Overview
A look into CISA’s Known Exploited Vulnerability Catalogue is on our minds this
week, plus we look at vulnerability updates for gdb, Ansible, CUPS, libheif,
Roundcube, the Linux kernel and more.
This week in Ubuntu Security Updates
175 unique CVEs addressed
[USN-6842-1] gdb vulnerabilities (01:10)
- 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- a couple of these are inherited from binutils as they share that code -
parsing of crafted ELF executables -> NULL ptr deref or possible heap-based
buffer overflow -> DoS/RCE
- other stack and heap buffer overflows as well - parsing of crafted Ada files
and crafted debug info files as well -> DoS/RCE
[USN-6845-1] Hibernate vulnerability (02:12)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Object-relational mapping (ORM) library for Java
- SQL injection in the JPA Criteria API implementation - could allow unvalidated
literals to reach the SQL comments of a query when logging is enabled - fixed by
properly escaping comments in this case
[USN-6846-1] Ansible vulnerabilities (02:46)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Possibly would leak the password into the log file when using the AWS EC2
module since it failed to validate the tower_callback (nowadays called
aap_callback - Ansible Automation Platform) parameter appropriately
- Allows marking variables as unsafe - in that they may come from an external,
untrusted source - so they won't get evaluated/expanded when used, to avoid
possible info leaks etc - various issues where ansible would fail to respect
this and essentially forget they were tagged as unsafe and end up exposing
secrets as a result
[USN-6844-1] CUPS vulnerability (04:08)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- When starting, cups would arbitrarily chmod the socket specified as the Listen
parameter to make it world-writable - if this was a symlink, it would then make
the target of the symlink world-writable - in general the cups config file is
only writable by root, so exploiting this requires some other vuln that gives
write access to the config file OR the ability to replace the regular cups
socket path with a user-controlled symlink - but if you can, then you can even
change the cups config itself to be world-writable and hence modify other
parameters like the user and group that cups should run as, as well as set a
crafted FoomaticRIPCommandLine which can then run arbitrary commands as root
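To make the symlink point concrete, here is an added example (not CUPS code) showing that chmod on a path follows a symlink and so changes the permissions of the link's target, alongside a guarded variant that uses lstat to refuse anything that is a symlink or is not actually a socket. The "secret" file, socket names and temp directory layout are constructed for the demo.

```python
"""chmod follows symlinks: demo of the CUPS-style pitfall and a guarded chmod.

Added example, not code from CUPS. Paths, the "secret" file and the socket
names are constructed for the demonstration and created in a temp directory.
"""
import os
import socket
import stat
import tempfile


def naive_chmod(path: str, mode: int) -> None:
    """The vulnerable pattern: chmod(2) resolves symlinks, so if `path`
    is a link it is the *target's* mode that changes."""
    os.chmod(path, mode)


def guarded_chmod(path: str, mode: int) -> None:
    """Only change the mode of something that really is a socket at `path`.

    lstat(2) does not follow links, so a symlink is detected and refused.
    A small window between lstat and chmod remains (TOCTOU); the real
    defence is a socket directory that untrusted users cannot write to.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to chmod symlink: {path}")
    if not stat.S_ISSOCK(st.st_mode):
        raise PermissionError(f"not a socket: {path}")
    os.chmod(path, mode)


def run_demo() -> dict:
    """Exercise both variants; returns the resulting modes for inspection."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a root-only file an attacker wants writable.
        secret = os.path.join(workdir, "secret.conf")
        with open(secret, "w") as fh:
            fh.write("# constructed: pretend this is a root-only config\n")
        os.chmod(secret, 0o600)

        # Attacker-controlled symlink placed where the daemon expects its socket.
        link = os.path.join(workdir, "cups.sock")
        os.symlink(secret, link)

        naive_chmod(link, 0o666)
        after_naive = stat.S_IMODE(os.stat(secret).st_mode)   # target is now 0o666

        os.chmod(secret, 0o600)   # reset for the second run
        try:
            guarded_chmod(link, 0o666)
            refused = False
        except PermissionError:
            refused = True
        after_guarded = stat.S_IMODE(os.stat(secret).st_mode)  # still 0o600

        # The guarded version still works on a genuine UNIX socket.
        real = os.path.join(workdir, "real.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(real)
        guarded_chmod(real, 0o666)
        real_mode = stat.S_IMODE(os.stat(real).st_mode)
        srv.close()

    return {
        "after_naive": after_naive,
        "guarded_refused": refused,
        "after_guarded": after_guarded,
        "real_socket_mode": real_mode,
    }


if __name__ == "__main__":
    result = run_demo()
    print({k: (oct(v) if type(v) is int else v) for k, v in result.items()})
```

The lstat check narrows the window but does not close it; what actually removes the class of bug is never chmod-ing a path in a directory that less privileged users can write to.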
[USN-6849-1] Salt vulnerabilities (06:20)
- 2 CVEs addressed in Trusty ESM (14.04 ESM)
- Failed to properly validate paths in some methods and also failed to restrict
access to other methods, allowing them to be used without authentication -
could then either allow arbitrary directory access or the ability to retrieve
tokens from the master or run arbitrary commands on minions
[USN-6746-2] Google Guest Agent and Google OS Config Agent vulnerability (06:44)
- 1 CVE addressed in Noble (24.04 LTS)
- A vuln in the embedded golang protobuf module - when parsing JSON could end up
in an infinite loop -> DoS
[USN-6850-1] OpenVPN vulnerability (07:04)
[USN-6847-1] libheif vulnerabilities (07:36)
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- First time mentioning libheif on the podcast - High Efficiency Image File
Format - part of the MPEG-H standard - container format used to store images
or sequences of images
- Commonly seen due to its use by Apple for images on iPhone
- C++ - usual types of issues
- UAF, buffer overflows, floating point exception etc
- most found through fuzzing
[USN-6848-1] Roundcube vulnerabilities (08:21)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- webmail front-end for IMAP
- 2 different possible XSS issues due to mishandling of SVG - email containing
an SVG could embed JS that then gets loaded when the email is viewed
- Also possible XSS through a crafted user preference value - similarly through
a crafted Content-Type/Content-Disposition header which can be used for
attachment preview/download
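On the defensive side of the SVG issue, here is an added example (not Roundcube's own sanitizer) of stripping active content from an SVG before it is rendered inline: script-capable elements, on* event-handler attributes and javascript:/data: hrefs are removed, and anything that is not a well-formed <svg> document is rejected. The malicious SVG is constructed to carry the payload types the notes describe.

```python
"""Strip active content from an SVG before it is rendered in a mail client.

Added example, not Roundcube's sanitizer. The SVG below is constructed to
carry the kinds of payload the notes describe: an inline <script>, an
event-handler attribute, a javascript: link and a foreignObject.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes on output instead of ElementTree's generated ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or embed arbitrary foreign content.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL-bearing attribute (href and xlink:href both have local name "href").
URL_ATTRS = {"href"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """'{ns}tag' -> 'tag' (element and attribute names may be namespaced)."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(svg_text: str) -> str:
    """Return the SVG with scripting vectors removed; raise on anything that
    is not a well-formed <svg> document (fail closed, never pass through)."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    # Pass 1: remove dangerous elements together with their subtrees.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in DANGEROUS_ELEMENTS:
                parent.remove(child)

    # Pass 2: drop event handlers and script-scheme URLs from what is left.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr).lower()
            # Browsers ignore embedded whitespace when parsing a scheme
            # ("java\nscript:"), so squash it before comparing.
            value = "".join(el.attrib[attr].split()).lower()
            if name.startswith("on"):
                del el.attrib[attr]
            elif name in URL_ATTRS and value.startswith(BLOCKED_SCHEMES):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample: every payload here must be gone after sanitising.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)" width="100" height="100">
  <script>alert('inline')</script>
  <a xlink:href="java&#10;script:alert(2)"><circle cx="50" cy="50" r="40" fill="red"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body></foreignObject>
</svg>"""


if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_SVG))
```

In a real mail front-end the parse step should use defusedxml (xml.etree does not protect against entity-expansion tricks) and any parse failure should mean the image is served only as a download, never rendered inline.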
[USN-6819-4] Linux kernel (Oracle) vulnerabilities (09:21)
- 149 CVEs addressed in Jammy (22.04 LTS)
- Of all these CVEs, 6 had a high priority rating
- many are due to bugs in the async handling of crypto operations in the
in-kernel TLS implementation
- CVE-2024-26582 and CVE-2024-26584 - both reported by Google kernelCTF program (talked about back in [USN-6766-2] Linux kernel vulnerabilities from Episode 228)
- first is UAF in TLS handling of scatter/gather arrays
- second is UAF when crypto requests get backlogged and the underlying
crypto engine can’t process them all in time - can then end up having
the async callback invoked twice
- CVE-2024-26585
- very similar - UAF in handling of crypto operations from TLS - thread
which handles the socket could close this before all the operations had
been scheduled
- CVE-2024-26583 - similarly, race between async notify event and socket close -> UAF
- UAF in BPF and a UAF in netfilter - also reported via Google kernelCTF -
both able to be triggered via an unpriv userns
Goings on in Ubuntu Security Community
Discussion of CISA KEV
- US Gov Cybersecurity & Infrastructure Security Agency
- “America’s Cyber Defense Agency”
- National Coordinator for Critical Infrastructure Security and Resilience
- Publish various guidance for organisations around topics of cybersecurity
- for instance, recently published a report “Exploring Memory Safety in Critical Open Source Projects”
- Joint guidance (FBI, ASD / ACSC & Canadian CSC)
- Builds on the previous case for memory safe roadmaps by looking at the
prevalence of memory unsafe languages in various critical open source
projects
- Also maintain the KEV - Known Exploited Vulnerabilities Catalog
- “authoritative source of vulnerabilities that have been exploited in the wild”
- Mandates for federal civilian agencies in the US to remediate KEV vulns within various timeframes
- Also recommend that anyone else monitors this list and immediately addresses these vulns as part of the vuln remediation plan
- List of vulns that are causing immediate harm based on observed adversarial activity
- Various requirements to be listed in the KEV:
- CVE ID assigned
- Evidence it has been or is being actively exploited
- reliable evidence that execution of malicious code was performed on a system by an unauthorised actor
- also includes both attempted and successful exploitation (e.g. includes honeypots as well as real systems)
- Clear remediation guidelines
- An update is available and should be applied OR
- Vulnerable component should be removed from networks etc if it is EOL and cannot be updated
- available as CSV or JSON
- Currently lists 1126 CVEs including:
- Accellion File Transfer Appliances
- Adobe Reader, Flash Player
- Apache HTTP Server, Struts (Solarwinds), Log4j
- Huge number of Apple iOS etc (WebKit and more)
- Atlassian Confluence
- Citrix Gateways
- Exim
- Fortinet
- Gitlab
- Google Chromium
- ImageMagick
- Microsoft Windows and Exchange
- Mozilla Firefox
- Ivanti Pulse Connect Security
- SaltStack
- VMWare
- WordPress
- Oldest CVEs are 2 against Windows from 2002 and 2004
- Newest include 26 2024 CVEs - various Chromium, Windows, Android Pixel, Ivanti and more
- interestingly includes ARM Mali GPU Driver CVE-2024-4610 - this affects
the Bifrost and Valhall drivers - in Ubuntu we only ship the related
Midgard driver back in bionic and focal so not affected by this one
- but as you may have noticed, lots that we potentially are affected by
- Apache HTTP Server, Exim, Firefox, Thunderbird - plus OpenJDK, GNU C
Library, Bash, Roundcube (mentioned earlier but not this particular vuln),
WinRAR (unrar), not to mention a number against the Linux kernel
- all for Linux kernel are privesc - most against either netfilter or
various other subsystems like perf, AF_PACKET, tty, ptrace, futex and others
- For Ubuntu, not surprisingly, we prioritise these vulnerabilities in our
patching process
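Because the catalogue is published as JSON, the "monitor this list and prioritise" advice above can be automated. The following is an added example (not CISA's feed tooling or Ubuntu's own process) that indexes a KEV-format document, cross-references it against a locally tracked CVE list, and reports which matches are past their due date or were added since the last check. The field names follow the public feed; the entries, dates and the local CVE list are constructed sample data, and CVE-0000-00001 is a placeholder rather than a real ID.

```python
"""Cross-reference a KEV-format catalogue against locally tracked CVEs.

Added example, not CISA's or Ubuntu's tooling. The field names (cveID,
vendorProject, product, dateAdded, dueDate, requiredAction) follow the
public KEV JSON feed; the two entries below are CONSTRUCTED sample data.
CVE-2024-4610 appears because the notes above say it is in the KEV, but the
dates given here are made up; CVE-0000-00001 is a placeholder, not a real ID.
"""
import json
from datetime import date

# Real location of the JSON feed. Fetching it is left to the caller so the
# rest of this example runs offline on the embedded sample.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-4610",
            "vendorProject": "Arm",
            "product": "Mali GPU Kernel Driver",
            "dateAdded": "2024-06-12",      # constructed date
            "dueDate": "2024-07-03",        # constructed date
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-00001",      # placeholder ID
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2024-05-01",
            "dueDate": "2024-05-22",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})

# Constructed local view: CVEs still open in our tracker (IDs from the notes above).
LOCAL_OPEN_CVES = ["CVE-2024-26582", "CVE-2024-26584", "CVE-2024-4610"]


def load_kev(text: str) -> dict:
    """Parse a KEV-format JSON document and index its entries by CVE ID."""
    doc = json.loads(text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def kev_matches(kev: dict, local_cves) -> list:
    """KEV entries for CVEs that are also open locally, earliest due date first.

    dict.fromkeys() de-duplicates while keeping the caller's order; dueDate is
    ISO YYYY-MM-DD so string order equals date order.
    """
    hits = [kev[c] for c in dict.fromkeys(local_cves) if c in kev]
    return sorted(hits, key=lambda e: e["dueDate"])


def overdue(entries, today: str) -> list:
    """IDs whose KEV due date (for federal agencies) is already behind `today`."""
    ref = date.fromisoformat(today)
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < ref]


def added_since(kev: dict, since: str) -> list:
    """IDs added to the catalogue on or after `since`, for a periodic diff."""
    ref = date.fromisoformat(since)
    return sorted(c for c, e in kev.items() if date.fromisoformat(e["dateAdded"]) >= ref)


if __name__ == "__main__":
    catalogue = load_kev(SAMPLE_KEV_JSON)
    hits = kev_matches(catalogue, LOCAL_OPEN_CVES)
    for e in hits:
        print(f"{e['cveID']}: {e['vendorProject']} {e['product']} - due {e['dueDate']} - {e['requiredAction']}")
    print("overdue as of 2024-08-01:", overdue(hits, "2024-08-01"))
    print("added since 2024-06-01:", added_since(catalogue, "2024-06-01"))
```

In practice the local list would come from the distribution's CVE tracker or a package inventory, and the `added_since` cut-off would be the timestamp of the previous run.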
Get in contact