Overview
This week we look at the response from the Linux Technical Advisory Board
to the UMN Linux kernel incident, plus we cover the 21Nails Exim
vulnerabilities as well as updates for Bind, Samba, OpenVPN and more.
This week in Ubuntu Security Updates
[USN-4928-1] GStreamer Good Plugins vulnerabilities [00:40]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3498 CVE-2021-3497
UAF or heap corruption when handling crafted Matroska files - crash / RCE
[USN-4929-1] Bind vulnerabilities [01:18]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-25216 CVE-2021-25215 CVE-2021-25214
2 possible crasher bugs (failed assertions) -> DoS, 1 buffer over-read or possible overflow -> crash / RCE
[USN-4930-1] Samba vulnerability [02:08]
1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-20254
Failed to properly handle negative idmap cache entries - could then end up with incorrect group entries and as such could possibly allow a user to access / modify files they should not have access to
[USN-4931-1] Samba vulnerabilities [02:51]
4 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-20254 CVE-2020-14383 CVE-2020-14323 CVE-2020-14318
negative idmap cache entries issue plus some older vulns (Episode 95)
[LSN-0076-1] Linux kernel vulnerability [03:03]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-29154 CVE-2021-3493
2 local user privesc vulns fixed:
BPF JIT branch displacement issue (Episode 112)
Overlayfs / file system capabilities interaction
[USN-4918-3] ClamAV regression [03:52]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-1405 CVE-2021-1404 CVE-2021-1252
Previous clamav update (back in April) introduced a regression where clamdscan would crash if called with --multiscan and --fdpass AND you had an ExcludePath configured in the configuration - backported the upstream commit from the development branch to fix this
[USN-4932-1] Django vulnerability [04:30]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-31542
Directory traversal via uploaded files with crafted names
[USN-4933-1] OpenVPN vulnerabilities [04:47]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2020-15078 CVE-2020-11810
CVE-2020-11810: Race condition in handling of data packets could allow an attacker to inject a packet using a victim's peer-id before the crypto channel is properly initialised - could cause the victim's connection to be dropped (DoS) but doesn't appear to expose any sensitive info etc
CVE-2020-15078: Attackers could possibly bypass auth on control channel and hence leak info
[USN-4934-1] Exim vulnerabilities [05:39]
21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-27216 CVE-2020-28026 CVE-2020-28025 CVE-2020-28024 CVE-2020-28023 CVE-2020-28022 CVE-2020-28021 CVE-2020-28020 CVE-2020-28019 CVE-2020-28018 CVE-2020-28017 CVE-2020-28016 CVE-2020-28015 CVE-2020-28014 CVE-2020-28013 CVE-2020-28012 CVE-2020-28011 CVE-2020-28010 CVE-2020-28009 CVE-2020-28008 CVE-2020-28007
Qualys - 21Nails - various vulns which could be chained together to get full remote unauthenticated RCE and root privesc
Full write-up
Possibly 60% of internet mail servers run exim and 4 million are publicly accessible
Previously has been a target of Sandworm
In the process of preparing the updates for 16.04 / 14.04 ESM - expect them to be available in the next day or 2, so most likely they will already be out by the time you are listening to this
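Going back to the Django entry (USN-4932-1, CVE-2021-31542) above: the bug class is an upload handler that trusts the filename the client sends in the multipart request, so a name containing ".." segments lands outside the upload directory. The snippet below is an added illustration written for these notes, not Django's code or Django's fix; the upload root, the crafted filenames and the rejection rules are constructed for the example. It shows the vulnerable join beside a hardened version that keeps only the final path component, rejects empty and dot-only names, and then re-checks that the result still resolves under the upload root.

```python
import posixpath

# Hypothetical upload root used only for this illustration (not from the advisory).
UPLOAD_ROOT = "/srv/app/media/uploads"


def naive_destination(upload_root, client_filename):
    """Vulnerable pattern: join the client-controlled filename straight onto the
    upload root. Any '..' segments in the name walk out of the directory."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))


def stays_under(root, path):
    """True if `path` (an absolute, normalized path) is `root` or lies beneath it."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, posixpath.normpath(path)]) == root


def safe_destination(upload_root, client_filename):
    """Hardened pattern: reduce the client name to a bare basename, refuse names
    that are empty or pure dot segments, then verify the result is still inside
    the upload root before handing it to the storage layer."""
    # Treat both separator styles as directory separators and keep only the last
    # component, so '..\\..\\x' and '../../x' both collapse to 'x'.
    basename = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if basename in ("", ".", ".."):
        raise ValueError("refusing upload filename %r" % client_filename)
    dest = posixpath.normpath(posixpath.join(upload_root, basename))
    # Belt and braces: if anything still escaped the root, refuse it.
    if not stays_under(upload_root, dest):
        raise ValueError("upload filename %r escapes %s" % (client_filename, upload_root))
    return dest


def demo():
    """Run both handlers over constructed attacker-style filenames (the kind of
    value that arrives in a Content-Disposition header). Returns a dict of
    name -> (naive path, naive path inside root?, safe path or rejection)."""
    crafted = [
        "report.pdf",
        "../../../../etc/cron.d/backdoor",
        "..\\..\\win.ini",
        "..",
        "dir/../..",
    ]
    results = {}
    for name in crafted:
        naive = naive_destination(UPLOAD_ROOT, name)
        try:
            safe = safe_destination(UPLOAD_ROOT, name)
        except ValueError as exc:
            safe = "REJECTED: %s" % exc
        results[name] = (naive, stays_under(UPLOAD_ROOT, naive), safe)
    return results


if __name__ == "__main__":
    for name, (naive, inside, safe) in demo().items():
        print("%-34r naive=%s (%s)  safe=%s"
              % (name, naive, "inside" if inside else "ESCAPED", safe))
```

The naive handler turns "../../../../etc/cron.d/backdoor" into "/etc/cron.d/backdoor", which is exactly the write-anywhere primitive a traversal gives an attacker; the hardened one reduces it to "/srv/app/media/uploads/backdoor". Note that the containment check alone is not enough: a bare ".." normalizes to a directory that is outside the root (caught), but a backslash-separated name is a single component to a POSIX path library and only becomes a traversal on a Windows filesystem, which is why the basename step also treats backslashes as separators.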
[USN-4935-1] NVIDIA graphics drivers vulnerabilities [07:58]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-1077 CVE-2021-1076
Not much detail from NVIDIA
improper access control -> DoS, infoleak or data corruption -> privesc etc
incorrect use of reference counting -> DoS (crash?) (UAF?)
Goings on in Ubuntu Security Community
Linux Technical Advisory Board response to UMN incident [08:56]
Covered in Episode 113
https://lore.kernel.org/lkml/202105051005.49BFABCE@keescook/
Kees Cook (previously inaugural Tech Lead of Ubuntu Security Team) posted to LKML the TAB's report (various folks from across the Linux Kernel community, including from Red Hat, Google, Canonical and others)
Detailed timeline of events, identification of the "hypocrite" commits in question
Recommendations going forward
UMN must improve quality of their submissions since even for a lot of what were good-faith patches, they actually had issues and either didn't fix the purported issue or tried to fix a non-issue
TAB will create a best-practices document for all research groups when working with the kernel or other open source projects
Hiring [11:36]
AppArmor Security Engineer
https://canonical.com/careers/2114847/apparmor-security-engineer-remote
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter