Episode 226

Overview

John and Georgia are at the Linux Security Summit presenting on some long awaited developments in AppArmor and we give you all the details in a sneak peek preview as well as some of the other talks to look out for, plus we cover security updates for NSS, Squid, Apache, libvirt and more and we put out a call for testing of a pending AppArmor security fix too.

This week in Ubuntu Security Updates

86 unique CVEs addressed

[USN-6727-1, USN-6727-2] NSS vulnerabilities + regression (01:02)

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2023-6135
  • CVE-2023-5388
  • CVE-2023-4421
• All various different timing side channels - two were effectively the same since the original fix was incomplete - mishandling of padding in PKCS#1 (RSA) certificate checks - possible to infer the length of the encrypted message and other properties to eventually infer secret key by sending a large number of attacker-chosen ciphertexts, the other when using various NIST curves (elliptic curve cryptography)
• Original fix caused some issues with loading NSS security modules so published a second update to fix that on focal+jammy

[USN-6728-1, USN-6728-2] Squid vulnerabilities + regression (02:05)

• 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-25617
  • CVE-2024-25111
  • CVE-2024-23638
  • CVE-2023-5824
  • CVE-2023-49288
• All found by the same researcher (Joshua Rogers) who performed a security audit of Squid back in 2021 - https://megamansec.github.io/Squid-Security-Audit/ - first mentioned by us in [USN-6500-1] Squid vulnerabilities in Episode 214 back in December 2023
• Then we mentioned how squid was under-resourced and so hadn’t be able to fix all the identified issues - over time upstream has published fixes for more issues and we are now incorporating those into squid in Ubuntu
• All of these were various DoS issues where could either cause squid to crash or stop responding
• One of these fixes was problematic and caused squid to crash itself so was reverted

[USN-6729-1] Apache HTTP Server vulnerabilities (03:01)

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-27316
  • CVE-2024-24795
  • CVE-2023-38709
• 2 different issues that could result in HTTP request splitting attacks - similar to HTTP request smuggling which is a more specific version of this attack, relies on different parsing/interpretation of HTTP request messages by an intermediate (load balancer/proxy/WAF etc.) to split a single HTTP request into multiple HTTP requests at the backend - allowing to bypass restrictions along the way - usually involves the use of injected CR/LF/TAB/SPC etc in headers
• Plus memory-based DoS in handling of HTTP/2 - client could just keep sending more headers, buffered by the server so it can generate an informative response, until it exhausts memory
  • limit to just 100 headers before bailing with such an error

[USN-6730-1] Apache Maven Shared Utils vulnerability

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-29599

[USN-6731-1] YARD vulnerabilities

• 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-27285
  • CVE-2019-1020001
  • CVE-2017-17042

[USN-6732-1] WebKitGTK vulnerabilities

• 8 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-23284
  • CVE-2024-23280
  • CVE-2024-23263
  • CVE-2024-23254
  • CVE-2024-23252
  • CVE-2023-42956
  • CVE-2023-42950
  • CVE-2023-42843

[USN-6733-1] GnuTLS vulnerabilities (04:57)

• 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-28835
  • CVE-2024-28834
• Timing side-channel in ECDSA
• Crash when verifying crafted PEM bundles -> DoS

[USN-6734-1] libvirt vulnerabilities (05:13)

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2024-2496
  • CVE-2024-2494
  • CVE-2024-1441
• off-by-one in handling of udev interface names - unpriv client could then abuse this to send crafted udev data to the libvirt daemon, triggering a crash -> DoS
• NULL ptr deref in same code - race condition, need to detach a host interface whilst calling into the function
• Crash in RPC handling - pass a negative length value, would then try and allocate a negative number of array indices - uses underlying g_new0() from glib which expects an unsigned value -> tries to allocate an extremely large amount of memory -> crash

[USN-6735-1] Node.js vulnerabilities

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2023-30590
  • CVE-2023-30589
  • CVE-2023-30588

[USN-6736-1] klibc vulnerabilities (06:33)

• 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2022-37434
  • CVE-2018-25032
  • CVE-2016-9841
  • CVE-2016-9840
• All old memory corruption issues in zlib - vendored within klibc

[USN-6724-2] Linux kernel vulnerabilities

• 12 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2023-52438
  • CVE-2023-52439
  • CVE-2023-52435
  • CVE-2023-52436
  • CVE-2023-52434
  • CVE-2024-23850
  • CVE-2024-22705
  • CVE-2023-6610
  • CVE-2024-23851
  • CVE-2023-52429
  • CVE-2023-50431
  • CVE-2023-46838

[USN-6725-2] Linux kernel (AWS) vulnerabilities

• 46 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-52470
  • CVE-2023-52469
  • CVE-2023-52451
  • CVE-2023-52610
  • CVE-2023-52441
  • CVE-2023-52467
  • CVE-2023-52449
  • CVE-2024-26591
  • CVE-2023-52458
  • CVE-2024-26597
  • CVE-2024-26633
  • CVE-2023-52436
  • CVE-2023-52444
  • CVE-2024-26589
  • CVE-2024-26586
  • CVE-2024-26598
  • CVE-2023-52612
  • CVE-2023-52439
  • CVE-2024-26631
  • CVE-2023-52442
  • CVE-2023-52443
  • CVE-2023-52480
  • CVE-2023-52438
  • CVE-2023-52454
  • CVE-2023-52456
  • CVE-2023-52464
  • CVE-2023-52457
  • CVE-2023-52448
  • CVE-2023-52609
  • CVE-2023-52462
  • CVE-2023-52445
  • CVE-2023-52463
  • CVE-2024-24860
  • CVE-2024-23850
  • CVE-2024-22705
  • CVE-2024-23851
  • CVE-2023-52429
  • CVE-2023-52340
  • CVE-2023-46838
  • CVE-2023-3867
  • CVE-2023-38431
  • CVE-2023-38430
  • CVE-2023-38427
  • CVE-2023-32258
  • CVE-2023-32254
  • CVE-2023-1194

