April 08, 2021

Episode 111

12 minutes

Overview

This week we look at how Ubuntu is faring at Pwn2Own 2021 (which still has

1 day and 2 more attempts at pwning Ubuntu 20.10 to go) plus we look at

security updates for SpamAssassin, the Linux kernel, Rack and Django, and

we cover some open positions on the Ubuntu Security team too.

This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-4899-1] SpamAssassin vulnerability [00:46]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-1946

Damian Lukowski - remote code execution in configuration file parser for

SpamAssassin - failed to properly sanitise certain elements of config

files so could allow an attacker to specify commands to be executed by

SpamAssassin - if not using configs from untrusted sources should be fine

[USN-4900-1] OpenEXR vulnerabilities [01:40]

6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-3479

CVE-2021-3478

CVE-2021-3477

CVE-2021-3476

CVE-2021-3475

CVE-2021-3474

Usual mix of memory corruption vulns in this image processing library -

DoS via memory consumption, integer overflow -> buffer overflow -> RCE

etc from crafted image files

[USN-4901-1] Linux kernel (Trusty HWE) vulnerabilities [02:24]

4 CVEs addressed in Precise ESM (12.04 ESM)

CVE-2021-27364

CVE-2021-27363

CVE-2020-28374

CVE-2021-27365

3.13 kernel used as the HWE kernel from 14.04 backported to 12.04 ESM

iSCSI issues from Episode 109 plus LIO SCSI XCOPY issue from Episode 102

[USN-4561-2] Rack vulnerabilities [03:27]

2 CVEs addressed in Xenial (16.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-8184

CVE-2020-8161

Modular Ruby webserver interface

Episode 93 - 18.04 LTS - now provided for remaining releases

[USN-4902-1] Django vulnerability [03:53]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-28658

Potential directory traversal via uploaded files - if using a custom

upload handler with the MultiPartParser from the django parsers

framework, could have been vulnerable - didn’t affect any of the built-in

upload parsers within django hence the low priority rating for this CVE

Goings on in Ubuntu Security Community

Ubuntu at Pwn2Own 2021 [04:47]

https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results

6th, 7th & 8th April - 23 separate entries targeting 10 different

products in the categories of Web Browsers, Virtualization, Servers,

Local Escalation of Privilege, and Enterprise

Communications (aka Zoom, MS Teams etc)

14 years - grows each year to include new targets / platforms - this year

included categories for both automotive (Tesla Model 3) and Enterprise

applications (MS Office, Adobe Reader) - but neither had any entrants

4 different teams targeted Ubuntu Desktop in local privilege escalation

category - go from a standard user to root - and pwn2own rules say this

must be via a kernel vulnerability - in this case it is an up-to-date

Ubuntu 20.10 install running inside a virtual machine

Attempts on day 1 and 2 were both successful - Ryota Shiga of Flatt

Security and Manfred Paul both used separate OOB access bugs to escalate

from a standard user to root

each earned $30,000 and 3 points in the competitions Master of Pwn

award

Tomorrow (8th) will see two more attempts by Billy from STAR Labs and

Vincent Dehors of Synacktiv - this will be live-streamed too on YouTube,

Twitch, and the conference site.

Also not just Ubuntu was exploited - so far all teams who have attempted

to exploit have been successful - Safari, MS Exchange, MS Teams, Windows

10, Parallels Desktop, Chrome, Microsoft Edge, Zoom

only exception so far is for STAR Labs who have not managed to get

their exploits working in the allotted time

More details to follow once the vulns and their fixes become public -

competition has a 90 day policy for fixes to be public but I suspect we

will see these sooner than that - regardless will look at remaining results of

other 2 teams next week as well

Hiring [10:03]

AppArmor Security Engineer

https://canonical.com/careers/2114847/apparmor-security-engineer-remote

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

April 08, 2021

Episode 111

12 minutes

Overview

This week we look at how Ubuntu is faring at Pwn2Own 2021 (which still has

1 day and 2 more attempts at pwning Ubuntu 20.10 to go) plus we look at

security updates for SpamAssassin, the Linux kernel, Rack and Django, and

we cover some open positions on the Ubuntu Security team too.

This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-4899-1] SpamAssassin vulnerability [00:46]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-1946

Damian Lukowski - remote code execution in configuration file parser for

SpamAssassin - failed to properly sanitise certain elements of config

files so could allow an attacker to specify commands to be executed by

SpamAssassin - if not using configs from untrusted sources should be fine

[USN-4900-1] OpenEXR vulnerabilities [01:40]

6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-3479

CVE-2021-3478

CVE-2021-3477

CVE-2021-3476

CVE-2021-3475

CVE-2021-3474

Usual mix of memory corruption vulns in this image processing library -

DoS via memory consumption, integer overflow -> buffer overflow -> RCE

etc from crafted image files

[USN-4901-1] Linux kernel (Trusty HWE) vulnerabilities [02:24]

4 CVEs addressed in Precise ESM (12.04 ESM)

CVE-2021-27364

CVE-2021-27363

CVE-2020-28374

CVE-2021-27365

3.13 kernel used as the HWE kernel from 14.04 backported to 12.04 ESM

iSCSI issues from Episode 109 plus LIO SCSI XCOPY issue from Episode 102

[USN-4561-2] Rack vulnerabilities [03:27]

2 CVEs addressed in Xenial (16.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-8184

CVE-2020-8161

Modular Ruby webserver interface

Episode 93 - 18.04 LTS - now provided for remaining releases

[USN-4902-1] Django vulnerability [03:53]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-28658

Potential directory traversal via uploaded files - if using a custom

upload handler with the MultiPartParser from the django parsers

framework, could have been vulnerable - didn’t affect any of the built-in

upload parsers within django hence the low priority rating for this CVE

Goings on in Ubuntu Security Community

Ubuntu at Pwn2Own 2021 [04:47]

https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results

6th, 7th & 8th April - 23 separate entries targeting 10 different

products in the categories of Web Browsers, Virtualization, Servers,

Local Escalation of Privilege, and Enterprise

Communications (aka Zoom, MS Teams etc)

14 years - grows each year to include new targets / platforms - this year

included categories for both automotive (Tesla Model 3) and Enterprise

applications (MS Office, Adobe Reader) - but neither had any entrants

4 different teams targeted Ubuntu Desktop in local privilege escalation

category - go from a standard user to root - and pwn2own rules say this

must be via a kernel vulnerability - in this case it is an up-to-date

Ubuntu 20.10 install running inside a virtual machine

Attempts on day 1 and 2 were both successful - Ryota Shiga of Flatt

Security and Manfred Paul both used separate OOB access bugs to escalate

from a standard user to root

each earned $30,000 and 3 points in the competitions Master of Pwn

award

Tomorrow (8th) will see two more attempts by Billy from STAR Labs and

Vincent Dehors of Synacktiv - this will be live-streamed too on YouTube,

Twitch, and the conference site.

Also not just Ubuntu was exploited - so far all teams who have attempted

to exploit have been successful - Safari, MS Exchange, MS Teams, Windows

10, Parallels Desktop, Chrome, Microsoft Edge, Zoom

only exception so far is for STAR Labs who have not managed to get

their exploits working in the allotted time

More details to follow once the vulns and their fixes become public -

competition has a 90 day policy for fixes to be public but I suspect we

will see these sooner than that - regardless will look at remaining results of

other 2 teams next week as well

Hiring [10:03]

AppArmor Security Engineer

https://canonical.com/careers/2114847/apparmor-security-engineer-remote

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 111

Sign up to save your podcasts

Episode 111

Episode 111