Episode 223

Overview

This week we bring you a sneak peak of how Ubuntu 23.10 fared at Pwn2Own Vancouver 2024, plus news of malicious themes in the KDE Store and we cover security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6681-3] Linux kernel vulnerabilities (00:54)

• 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2024-0340
  • CVE-2023-6121
  • CVE-2023-51782
  • CVE-2023-51780
  • CVE-2023-51779
  • CVE-2023-4244
  • CVE-2023-22995
  • CVE-2021-44879
• 5.4 - IBM, Oracle
• UAF due to a race-condition in netfilter - underflow a reference counter -> UAF

[USN-6686-2] Linux kernel vulnerabilities (01:42)

• 9 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2024-0607
  • CVE-2024-0340
  • CVE-2023-6121
  • CVE-2023-51782
  • CVE-2023-51779
  • CVE-2023-46862
  • CVE-2023-46343
  • CVE-2023-4134
  • CVE-2023-22995
• 5.15 - Raspi, Lowlatency

[USN-6699-1] Linux kernel vulnerabilities (01:52)

• 3 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2024-24855
  • CVE-2023-4921
  • CVE-2023-30456
• 3.13 - generic, lowlatency, server, virtual
• KVM mishandling of control registers for nested guest VMs
  • [USN-6123-1] Linux kernel (OEM) vulnerabilities from Episode 197
• UAF in Quick Fair Queuing network packet scheduler
  • Local privesc, reported to Google’s kCTF

[USN-6700-1] Linux kernel vulnerabilities (02:40)

• 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2024-24855
  • CVE-2024-1086
  • CVE-2024-0775
  • CVE-2023-51781
  • CVE-2023-39197
  • CVE-2023-34256
  • CVE-2022-20567
• 4.4 - generic, kvm, lowlatency, virtual, aws (14.04 only)
• UAF in nftables - also originally reported to kCTF

[USN-6701-1] Linux kernel vulnerabilities

• 12 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CVE-2024-24855
  • CVE-2024-1086
  • CVE-2024-0775
  • CVE-2023-6121
  • CVE-2023-51781
  • CVE-2023-46838
  • CVE-2023-4132
  • CVE-2023-39197
  • CVE-2023-34256
  • CVE-2023-3006
  • CVE-2023-23000
  • CVE-2023-2002
• 4.15 - oracle, kvm, aws, generic, lowlatency
• UAF in nftables from above and UAF in AppleTalk network driver - [USN-6648-1] Linux kernel vulnerabilities from Episode 220

[USN-6680-3] Linux kernel (AWS) vulnerabilities

• 7 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-25744
  • CVE-2024-0607
  • CVE-2023-6560
  • CVE-2023-6121
  • CVE-2023-51782
  • CVE-2023-51779
  • CVE-2023-46343
• 6.5 - aws

[USN-6681-4] Linux kernel (AWS) vulnerabilities

• 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2024-0340
  • CVE-2023-6121
  • CVE-2023-51782
  • CVE-2023-51780
  • CVE-2023-51779
  • CVE-2023-4244
  • CVE-2023-22995
  • CVE-2021-44879
• 5.4 - aws
• UAF in netfilter discussed earlier

[USN-6686-3] Linux kernel (Oracle) vulnerabilities

• 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2024-0607
  • CVE-2024-0340
  • CVE-2023-6121
  • CVE-2023-51782
  • CVE-2023-51779
  • CVE-2023-46862
  • CVE-2023-46343
  • CVE-2023-4134
  • CVE-2023-22995
• 5.15 - oracle

[USN-6702-1] Linux kernel vulnerabilities

• 4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2024-24855
  • CVE-2024-1086
  • CVE-2023-23004
  • CVE-2023-23000
• 5.4 - iot, ibm, bluefield, gkeop, kvm, oracle, gcp, generic, lowlatency, oem
• Second netfilter UAF above

[USN-6587-5] X.Org X Server vulnerabilities (03:34)

• 7 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2024-21886
  • CVE-2024-21885
  • CVE-2024-0409
  • CVE-2024-0408
  • CVE-2024-0229
  • CVE-2023-6816
  • CVE-2023-6478
• Previous updates for X now available in 14.04 ESM
• Most issues either OOB R/W - impact is then can crash X Server or potentially get code execution - nowadays X runs unprivileged but in 14.04 still runs as root so these vulns are more severe in the older releases

[USN-6673-2] python-cryptography vulnerability (04:21)

• 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-50782
• [USN-6673-1] python-cryptography vulnerabilities from Episode 220

[USN-6695-1] TeX Live vulnerabilities (04:28)

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-25262
  • CVE-2023-32668
  • CVE-2019-18604
• Heap buffer overflow via a crafted TTF file
• LuaTeX specific issue - allowed a document to make arbitrary network requests since it didn’t disable access to the underlying lua socket library
• Misused sprint() resulting in a buffer overflow in the axohelp - helper program for the LaTeX axodraw2 package when used with pdflatex

[USN-6694-1] Expat vulnerabilities (05:24)

• 2 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-28757
  • CVE-2023-52425
• C library for parsing xml
  • used by many other applications like gdb, dbus, audacity, git, python, polkit, squid and more
• CPU/memory-based DoS since would do many full reparsings of a document in some cases
• XML Entity Expansion attack
  • billion laughs attack / XML bomb - 10 entities which each comprise 10 of the previous entity with the document containing a single instance of the largest entity - 1 billion copies of the original entity

[USN-6696-1] OpenJDK 8 vulnerabilities (06:40)

• 6 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-20952
  • CVE-2024-20945
  • CVE-2024-20926
  • CVE-2024-20921
  • CVE-2024-20919
  • CVE-2024-20918
• [USN-6660-1, USN-6661-1] OpenJDK 11 & 17 vulnerabilities from Episode 220

[USN-6697-1] Bash vulnerability (07:01)

• 1 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-3715
• Heap buffer overflow on a valid parameter transformation - can then unexpectedly lead to possible code execution

[USN-6698-1] Vim vulnerability (07:30)

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-22667
• stack buffer overflow when parsing a crafted command file - ie. the user has to load a crafted file to be sourced by vim

[USN-6703-1] Firefox vulnerabilities (07:48)

• 11 CVEs addressed in Focal (20.04 LTS)
  • CVE-2024-2613
  • CVE-2024-2612
  • CVE-2024-2610
  • CVE-2024-2608
  • CVE-2024-2607
  • CVE-2024-2606
  • CVE-2023-5388
  • CVE-2024-2615
  • CVE-2024-2614
  • CVE-2024-2611
  • CVE-2024-2609
• 124.0

Goings on in Ubuntu Security Community

Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 (08:05)

• https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results
• The DEVCORE Team was able to execute their LPE attack against Ubuntu Linux. However, the bug they used was previously known. They still earn $10,000 and 1 Master of Pwn points.
  • https://youtube.com/shorts/fXUrMIM2KYc?si=VIR7YKIt86NGEceU
• Kyle Zeng from ASU SEFCOM used an ever tricky race condition to escalate privileges on Ubuntu Linux desktop. This earns him him $20,000 and 20 Master of Pwn points.
  • https://www.youtube.com/shorts/HSIasEbEkXY
• https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results
• STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu desktop. However, they used a bug that was previously reported. They still earn $5,000 and 1 Master of Pwn point.
• The final entry of Pwn2Own Vancouver 2024 ends as a collision as Theori used a bug that was previously know to escalate privileges on Ubuntu desktop. He still wins $5,000 and 1 Master of Pwn point.

Reports of malicious themes in KDE Store (10:27)

• https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/
• https://floss.social/@kde/112128243960545659
• https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter