Overview
With the Ubuntu Summit just around the corner, we preview a couple of talks by the
Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP,
AOM, ncurses, the Linux kernel and more.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-6437-1] VIPS vulnerabilities (00:35)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Jammy (22.04 LTS)
- Image processing library / CLI tool
- NULL ptr derefs + divide by zero -> crash -> DoS
- Info leak: memory was not cleared before use, so its previous contents could
  leak into the generated image
[USN-6435-1] OpenSSL vulnerabilities (01:26)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CPU-based DoS via an excessively large DH modulus (p parameter) value (over
  10,000 bits)
- OpenSSL by default will check whether the modulus is over 10,000 bits and
  raise an error, but before the error was raised it would still check other
  aspects of the supplied key / parameters, which in turn use the p value and
  hence take an excessive amount of time; fixed by performing the size check
  first and erroring out in that case
- It was then found that the q parameter could be abused in the same way;
  since q has to be smaller than p, this was fixed by simply checking q against
  p before any of the expensive checks run
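The ordering point above is easy to get wrong in any parameter validator, so here is an added example (not OpenSSL's code) that models it in Python: a "vulnerable" validator runs an expensive primality test on attacker-supplied p and q before bounding their size, and a "fixed" one rejects an oversized p, and a q that is not smaller than p, before touching any arithmetic whose cost grows with the bit length. The 10,000-bit limit is OpenSSL's OPENSSL_DH_CHECK_MAX_MODULUS_BITS; the function names, the Miller-Rabin details and the error strings are this example's own assumptions.

```python
"""Order-of-checks model for DH parameter validation (added example, not
OpenSSL's implementation).  MAX_MODULUS_BITS matches OpenSSL's
OPENSSL_DH_CHECK_MAX_MODULUS_BITS; everything else here is illustrative."""
import random
from typing import Optional

MAX_MODULUS_BITS = 10_000


class DHParamError(ValueError):
    pass


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin.  Each round is a modular exponentiation whose cost grows
    roughly with (bits of n)^3 -- exactly what a huge attacker-chosen modulus
    turns into a CPU DoS if it runs before any size bound."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)  # fixed witnesses so results are reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_params_vulnerable(p: int, q: Optional[int] = None) -> None:
    """Pre-fix ordering (modelled): expensive checks first, size bound last,
    so the bound is reached only after the CPU has already been burned."""
    if not is_probable_prime(p):
        raise DHParamError("p is not prime")
    if q is not None and not is_probable_prime(q):
        raise DHParamError("q is not prime")
    if p.bit_length() > MAX_MODULUS_BITS:
        raise DHParamError("modulus too large")


def check_params_fixed(p: int, q: Optional[int] = None) -> None:
    """Post-fix ordering (modelled): cheap bounds on p, and q against p,
    before anything whose cost scales with the operand size."""
    if p.bit_length() > MAX_MODULUS_BITS:
        raise DHParamError("modulus too large")
    if q is not None and q >= p:          # q must be smaller than p, so a
        raise DHParamError("q not smaller than p")  # bounded p bounds q too
    if not is_probable_prime(p):
        raise DHParamError("p is not prime")
    if q is not None and not is_probable_prime(q):
        raise DHParamError("q is not prime")


def validate(p: int, q: Optional[int] = None, fixed: bool = True) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        (check_params_fixed if fixed else check_params_vulnerable)(p, q)
    except DHParamError as e:
        return str(e)
    return "ok"


if __name__ == "__main__":
    huge_p = (1 << 10_000) | 1            # 10,001-bit modulus, constructed
    print(validate(23, 11))               # small valid group: ok
    print(validate(huge_p))               # fixed path: rejected immediately
    # validate(huge_p, fixed=False) would first spend seconds in Miller-Rabin
```

Run `validate(huge_p, fixed=False)` yourself to feel the difference: the fixed path returns in microseconds, the modelled pre-fix path only fails after the primality test has chewed through the oversized modulus.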
[USN-6450-1] OpenSSL vulnerabilities
- 4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Two CPU-based DoS issues above plus
- Possible truncation / overrun during the initialisation of various ciphers if
  the key or IV length differs from when the cipher was initially established:
  some ciphers allow a variable length IV (e.g. AES-GCM), so it is possible
  that an application sets a non-standard IV length while using the cipher
  compared to when it initialised it
- The API for this was only “recently” introduced (3.x), so in general not a
  lot of applications will be affected
- Issue specific to AES-SIV (a mode of AES that provides deterministic,
  nonce-less key wrapping, used when transporting cryptographic keys, as well
  as nonce-based authenticated encryption that is resistant to nonce reuse)
- AES-SIV allows authentication of associated data; to do this the relevant
  OpenSSL APIs should be called with an input buffer length of 0 and a NULL
  ptr for the output buffer, BUT if the associated data entry to be
  authenticated was itself empty, OpenSSL would return success without
  actually authenticating (i.e. including) that empty entry
- In practice this is unlikely to be an issue since it does not affect
  non-empty data authentication, which is the vast majority of use-cases
[USN-6165-2] GLib vulnerabilities (07:57)
[USN-6374-2] Mutt vulnerabilities (05:08)
- 2 CVEs addressed in Mantic (23.10)
- HTTP/2 Rapid Reset: DoS on the server side by clients opening a large number
  of streams (requests) and immediately cancelling them, over and over;
  exploited in the wild recently, achieving the largest HTTP DDoS request
  rates seen; requires HTTP/2 implementations to essentially apply heuristics
  over time, tracking the streams allocated (and reset) per connection and
  closing the connection when too many are made, or similar
- Fix for the Kestrel web server in .NET
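The per-connection heuristic mentioned above, as an added example in Python (not code from Kestrel or any other server): a sliding-window counter of RST_STREAM frames per connection that tells the server to send GOAWAY and close once the client cancels more streams per second than a threshold allows. The window length, the threshold and the constructed traffic generators are this example's own assumptions, not any vendor's defaults.

```python
"""Per-connection RST_STREAM rate limiting for HTTP/2 Rapid Reset (added
example, not a real server's code).  Thresholds are illustrative."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ResetTracker:
    """Counts client RST_STREAM frames on one connection within a sliding time
    window and decides when the whole connection should be torn down."""
    window_seconds: float = 1.0   # assumption: how far back resets count
    max_resets: int = 100         # assumption: resets tolerated per window
    closed: bool = False
    _resets: deque = field(default_factory=deque)

    def on_rst_stream(self, now: float) -> bool:
        """Record a RST_STREAM seen at time `now` (seconds).  Returns True when
        the connection should be closed (GOAWAY + close); once closed, stays
        closed so later frames are not processed."""
        if self.closed:
            return True
        self._resets.append(now)
        cutoff = now - self.window_seconds
        while self._resets and self._resets[0] < cutoff:   # expire old ones
            self._resets.popleft()
        if len(self._resets) > self.max_resets:
            self.closed = True
        return self.closed


def simulate(frames, tracker=None):
    """Replay (timestamp, frame_type, stream_id) tuples through the tracker.
    Returns the timestamp at which the connection was closed, or None."""
    tracker = tracker or ResetTracker()
    for ts, ftype, _sid in frames:
        if ftype == "RST_STREAM" and tracker.on_rst_stream(ts):
            return ts
    return None


def rapid_reset_burst(n, start=0.0, gap=0.0001):
    """Constructed attack traffic: n streams, each opened and cancelled
    immediately, 100 microseconds apart."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1                       # client streams are odd
        frames.append((start + i * gap, "HEADERS", sid))
        frames.append((start + i * gap, "RST_STREAM", sid))
    return frames


def normal_traffic(n, start=0.0, gap=0.05):
    """Constructed benign traffic: one cancelled stream every 50 ms (20/s),
    comfortably under the threshold."""
    return [(start + i * gap, "RST_STREAM", 2 * i + 1) for i in range(n)]


if __name__ == "__main__":
    print("attack closed at:", simulate(rapid_reset_burst(200)))
    print("benign closed at:", simulate(normal_traffic(500)))
```

Counting resets rather than opened streams matters: a client that opens and completes many streams is normal HTTP/2 usage, while a client whose stream lifetime is essentially zero is the pattern this attack relies on to stay under the server's concurrent-stream limit.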
[USN-6199-2] PHP vulnerability (06:31)
[USN-6403-2] libvpx vulnerabilities (06:39)
- 2 CVEs addressed in Bionic ESM (18.04 ESM)
- WebM VP8/VP9 video en/decoder
- Heap buffer overflow -> DoS/RCE
- OOB read -> DoS
[USN-6408-2] libXpm vulnerabilities (07:00)
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Infinite recursion -> stack exhaustion -> crash -> DoS
- Integer overflow -> heap buffer overflow -> RCE/DoS
- Two different OOB reads -> crash -> DoS
[USN-6448-1] Sofia-SIP vulnerability (09:01)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- SIP user agent: integer overflows and resulting heap buffer overflows due to
  missing length checks in the STUN message parser -> RCE
- Also fixed an OOB read -> DoS
[USN-6422-2] Ring vulnerabilities (09:17)
- 20 CVEs addressed in Mantic (23.10)
- Voice / video and chat platform (now called Jami; contains an embedded copy
  of PJSIP, a library implementing various related protocols for remote
  communication such as SIP, STUN, RTP, ICE and others)
- PJSIP also missed various length checks, allowing possible integer
  underflows -> crash / memory corruption -> RCE
- Buffer overflow when using the internal DNS resolver
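Both the Sofia-SIP and the PJSIP entries above come down to a STUN parser trusting a length field it read from the wire. As an added example (not code from either project), here is a Python parser for the STUN framing in RFC 5389 that checks the header's message length against the bytes actually received and each attribute's length against what remains, which is the class of check whose absence lets a 16-bit length drive the overflow. The builder, the sample messages and the error strings are constructed for this example.

```python
"""Bounds-checked STUN message parser (RFC 5389 framing).  Added example,
not Sofia-SIP's or PJSIP's code; messages below are constructed."""
import struct

STUN_HEADER_LEN = 20
MAGIC_COOKIE = 0x2112A442


class StunParseError(ValueError):
    pass


def parse_stun(buf: bytes) -> dict:
    """Parse header and attributes, refusing any length that does not fit
    the buffer it claims to describe."""
    if len(buf) < STUN_HEADER_LEN:
        raise StunParseError("short header")
    msg_type, msg_len, cookie = struct.unpack_from("!HHI", buf, 0)
    txn_id = buf[8:20]
    if msg_type & 0xC000:
        raise StunParseError("top two bits of type must be zero")
    if cookie != MAGIC_COOKIE:
        raise StunParseError("bad magic cookie")
    if msg_len % 4:
        raise StunParseError("message length not a multiple of 4")
    # The check the vulnerable parsers lacked: the declared body length must not
    # exceed what was received, or every offset derived from it points past the
    # end of the allocation.
    if STUN_HEADER_LEN + msg_len > len(buf):
        raise StunParseError(f"declared body {msg_len} exceeds "
                             f"{len(buf) - STUN_HEADER_LEN} received")
    end = STUN_HEADER_LEN + msg_len
    attrs = []
    off = STUN_HEADER_LEN
    while off < end:
        if end - off < 4:
            raise StunParseError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", buf, off)
        off += 4
        # Same class of check per attribute: alen is attacker-controlled, so it
        # is compared against the remaining bytes before it is used for any
        # copy or offset arithmetic.
        if alen > end - off:
            raise StunParseError(f"attribute 0x{atype:04x} length {alen} "
                                 f"exceeds remaining {end - off}")
        attrs.append((atype, buf[off:off + alen]))
        off += (alen + 3) & ~3            # values are padded to 32-bit boundary
    if off != end:                        # invariant: padding never overruns
        raise StunParseError("padding runs past declared end")
    return {"type": msg_type, "transaction_id": txn_id, "attributes": attrs}


def is_well_formed(buf: bytes) -> bool:
    """True if parse_stun accepts the message."""
    try:
        parse_stun(buf)
    except StunParseError:
        return False
    return True


def build_stun(msg_type: int, attrs, txn_id: bytes = b"\x00" * 12,
               declared_len=None) -> bytes:
    """Construct a STUN message; `declared_len` lets a test lie in the header."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value
        body += b"\x00" * (-len(value) % 4)
    length = len(body) if declared_len is None else declared_len
    return struct.pack("!HHI", msg_type, length, MAGIC_COOKIE) + txn_id + body


# Constructed hostile message: honest 8-byte body, but the single attribute
# claims 0x7FF0 bytes of value when only 4 follow.
LYING_ATTR_MSG = (struct.pack("!HHI", 0x0001, 8, MAGIC_COOKIE) + b"\x00" * 12
                  + struct.pack("!HH", 0x0020, 0x7FF0) + b"\x00" * 4)

if __name__ == "__main__":
    ok = build_stun(0x0001, [(0x0006, b"user:pass")])   # Binding Request
    print(parse_stun(ok))
    print(is_well_formed(LYING_ATTR_MSG))               # False
```

The two rejections to watch for are a header length larger than the datagram and an attribute length larger than the remaining body; a parser that performs `buf + offset + alen` arithmetic before either check is the pattern behind the overflows fixed here.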
[USN-6449-1] FFmpeg vulnerabilities (09:58)
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Various memory leaks -> DoS, plus some integer overflows -> buffer overflows
in various parsers for different media types
[USN-6447-1] AOM vulnerabilities (11:32)
- 7 CVEs addressed in Focal (20.04 LTS)
- AV1 Video Codec Library - used by things like gstreamer, libavcodec - in turn
is used by a huge number of multimedia applications from blender, ffmpeg,
kodi, mplayer, obs-studio, vlc and more
- Various buffer overflows, use-after-frees, stack buffer overflow, NULL ptr
derefs etc.
[USN-6288-2] MySQL vulnerability (12:40)
[USN-6451-1] ncurses vulnerability (12:47)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Heap buffer overflow via a crafted terminfo file; found by fuzzing infotocap
- terminfo files are usually trusted content, so unlikely to be an issue in
  practice
[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)
- 13 CVEs addressed in Jammy (22.04 LTS)
- 5.15 raspi for 22.04 LTS
- Most interesting vuln fixed is AMD “INCEPTION” ([USN-6319-1] AMD Microcode
  vulnerability from Episode 207), a speculative execution attack similar to
  the original Spectre
- A mitigation has now been added within the kernel itself rather than having
  to rely on CPU microcode (particularly as that microcode only covers a
  subset of the affected CPUs)
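Whether a running kernel has that in-kernel mitigation active is something the kernel itself reports, so here is an added example (not from the Ubuntu kernel team) in Python that reads the files under /sys/devices/system/cpu/vulnerabilities/ (Inception is the spec_rstack_overflow entry) and separates "Mitigation: ..." states from "Vulnerable" ones. The SAMPLE dictionary is a constructed stand-in used when that directory is absent, not output captured from a real host.

```python
"""Summarise the kernel's own view of speculative-execution mitigations
(added example).  Reads sysfs when present; otherwise uses a constructed sample."""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of the strings these files can contain (not a real host).
SAMPLE = {
    "spec_rstack_overflow": "Mitigation: Safe RET",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling",
    "meltdown": "Not affected",
    "gather_data_sampling": "Vulnerable: No microcode",
}


def classify(status: str):
    """Map one sysfs line to (state, detail); state is 'mitigated',
    'not_affected', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Mitigation:"):
        return "mitigated", s[len("Mitigation:"):].strip()
    if s == "Not affected":
        return "not_affected", ""
    if s.startswith("Vulnerable"):
        return "vulnerable", s[len("Vulnerable"):].lstrip(": ").strip()
    return "unknown", s


def read_sysfs(path: str = SYSFS_DIR):
    """Return {name: status} from the real directory, or None if unavailable."""
    if not os.path.isdir(path):
        return None
    out = {}
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as f:
                out[name] = f.read().strip()
        except OSError:          # e.g. a file that is not readable here
            continue
    return out


def unmitigated(statuses: dict) -> list:
    """Entries whose state is 'vulnerable' or 'unknown', i.e. worth a look."""
    return [n for n, st in sorted(statuses.items())
            if classify(st)[0] in ("vulnerable", "unknown")]


if __name__ == "__main__":
    statuses = read_sysfs() or SAMPLE
    for name, status in sorted(statuses.items()):
        state, detail = classify(status)
        print(f"{name:28} {state:13} {detail}")
    print("needs attention:", unmitigated(statuses))
```

On a host with the USN-6416-3 kernel and an affected AMD CPU you would expect spec_rstack_overflow to report a "Mitigation:" line even where no microcode update was applied; a "Vulnerable" line there means neither the kernel nor the microcode mitigation is in effect.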
[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 generic, low-latency, kvm, aws etc.
- includes various high priority fixes which we’ve covered in previous episodes
[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- 4.15
- kvm, gcp, aws, azure, generic, lowlatency on 18.04 / 16.04 HWE
- azure 14.04
- same as above
[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)
- 9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 xilinx zynqmp, ibm, gkeop, kvm, oracle, aws, gcp, azure, generic, lowlatency
[USN-6442-1] Linux kernel (BlueField) vulnerabilities
- 10 CVEs addressed in Focal (20.04 LTS)
- 5.4 bluefield (same as above)
[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)
- 6 CVEs addressed in Jammy (22.04 LTS)
- 6.1 oem
[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)
- 11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- 6.2 starfive, aws, oracle, azure, kvm, lowlatency, raspi, gcp, generic for 23.04
[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities
- 24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 intel iotg
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 gkeop, nvidia, ibm, raspi, gcp, gke, kvm, oracle, aws, azure, azure-fde
Goings on in Ubuntu Security Community
Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)
- Ubuntu Summit
- https://events.canonical.com/event/31/
- Mark Esler will be presenting “Improving FOSS Security”, designed for FOSS
  maintainers who want to be proactive about security and protecting their
  users
- Tobias Heider will be presenting with Hector Martin on Asahi Linux and in
  particular Ubuntu Asahi, a community project to bring the Asahi Linux work
  to Ubuntu (it also got a great shout-out from Joe Ressington on the most
  recent Late Night Linux, plus a good write-up on omgubuntu)
Goodbye and good luck to David Lane (21:31)
- Led the snap store reviewers work, resulting in a much more streamlined
  process for folks interacting on the snapcraft forum
- Great manager + engineer and a great friend
- See you at BSides Canberra (cbr) in 2024
Get in contact