Overview
For the first episode of 2024 we take a look at the case of a raft of bogus FOSS
CVEs reported on full-disclosure as well as AppSec tools in Ubuntu and the EOL
announcement for 23.04, plus we cover vulnerabilities in the Linux kernel, Puma,
Paramiko and more.
This week in Ubuntu Security Updates
81 unique CVEs addressed
[USN-6601-1] Linux kernel vulnerability (01:16)
- 1 CVEs addressed in Trusty ESM (14.04 ESM)
- UAF in IGMP protocol (allows multiple devices to share the same IPv4 address
and hence all receive the same data via multicasting - often used for things
like video streaming) - race condition between two different threads in the
handling of a timer which could cause the timer to be registered on an object
that is then later freed by another thread - when the timer then fires, the
thread will try to access the object which has now been freed
- Can be exploited by an unprivileged local user in a user namespace
[USN-6602-1] Linux kernel vulnerabilities (02:23)
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- IGMP UAF
- OOB write in perf - didn’t properly check the size of all events when
processing them - direct memory corruption able to be triggered by a local
user - and on older kernels like the 4.4 kernel shipped in Ubuntu 16.04 this
can be done from userspace directly
- Divide-by-zero error on some AMD processors could return speculative data ->
info leak ([USN-6383-1] Linux kernel vulnerabilities from Episode 210)
[USN-6603-1] Linux kernel (AWS) vulnerabilities
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-6604-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
[USN-6604-2] Linux kernel (Azure) vulnerabilities
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
[USN-6605-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
[USN-6605-2] Linux kernel (KVM) vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-6606-1] Linux kernel (OEM) vulnerabilities (03:04)
- 5 CVEs addressed in Jammy (22.04 LTS)
- perf OOB write
- 2 very similar UAFs in netfilter - both require CAP_NET_ADMIN to be able to
exploit (ie to create a netfilter chain etc) but this can easily be obtained
in an unprivileged user namespace -> privesc for unprivileged local user
[USN-6608-1] Linux kernel vulnerabilities
- 5 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
[USN-6609-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6609-2] Linux kernel (NVIDIA) vulnerabilities
- 6 CVEs addressed in Jammy (22.04 LTS)
[USN-6607-1] Linux kernel (Azure) vulnerabilities (03:32)
- 7 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 2 netfilter UAFs, IGMP UAF, perf OOB write
- UAF in SMB client implementation - local crash / privesc
[USN-6596-1] Apache::Session::LDAP vulnerability (03:45)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Would not check the validity of an X.509 certificate since it uses the Net::LDAPS
Perl module which by default doesn’t do this and requires applications to
explicitly instruct it to do so
[USN-6597-1] Puma vulnerability (04:24)
- 1 CVEs addressed in Lunar (23.04), Mantic (23.10)
- HTTP server for Ruby/Rack applications that uses threading for improved performance
- Vulnerable to an HTTP request smuggling attack since it would fail to properly
parse packets with chunked transfer encoding
- Also failed to set a limit on the size of chunk extensions which could then
allow a CPU or network-bandwidth based DoS attack
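The two Puma issues above come down to how strictly the chunk-size line is parsed and whether the extension part after the `;` is bounded. The decoder below is an added example written for these notes, not Puma's code: it applies the strictness a server-side parser needs (exact hex chunk sizes, CRLF terminators, a cap on the extension and trailer sections) and returns the bytes left over after the body, which is the boundary two parsers must agree on for smuggling not to be possible. The limits and sample bodies are constructed.

```python
"""Strict decoder for HTTP/1.1 chunked transfer coding (RFC 9112 section 7.1).

Added example, not Puma's code. The limits below are constructed for the demo; a
parser that does not bound chunk extensions, or that accepts sloppy chunk-size
lines, can be made to burn CPU or to disagree with an upstream proxy about where
a body ends.
"""
import re

MAX_SIZE_LINE = 1024      # whole "chunk-size[;ext]" line, bytes (constructed limit)
MAX_EXT_LEN = 256         # chunk extensions after ';', bytes (constructed limit)
MAX_TRAILERS = 16         # trailer header lines after the last chunk (constructed limit)

# Exactly 1..16 hex digits: no sign, no "0x" prefix, no surrounding whitespace.
_CHUNK_SIZE = re.compile(rb"\A[0-9A-Fa-f]{1,16}\Z")


class ChunkedBodyError(ValueError):
    """Malformed or over-limit chunked body; the server should answer 400 and close."""


def _read_line(data: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line, position after CRLF), refusing lines longer than MAX_SIZE_LINE."""
    eol = data.find(b"\r\n", pos, pos + MAX_SIZE_LINE + 2)
    if eol == -1:
        raise ChunkedBodyError("line too long or not terminated by CRLF")
    return data[pos:eol], eol + 2


def decode_chunked(data: bytes) -> tuple[bytes, bytes]:
    """Decode one chunked message body.

    Returns (decoded_body, remaining_bytes). remaining_bytes is whatever follows
    the terminating empty line; in a real server those bytes are the start of the
    next request, which is why two parsers must agree on where the body stops.
    """
    body = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(data, pos)
        size_field, semicolon, extensions = line.partition(b";")
        if semicolon and len(extensions) > MAX_EXT_LEN:
            raise ChunkedBodyError("chunk extension exceeds %d bytes" % MAX_EXT_LEN)
        if not _CHUNK_SIZE.match(size_field):
            raise ChunkedBodyError("invalid chunk-size %r" % size_field)
        size = int(size_field, 16)
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedBodyError("truncated chunk data")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedBodyError("chunk data not followed by CRLF")
        pos += 2
        body += chunk

    # Trailer section: zero or more "name: value" lines, then an empty line.
    trailers = 0
    while True:
        line, pos = _read_line(data, pos)
        if line == b"":
            return bytes(body), data[pos:]
        trailers += 1
        if trailers > MAX_TRAILERS or b":" not in line:
            raise ChunkedBodyError("bad or excessive trailer line %r" % line)


def is_rejected(data: bytes) -> bool:
    """True if the decoder refuses data; handy for tests and quick experiments."""
    try:
        decode_chunked(data)
    except ChunkedBodyError:
        return True
    return False


# Constructed sample bodies.
WELL_FORMED = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_EXTENSION = b"4;token=abc\r\nWiki\r\n0\r\n\r\n"            # small extension: allowed
HUGE_EXTENSION = b"4;" + b"x" * 600 + b"\r\nWiki\r\n0\r\n\r\n"  # over MAX_EXT_LEN: rejected
SLOPPY_SIZE = b" 4\r\nWiki\r\n0\r\n\r\n"                        # leading space: rejected

if __name__ == "__main__":
    print(decode_chunked(WELL_FORMED))        # (b'Wikipedia', b'')
    print(decode_chunked(WITH_EXTENSION))
    for sample in (HUGE_EXTENSION, SLOPPY_SIZE):
        print("rejected" if is_rejected(sample) else "accepted")
```

The extension is never interpreted, only bounded: RFC 9112 lets a recipient ignore chunk extensions it does not understand, so the cheapest safe behaviour is to cap their length and move on.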
[USN-6598-1] Paramiko vulnerability (04:58)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Fix for Terrapin attack disclosed back in December - flaw in SSH protocol
itself which allows an attacker who can interpose on the connection to drop
the EXT_INFO message which is sent during the handshake to negotiate various
protocol extensions in a way that neither the client nor the server will notice
(since they can just send an empty ignored packet with the same sequence
number). This can be done quite easily by an attacker since during this stage
of the connection there is no encryption in place. End result is the attacker
can cause either a loss of integrity (since this won’t be detected by the
other party) or potentially to compromise the key exchange itself and hence
cause a loss of confidentiality as well
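Whether a given SSH session is exposed to the Terrapin problem described above depends on two things the KEXINIT exchange reveals: the encryption mode that gets negotiated (only ChaCha20-Poly1305 and CBC ciphers paired with encrypt-then-MAC are affected) and whether both ends advertise the OpenSSH "strict KEX" countermeasure, which the notes above do not name and which is stated here as background. The checker below is an added example written for these notes, not Paramiko's or OpenSSH's code: it models the two KEXINIT messages as dicts of RFC 4253 name-lists, runs the standard first-client-match negotiation, and reports per direction. The sample name-lists are constructed.

```python
"""Terrapin exposure check over SSH KEXINIT algorithm lists.

Added example, not Paramiko's or OpenSSH's code. The rule applied: the attack needs
a ChaCha20-Poly1305 or CBC-with-encrypt-then-MAC mode AND the absence of the
OpenSSH "strict KEX" extension, which is advertised as pseudo kex algorithm names.
"""
from typing import Optional

# Strict-KEX markers: the client advertises the "-c-" name, the server the "-s-" name.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

DIRECTIONS = ("client_to_server", "server_to_client")


def negotiate(client: list[str], server: list[str]) -> Optional[str]:
    """RFC 4253 section 7.1: first name on the client's list that the server also offers."""
    return next((name for name in client if name in server), None)


def mode_is_terrapin_prone(cipher: Optional[str], mac: Optional[str]) -> bool:
    """Encryption modes whose sequence-number handling lets a deleted packet go unnoticed."""
    if cipher is None:
        return False            # negotiation failed; no channel at all
    if cipher == "chacha20-poly1305@openssh.com":
        return True             # AEAD: the MAC list is ignored for this cipher
    return cipher.endswith("-cbc") and (mac or "").endswith("-etm@openssh.com")


def assess(client_kexinit: dict, server_kexinit: dict) -> dict:
    """Report the negotiated mode per direction and whether Terrapin applies to it."""
    strict = (STRICT_KEX_CLIENT in client_kexinit["kex_algorithms"]
              and STRICT_KEX_SERVER in server_kexinit["kex_algorithms"])
    report = {"strict_kex": strict}
    for direction in DIRECTIONS:
        cipher = negotiate(client_kexinit["encryption_algorithms_" + direction],
                           server_kexinit["encryption_algorithms_" + direction])
        mac = negotiate(client_kexinit["mac_algorithms_" + direction],
                        server_kexinit["mac_algorithms_" + direction])
        report[direction] = {
            "cipher": cipher,
            "mac": mac,
            # Strict KEX resets sequence numbers after NEWKEYS and aborts on unexpected
            # packets during the handshake, so a prone mode only matters without it.
            "vulnerable": mode_is_terrapin_prone(cipher, mac) and not strict,
        }
    report["vulnerable"] = any(report[d]["vulnerable"] for d in DIRECTIONS)
    return report


def kexinit(kex: list[str], enc: list[str], mac: list[str]) -> dict:
    """Build a KEXINIT-like dict offering the same lists in both directions."""
    out = {"kex_algorithms": list(kex)}
    for direction in DIRECTIONS:
        out["encryption_algorithms_" + direction] = list(enc)
        out["mac_algorithms_" + direction] = list(mac)
    return out


# Constructed name-lists in a typical preference order.
KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
ENC = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"]
MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]

OLD_CLIENT = kexinit(KEX, ENC, MAC)                               # pre-fix, no strict KEX
PATCHED_CLIENT = kexinit(KEX + [STRICT_KEX_CLIENT], ENC, MAC)
OLD_SERVER = kexinit(KEX, ENC, MAC)
PATCHED_SERVER = kexinit(KEX + [STRICT_KEX_SERVER], ENC, MAC)
GCM_ONLY_SERVER = kexinit(KEX, ["aes256-gcm@openssh.com"], MAC)   # no prone mode offered

if __name__ == "__main__":
    for label, c, s in (("old client / patched server", OLD_CLIENT, PATCHED_SERVER),
                        ("patched client / patched server", PATCHED_CLIENT, PATCHED_SERVER),
                        ("patched client / old server", PATCHED_CLIENT, OLD_SERVER),
                        ("old client / GCM-only server", OLD_CLIENT, GCM_ONLY_SERVER)):
        r = assess(c, s)
        print(f"{label}: strict_kex={r['strict_kex']} vulnerable={r['vulnerable']}")
```

The point the report makes visible is that patching one side is not enough: strict KEX is only in effect when both peers advertise it, so an updated server talking to an old client (or the reverse) with ChaCha20-Poly1305 at the top of the list is still exposed, while restricting the offered ciphers to GCM or CTR-with-plain-MAC removes the exposure even against unpatched peers.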
[USN-6599-1] Jinja2 vulnerabilities
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6600-1] MariaDB vulnerabilities
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6611-1] Exim vulnerability
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6610-1] Firefox vulnerabilities
- 14 CVEs addressed in Focal (20.04 LTS)
[USN-6613-1] Ceph vulnerability
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6612-1] TinyXML vulnerability
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6614-1] amanda vulnerability
- 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6615-1] MySQL vulnerabilities
- 22 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6616-1] OpenLDAP vulnerability
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6587-3] X.Org X Server regression
- 6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6618-1] Pillow vulnerabilities
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
[USN-6617-1] libde265 vulnerabilities
- 14 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
Goings on in Ubuntu Security Community
Ubuntu 23.04 (Lunar Lobster) EOL (06:48)
- Released back in April 2023 - like all interim releases, supported for 9 months
- Reached EOL on 25th January - won’t receive any package updates (security or
bug fix) and will be archived to old-releases.ubuntu.com in the coming weeks
- Users are urged to upgrade to the currently supported interim release 23.10 ASAP
as once it does get archived the process to upgrade becomes harder (since you
have to manually update your apt sources to refer to the old-releases server first)
- 23.10 (Mantic Minotaur) will then be supported for about 5 more months until
July this year
Awesome AppSec in Ubuntu (08:22)
- https://discourse.ubuntu.com/t/awesome-appsec-in-ubuntu/41922/1
- Andrei has compiled a list of tools available in Ubuntu which can be used by
security researchers
- Includes tools for:
- Coordinated Vulnerability Disclosure
- Fuzzing
- License scanning
- Reverse engineering
- Runtime process analysis
- Security linting
- Symbolic execution
- Threat modelling
- Scanning for vulnerable dependencies
- Web scanning
- Runtime application isolation (sandboxing)
- Whether you are a software engineer looking to make your software more secure
or a security researcher trying to find vulns or even a security engineer
wanting tools to help with vulnerability management, there is likely
something in the list for you
- If you find anything missing, send Andrei a PR as the list is hosted on GitHub
full-disclosure spammed with zombie CVEs (09:52)
- full-disclosure mailing list slowly declining in popularity but was once the
go-to place to discuss and disclose vulnerabilities
- In January, saw a large increase in the number of messages posted (75 compared
to 15-30 which was the usual number posted for any month in 2023)
- Meng Ruijie from the National University of Singapore posted 36 different CVE
reports across a large range of OSS projects, including Redis Raft, TinyDTLS,
Mesa, ncurses, vim, GTK and more - and almost all of them were described as
NULL pointer dereferences or buffer overflows etc
- Alan Coopersmith raised this on the oss-security mailing list, since none of
these issues had been raised privately with any of these projects and most of
the CVE descriptions appeared to be quite bogus - e.g. for a CVE in Mesa,
which Meng describes as a NULL pointer deref, the associated issue that the
CVE points to in the upstream Mesa GitLab describes a possible OOB read, but
there is no good evidence that this is able to be influenced by the caller
and hence there is no evidence that there is a security issue here at all
- They appear to have been assigned by just looking for either reports in
upstream issue trackers that mention possible security issues OR upstream
commits that mention words like NULL pointer dereference but without any
consideration as to whether these are actual vulnerabilities
- For example - just because some code may potentially dereference a NULL
pointer, if the caller cannot influence that to occur then there is no way
to trigger it and so it is not an actual vulnerability
- Likely almost all of these CVEs will get disputed and so provide no real
value - also they waste the time of OSS developers to respond to these reports
as well as distros and others to investigate them etc
Get in contact