Overview
Ubuntu 24.04 LTS is finally released and we cover all the new security features
it brings, plus we look at security vulnerabilities in, and updates for,
FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.
This week in Ubuntu Security Updates
61 unique CVEs addressed
[USN-6749-1] FreeRDP vulnerabilities (00:45)
- 7 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Bunch of issues all reported by researcher from Kaspersky - usual sorts of issues in this package - written in C etc
- OOB reads, heap buffer overflow, integer overflow / underflow -> OOB write
[USN-6752-1] FreeRDP vulnerabilities (01:41)
- 4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Not long after those - more CVEs announced
- OOB read, NULL ptr deref and memory exhaustion
[USN-6657-2] Dnsmasq vulnerabilities (01:54)
[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)
- 5 CVEs addressed in Jammy (22.04 LTS)
[USN-6750-1] Thunderbird vulnerabilities (02:19)
- 8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- 115.10.1
[USN-6751-1] Zabbix vulnerabilities (02:54)
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- First time Zabbix has featured in the podcast!
- Fixes 2 reflected XSS issues - in newer versions both require the attacker to
be able to specify the user’s specific CSRF token - but in older versions only
there was only a session ID which is easier to guess
[USN-6753-1] CryptoJS vulnerability (03:38)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Insecure default config - uses older parameters for the implementation of
PBKDF2 - SHA1 with a single iteration - makes any passwords protected via
PBKDF2 in crypto-js easier to brute-force from the hashed value - instead
updated to use SHA256 with 250,000 rounds
[USN-6754-1] nghttp2 vulnerabilities (04:32)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM
releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we
covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 -
all DoS attacks)
- HTTP/2 continuation frames - no proper limit on the amount of these frames
which can be sent in a single stream - attacker can send many to cause a DoS
on the server either through CPU by lots of processing or memory by storing
all these headers in memory
[USN-6755-1] GNU cpio vulnerabilities (05:42)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Path traversal vuln - possible to write outside of the target directory
- Specific to Debian/Ubuntu etc since reverted part of the fix for historic
CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the
archive - since it broke the use of the
--no-absolute-filenames
CLI argument
- Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu
since focal
- Now use more correct fix from upstream (April 2023)
[USN-6756-1] less vulnerability (07:10)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
- Similar issue - this time in the use of
LESSOPEN
environment variable - failed
to properly quote newlines embedded in a filename - could then allow for
arbitrary code execution if ran less
on some untrusted file
LESSOPEN
is automatically set in Debian/Ubuntu via lesspipe
- allows to run
less on say a gz compressed log file or even on a tar.gz tarball to list the
files etc
[USN-6757-1] PHP vulnerabilities (08:41)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the
same network/site could set a cookie via HTTP with one name, which then gets
used by sessions using HTTPS and when using a different cookie name - is a
problem since certain cookie names (like
__Host-
and __Secure-
) have specific
meanings which in general should be allowed to be specified by the network but
only by the browser itself - so can be used to bypass usual restrictions
(apparently this issue was reported upstream by the original reported of the
2022 vuln but it got ignored by upstream till now…)
password_verify()
function would sometimes return true for wrong passwords -
ie if the actual password started with a NUL byte and the specified a password
was the empty string would verify as true (unlikely to be an issue in practice)
- Heap buffer overflow due to a large
PHP_CLI_SERVER_WORKERS
env var value -
integer overflow -> wraparound -> allocate small amount of memory for a large
number of values -> buffer overflow (low priority since would need to be able
to set this env var first)
[USN-6761-1] Anope vulnerability (11:15)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Failed to deny ability to reset the password of a suspended account and hence
gain access again
[USN-6758-1] JSON5 vulnerability (11:37)
- 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- NodeJS module for the JSON5 format - “JSON for humans” - much more similar to
yaml, does away with a lot of the usual quotes etc
- Protoype pollution vuln - when parsing would fail to restrict use of the
__proto__
key and hence would allow the ability to set arbitrary keys etc
within the returned object -> RCE
[LSN-0103-1] Linux kernel vulnerability (12:46)
- 7 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
Kernel type |
22.04 |
20.04 |
18.04 |
aws |
103.3 |
103.3 |
— |
aws-5.15 |
— |
103.3 |
— |
aws-5.4 |
— |
— |
103.3 |
aws-6.5 |
103.1 |
— |
— |
azure |
103.3 |
103.3 |
— |
azure-5.4 |
— |
— |
103.3 |
azure-6.5 |
103.1 |
— |
— |
gcp |
103.3 |
103.3 |
— |
gcp-5.15 |
— |
103.3 |
— |
gcp-5.4 |
— |
— |
103.3 |
gcp-6.5 |
103.1 |
— |
— |
generic-5.15 |
— |
103.3 |
— |
generic-5.4 |
— |
103.3 |
103.3 |
gke |
103.3 |
103.3 |
— |
hwe-6.5 |
103.1 |
— |
— |
ibm |
103.3 |
— |
— |
ibm-5.15 |
— |
103.3 |
— |
linux |
103.3 |
— |
— |
lowlatency-5.15 |
— |
103.3 |
— |
lowlatency-5.4 |
— |
103.3 |
103.3 |
canonical-livepatch status
[USN-6760-1] Gerbv vulnerability (13:01)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Vuln found by the Ubuntu Security team - David and (former member) Andrei -
Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of
testing with ASan enabled - crafted filename -> crash
[USN-6759-1] FreeRDP vulnerabilities (13:41)
- 5 CVEs addressed in Noble (24.04 LTS)
[USN-6737-2] GNU C Library vulnerability
- 1 CVEs addressed in Noble (24.04 LTS)
[USN-6729-3] Apache HTTP Server vulnerabilities
- 3 CVEs addressed in Noble (24.04 LTS)
[USN-6718-3] curl vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6733-2] GnuTLS vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6734-2] libvirt vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6744-3] Pillow vulnerability
- 1 CVEs addressed in Noble (24.04 LTS)
Goings on in Ubuntu Security Community
Ubuntu 24.04 LTS (Noble Numbat) released (14:27)
Get in contact