[USN-6726-2] Linux kernel (IoT) vulnerabilities

• 23 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-52438
  • CVE-2023-52436
  • CVE-2023-52454
  • CVE-2023-52470
  • CVE-2023-52451
  • CVE-2023-52445
  • CVE-2023-52469
  • CVE-2023-52609
  • CVE-2023-52444
  • CVE-2023-52449
  • CVE-2024-26597
  • CVE-2024-26633
  • CVE-2023-52612
  • CVE-2023-52439
  • CVE-2023-52443
  • CVE-2023-52457
  • CVE-2023-52448
  • CVE-2023-52464
  • CVE-2024-0607
  • CVE-2024-23851
  • CVE-2023-52429
  • CVE-2023-52340
  • CVE-2023-46838

[USN-6726-3] Linux kernel (Xilinx ZynqMP) vulnerabilities

• 23 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-52438
  • CVE-2023-52436
  • CVE-2023-52454
  • CVE-2023-52470
  • CVE-2023-52451
  • CVE-2023-52445
  • CVE-2023-52469
  • CVE-2023-52609
  • CVE-2023-52444
  • CVE-2023-52449
  • CVE-2024-26597
  • CVE-2024-26633
  • CVE-2023-52612
  • CVE-2023-52439
  • CVE-2023-52443
  • CVE-2023-52457
  • CVE-2023-52448
  • CVE-2023-52464
  • CVE-2024-0607
  • CVE-2024-23851
  • CVE-2023-52429
  • CVE-2023-52340
  • CVE-2023-46838

Goings on in Ubuntu Security Community

Linux Security Summit NA 2024 (07:22)

• https://events.linuxfoundation.org/linux-security-summit-north-america/
• Unprivileged Access Control in AppArmor - John Johansen & Georgia Garcia, Canonical
  • https://static.sched.com/hosted_files/lssna24/97/AppArmor%20-%20Unprivileged%20Application%20Policy.pdf
  • Friday 19th @ 9.15am PDT - live stream at https://www.youtube.com/watch?v=S-RQZGRoQFY
  • AppArmor - MAC - sysadmin defines policy
  • Allowing applications to define and load their own policy
    • APIs in libapparmor to allow this to be done from static policy OR to build up policy over time
    • policy is compiled in userspace and loaded into the kernel as usual
    • To then stop a compromised application from unloading its policy, can mark it immutable so it can’t be further modified / removed
    • Any further restrictions though can then be stacked against the immutable policy to say allow it to be confined futher
    • On kernel side
      • sysctl to allow/deny applications to load their own policy
      • checks on the amount of memory able to be used to avoid apps DoSing system
      • verification of compiled policy by kernel state machine
      • policy only applies to the task and its children
    • Various complexities in handling credentials/labels across tasks (ie. processes) and how these interact with the userspace processes/threads etc
    • Also still have to resolve whether to use prctl vs syscall as the interface since we can’t use the LSM syscalls
      • May result in an AppArmor specific syscall
      • But for now just using a prctl
    • Application profiles then stack against any relevant system policy
    • ie. if there is system policy, and policy loaded by the application itself is bounded by the system policy
  • Demo of implementing pledge() and unveil() from OpenBSD
    • pledge is similar to seccomp() on linux - allows an application to restrict what it can do by declaring what subsystems it should be allowed access to “promises”
      • stdio, inet, bpf, unix, audio, video and many others
      • map these to equivalent AppArmor permissions (although this is not a perfect mapping but WIP)
      • also since this is at the LSM layer, we are not necessarily blocking syscalls as is done by pledge (since it is more akin to seccomp)
      • but can use seccomp to plug any gaps
      • to fully emulate this also need to emulate the return value - since on OpenBSD if the application violates the promise, deliver a SIGABRT - whereas LSMs return EACCES
      • can do this via a new profile flag called kill along with the associated signal to deliver
      • further complications to this since not always SIGABRT, sometimes is an errno (ENOSYS/EACCES) too
      • extend apparmor policy to allow to specify priorities of what action should be taken in various cases
      • can use the aforementioned immutable profile flag and stacking to then implement the promise reduction feature of pledge()
    • unveil is used to remove visibility of parts of the file-system
      • maps quite cleanly to apparmor file rules
  • Full video of the session should be available soon
• Lots of other interesting talks:
  • Stacked LSMs and User Space - Casey Schaufler, The Smack Project
    • LSM syscalls and associated liblsm to provide an easier API plus emulation for older systems
    • https://static.sched.com/hosted_files/lssna24/1a/2024-04-LSSNA-liblsm.pdf
  • Mitigating Integer Overflow in C - Kees Cook, Google
    • LKSPP - latest efforts to mitigate integer overflows within the kernel through the use of compiler sanitizers
    • https://static.sched.com/hosted_files/lssna24/fb/Mitigating%20Integer%20Overflow%20in%20C.pdf
  • Enhancing Kernel Bug Discovery with Large Language Models - Zahra Tarkhani, Microsoft
  • SandBox Mode (SBM) - New Execution Mode Between Kernel and User Space - Petr Tesarik, Self-employed

Upcoming AppArmor Security update for CVE-2016-1585

• https://discourse.ubuntu.com/t/upcoming-apparmor-security-update-for-cve-2016-1585/44268/1
• https://bugs.launchpad.net/apparmor/+bug/1597017

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @[email protected], @ubuntu_sec on twitter