Overview
This week we discuss the recent high-profile vulnerability found in
libgcrypt 1.9.0, plus we look at updates for the Linux kernel, XStream,
This week in Ubuntu Security Updates
[USN-4705-2] Sudo vulnerability [00:48]
1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2021-3156
Discussed in Episode 101
[USN-4708-1] Linux kernel vulnerabilities
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-27777 CVE-2020-25669 CVE-2019-19816 CVE-2019-19813 CVE-2018-13093
[USN-4709-1] Linux kernel vulnerabilities
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-25669 CVE-2019-19816 CVE-2019-19813 CVE-2018-13093 CVE-2020-28374
[USN-4710-1] Linux kernel vulnerability
1 CVE addressed in Bionic (18.04 LTS)
CVE-2020-25704
[USN-4711-1] Linux kernel vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-25704 CVE-2020-28374
[USN-4712-1] Linux kernel regression
Affecting Focal (20.04 LTS), Groovy (20.10)
[USN-4713-1] Linux kernel vulnerability [01:31]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28374
XCOPY (extended copy) requests in the LIO SCSI target did not properly check
the permissions of the requester, so an initiator that had been granted
access to one LUN could use them to read from or write to backing stores it
had no permission for. Over iSCSI this can be exploited across the network
to reach other LUNs exported by the same target. The same issue affected
tcmu-runner, the userspace daemon that handles LIO requests in userspace
and is used for HA setups etc.
[USN-4707-1] TCMU vulnerability [02:23]
1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3139
A separate CVE was assigned, but this is the same issue as for the kernel above.
[LSN-0074-1] Linux kernel vulnerability [02:40]
4 CVEs addressed
CVE-2020-28374 CVE-2020-25645 CVE-2020-12352 CVE-2020-0427
[USN-4706-1] Ceph vulnerabilities [02:55]
4 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25660 CVE-2018-1128 CVE-2020-10753 CVE-2020-10736
[USN-4714-1] XStream vulnerabilities [03:02]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-26259 CVE-2020-26258 CVE-2020-26217
XStream is a Java library for serialising objects to and from XML. By
manipulating the processed input stream an attacker could get arbitrary
shell commands executed (CVE-2020-26217), delete arbitrary files with the
rights of the process using XStream (CVE-2020-26259), or trigger
server-side request forgery (CVE-2020-26258). All three stem from
deserialising attacker-chosen types, and XStream's own guidance is that the
reliable mitigation is its security framework with an allowlist of the
types the application actually expects, rather than relying on the default
blocklist that these fixes extend.
[USN-4715-1, USN-4715-2] Django vulnerability [03:58]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3281
Directory traversal via archives whose members have absolute paths, or
relative paths with '..' components. Django extracts such archives for
startapp and startproject when the --template argument points at one, so
this can be exploited if an attacker-controlled archive is used to
bootstrap a new Django app or project: files end up written outside the
target directory.
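The check Django had to add is the general "does this member stay inside the destination" test. The following is an added, stand-alone example of that check applied to a tar archive; it is not Django's code (Django's fix is in django/utils/archive.py) and the archives it builds are constructed in memory purely for illustration.

```python
"""Safe extraction of an untrusted archive (added example, not Django's code).

Every member name is mapped to a path under the destination before anything
is written; absolute names, names that climb out with '..', and names that
resolve to the destination directory itself are refused.
"""
import io
import os
import tarfile
import tempfile


def member_target(dest: str, name: str) -> str:
    """Return the on-disk path for an archive member, or raise ValueError.

    normpath() collapses '.' and '..' first, and commonpath() rather than
    str.startswith() is used for the containment test so that '/srv/proj'
    does not accept '/srv/project/x'. A '..' that stays inside dest
    (e.g. 'app/../x') is allowed; one that escapes is not.
    """
    dest = os.path.abspath(dest)
    candidate = os.path.normpath(os.path.join(dest, name))
    if candidate == dest or os.path.commonpath([dest, candidate]) != dest:
        raise ValueError(f"archive member {name!r} escapes {dest}")
    return candidate


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract regular files and directories only; return the files written."""
    dest = os.path.abspath(dest)
    written = []
    for m in tar.getmembers():
        target = member_target(dest, m.name)
        if m.issym() or m.islnk():
            # A link written first can redirect a later member outside dest;
            # a project template has no need for links, so refuse them.
            raise ValueError(f"refusing link member {m.name!r}")
        if m.isdir():
            os.makedirs(target, exist_ok=True)
        elif m.isfile():
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
        else:
            raise ValueError(f"unsupported member type: {m.name!r}")
    return written


def build_tar(members: dict[str, bytes]) -> bytes:
    """Build a gzip'd tar in memory from name -> content (constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def extract_template(archive: bytes, dest: str) -> list[str]:
    """Open an archive from bytes and extract it safely into dest."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return safe_extract(tar, dest)


def extract_to_tempdir(archive: bytes) -> list[str]:
    """Extract into a throwaway directory and return the files written."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_template(archive, dest)


if __name__ == "__main__":
    # Constructed hostile template: one ordinary file plus a member that
    # would land two directories above wherever the project is created.
    hostile = build_tar({"app/__init__.py": b"", "../../.bashrc": b"echo pwned\n"})
    try:
        extract_to_tempdir(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The same containment test works for zip members. On Python 3.12 and later, tarfile's extraction filters (`extractall(filter="data")`) apply equivalent rules, including the link cases this example simply refuses.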
[USN-4716-1] MySQL vulnerabilities [05:00]
25 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-2122 CVE-2021-2088 CVE-2021-2087 CVE-2021-2081 CVE-2021-2076 CVE-2021-2072 CVE-2021-2070 CVE-2021-2065 CVE-2021-2061 CVE-2021-2060 CVE-2021-2058 CVE-2021-2056 CVE-2021-2048 CVE-2021-2046 CVE-2021-2038 CVE-2021-2036 CVE-2021-2032 CVE-2021-2031 CVE-2021-2024 CVE-2021-2022 CVE-2021-2021 CVE-2021-2014 CVE-2021-2011 CVE-2021-2010 CVE-2021-2002
Latest upstream version: 8.0.23 for 20.10/20.04 LTS and 5.7.33 for 16.04 LTS/18.04 LTS
[USN-4717-1] Firefox vulnerabilities [05:32]
11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-23965 CVE-2021-23964 CVE-2021-23963 CVE-2021-23962 CVE-2021-23961 CVE-2021-23960 CVE-2021-23958 CVE-2021-23956 CVE-2021-23955 CVE-2021-23954 CVE-2021-23953
Latest upstream version: 85.0
[USN-4467-2] QEMU vulnerabilities [05:52]
6 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-14364 CVE-2020-13754 CVE-2020-13659 CVE-2020-13362 CVE-2020-13361 CVE-2020-13253
Discussed in Episode 88; a subset of those CVEs applied to the older QEMU release in 14.04 ESM and is now fixed there.
[USN-4718-1] fastd vulnerability [06:12]
1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Groovy (20.10)
CVE-2020-27638
DoS in a popular VPN daemon for embedded systems etc.
[USN-4719-1] ca-certificates update [06:28]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Updated to the latest 2.46 version of the Mozilla certificate authority bundle
[USN-4720-1] Apport vulnerabilities [06:46]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-25684 CVE-2021-25683 CVE-2021-25682
All three were discovered by Itai Greenhut and reported to us via Launchpad.
When a process crashes, Apport reads various files under /proc to obtain
information about the crashed process and prepare a crash report. Some of
those values (the process name, for one) are set by the process itself, so
an attacker who controls them could cause Apport to misbehave, fail to drop
privileges or possibly gain code execution. In this case Apport failed to
properly handle malformed contents in these files; it has been fixed to
parse them more strictly.
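The hazard is generic to any privileged helper that reads /proc entries of an unprivileged process. The following added example (not Apport's code, and not a reconstruction of the three CVEs) shows a whitespace-split parser of /proc/<pid>/stat being fooled by a process that renamed itself, beside a strict parser that anchors on the kernel's own delimiters and validates every field, plus a strict reader for /proc/<pid>/status. The sample lines are constructed, not captured from a real system.

```python
"""Strict parsing of /proc/<pid>/stat and /proc/<pid>/status.

Added illustration, not Apport's code. In /proc/<pid>/stat the process name
(comm) is the only parenthesised field and the only one that may contain
spaces or ')', so the only safe boundary is the LAST ')' on the line.
"""

VALID_STATES = set("RSDZTtWXxKPI")

# Constructed sample lines. The second is from a process that set its comm
# to "evil) R 0 1" so that a naive split sees a fake state and parent pid.
SAMPLE_STAT_NORMAL = (
    "1234 (bash) S 1 1234 1234 34816 1234 4194560 100 0 0 0 1 1 0 0 20 0 1 0 50 1000 200 0\n"
)
SAMPLE_STAT_EVIL = (
    "1234 (evil) R 0 1) S 4321 4321 4321 0 -1 4194560 100 0 0 0 1 1 0 0 20 0 1 0 50 1000 200 0\n"
)
SAMPLE_STATUS = (
    "Name:\tevil) R 0 1\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t4321\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
)


def parse_stat_naive(line: str) -> dict:
    """The tempting approach: split on whitespace and index. Wrong, because a
    comm containing spaces shifts every field that follows it."""
    parts = line.split()
    return {"pid": int(parts[0]), "comm": parts[1].strip("()"),
            "state": parts[2], "ppid": int(parts[3])}


def parse_stat_strict(line: str, expected_pid: int) -> dict:
    """Parse pid, comm, state, ppid, pgrp, session and tty_nr, validating each.

    The pid field must match the /proc directory the line came from, the
    state must be one of the kernel's single-letter codes, and the numeric
    fields must actually be integers; anything else raises ValueError.
    """
    line = line.rstrip("\n")
    open_ = line.find(" (")
    close = line.rfind(")")
    if open_ < 0 or close < open_:
        raise ValueError("stat: missing comm delimiters")
    pid_field = line[:open_]
    if not pid_field.isdigit() or int(pid_field) != expected_pid:
        raise ValueError("stat: pid field does not match the /proc entry")
    comm = line[open_ + 2:close]
    rest = line[close + 1:].split()
    if len(rest) < 5:
        raise ValueError("stat: too few fields after comm")
    state = rest[0]
    if state not in VALID_STATES:
        raise ValueError(f"stat: bad state {state!r}")
    numbers = {}
    for name, value in zip(("ppid", "pgrp", "session", "tty_nr"), rest[1:5]):
        if not value.lstrip("-").isdigit():
            raise ValueError(f"stat: non-numeric {name} {value!r}")
        numbers[name] = int(value)
    return {"pid": expected_pid, "comm": comm, "state": state, **numbers}


def parse_status(text: str) -> dict[str, list[str]]:
    """Parse /proc/<pid>/status into key -> values. Keys must be well formed
    and unique: a repeated 'Uid:' line must not silently override the first."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep or not key or any(c.isspace() for c in key) or key in fields:
            raise ValueError(f"status: malformed or duplicate line {raw!r}")
        fields[key] = value.split()
    return fields


def uids_from_status(fields: dict[str, list[str]]) -> tuple[int, int, int, int]:
    """Real, effective, saved and filesystem uid; ValueError unless the Uid
    line carries exactly four non-negative integers."""
    vals = fields.get("Uid", [])
    if len(vals) != 4 or not all(v.isdigit() for v in vals):
        raise ValueError(f"status: bad Uid line {vals!r}")
    real, effective, saved, fs = (int(v) for v in vals)
    return (real, effective, saved, fs)


if __name__ == "__main__":
    print("naive :", parse_stat_naive(SAMPLE_STAT_EVIL))
    print("strict:", parse_stat_strict(SAMPLE_STAT_EVIL, 1234))
    print("uids  :", uids_from_status(parse_status(SAMPLE_STATUS)))
```

The pid cross-check matters as much as the delimiter handling: a helper that trusts the pid printed inside the file rather than the directory it opened can be pointed at a different process entirely.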
Goings on in Ubuntu Security Community
libgcrypt 1.9.0 0-day [08:32]
https://bugs.chromium.org/p/project-zero/issues/detail?id=2145
Discovered by Tavis Ormandy of Google Project Zero (GPZ): a heap buffer
overflow (CVE-2021-3345) in libgcrypt's hash block-write code. The overflow
lets an attacker overwrite a heap structure that contains the buffer
followed by a function pointer, so code execution is relatively easy:
overwrite the function pointer with the address of attacker-controlled code
(which could sit in the initial buffer itself, or, on a system with a
non-executable heap, point at existing code). Fixed upstream in 1.9.1.
Ubuntu is not affected since the bug only exists in 1.9.0, which was released
on 19th January this year; even the current development release, Ubuntu
21.04, only contains 1.8.7.
This makes for an interesting thought experiment. If you always run the
latest release of everything, you get the newest patches automatically, but
you also get the 0-days: any unknown, unpatched vulnerabilities introduced
in the new code come along with it. If you run older releases, that newer
code isn't there, so neither are its 0-days, but you accumulate N-days if
you aren't patching. The worst case is old software that is never updated:
its vulnerabilities stay unpatched, and there has been more time both for
them to be discovered and for exploits to be developed against them. With
the latest code there is less chance that an exploit already exists for
whatever new vulnerabilities it contains, but it clearly can contain 0-days.
Constantly upgrading to the latest version is also a lot of churn, with the
attendant risk of feature regressions and other breakage. The best option,
then, is to run a known stable version and apply patches on top only for
security vulnerabilities, which is exactly the approach we take in Ubuntu :)
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter