Overview
We’re back after unexpectedly going AWOL last week to bring you the latest in
Ubuntu Security including the recently announced Downfall and GameOver(lay)
vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and
we detail plans for using AppArmor to restrict the use of unprivileged user
namespaces as an attack vector in future Ubuntu releases.
This week in Ubuntu Security Updates
143 unique CVEs addressed
[USN-6268-1, USN-6269-1] GStreamer Base and Good Plugins vulnerabilities (01:07)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Both CVEs discovered by an independent security researcher and reported via
ZDI (ZDI-CAN-20775, ZDI-CAN-20994)
- Used by the built-in Videos app (aka totem) which can play streaming videos
(even has a default plugin providing integration with Apple Video Trailers and
others) - so could possibly be used for remote exploitation
- Integer overflow -> buffer overflow -> RCE in FLAC audio decoder
- Buffer overflow in PGS subtitle handler - failed to validate length before
copying -> heap buffer overflow -> RCE
[USN-6270-1] Vim vulnerabilities (02:49)
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Latest round of vim vulns - all via the bug bounty program and from just 3
researchers - would be interesting to know what kind of bounties are paid out
for these “vulns” since most require the user to run vim with a crafted set of
commands against a crafted input file - if you can get someone to do that, you
can probably just write arbitrary shell code for them to execute as well…
[USN-6271-1] MaraDNS vulnerabilities (03:55)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
[USN-6272-1] OpenJDK 20 vulnerabilities
- 7 CVEs addressed in Lunar (23.04)
- Update to OpenJDK 20.0.2
[USN-5064-3] GNU cpio vulnerability (04:08)
[USN-6275-1] Cargo vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6273-1] poppler vulnerabilities
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
[USN-6274-1] XMLTooling vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-6276-1] unixODBC vulnerability
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
[USN-6267-2] Firefox regressions
- 12 CVEs addressed in Focal (20.04 LTS)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- 3 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
[USN-6279-1] OpenSSH update (04:53)
- Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Possible info leak during algorithm negotiation - related to CVE-2020-14145,
a low priority vulnerability where a person in the middle can determine
whether a client already knows the server’s host key. This could then be used
to target clients which do not have this knowledge (since they will be
prompted to accept and trust the host key offered on first connection) and
offer them an attacker-chosen host key, causing them to authenticate to a host
controlled by the attacker, who can then intercept their connection etc.
- There is a partial mitigation in the form of a client change so that if the
client does already have the server’s host key, it will still preserve the
original algorithm ordering sent to the server and so not leak this
information.
- This is not a complete fix for this issue since it only mitigates some of the
use-cases of the original vuln.
[USN-4336-3] GNU binutils vulnerabilities
- 6 CVEs addressed in Trusty ESM (14.04 ESM)
[USN-6243-2] Graphite-Web regression
- 4 CVEs addressed in Bionic ESM (18.04 ESM)
[USN-6281-1] Velocity Engine vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6282-1] Velocity Tools vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6283-1] Linux kernel vulnerabilities (07:34)
- 13 CVEs addressed in Lunar (23.04)
[USN-6284-1] Linux kernel vulnerabilities
- 16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6285-1] Linux kernel (OEM) vulnerabilities (07:50)
- 14 CVEs addressed in Jammy (22.04 LTS)
- 6.1 kernel
- 8 different high priority vulns - most mentioned previously - does include
“GameOver(lay)” which we haven’t covered yet - reported by Wiz Research and is
specific to Ubuntu kernels
- OverlayFS is a union filesystem which allows multiple filesystems to be
mounted at the same time, and presents a single unified view of the
filesystems. In 2018 we introduced some changes to OverlayFS as SAUCE patches
to handle extended attributes in overlayfs. Then in 2020 we backported commits
to fix CVE-2021-3493 - in the process this also added support for extended
attributes in OverlayFS so now there were two code paths, each using different
implementations for extended attributes. One was protected against the vuln in
CVE-2021-3493 whilst the other was not.
- This vulnerability exploits that same flaw in the unprotected
implementation.
- In this case, the vulnerability is in the handling of extended attributes in
OverlayFS: it is possible to create a file with extended attributes which are
not visible to the user, and then mount that file in a way which allows the
extended attributes to be visible to the user - this is done by mounting the
file with the nosuid option, and then remounting it with the suid option. This
allows the user to then execute arbitrary code as root. NOTE: requires the
user to have CAP_SYS_ADMIN, but this is easy with unprivileged user
namespaces.
- Even more reason to keep pursuing the effort to restrict the use of
unprivileged user namespaces in upcoming Ubuntu 23.10
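Since the GameOver(lay) write-up above hinges on unprivileged user namespaces handing out CAP_SYS_ADMIN, the natural defender question is whether a given host still allows them. The following script is an added example (not from the podcast or from Ubuntu) that reports that from two Ubuntu-specific sysctls read via /proc/sys: kernel.unprivileged_userns_clone, which Ubuntu kernels have long carried, and kernel.apparmor_restrict_unprivileged_userns, which is assumed here to be the shipped form of the AppArmor restriction the episode only describes as a plan. The classifier takes the values as arguments so it can be exercised offline; the report function feeds it the live values.

```shell
#!/bin/sh
# Added example (not from the podcast or Ubuntu): report whether an unprivileged
# user can still create user namespaces on this host, which is what makes
# CAP_SYS_ADMIN "easy" to obtain for bugs like GameOver(lay).
#
# Sysctls consulted (both Ubuntu-specific):
#   kernel.unprivileged_userns_clone              0 = unprivileged creation disabled
#   kernel.apparmor_restrict_unprivileged_userns  1 = only AppArmor profiles that
#                                                     grant userns may create one
# The second sysctl is assumed to be the Ubuntu 23.10 implementation of the
# AppArmor plan discussed in the episode; the show notes mention only the plan.

userns_classify() {
    clone="$1"      # value of kernel.unprivileged_userns_clone, "" if absent
    apparmor="$2"   # value of kernel.apparmor_restrict_unprivileged_userns, "" if absent
    if [ "$clone" = "0" ]; then
        echo "blocked-by-sysctl"
    elif [ "$apparmor" = "1" ]; then
        echo "restricted-by-apparmor"
    elif [ -z "$clone" ] && [ -z "$apparmor" ]; then
        # Neither knob exists: not an Ubuntu kernel, so this check cannot decide.
        echo "unknown-not-ubuntu-kernel"
    else
        echo "unrestricted"
    fi
}

# Print the value of /proc/sys/<dotted.name>, or nothing if the file is missing.
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# Classify the running host.
userns_report() {
    userns_classify "$(read_sysctl kernel.unprivileged_userns_clone)" \
                    "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)"
}

userns_report
```

On a non-Ubuntu kernel the script reports that it cannot decide; there the upstream knob to look at instead is user.max_user_namespaces, which this example deliberately leaves out to stay with the Ubuntu mechanisms the episode covers.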
[USN-6286-1] Intel Microcode vulnerabilities (10:59)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Gather data sampling (aka “Downfall”) - another microarchitectural CPU
vulnerability - the last one we saw was Zenbleed from Episode 103 in AMD Zen2 CPUs
- This time in Intel hardware (6th to 11th generation) CPUs
- Presented at BlackHat just over 1 week ago -
https://www.blackhat.com/us-23/briefings/schedule/#single-instruction-multiple-data-leaks-in-cutting-edge-cpus-aka-downfall-31490
- Similar to Zenbleed in a way, since both are related to the SIMD instruction
set (single instruction, multiple data) - these instructions are used to
perform the same operation on multiple data elements simultaneously
(e.g. adding two vectors of 4 32-bit integers together) which is very useful
for things like video encoding/decoding, image processing, etc.
- As the name Gather Data Sampling suggests, the fault in this case is in the
SIMD Gather instruction which is used to load data into a vector register from
a memory location specified by an index vector register. Essentially this
allows the efficient loading of data which is scattered across memory into a
single register to then perform further operations on, and is useful in many
applications. The vulnerability is that under speculative execution, the data
which is loaded could be stale and come from an address which is not
accessible to the current process, and the data could be used in further
operations which could then leak the contents of that inaccessible memory -
e.g. stealing cryptographic keys from another process.
- The fix in this case was a microcode update, which stops the CPU from
speculatively executing the Gather instruction, and instead waits for the data
to be available before executing the instruction. This results in a
performance hit, which was measured at up to 50% in a small number of
use-cases (whilst in others it is negligible).
- Perhaps the most interesting part of this vulnerability is the timeline - it
was reported to Intel on 24th August 2022 yet only fixed publicly on 8th
August 2023 - basically meaning it took a year for Intel to fix this
issue.
- Associated with the microcode update is a kernel patch - this allows the
microcode fix to be reverted at boot by a new kernel command line option:
gather_data_sampling=off - this is useful for those who want to avoid the
performance hit, and are willing to accept the risk of the vulnerability.
- Ubuntu kernels have not yet been updated with this fix but that should arrive
within the next week (i.e. week of 21st August)
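Because the Downfall fix lives in microcode, can be reverted with gather_data_sampling=off, and has not yet landed in every kernel, a host can be in several distinct states. The script below is an added example (not from the podcast, Intel or Ubuntu) that classifies a host from the kernel's sysfs status file, /sys/devices/system/cpu/vulnerabilities/gather_data_sampling, and from /proc/cmdline. The status strings it matches are the ones the upstream kernel reports for this file; the short labels it prints are this example's own. Both inputs are passed as arguments so the classifier can be exercised offline with constructed values.

```shell
#!/bin/sh
# Added example (not from the podcast, Intel or Ubuntu): classify a host's
# Downfall / Gather Data Sampling (GDS) status.
#   $1  contents of /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
#       ("" when the file does not exist, i.e. the kernel predates the GDS patch)
#   $2  contents of /proc/cmdline

gds_classify() {
    sysfs="$1"
    cmdline="$2"

    # A boot option reverting the microcode fix takes precedence: the kernel
    # then reports plain "Vulnerable", which would otherwise be indistinguishable
    # from a CPU that simply never received the microcode.
    case " $cmdline " in
        *" gather_data_sampling=off "*) echo "disabled-by-cmdline"; return 0 ;;
        *" mitigations=off "*)          echo "disabled-by-cmdline"; return 0 ;;
    esac

    case "$sysfs" in
        "")                             echo "no-status-file" ;;          # kernel lacks the GDS patch
        "Not affected"*)                echo "not-affected" ;;
        "Mitigation: Microcode"*)       echo "mitigated" ;;               # includes "(locked)"
        "Mitigation: AVX disabled"*)    echo "mitigated-avx-disabled" ;;  # gather_data_sampling=force
        "Vulnerable: No microcode"*)    echo "needs-microcode-update" ;;
        "Vulnerable"*)                  echo "vulnerable" ;;
        "Unknown"*)                     echo "unknown-hypervisor" ;;      # guest cannot see host status
        *)                              echo "unrecognised" ;;
    esac
}

# Classify the running host; missing files are passed through as "".
gds_report() {
    status_file=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
    status=""
    if [ -r "$status_file" ]; then status=$(cat "$status_file"); fi
    cmdline=""
    if [ -r /proc/cmdline ]; then cmdline=$(cat /proc/cmdline); fi
    gds_classify "$status" "$cmdline"
}

gds_report
```

The "needs-microcode-update" result is the one to expect on an affected Intel host once the kernel patch has arrived but the intel-microcode package has not, which, given the ordering described above, is the transient state Ubuntu users are most likely to see; "disabled-by-cmdline" flags hosts where someone has knowingly traded the fix for performance.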
[USN-6280-1] PyPDF2 vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6287-1] Go yaml vulnerabilities
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-4897-2] Pygments vulnerabilities
[USN-6288-1] MySQL vulnerabilities
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
[USN-6289-1] WebKitGTK vulnerabilities
- 9 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
[USN-6290-1] LibTIFF vulnerabilities
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
[USN-6291-1] GStreamer vulnerability
- 1 CVE addressed in Xenial ESM (16.04 ESM)
[USN-6292-1] Ceph vulnerability
- 1 CVE addressed in Lunar (23.04)
[USN-6293-1] OpenStack Heat vulnerability
- 1 CVE addressed in Jammy (22.04 LTS)
Goings on in Ubuntu Security Community
Ubuntu 22.04.3 LTS Released (15:47)
Ubuntu 22.10 (Kinetic Kudu) End of Life (16:32)
Unprivileged user namespace restrictions via AppArmor in Ubuntu (17:00)
Get in contact