May 14, 2021

Episode 115

12 minutes

Overview

This week we look at some details of the 90 unique CVEs addressed across the supported Ubuntu releases and more.

This week in Ubuntu Security Updates

90 unique CVEs addressed

[USN-4934-2] Exim vulnerabilities [00:41]

16 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2021-27216

CVE-2020-28025

CVE-2020-28024

CVE-2020-28022

CVE-2020-28020

CVE-2020-28017

CVE-2020-28016

CVE-2020-28015

CVE-2020-28014

CVE-2020-28013

CVE-2020-28012

CVE-2020-28011

CVE-2020-28009

CVE-2020-28008

CVE-2020-28007

CVE-2020-28026

Episode 114

[USN-4937-1] GNOME Autoar vulnerability [01:00]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-28650

Directory traversal due to failure to properly handle symlinks (result of

incomplete fix for previous CVE-2020-36241)

[USN-4936-1] Thunderbird vulnerabilities [01:47]

5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2021-29950

CVE-2021-23978

CVE-2021-23973

CVE-2021-23969

CVE-2021-23968

78.8.1

If used a PGP key but then a failure occurred, TB would keep the

decrypted key in memory - on Ubuntu we enable Yama ptrace restrictions

(ptrace_scope) - so this means processes can only ptrace their

descendents by default and hence even other user-level processes cannot

dump the memory of another process to say extract this private key

Various other CVEs inherited from Firefox

[USN-4938-1] Unbound vulnerabilities [03:21]

13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-28935

CVE-2019-25042

CVE-2019-25041

CVE-2019-25040

CVE-2019-25039

CVE-2019-25038

CVE-2019-25037

CVE-2019-25036

CVE-2019-25035

CVE-2019-25034

CVE-2019-25033

CVE-2019-25032

CVE-2019-25031

Validating, recursive DNS resolver

Remote DoS, command injection, RCE, local file overwrite etc

[USN-4939-1] WebKitGTK vulnerabilities [03:48]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-1871

CVE-2021-1844

CVE-2021-1788

1 logic issue, 2 memory corruption bugs - all leading to possible RCE

[USN-4940-1] PyYAML vulnerability [04:12]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14343

RCE when processing untrusted YAML - due to incomplete fix for previous

CVE-2020-1747 - that CVE not specifically patched in Ubuntu as either the

versions of pyyaml were too old to be affected or were based on upstream

releases that had already patched it

[USN-4941-1] Exiv2 vulnerabilities [04:35]

4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3482

CVE-2021-29470

CVE-2021-29458

CVE-2021-29457

EXIF/IPTC/XMP metadata manipulation tool

Heap buffer overflow or OOB read when writing metadata - so not so likely

to be triggered by applications that are just extracting metadata etc

Heap buffer overflow for handling EXIF in JPG images

[USN-4942-1] Firefox vulnerability [05:09]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-29952

88.0.1

Race condition on destruction of WebRender components -> UAF? -> possible RCE

[USN-4943-1] XStream vulnerabilities [05:32]

14 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-21351

CVE-2021-21350

CVE-2021-21349

CVE-2021-21348

CVE-2021-21347

CVE-2021-21346

CVE-2021-21345

CVE-2021-21344

CVE-2021-21343

CVE-2021-21342

CVE-2021-21341

CVE-2020-26259

CVE-2020-26258

CVE-2020-26217

Episode 102 - B+F - corresponding fixes for those 3 CVEs for G

Also a heap of others - denial of service, arbitrary code execution,

arbitrary file deletion and server-side forgery attacks

[USN-4944-1] MariaDB vulnerabilities [06:04]

Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

Latest upstream point releases rolling in a large number of security fixes:

Ubuntu 18.04 LTS has been updated to MariaDB 10.1.48.

Ubuntu 20.04 LTS has been updated to MariaDB 10.3.29.

Ubuntu 20.10 has been updated to MariaDB 10.3.29.

Ubuntu 21.04 has been updated to MariaDB 10.5.10.

Thanks to Otto Kekäläinen from the MariaDB foundation for contributing

and preparing these updates

[USN-4945-1] Linux kernel vulnerabilities [06:33]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29265

CVE-2021-28660

CVE-2021-28375

CVE-2021-28038

CVE-2020-25639

5.4 (standard kernel for 20.04 LTS, HWE for 18.04 LTS)

[USN-4946-1] Linux kernel vulnerabilities

9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29265

CVE-2021-29264

CVE-2021-28688

CVE-2021-28038

CVE-2021-26931

CVE-2021-26930

CVE-2021-20292

4.15 (standard kernel for 18.04 LTS, HWE for 16.04 ESM, Azure for 14.04

ESM)

[USN-4947-1] Linux kernel (OEM) vulnerabilities

5 CVEs addressed in Focal (20.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29646

CVE-2021-28375

CVE-2020-35519

5.6 (OEM for 20.04 LTS)

