Overview
As the podcast winds down for a break over the next month, this week we talk
about RSA timing side-channel attacks and the recently announced DNSBomb
vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK,
amavisd-new, Unbound, Intel Microcode and more.
This week in Ubuntu Security Updates
152 unique CVEs addressed
[USN-6783-1] VLC vulnerabilities (00:54)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- integer underflow and a heap buffer overflow -> RCE
[USN-6663-3] OpenSSL update (01:40)
- Affecting Noble (24.04 LTS)
- [USN-6663-1] OpenSSL update from Episode 220 - hardening improvement to return
deterministic random bytes instead of an error when an incorrect padding
length is detected during PKCS#1 v1.5 RSA to avoid this being used for
possible Bleichenbacher timing attacks
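The hardening described above, as an added illustration that is not OpenSSL's code: a classic PKCS#1 v1.5 unpadding routine that raises on bad padding (the error an attacker can observe), beside a variant that never errors and instead returns a deterministic stand-in message derived from the ciphertext with key-bound material. The function names, the HMAC-based derivation and the `private_secret` input are assumptions made for this example; the real implementation does the equivalent with constant-time primitives in C.

```python
import hmac
import hashlib

# Constructed, simplified model of "implicit rejection" for PKCS#1 v1.5
# decryption. em is assumed to be the full modulus-length block obtained
# after the RSA private-key operation.


def pkcs1_v15_unpad_strict(em: bytes) -> bytes:
    """Textbook unpadding: raises on bad padding, which is exactly the
    observable signal a Bleichenbacher-style attacker wants."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("invalid PKCS#1 v1.5 padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # at least eight non-zero padding bytes are required
        raise ValueError("invalid PKCS#1 v1.5 padding")
    return em[sep + 1:]


def synthetic_message(private_secret: bytes, ciphertext: bytes, max_len: int) -> bytes:
    """Deterministic stand-in message (assumed derivation, not OpenSSL's):
    a key-derivation key is an HMAC over the ciphertext keyed with private
    material, so the same ciphertext always yields the same fake plaintext
    and a different ciphertext yields a different one."""
    kdk = hmac.new(private_secret, ciphertext, hashlib.sha256).digest()
    length_src = hmac.new(kdk, b"length", hashlib.sha256).digest()[:2]
    length = int.from_bytes(length_src, "big") % (max_len + 1)
    out = b""
    counter = 0
    while len(out) < length:
        block = hmac.new(kdk, b"msg" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def pkcs1_v15_unpad_implicit_reject(em: bytes, ciphertext: bytes, private_secret: bytes) -> bytes:
    """Always returns a message; invalid padding yields the synthetic one.
    Every check is evaluated, and the fake message is computed, regardless
    of where the padding is wrong, so there is no early exit to observe."""
    max_len = max(len(em) - 11, 0)
    fake = synthetic_message(private_secret, ciphertext, max_len)
    good = len(em) >= 11
    good &= len(em) >= 2 and em[0] == 0x00 and em[1] == 0x02
    sep = -1
    for i in range(2, len(em)):          # full scan, no break
        if em[i] == 0x00 and sep == -1:
            sep = i
    good &= sep >= 10
    real = em[sep + 1:] if sep != -1 else b""
    return real if good else fake
```

The caller of the hardened variant cannot distinguish "padding was valid and the message is X" from "padding was invalid and a synthetic message was substituted"; a protocol that then fails an authentication check on the synthetic bytes fails the same way it would on any wrong plaintext, which removes the padding oracle.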
[USN-6673-3] python-cryptography vulnerability (02:32)
[USN-6736-2] klibc vulnerabilities (02:43)
[USN-6784-1] cJSON vulnerabilities (02:58)
- 3 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- 2 different researchers fuzzing cJSON APIs
- all different NULL pointer dereferences - each requires particular / "incorrect"
  use of the APIs (like passing in purposefully corrupted values), so
  unlikely to be an issue in practice
[USN-6785-1] GNOME Remote Desktop vulnerability (03:52)
- 1 CVE addressed in Noble (24.04 LTS)
- Discovered by a member of the SUSE security team when reviewing g-r-d
- Exposed various DBus services that could be called by any unprivileged
  user and which would then return the SSL private key used to encrypt the
  connection - so could allow a local user to possibly spy on the sessions of
  other users remotely connected to the system
[USN-6786-1] Netatalk vulnerabilities (04:45)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Apple file sharing implementation for Linux
- If the same path was shared via both AFP and SMB then a remote attacker could
  combine various operations through both file-sharing protocols (like creating
  a crafted symlink, which would then be followed during a second operation
  where a file is renamed) to overwrite arbitrary files and hence achieve
  arbitrary code execution on the host
[USN-6788-1] WebKitGTK vulnerabilities (05:48)
- 1 CVE addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Possible pointer authentication bypass - used on arm64 in particular -
demonstrated at Pwn2Own earlier this year by Manfred Paul - $60k
[USN-6789-1] LibreOffice vulnerability (06:28)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Unchecked script execution triggered when clicking on a graphic - allows
  arbitrary scripts to run without the usual prompt
[USN-6790-1] amavisd-new vulnerability (07:09)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- MTA / AV interface - often used in conjunction with Postfix; not just for AV
  but can also be used for DKIM verification and integration with SpamAssassin
  etc.
- Misinterpreted MIME message boundaries in emails, allowing email parts to
possibly bypass usual checks
[USN-6791-1] Unbound vulnerability (07:46)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- DNSBomb attack announced recently at IEEE S&P - affecting multiple different
DNS implementations including BIND, Unbound, PowerDNS, Knot, DNSMasq and others
- Unbound itself was not necessarily vulnerable to such an attack specifically,
but could be used to generate such an attack against others - in particular
Unbound had the highest amplification factor of ~22k times - next highest was
DNSMasq at ~3k times
- Fix involves introducing a number of timeout parameters for various operations
and discarding operations if they take longer than this to avoid the ability
to “store up” responses to be released at a later time
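The timeout mitigation described above, as an added model that is not Unbound's code: a minimal in-flight query table in which queries that have waited longer than a hold limit are discarded, and a slow-drip scenario in which a low, steady query rate is answered all at once when the withheld upstream answer finally arrives. The class and function names, the 1 query/second rate and the 2-second hold limit are assumptions chosen for this example.

```python
from collections import OrderedDict

# Constructed illustration of why bounding the time a resolver holds an
# in-flight query bounds the size of a burst that can be released at once.


class PendingQueries:
    """In-flight query table with an optional maximum hold time (seconds)."""

    def __init__(self, max_hold_seconds=None):
        self.max_hold = max_hold_seconds
        self._pending = OrderedDict()  # qid -> arrival time

    def add(self, qid, now):
        self.expire(now)
        self._pending[qid] = now

    def expire(self, now):
        """Drop queries held longer than max_hold; returns the number dropped."""
        if self.max_hold is None:
            return 0
        stale = [q for q, t in self._pending.items() if now - t > self.max_hold]
        for q in stale:
            del self._pending[q]
        return len(stale)

    def release(self, now):
        """The upstream answer arrives: every query still pending is answered
        at the same instant. Returns the list of query ids in that burst."""
        self.expire(now)
        burst = list(self._pending)
        self._pending.clear()
        return burst


def simulate_slow_drip(rate_qps, duration_s, max_hold=None):
    """Queries trickle in at rate_qps for duration_s seconds while the upstream
    answer is withheld until the end. Returns (queries sent, burst size)."""
    table = PendingQueries(max_hold)
    n = int(rate_qps * duration_s)
    for i in range(n):
        table.add(i, i / rate_qps)
    burst = table.release(duration_s)
    return n, len(burst)
```

With no hold limit the whole ten minutes of trickled queries (600 of them at 1 query/second) is released in one instant; with a 2-second limit only the queries that arrived in the last two seconds are still pending, so the burst is bounded by the limit times the inbound rate rather than by how long the attacker is willing to wait.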
[USN-6793-1] Git vulnerabilities (09:31)
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
[USN-6792-1] Flask-Security vulnerability
- 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-6794-1] FRR vulnerabilities
- 4 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
[USN-6777-4] Linux kernel (HWE) vulnerabilities (09:40)
[USN-6795-1] Linux kernel (Intel IoTG) vulnerabilities (10:00)
[USN-6779-2] Firefox regressions (10:30)
- 14 CVEs addressed in Focal (20.04 LTS)
- 126.0.1 - drag-and-drop was broken in 126.0
[USN-6787-1] Jinja2 vulnerability (10:48)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Incorrect handling of various HTML attributes - an attacker could then possibly
  inject arbitrary HTML attributes/values and hence inject JS code to perform XSS
  attacks etc.
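The class of bug described above, as an added example that is not Jinja2's code: a renderer that builds an HTML attribute string from a dictionary. Escaping the values alone is not enough when the attribute *names* are also untrusted, because a name containing whitespace or `=` becomes extra attributes in the output. The strict variant validates names against an allow-pattern before emitting them; the pattern and function names are assumptions made for this example.

```python
import html
import re

# Constructed example: attribute names may come from untrusted input.
# Only names that look like a single well-formed attribute are accepted.
_SAFE_ATTR_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


def render_attrs_naive(attrs):
    """Escapes values but trusts keys: a key containing a space or '='
    silently becomes additional attributes in the rendered tag."""
    return " ".join(
        f'{k}="{html.escape(str(v), quote=True)}"'
        for k, v in attrs.items()
        if v is not None
    )


def render_attrs_strict(attrs):
    """Escapes values and rejects any key that is not a single valid
    attribute name, so the output contains exactly one attribute per key."""
    parts = []
    for k, v in attrs.items():
        if v is None:
            continue
        if not _SAFE_ATTR_NAME.match(k):
            raise ValueError(f"invalid attribute name: {k!r}")
        parts.append(f'{k}="{html.escape(str(v), quote=True)}"')
    return " ".join(parts)
```

The value escaping (`html.escape` with `quote=True`) is the same in both; the difference is that the strict version treats the attribute name as data to be validated rather than as template text.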
[USN-6797-1] Intel Microcode vulnerabilities (11:22)
- 9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Latest release from upstream - mitigates various hardware vulns
- A couple of issues in SGX/TDX on different Intel Xeon processors:
- Invalid restrictions -> local root -> super-privesc
- Invalid input on TDX -> local root -> super-privesc
- Invalid SGX base key calculation -> info leak
- Transient execution attacks to read privileged information
- DoS through bus lock mishandling or through invalid instruction sequences