February 25, 2021

Episode 105

17 minutes

Overview

This week we discuss security updates in Linux Mint, Google funding Linux

kernel security development and details for security updates in BIND,

OpenSSL, Jackson, OpenLDAP and more.

This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-4737-1] Bind vulnerability [00:45]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-8625

If using GSS-TSIG could be vulnerable to a DoS or possible RCE - this

option is not enabled by default BUT is often used when bind is

integrated with Samba or with a AD-DC. In Ubuntu we confine BIND with an

AppArmor profile by default isolates BIND quite tightly so helps to

mitigate any affect a possible RCE attack could have.

Was interesting to see upstream released 2 advisories that some of

their upstream version updates (e.g. 9.16.12) for this caused some

regressions as this included some new as well features - and they

specifically ended up recommended downstreams ship the prior version

(9.16.11) with just the fix for this backported - this is what we do in

Ubuntu precisely for this reason, to minimise the chance of introducing

regressions in our security updates by only backporting the patch for

the particularly vulnerability

[USN-4738-1] OpenSSL vulnerabilities [02:13]

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-23841

CVE-2021-23840

NULL ptr deref when parsing malicious issuer fields in X509

certificates - crash, DoS

Possible buffer overflow if some library functions were used in an

unlikely manner - had to specify an input length that was close to the

bounds of an integer size of the platform - so only if calling with a

buffer of INT_MAX or similar could this be an issue

[USN-4745-1] OpenSSL vulnerabilities [02:56]

2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)

CVE-2021-23841

CVE-2020-1971

NULL ptr deref above plus separate NULL pointer deref in handling of

EDIPartyNames as discussed in Episode 100

[USN-4739-1] WebKitGTK vulnerability [03:25]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-13558

UAF in audio handling - specially crafted webpage could cause an RCE on

local machine

[USN-4741-1] Jackson vulnerabilities [03:40]

3 CVEs addressed in Xenial (16.04 LTS)

CVE-2019-10172

CVE-2017-7525

CVE-2017-15095

JSON processor for Java - allows to map JSON to Java objects

Flaws in (de)serialization could expose various classes to being mapped

to the resulting input and hence allow a remote code execution attack -

fix is to deny various classes being mapped as a result

Also fixed an XML external entity issue that could also result in RCE

[USN-4740-1] Apache Shiro vulnerabilities [04:20]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-1957

CVE-2020-11989

2 different possible authentication bypass issues when using with Spring

dynamic controllers

[USN-4742-1] Django vulnerability [04:33]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-23336

Possible web-cache poisoning attack - due to difference in handling of

requests between the proxy and the server - malicious requests can be

cached as they look like safe ones due to difference in interpretation

[USN-4743-1] GDK-PixBuf vulnerability [05:06]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2021-20240

Integer underflow in GIF loader - code execution?

[USN-4744-1] OpenLDAP vulnerability [05:27]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-27212

Assertion failure could be triggered by crafted timestamp content -> crash, DoS

[USN-4467-3] QEMU regression [05:46]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-13754

In patching previous vulnerabilities in QEMU, we backported various

patches but missed some related to riscv emulation so would cause a

possible crash in this case - fixed to add missing patches to resolve

this crash issue

Goings on in Ubuntu Security Community

Linux Mint users being slow with security updates, running old versions [06:33]

https://www.zdnet.com/article/top-linux-distro-tells-users-stop-using-out-of-date-versions-update-your-software-now/

https://www.theregister.com/2021/02/23/linux_mint_team_berates_users/

https://blog.linuxmint.com/?p=4030

Blog post from lead developer Clem (Clement Lefebvre) discussing how

Linux Mint users seem to not be installing updates

Linux Mint is a Ubuntu derivative - uses the Ubuntu archives plus some of

their own repos - so in general all security updates for Ubuntu get

propagated to Linux Mint - cf. relationship between Ubuntu and Debian.

Interesting history in regards to security

In Febrary 2016, website was hacked and the link to the installer ISO

was modified to point to a malicious one with a backdoor -

https://blog.linuxmint.com/?p=2994

Recommend to turn of UEFI Secure Boot since their shim is not signed by

Microsoft

Update Manager would offer security updates but would rate them in

supposed terms of safety - so would in essence deter users from

installing some security updates - and also would not select to install

some updates which they deemed as more risky - but how did they assign

this safety level? Based more on if a component was critical to boot

(kernel/firmware would get rated as more risky) than anything to do

with the actual update itself. So was intended to help guide users BUT

created a system where users believed they were “safer” in terms of

stability, but in fact were less safe in terms of security.

This created an impression that Linux Mint either blocked security

updates or actively discouraged users from installing them -

https://distrowatch.com/weekly.php?issue=20170320#myth

These levels were removed in the 19.2 release but it seems users are

still wary

30% of users apply updates in less than a week (based on recent Firefox update)

30% of users are still running 17.x - EOLd in April 2019 - (based on

Ubuntu 14.04)

So it is not really surprising given their past history that their

userbase is wary of security updates and are perhaps putting themselves

at risk as a result by delaying installing security updates

But good to see they are now actively encouraging users to install

security updates

Use of timeshift is interesting as a mitigation against possible issues

with security updates

Also was interesting to see they published an emergency update just for

Firefox for the 17.x release to upgrade this from 66.0 to 78 ESR - so

this gives some protection but perhaps again lessens the incentive for

these users to upgrade to a newer supported release of Linux Mint

Google funds Linux kernel developers to work exclusively on security [14:20]

https://www.linuxfoundation.org/en/press-release/google-funds-linux-kernel-developers-to-focus-exclusively-on-security/

Gustavo Silva and Nathan Chancellor

Chancellor - Triaging and fixing bugs found via Clang/LLVM, CI systems

Already leading a lot of the upstream ClangBuiltLinux work

Silva - KSPP related work on eliminating bug classes - VLAs etc

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings