Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 210

21 min • 22 september 2023

Overview

It’s the Linux Security Summit in Bilbao this week and we bring you some highlights from our favourite talks, plus we cover the 25 most stubborn software weaknesses, and we look at security updates for Open VM Tools, libwebp, Django, binutils, Indent, the Linux kernel and more.

This week in Ubuntu Security Updates

88 unique CVEs addressed

[USN-6365-1] Open VM Tools vulnerability (00:45)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Failed to properly validate SAML tokens - uses the xmlsec library but when verifying the signature on a SAML document, failed to configure the library to only use the X509 certificate for validation - since presumably an attacker could intercept the SAML token, and replace the X509 cert with a different type of signature which would then be trusted by the xmlsec library and allow the attacker to gain access

[USN-6366-1] PostgreSQL vulnerability (01:34)

[USN-6364-1] Ghostscript vulnerabilities (01:59)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • Divide by zero and buffer overflow in handling of PDFs -> DoS / RCE?

[USN-6369-1] libwebp vulnerability (02:19)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • heap buffer overflow -> OOB write -> RCE
  • originally reported as a vuln in Chrome on 12 September - full impact that this was actually a bug in libwebp became clear a few days later
    • Solar Designer has a good thread on the details on oss-security

[USN-6367-1] Firefox vulnerability (03:55)

  • 1 CVEs addressed in Focal (20.04 LTS)
  • 117.0.1 for the libwebp fix above

[USN-6368-1] Thunderbird vulnerabilities (04:04)

  • 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • 102.15.1 - libwebp issue above plus various other issues - various UAFs, missing .xll files from standard blocklist that warns users when downloading executables - more of a windows issue but these are Excel add-in files - ie. plugins for Excel, “memory safety bugs”

[USN-6370-1] ModSecurity vulnerabilities (04:42)

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CPU-based DoS when parsing excessively nested JSON objects (needs to be tens-of-thousands deep)
  • Mishandling of NUL byte in file uploads - would parse the filename as a string but if it contained an embedded NUL byte then filename would be truncated and hence could result in a buffer overread or the ability to bypass the web application firewall for rules which read from the FILES_TMP_CONTENT variable
  • Mishandling of HTTP multipart requests could also allow to bypass WAF

[USN-6371-1] libssh2 vulnerability (06:07)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • OOB read - low impact since requires to connect to a malicious server to trigger - and outcome is likely a DoS

[USN-6372-1] DBus vulnerability (06:26)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • Ability to crash the dbus daemon by an unprivileged user - BUT only if there is a privileged user using the in-built monitoring interface of dbus to monitor the traffic - so low chance of being able to trigger this and the outcome is just a DoS anyway - and will be restarted by systemd anyway

[USN-6373-1] gawk vulnerability (07:02)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Heap OOB read - DoS

[USN-6374-1] Mutt vulnerabilities (07:16)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • 2 different NULL ptr deref
    • viewing crafted email
    • composing from a specially crafted draft email
    • DoS only

[USN-6375-1] atftp vulnerability (07:38)

  • Affecting Jammy (22.04 LTS), Lunar (23.04)
  • Could crash atftpd if requesting a non-existant file - turns out to be a buffer overflow so could possibly be used for code execution

[USN-6376-1] c-ares vulnerability (7:50)

  • 1 CVEs addressed in Focal (20.04 LTS)
  • OOB read when parsing a crafted Start of Authority (SOA) reply

[USN-6377-1] LibRaw vulnerability (7:56)

  • 1 CVEs addressed in Focal (20.04 LTS)
  • Failed to reject images with invalid pixel aspect ratio - leading to an OOB read -> crash

[USN-6378-1] Django vulnerability (08:08)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • DoS via handling of URIs with a very large number of unicode characters - algorithm would parse from start of string forwards for every invalid unicode character - instead of just using the remainder of the string

[USN-6379-1] vsftpd vulnerability (08:47)

  • 1 CVEs addressed in Focal (20.04 LTS)
  • Possible application layer confusion attack (ALPACA) - abuses wildcard or multi-domain certificates to redirect traffic from one subdomain to another

[USN-6381-1] GNU binutils vulnerabilities (09:07)

[USN-6380-1] Node.js vulnerabilities (09:54)

  • 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • abort when sending a crafted X509 certificate -> DoS
  • 2 different HTTP request smuggling attacks
  • possible bypass of HTTP authorization since would include whitespace in HTTP headers
  • couple memory corruption issues in various operations implemented in C

[USN-6382-1] Memcached vulnerability (10:23)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • NULL ptr deref upon reception of a UDP multi-packet request

[USN-6389-1] Indent vulnerability (10:30)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • heap buffer overflow -> DoS / RCE

[USN-6339-4] Linux kernel (Intel IoTG) vulnerabilities (10:53)

[USN-6383-1] Linux kernel vulnerabilities (11:15)

  • 5 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
  • 6.2 all in 23.04, HWE in 22.04
  • speculative execution leak when performing a divide-by-zero on various AMD processors
  • possible privilege escalation in ARM64 KVM implementation -> guest VM could then write to host memory -> code execution
  • UAF in L2CAP socket handling in bluetooth - local DoS / code execution
  • UAF in various network packet classifiers - local DoS via unprivileged user namespace
  • Memory leak in netfilter - also able to be abused by an unprivileged user in a user namespace

[USN-6384-1] Linux kernel (OEM) vulnerabilities (12:23)

  • 2 CVEs addressed in Jammy (22.04 LTS)
  • 6.1
  • speculative execution leak when performing a divide-by-zero on various AMD processors
  • Memory leak in netfilter - also able to be abused by an unprivileged user in a user namespace

[USN-6385-1] Linux kernel (OEM) vulnerabilities (12:37)

[USN-6386-1] Linux kernel vulnerabilities (13:01)

[USN-6387-1] Linux kernel vulnerabilities (13:08)

[USN-6388-1] Linux kernel vulnerabilities (13:12)

Goings on in Ubuntu Security Community

Highlights from LSS EU (13:29)

Top 25 most stubborn weaknesses (17:13)

CWE-ID Description 2023 Rank
CWE-787 Out-of-bounds Write 1
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 2
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 3
CWE-416 Use After Free 4
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 5
CWE-20 Improper Input Validation 6
CWE-125 Out-of-bounds Read 7
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 8
CWE-352 Cross-Site Request Forgery (CSRF) 9
CWE-476 NULL Pointer Dereference 12
CWE-287 Improper Authentication 13
CWE-190 Integer Overflow or Wraparound 14
CWE-502 Deserialization of Untrusted Data 15
CWE-119 Improper Restriction of Operations within Bounds of a Memory Buffer 17
CWE-798 Use of Hard-coded Credentials 18
  • all fall into one of three different categories
    • errors when processing of data from untrusted sources providing an initial entry point for compromise
    • weaknesses from using languages that don’t provide strong memory safety guarantees
    • poor security architecture / design choices
  • re memory safety - MITRE note that this has been coming down - CWE-119 (“Improper Restriction of Operations within Bounds of a Memory Buffer”) was once ranked 1 5 years ago, is now 17. Related (but not directly memory safety but more correctness) CWE-190 (“Integer Overflow or Wraparound”) was ranked 5, is now 7.
  • Really shows that if you are implementing any new code, choosing a language that is memory safe will help avoid a lot of the most prevalent security issues - clearly won’t help with lack of proper input validation or poor security architecture etc - but will cut out the most dangerous and most stubborn issues (OOB W, UAF etc)

Get in contact

Kategorier
Förekommer på
00:00 -00:00