Overview
For the final episode of 2023 we discuss creating PoCs for vulns in tar and the
looming EOL for Ubuntu 23.04, plus we look into security updates for curl,
BlueZ, Netatalk, GNOME Settings and a heap more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-6535-1] curl vulnerabilities (00:54)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Mishandled cookies from domains with mixed case - allowing an attacker to
create so called “super cookies” that would then get passed back to more
domains than is normally allowed - ie a site can set a cookie which is then
sent to different / unrelated sites. Depends on a feature called the Public
Suffix List which is a community initiative (led by Mozilla) to provide an
accurate list of domain name suffixes - ie. .com / .org but also .co.uk etc -
since there is no good algorithmic way of determining the highest level at
which a domain may be registered for a particular TLD as each registrar is
different
- so could set a cookie with domain=co.UK with a URL of say curl.co.uk and
this would then get sent to every other .co.uk domain contrary to the
expectations of the PSL which lists .co.uk as a PSL domain
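The cookie Domain check described above, as an added Python model (not curl's code): the only difference between the buggy and fixed paths is whether the PSL lookup lower-cases the domain first. PUBLIC_SUFFIXES is a constructed subset of the real Public Suffix List, and the host lists are constructed too.

```python
# Added example, not curl's own code: a minimal model of the cookie Domain
# check showing how a case-sensitive PSL lookup lets a "super cookie" through.
# PUBLIC_SUFFIXES is a constructed subset of the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the cookie domain must equal the host or be a
    dot-separated suffix of it. Hostnames are always compared lower-cased."""
    host = host.lower()
    dom = cookie_domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)


def is_public_suffix(cookie_domain: str, lowercase_first: bool) -> bool:
    """PSL lookup. The vulnerable behaviour modelled here looks the domain up
    exactly as written, so 'co.UK' never matches the 'co.uk' entry."""
    dom = cookie_domain.lstrip(".")
    if lowercase_first:
        dom = dom.lower()
    return dom in PUBLIC_SUFFIXES


def accept_cookie(request_host: str, cookie_domain: str, fixed: bool = True) -> bool:
    """Decide whether a Set-Cookie with Domain=cookie_domain received from
    request_host should be stored. fixed=False reproduces the mixed-case bypass."""
    if not domain_match(request_host, cookie_domain):
        return False          # site tried to scope a cookie to an unrelated domain
    if is_public_suffix(cookie_domain, lowercase_first=fixed):
        return False          # never store cookies scoped to a public suffix
    return True


def hosts_receiving(cookie_domain: str, hosts: list[str]) -> list[str]:
    """Which of the given hosts a stored cookie with this Domain is sent to."""
    return [h for h in hosts if domain_match(h, cookie_domain)]
```

With the bug, curl.co.uk can store a cookie for co.UK, and hosts_receiving shows it then travels to every other .co.uk host.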
[USN-6463-2] Open VM Tools vulnerabilities (02:56)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- SAML token signature bypass - allows an attacker who already has Guest
Operation Privileges within a guest VM to elevate their privileges if the VM
has been assigned a more privileged Guest Alias
- File descriptor hijack vulnerability within the vmware-user-suid wrapper - a
local user with non-root privileges that is able to hijack the /dev/uinput
file descriptor may be able to simulate user inputs
[USN-6538-1] PostgreSQL vulnerabilities (03:48)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Upgrades to the latest upstream point releases - includes both security and
bug fixes etc
- 15.5 (23.10, 23.04)
- 14.10 (22.04 LTS)
- 12.17 (20.04 LTS)
[USN-6539-1] python-cryptography vulnerabilities (04:14)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- NULL pointer dereference / segfault on loading of crafted PKCS7 certificates
[USN-6540-1] BlueZ vulnerability (04:57)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Whilst bluetooth discoverable, possible for an attacker to pair a HID device
and inject keystrokes etc without any intervention
- Fixed by enabling the existing configuration ClassicBondedOnly=true - this may
break some legacy input devices like PS3 controller - in which case, should
edit /etc/bluetooth/input.conf and set this back to false but then beware that
you may be vulnerable to attack from anyone within bluetooth range when your
machine is discoverable - ie. bluetooth settings panel is open
[USN-6541-1] GNU C Library vulnerabilities (06:30)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Previous fix for CVE-2023-4806 was not sufficient - UAF in getaddrinfo() -
possible to still trigger
[USN-6522-2] FreeRDP vulnerabilities (07:00)
[USN-6542-1] TinyXML vulnerability (07:08)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Infinite loop able to be triggered by a crafted XML document - CPU-based DoS
[USN-6543-1] GNU Tar vulnerability (07:18)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Stack buffer overflow on parsing a tar archive with an extremely large
extended attribute name/value - PAX archive format allows storing extended
attributes - on the kernel’s VFS layer these are limited to 255 bytes for the
name and 64kB for the value - but in a tar these can be basically arbitrary
- When processing the archive, tar would allocate space for these on the stack -
BUT the stack is limited to a maximum size of 8MB normally - so if you can
specify an xattr name of more than 8MB you can overflow the entire stack memory
region - then into guard pages or even beyond, triggering a segfault or at worst
a heap corruption and hence possible RCE -> but in Ubuntu we have enabled stack
clash protection since 19.10 - which turns this into a DoS only
- Reminiscent of the original Stack Clash “System Down” vulnerability in systemd
$ hardening-check $(which tar)
/usr/bin/tar:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: yes
Control flow integrity: yes
- Speaking from experience, it is not easy to create such an archive - either
through a real xattr on disk or through specifying one on the command-line
(since you can specify arbitrary attributes be stored for files when adding
them to an archive but then you hit the maximum limit of command-line
arguments) BUT it is possible - in my case I did this through using sed to
replace the contents of an xattr name in an existing archive with a crafted one
and then doing a bunch of other hacks to fixup all the metadata of the tar
archive to match - helpfully, all these attributes in the archive are stored
as NUL-terminated strings, so can simply use sed to fix them all up assuming
you can calculate the correct values
- Fixed by instead allocating these on the heap which does not have the same
arbitrary limitation as the stack
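As an added example in Python (not GNU tar's or Ubuntu's code), a parser for the PAX extended-header records tar reads, plus a check that flags xattr records whose name or value is beyond the VFS limits quoted above; the SCHILY.xattr. keyword prefix is the one GNU tar uses, NAME_MAX/VALUE_MAX are the 255-byte and 64 kB limits from the notes, and the records used for testing are constructed.

```python
# Added example, not GNU tar's code: parse PAX extended-header records and
# flag SCHILY.xattr entries whose name or value exceeds the kernel VFS limits.
XATTR_PREFIX = "SCHILY.xattr."     # keyword prefix GNU tar uses for xattrs
NAME_MAX, VALUE_MAX = 255, 65536    # VFS limits quoted in the show notes


def build_pax_record(keyword: str, value: bytes) -> bytes:
    """Encode one record as '<len> <keyword>=<value>\\n'. <len> is the decimal
    length of the whole record, digits and newline included, so the digit
    count can change once the length field is counted (e.g. 98 -> 101)."""
    body = keyword.encode() + b"=" + value
    n = len(body) + 2                       # space + newline
    total = n + len(str(n))
    if len(str(total)) != len(str(n)):      # adding the digits grew the number
        total += 1
    return str(total).encode() + b" " + body + b"\n"


def parse_pax_records(data: bytes):
    """Yield (keyword, value) pairs, validating every length field before
    trusting it, so a record can never run past the header buffer."""
    pos = 0
    while pos < len(data):
        sp = data.find(b" ", pos)
        if sp < 0 or not data[pos:sp].isdigit():
            raise ValueError(f"bad length field at offset {pos}")
        end = pos + int(data[pos:sp])
        if end > len(data) or data[end - 1:end] != b"\n":
            raise ValueError(f"record at offset {pos} overruns the header")
        keyword, sep, value = data[sp + 1:end - 1].partition(b"=")
        if not sep:
            raise ValueError(f"record at offset {pos} has no '='")
        yield keyword.decode(), value
        pos = end


def oversized_xattrs(data: bytes) -> list[tuple[int, int]]:
    """Return (name_len, value_len) for every xattr record beyond VFS limits.
    Unpatched tar copied such names/values onto an 8 MB stack, so a header
    that trips this check is exactly the input the fix moved to the heap."""
    hits = []
    for keyword, value in parse_pax_records(data):
        if keyword.startswith(XATTR_PREFIX):
            name_len = len(keyword) - len(XATTR_PREFIX)
            if name_len > NAME_MAX or len(value) > VALUE_MAX:
                hits.append((name_len, len(value)))
    return hits
```

Note that a real kernel would never produce an archive that trips oversized_xattrs, so any hit means the header was crafted or corrupted and is worth rejecting before extraction.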
[USN-6500-2] Squid vulnerabilities (11:35)
[USN-6544-1] GNU binutils vulnerabilities (11:44)
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Didn’t do bounds checking properly in various places - leading to heap buffer
overflows / OOB reads etc in various things like objdump etc
[USN-6545-1] WebKitGTK vulnerabilities (12:08)
- 2 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Both issues that come from upstream webkit
- OOB read -> info leak
- Memory corruption that Apple said was being exploited in the wild against
various versions of iOS
[USN-6546-1] LibreOffice vulnerabilities (12:45)
- 2 CVEs addressed in Lunar (23.04), Mantic (23.10)
- Uses gstreamer to play embedded videos (presumably in presentations etc) - to
do this, creates a gstreamer pipeline including the filename of the video
itself - this was not adequately escaped, so could allow arbitrary code
execution if it contained shell meta characters etc
- Link targets allow arbitrary script execution - similar to historic
CVE-2023-2255 from [USN-6144-1] LibreOffice vulnerabilities in Episode 198
[USN-6547-1] Python vulnerability (13:46)
- 1 CVE addressed in Lunar (23.04)
- Issue specific to Python 3.11 where if a path contained an embedded NUL byte
and was passed to os.path.normpath() it would get truncated at the NUL byte -
fixed to remove this behaviour
[USN-6550-1] PostfixAdmin vulnerabilities (14:19)
- 3 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Issues in various embedded modules - Smarty and Moment.js - allowing possible
arbitrary code execution, XSS or DoS
[USN-6551-1] Ghostscript vulnerability (14:37)
- 1 CVE addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- UAF on file object on error path
[USN-6552-1] Netatalk vulnerability (14:43)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Apple Filing Protocol (AFP) service - similar to SMB for Windows - allows an
Ubuntu machine to share files with MacOS
- Also implements support for Spotlight to search - using tracker as the
indexer, metadata store and search engine under-the-hood
- Parser for spotlight RPC packets failed to properly do type checking,
resulting in a type confusion bug and possible RCE via memory corruption -
similar to CVE-2023-34967 for Samba since the code in netatalk originated from
that code from Samba ([USN-6238-1] Samba vulnerabilities from Episode 204)
[USN-6554-1] GNOME Settings vulnerability (15:57)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- GNOME settings allows the ability to turn on / off remote SSH access from the
sharing panel within the main settings application in Ubuntu
- Since moving to socket activated SSHd in 22.10, GNOME Settings was never
updated in Ubuntu to support this as well
- Would mean that it would always show the machine was not accessible / sharing
via SSH even when it was (since it would only check the status of the
ssh.service, not ssh.socket)
- Ubuntu specific issue - fixed by extending GNOME settings to check both the
service and the socket (since it is still a legitimate configuration to use
the service over the socket in recent Ubuntu releases)
- Also backported to older releases since it is also a supported configuration
there to use socket activation (although the sysadmin has to set this up
themselves)
[USN-6553-1] Pydantic vulnerability (17:49)
- 1 CVE addressed in Focal (20.04 LTS)
- Python data validation library
- CPU-based DoS since if passed the value of “infinity” to the validator to be
parsed as a date/datetime, would result in an infinite loop
[USN-6536-1] Linux kernel vulnerabilities (18:10)
- 6 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
[USN-6537-1] Linux kernel (GCP) vulnerabilities
- 11 CVEs addressed in Mantic (23.10)
[USN-6548-1] Linux kernel vulnerabilities
- 10 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6549-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6534-2] Linux kernel vulnerabilities
- 12 CVEs addressed in Lunar (23.04)
[USN-6549-2] Linux kernel (GKE) vulnerabilities
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6548-2] Linux kernel vulnerabilities
- 10 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
Goings on in Ubuntu Security Community
Ubuntu 23.04 (Lunar Lobster) approaching EOL (18:48)
Ubuntu Security team (and rest of Canonical) on break till early January 2024 (19:33)
- Various members of the team will be checking in each day to look for any
serious issues
- Not planning any new security update releases during this time unless
something major happens (we are still wincing from Log4Shell - Log4Shell
explodes the internet from Episode 142 in late December 2022)
- As usual, contact us via the normal means if something is particularly urgent
and someone should respond
Get in contact