter -> crash / code-exec - plus a UAF in netfilter as
well - both require CAP_NET_ADMIN to exploit - but this can be obtained in an
unprivileged user namespace -> privesc
- Plus a bunch of vulns covered in previous episodes
- OOB read in the USB handling code for the Broadcom FullMAC USB WiFi driver
- KVM mishandling of control registers for nested guest VMs
- OOB write in the network queuing scheduler - also able to be triggered through
an unprivileged user namespace
| Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
| --- | --- | --- | --- | --- | --- |
| aws | — | 96.2 | — | 96.2 | — |
| aws-hwe | — | — | — | 96.2 | — |
| azure | 96.3 | 96.2 | — | 96.2 | — |
| azure-5.4 | — | — | 96.2 | — | — |
| gcp | 96.3 | 96.2 | — | 96.2 | — |
| gcp-4.15 | — | — | 96.2 | — | — |
| gcp-5.15 | — | 96.3 | — | — | — |
| gcp-5.4 | — | — | 96.2 | — | — |
| generic-4.15 | — | — | 96.2 | 96.2 | — |
| generic-4.4 | — | — | — | 96.2 | 96.2 |
| generic-5.15 | — | 96.3 | — | — | — |
| generic-5.4 | — | 96.2 | 96.2 | — | — |
| gke | 96.3 | 96.2 | — | — | — |
| gke-5.15 | — | 96.3 | — | — | — |
| gke-5.4 | — | — | 96.2 | — | — |
| gkeop | — | 96.2 | — | — | — |
| gkeop-5.4 | — | — | 96.2 | — | — |
| ibm | 96.3 | 96.2 | — | — | — |
| ibm-5.4 | — | — | 96.2 | — | — |
| linux | 96.3 | — | — | — | — |
| lowlatency-4.15 | — | — | 96.2 | 96.2 | — |
| lowlatency-4.4 | — | — | — | 96.2 | 96.2 |
| lowlatency-5.15 | — | 96.3 | — | — | — |
| lowlatency-5.4 | — | 96.2 | 96.2 | — | — |
[USN-6246-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6247-1] Linux kernel (OEM) vulnerabilities
- 6 CVEs addressed in Jammy (22.04 LTS)
[USN-6248-1] Linux kernel (OEM) vulnerabilities
- 7 CVEs addressed in Jammy (22.04 LTS)
[USN-6249-1] Linux kernel (OEM) vulnerabilities
- 2 CVEs addressed in Jammy (22.04 LTS)
[USN-6250-1] Linux kernel vulnerabilities
- 8 CVEs addressed in Lunar (23.04)
[USN-6251-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6252-1] Linux kernel vulnerabilities
- 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
[USN-6254-1] Linux kernel vulnerabilities
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities
- 6 CVEs addressed in Focal (20.04 LTS)
[USN-6256-1] Linux kernel (IoT) vulnerabilities
- 32 CVEs addressed in Focal (20.04 LTS)
[USN-6260-1] Linux kernel vulnerabilities
- 9 CVEs addressed in Jammy (22.04 LTS)
[USN-6261-1] Linux kernel (IoT) vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-6245-1] Trove vulnerabilities
- Affecting Jammy (22.04 LTS)
[USN-5807-3] libXpm vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM)
[USN-6253-1] libvirt vulnerability
- 1 CVE addressed in Lunar (23.04)
[USN-6257-1] Open VM Tools vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
[USN-6258-1] LLVM Toolchain vulnerabilities
- 4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
[USN-5193-3] X.Org X Server vulnerabilities
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-6259-1] Open-iSCSI vulnerabilities
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6262-1] Wireshark vulnerabilities
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6265-1] RabbitMQ vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-6264-1] WebKitGTK vulnerabilities
- 6 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
[USN-6263-1] OpenJDK vulnerabilities
- 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
[USN-6266-1] librsvg vulnerability [13:55]
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Directory traversal vuln - arbitrary file read by using a specially crafted
include element that specifies, say,
<xi:include href=".?../../../../../../../../../../etc/passwd"/>
- a simple PoC was provided by the upstream reporter
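As an added example (my own code, not librsvg's, and not a description of librsvg's actual URL handling), here is how a consumer of SVG documents can validate `xi:include` hrefs on the defending side. It contrasts a naive check that inspects only the URL path component (which lets the href from the notes through, because `urlsplit` puts `.` in the path and all the `..` segments in the query string) with a check that resolves the href as a relative filesystem path and requires the real path to stay inside the document's base directory. The base directory and the SVG document are constructed for the example; `xml.etree.ElementTree` does not expand `xi:include` on its own, so parsing the document here is inert:

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XI_NS = "{http://www.w3.org/2001/XInclude}"

# The href from the notes, verbatim.
PAYLOAD = ".?../../../../../../../../../../etc/passwd"


def naive_is_local_href(href):
    """Illustrative bug class (not librsvg's code): inspect only the URL path.
    urlsplit(PAYLOAD).path is '.', the '..' segments sit in the query, so this
    check accepts the payload."""
    parts = urlsplit(href)
    return parts.scheme == "" and ".." not in parts.path.split("/")


def confined_path(base_dir, href):
    """Resolve href as a relative filesystem path under base_dir and return the
    real path, or None if it carries a URL scheme or escapes base_dir."""
    if urlsplit(href).scheme:          # no file:, http:, data: etc.
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, href))
    if os.path.commonpath([base, target]) != base:
        return None                    # '..' walked out of the base directory
    return target


def check_includes(svg_text, base_dir):
    """Return [(href, resolved_path_or_None)] for every xi:include element."""
    root = ET.fromstring(svg_text)
    results = []
    for el in root.iter(XI_NS + "include"):
        href = el.get("href", "")
        results.append((href, confined_path(base_dir, href)))
    return results


# Constructed SVG: one benign include and one using the href from the notes.
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="icons/ok.svg"/>
  <xi:include href="{PAYLOAD}" parse="text"/>
</svg>"""

if __name__ == "__main__":
    # /srv/svgdoc is a constructed base directory; it need not exist for realpath.
    for href, resolved in check_includes(SAMPLE_SVG, "/srv/svgdoc"):
        print(f"{href!r}: {'allowed -> ' + resolved if resolved else 'REJECTED'}")
    print("naive path-only check accepts payload:", naive_is_local_href(PAYLOAD))
```

The design point is that the confinement decision is made on the fully resolved filesystem path, not on any parsed view of the href, so it does not matter whether a renderer's URL parser treats `.?../..` as a path, a query or something else.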
[USN-6267-1] Firefox vulnerabilities [14:47]
- 12 CVEs addressed in Focal (20.04 LTS)
- 116.0
Goings on in Ubuntu Security Community
Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]
Get in contact