Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 227

25 min • 3 maj 2024

Overview

Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6749-1] FreeRDP vulnerabilities (00:45)

[USN-6752-1] FreeRDP vulnerabilities (01:41)

[USN-6657-2] Dnsmasq vulnerabilities (01:54)

[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)

[USN-6750-1] Thunderbird vulnerabilities (02:19)

[USN-6751-1] Zabbix vulnerabilities (02:54)

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • First time Zabbix has featured in the podcast!
  • Fixes 2 reflected XSS issues - in newer versions both require the attacker to be able to specify the user’s specific CSRF token - but in older versions only there was only a session ID which is easier to guess

[USN-6753-1] CryptoJS vulnerability (03:38)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Insecure default config - uses older parameters for the implementation of PBKDF2 - SHA1 with a single iteration - makes any passwords protected via PBKDF2 in crypto-js easier to brute-force from the hashed value - instead updated to use SHA256 with 250,000 rounds

[USN-6754-1] nghttp2 vulnerabilities (04:32)

  • 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 - all DoS attacks)
  • HTTP/2 continuation frames - no proper limit on the amount of these frames which can be sent in a single stream - attacker can send many to cause a DoS on the server either through CPU by lots of processing or memory by storing all these headers in memory

[USN-6755-1] GNU cpio vulnerabilities (05:42)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Path traversal vuln - possible to write outside of the target directory
  • Specific to Debian/Ubuntu etc since reverted part of the fix for historic CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the archive - since it broke the use of the --no-absolute-filenames CLI argument
  • Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu since focal
  • Now use more correct fix from upstream (April 2023)

[USN-6756-1] less vulnerability (07:10)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
  • Similar issue - this time in the use of LESSOPEN environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if ran less on some untrusted file
  • LESSOPEN is automatically set in Debian/Ubuntu via lesspipe - allows to run less on say a gz compressed log file or even on a tar.gz tarball to list the files etc

[USN-6757-1] PHP vulnerabilities (08:41)

  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the same network/site could set a cookie via HTTP with one name, which then gets used by sessions using HTTPS and when using a different cookie name - is a problem since certain cookie names (like __Host- and __Secure-) have specific meanings which in general should be allowed to be specified by the network but only by the browser itself - so can be used to bypass usual restrictions (apparently this issue was reported upstream by the original reported of the 2022 vuln but it got ignored by upstream till now…)
  • password_verify() function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified a password was the empty string would verify as true (unlikely to be an issue in practice)
  • Heap buffer overflow due to a large PHP_CLI_SERVER_WORKERS env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)

[USN-6761-1] Anope vulnerability (11:15)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Failed to deny ability to reset the password of a suspended account and hence gain access again

[USN-6758-1] JSON5 vulnerability (11:37)

  • 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • NodeJS module for the JSON5 format - “JSON for humans” - much more similar to yaml, does away with a lot of the usual quotes etc
  • Protoype pollution vuln - when parsing would fail to restrict use of the __proto__ key and hence would allow the ability to set arbitrary keys etc within the returned object -> RCE

[LSN-0103-1] Linux kernel vulnerability (12:46)

Kernel type 22.04 20.04 18.04
aws 103.3 103.3
aws-5.15 103.3
aws-5.4 103.3
aws-6.5 103.1
azure 103.3 103.3
azure-5.4 103.3
azure-6.5 103.1
gcp 103.3 103.3
gcp-5.15 103.3
gcp-5.4 103.3
gcp-6.5 103.1
generic-5.15 103.3
generic-5.4 103.3 103.3
gke 103.3 103.3
hwe-6.5 103.1
ibm 103.3
ibm-5.15 103.3
linux 103.3
lowlatency-5.15 103.3
lowlatency-5.4 103.3 103.3
canonical-livepatch status

[USN-6760-1] Gerbv vulnerability (13:01)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Vuln found by the Ubuntu Security team - David and (former member) Andrei - Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of testing with ASan enabled - crafted filename -> crash

[USN-6759-1] FreeRDP vulnerabilities (13:41)

[USN-6737-2] GNU C Library vulnerability

[USN-6729-3] Apache HTTP Server vulnerabilities

[USN-6718-3] curl vulnerabilities

[USN-6733-2] GnuTLS vulnerabilities

[USN-6734-2] libvirt vulnerabilities

[USN-6744-3] Pillow vulnerability

Goings on in Ubuntu Security Community

Ubuntu 24.04 LTS (Noble Numbat) released (14:27)

Get in contact

Kategorier
Förekommer på
00:00 -00:00