Overview
It’s the Linux Security Summit in Bilbao this week and we bring you some
highlights from our favourite talks, plus we cover the 25 most stubborn software
weaknesses, and we look at security updates for Open VM Tools, libwebp, Django,
binutils, Indent, the Linux kernel and more.
This week in Ubuntu Security Updates
88 unique CVEs addressed
[USN-6365-1] Open VM Tools vulnerability (00:45)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Failed to properly validate SAML tokens - uses the xmlsec library, but when
verifying the signature on a SAML document it did not configure the library to
only use the X509 certificate for validation - so presumably an attacker who
could intercept the SAML token could replace the X509 cert with a different
type of key/signature, which the xmlsec library would then trust, allowing
the attacker to gain access
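The verification mistake described above, as an added example (not code from open-vm-tools or xmlsec): a verifier that honours whatever key material the token's KeyInfo names can be fed a token signed with a key the document itself carries, whereas a verifier restricted to the configured X509 trust anchor cannot. To stay standard-library-only, the trust anchor and the embedded key are modelled as constructed HMAC secrets, and the key-type names "x509" and "hmac" are assumptions for this model.

```python
import hashlib
import hmac

# Stand-in for the verifier's configured trust anchor: in a real SAML consumer
# this is the IdP's X509 certificate; here it is a constructed HMAC secret so
# the example runs with the standard library only.
TRUST_STORE = {"idp-cert": b"constructed-idp-signing-key"}


def sign(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def make_token(body: bytes, key_info: dict, secret: bytes) -> dict:
    """A signed 'assertion': body, the KeyInfo saying how to verify it, and the signature."""
    return {"body": body, "key_info": key_info, "signature": sign(secret, body)}


def verify_permissive(token: dict, trust_store: dict) -> bool:
    """Vulnerable shape: every key type the library supports is honoured, so key
    material carried inside the token itself (KeyInfo type 'hmac') gets used."""
    key_info = token["key_info"]
    if key_info["type"] == "x509":
        secret = trust_store.get(key_info["ref"])
    elif key_info["type"] == "hmac":
        secret = key_info["key"]  # taken from the (attacker-controllable) document
    else:
        return False
    if secret is None:
        return False
    return hmac.compare_digest(sign(secret, token["body"]), token["signature"])


def verify_strict(token: dict, trust_store: dict, enabled_key_types=("x509",)) -> bool:
    """Hardened shape: only the enabled key type(s) are accepted, and the key is
    always looked up in the configured trust store, never read from the token."""
    key_info = token["key_info"]
    if key_info["type"] not in enabled_key_types:
        return False
    secret = trust_store.get(key_info.get("ref"))
    if secret is None:
        return False
    return hmac.compare_digest(sign(secret, token["body"]), token["signature"])


def legit_token() -> dict:
    # Issued with the IdP's own key; KeyInfo points at the trusted cert.
    return make_token(b"<Assertion>user=alice</Assertion>",
                      {"type": "x509", "ref": "idp-cert"}, TRUST_STORE["idp-cert"])


def tampered_token() -> dict:
    # Constructed: the assertion is rewritten and re-signed with a key that is
    # embedded in KeyInfo, which is the situation the advisory describes.
    own_key = b"constructed-key-carried-in-the-token"
    return make_token(b"<Assertion>user=admin</Assertion>",
                      {"type": "hmac", "key": own_key}, own_key)


if __name__ == "__main__":
    for name, tok in (("legit", legit_token()), ("tampered", tampered_token())):
        print(f"{name}: permissive={verify_permissive(tok, TRUST_STORE)} "
              f"strict={verify_strict(tok, TRUST_STORE)}")
```

The defender's takeaway is the one-line difference: the set of enabled key types is fixed by configuration, and the key is resolved from the trust store rather than from anything inside the signed document.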
[USN-6366-1] PostgreSQL vulnerability (01:34)
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Fixed for other releases in [USN-6296-1] PostgreSQL vulnerabilities in Episode
206 - one issue, which allowed an attacker to escalate their privileges (from
the CREATE privilege to being able to execute arbitrary code as a bootstrap
superuser), also affected PostgreSQL 9.5 in Ubuntu 16.04
[USN-6364-1] Ghostscript vulnerabilities (01:59)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Divide by zero and buffer overflow in handling of PDFs -> DoS / RCE?
[USN-6369-1] libwebp vulnerability (02:19)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- heap buffer overflow -> OOB write -> RCE
- originally reported as a vuln in Chrome on 12 September - the full impact, that
this was actually a bug in libwebp itself, became clear a few days later
- Solar Designer has a good thread on the details on oss-security
[USN-6367-1] Firefox vulnerability (03:55)
- 1 CVE addressed in Focal (20.04 LTS)
- 117.0.1 for the libwebp fix above
[USN-6368-1] Thunderbird vulnerabilities (04:04)
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- 102.15.1 - libwebp issue above plus various other issues - various UAFs,
missing .xll files from the standard blocklist that warns users when downloading
executables - more of a Windows issue, as these are Excel add-in files,
ie. plugins for Excel - “memory safety bugs”
[USN-6370-1] ModSecurity vulnerabilities (04:42)
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- CPU-based DoS when parsing excessively nested JSON objects (needs to be
tens-of-thousands deep)
- Mishandling of NUL byte in file uploads - would parse the filename as a string,
but if it contained an embedded NUL byte then the filename would be truncated,
which could result in a buffer overread or the ability to bypass the web
application firewall for rules which read from the FILES_TMP_CONTENT variable
- Mishandling of HTTP multipart requests could also allow bypassing the WAF
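An added example of the NUL-truncation mechanism behind the file-upload issue (not ModSecurity's own code): a multipart part header is parsed into a raw filename, then inspected once through a "C string" view that stops at the first NUL and once length-aware. The constructed rule blocks by file extension; that rule, the header bytes and the function names are assumptions made for this illustration.

```python
# Constructed multipart part header, as a WAF would see it on the wire.
RAW_PART = (
    b'Content-Disposition: form-data; name="upload"; filename="notes.txt\x00.html"\r\n'
    b"Content-Type: text/plain\r\n"
)

BLOCKED_EXTENSIONS = (b".html", b".htm", b".js")  # constructed rule set


def parse_filename(part_header: bytes) -> bytes:
    """Return the raw filename="..." value, NUL bytes and all."""
    for line in part_header.split(b"\r\n"):
        if line.lower().startswith(b"content-disposition:"):
            for param in line.split(b";"):
                param = param.strip()
                if param.lower().startswith(b"filename="):
                    return param[len(b"filename="):].strip(b'"')
    return b""


def as_c_string(value: bytes) -> bytes:
    """What strlen()-based code sees: everything up to the first NUL byte."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def rule_blocks_upload(filename: bytes) -> bool:
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def inspect_truncating(part_header: bytes) -> bool:
    """Vulnerable shape: the rule only ever sees the truncated filename."""
    return rule_blocks_upload(as_c_string(parse_filename(part_header)))


def inspect_length_aware(part_header: bytes) -> bool:
    """Hardened shape: work on the full length and treat an embedded NUL as a
    violation in its own right, since no legitimate filename contains one."""
    name = parse_filename(part_header)
    if b"\x00" in name:
        return True
    return rule_blocks_upload(name)


if __name__ == "__main__":
    print("raw filename:", parse_filename(RAW_PART))
    print("truncating view blocks:", inspect_truncating(RAW_PART))
    print("length-aware view blocks:", inspect_length_aware(RAW_PART))
```

The same split between "declared length" and "C-string length" is what turns a rule bypass into an overread in native code: any later copy that trusts the declared length reads past the end of the shorter string the parser actually produced.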
[USN-6371-1] libssh2 vulnerability (06:07)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- OOB read - low impact since it requires connecting to a malicious server to
trigger - and the outcome is likely a DoS
[USN-6372-1] DBus vulnerability (06:26)
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- An unprivileged user could crash the dbus daemon - BUT only if there is a
privileged user using the built-in monitoring interface of dbus to monitor the
traffic - so there is a low chance of being able to trigger this, the outcome is
just a DoS anyway, and the daemon will be restarted by systemd anyway
[USN-6373-1] gawk vulnerability (07:02)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Heap OOB read - DoS
[USN-6374-1] Mutt vulnerabilities (07:16)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- 2 different NULL ptr derefs:
- viewing crafted email
- composing from a specially crafted draft email
- DoS only
[USN-6375-1] atftp vulnerability (07:38)
- Affecting Jammy (22.04 LTS), Lunar (23.04)
- Could crash atftpd if requesting a non-existent file - turns out to be a
buffer overflow so could possibly be used for code execution
[USN-6376-1] c-ares vulnerability (07:50)
- 1 CVE addressed in Focal (20.04 LTS)
- OOB read when parsing a crafted Start of Authority (SOA) reply
[USN-6377-1] LibRaw vulnerability (07:56)
- 1 CVE addressed in Focal (20.04 LTS)
- Failed to reject images with an invalid pixel aspect ratio - leading to an OOB
read -> crash
[USN-6378-1] Django vulnerability (08:08)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- DoS via handling of URIs with a very large number of unicode characters - the
algorithm would re-parse from the start of the string for every invalid unicode
character, instead of continuing with just the remainder of the string
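The quadratic pattern described above, as an added example written for this page (not Django's own code): both functions repair undecodable bytes in a URI path by percent-encoding them, but the first restarts decoding from the beginning after every repair while the second keeps the already-repaired prefix and only decodes the remainder. Each function also returns how many bytes it scanned, so the difference is measurable. The SAFE character set and the function names are assumptions for the example.

```python
from urllib.parse import quote

# Bytes kept as-is when re-percent-encoding an invalid sequence. This set is an
# assumption for the example, not necessarily the one any framework uses.
SAFE = b"/#%[]=:;$&()+,!?*@'~"


def repercent_restart(path: bytes):
    """Vulnerable shape: after fixing one bad sequence, decode the whole string
    again from position 0. Returns (repaired_path, bytes_scanned)."""
    scanned = 0
    while True:
        try:
            path.decode()
            scanned += len(path)
            return path, scanned
        except UnicodeDecodeError as e:
            scanned += e.end  # decoding got this far before failing
            fixed = quote(path[e.start:e.end], safe=SAFE).encode()
            path = path[:e.start] + fixed + path[e.end:]


def repercent_remainder(path: bytes):
    """Linear shape: the prefix up to the repaired sequence is known-good, so
    keep it aside and continue decoding only what is left."""
    scanned = 0
    done = []
    while True:
        try:
            path.decode()
            scanned += len(path)
            return b"".join(done) + path, scanned
        except UnicodeDecodeError as e:
            scanned += e.end
            fixed = quote(path[e.start:e.end], safe=SAFE).encode()
            done.append(path[:e.start] + fixed)
            path = path[e.end:]


if __name__ == "__main__":
    # Constructed input: a path followed by many invalid UTF-8 bytes.
    sample = b"/search/" + b"\xff" * 2000
    out_a, work_a = repercent_restart(sample)
    out_b, work_b = repercent_remainder(sample)
    assert out_a == out_b
    print(f"restart version scanned {work_a} bytes, remainder version {work_b}")
```

With N invalid bytes the restart version scans on the order of N squared bytes because every repair grows the string and the next decode walks past all earlier repairs again; the remainder version scans each byte about once. Both produce the same output, which is why the bug is invisible to functional tests and only shows up under load.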
[USN-6379-1] vsftpd vulnerability (08:47)
- 1 CVE addressed in Focal (20.04 LTS)
- Possible application layer protocol confusion attack (ALPACA) - abuses wildcard
or multi-domain certificates to redirect traffic from one subdomain to another
[USN-6381-1] GNU binutils vulnerabilities (09:07)
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- memory leaks in nm and when disassembling microblaze instructions -> DoS
- various buffer overflows in different functions -> DoS / RCE
- failure to zero memory -> info leak
- OOB read in objdump
- heap buffer overflow in readelf
- in general, we don’t consider it safe to run binutils on untrusted inputs
[USN-6380-1] Node.js vulnerabilities (09:54)
- 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- abort when sending a crafted X509 certificate -> DoS
- 2 different HTTP request smuggling attacks
- possible bypass of HTTP authorization since it would include whitespace in HTTP
headers
- a couple of memory corruption issues in various operations implemented in C
[USN-6382-1] Memcached vulnerability (10:23)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- NULL ptr deref upon receipt of a UDP multi-packet request
[USN-6389-1] Indent vulnerability (10:30)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- heap buffer overflow -> DoS / RCE
[USN-6339-4] Linux kernel (Intel IoTG) vulnerabilities (10:53)
[USN-6383-1] Linux kernel vulnerabilities (11:15)
- 5 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- 6.2 all in 23.04, HWE in 22.04
- speculative execution leak when performing a divide-by-zero on various AMD processors
- possible privilege escalation in ARM64 KVM implementation -> guest VM could
then write to host memory -> code execution
- UAF in L2CAP socket handling in bluetooth - local DoS / code execution
- UAF in various network packet classifiers - local DoS via unprivileged user
namespace
- Memory leak in netfilter - also able to be abused by an unprivileged user in a
user namespace
[USN-6384-1] Linux kernel (OEM) vulnerabilities (12:23)
- 2 CVEs addressed in Jammy (22.04 LTS)
- 6.1
- speculative execution leak when performing a divide-by-zero on various AMD processors
- Memory leak in netfilter - also able to be abused by an unprivileged user in a
user namespace
[USN-6385-1] Linux kernel (OEM) vulnerabilities (12:37)
- 37 CVEs addressed in Jammy (22.04 LTS)
- 6.0 OEM
- All the previously mentioned vulns plus a heap more - kudos to OEM team and
Timo Aaltonen from the kernel team for the most number of CVEs fixed this week
[USN-6386-1] Linux kernel vulnerabilities (13:01)
- 4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 22.04 GA, 20.04 HWE
[USN-6387-1] Linux kernel vulnerabilities (13:08)
- 3 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 20.04 GA, 18.04 HWE
[USN-6388-1] Linux kernel vulnerabilities (13:12)
- 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 16.04 GA, 14.04 HWE
Goings on in Ubuntu Security Community
Highlights from LSS EU (13:29)
Top 25 most stubborn weaknesses (17:13)
CWE-ID | Description | 2023 Rank
CWE-787 | Out-of-bounds Write | 1
CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 3
CWE-416 | Use After Free | 4
CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 5
CWE-20 | Improper Input Validation | 6
CWE-125 | Out-of-bounds Read | 7
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8
CWE-352 | Cross-Site Request Forgery (CSRF) | 9
CWE-476 | NULL Pointer Dereference | 12
CWE-287 | Improper Authentication | 13
CWE-190 | Integer Overflow or Wraparound | 14
CWE-502 | Deserialization of Untrusted Data | 15
CWE-119 | Improper Restriction of Operations within Bounds of a Memory Buffer | 17
CWE-798 | Use of Hard-coded Credentials | 18
- all fall into one of three different categories
- errors when processing of data from untrusted sources providing an initial
entry point for compromise
- weaknesses from using languages that don’t provide strong memory safety
guarantees
- poor security architecture / design choices
- re memory safety - MITRE note that this has been coming down - CWE-119
(“Improper Restriction of Operations within Bounds of a Memory Buffer”) was
once ranked 1, five years ago, and is now 17. The related (not directly memory
safety, more correctness) CWE-190 (“Integer Overflow or Wraparound”) was ranked
5 and is now 7.
- Really shows that if you are implementing any new code, choosing a language
that is memory safe will help avoid a lot of the most prevalent security
issues - clearly it won’t help with lack of proper input validation or poor
security architecture etc. - but it will cut out the most dangerous and most
stubborn issues (OOB write, UAF etc.)
Get in contact