[USN-4948-1] Linux kernel (OEM) vulnerabilities

21 CVEs addressed in Focal (20.04 LTS)

CVE-2021-3483

CVE-2021-31916

CVE-2021-29657

CVE-2021-29650

CVE-2021-29649

CVE-2021-29647

CVE-2021-29646

CVE-2021-29266

CVE-2021-29264

CVE-2021-28972

CVE-2021-28971

CVE-2021-28964

CVE-2021-28952

CVE-2021-28951

CVE-2021-28688

CVE-2020-25672

CVE-2020-25671

CVE-2020-25670

CVE-2021-3491

CVE-2021-3490

CVE-2021-3489

5.10 (OEM for 20.04 LTS)

3 Pwn2Own vulnerabilities

Ryota Shiga - eBPF ring buffer

Manfred Paul - eBPF bounds tracking on bitwise operations

Billy Jheng Bing-Jhong - io_uring

All OOB writes + info leaks -> local priv esc + code execution as

root

[USN-4949-1] Linux kernel vulnerabilities

12 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2021-29650

CVE-2021-29646

CVE-2021-29266

CVE-2021-29265

CVE-2021-29264

CVE-2021-28375

CVE-2021-26931

CVE-2021-26930

CVE-2020-25639

CVE-2021-3491

CVE-2021-3490

CVE-2021-3489

5.8 (standard kernel for 20.10, HWE for 20.04 ESM, Azure for 14.04

ESM)

[USN-4950-1] Linux kernel vulnerabilities

3 CVEs addressed in Hirsute (21.04)

CVE-2021-3491

CVE-2021-3490

CVE-2021-3489

5.11

Plus CAN ISOTP race condition - discovered by a Norbert Slusarek (high

school student in Germany) - local privilege escalation

Introduced via recent broadcast mode support (normally a CAN socket

registers a particular CAN ID to receive and only gets those frames -

was only in 5.11 kernel so only affected hirsute) - this support has

been removed from the hirsute kernel until a proper fix comes from

upstream

[USN-4951-1] Flatpak vulnerability [10:16]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-21381

File forwarding issue which could allow an attacker to get access to

files that are not normally provided by the permissions granted to an app

Use special tokens in the Exec line of the desktop file for an app could

trick flatpak runtime into providing access to a file as though this had

been explicitly granted by the user

snapd generates desktop files so less likely to be affected by this

sort of issue - less untrusted input in general (but perhaps also less

flexible)

Goings on in Ubuntu Security Community

Hiring [11:47]

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

May 14, 2021

Episode 115

12 minutes

Overview

This week we look at some details of the 90 unique CVEs addressed across the supported Ubuntu releases and more.

This week in Ubuntu Security Updates

90 unique CVEs addressed

[USN-4934-2] Exim vulnerabilities [00:41]

16 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2021-27216

CVE-2020-28025

CVE-2020-28024

CVE-2020-28022

CVE-2020-28020

CVE-2020-28017

CVE-2020-28016

CVE-2020-28015

CVE-2020-28014

CVE-2020-28013

CVE-2020-28012

CVE-2020-28011

CVE-2020-28009

CVE-2020-28008

CVE-2020-28007

CVE-2020-28026

Episode 114

[USN-4937-1] GNOME Autoar vulnerability [01:00]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-28650

Directory traversal due to failure to properly handle symlinks (result of

incomplete fix for previous CVE-2020-36241)

[USN-4936-1] Thunderbird vulnerabilities [01:47]

5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2021-29950

CVE-2021-23978

CVE-2021-23973

CVE-2021-23969

CVE-2021-23968

78.8.1

If used a PGP key but then a failure occurred, TB would keep the

decrypted key in memory - on Ubuntu we enable Yama ptrace restrictions

(ptrace_scope) - so this means processes can only ptrace their

descendents by default and hence even other user-level processes cannot

dump the memory of another process to say extract this private key

Various other CVEs inherited from Firefox

[USN-4938-1] Unbound vulnerabilities [03:21]

13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-28935

CVE-2019-25042

CVE-2019-25041

CVE-2019-25040

CVE-2019-25039

CVE-2019-25038

CVE-2019-25037

CVE-2019-25036

CVE-2019-25035

CVE-2019-25034

CVE-2019-25033

CVE-2019-25032

CVE-2019-25031

Validating, recursive DNS resolver

Remote DoS, command injection, RCE, local file overwrite etc

[USN-4939-1] WebKitGTK vulnerabilities [03:48]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-1871

CVE-2021-1844

CVE-2021-1788

1 logic issue, 2 memory corruption bugs - all leading to possible RCE

[USN-4940-1] PyYAML vulnerability [04:12]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14343

RCE when processing untrusted YAML - due to incomplete fix for previous

CVE-2020-1747 - that CVE not specifically patched in Ubuntu as either the

versions of pyyaml were too old to be affected or were based on upstream

releases that had already patched it

[USN-4941-1] Exiv2 vulnerabilities [04:35]

4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3482

CVE-2021-29470

CVE-2021-29458

CVE-2021-29457

EXIF/IPTC/XMP metadata manipulation tool

Heap buffer overflow or OOB read when writing metadata - so not so likely

to be triggered by applications that are just extracting metadata etc

Heap buffer overflow for handling EXIF in JPG images

[USN-4942-1] Firefox vulnerability [05:09]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-29952

88.0.1

Race condition on destruction of WebRender components -> UAF? -> possible RCE

[USN-4943-1] XStream vulnerabilities [05:32]

14 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-21351

CVE-2021-21350

CVE-2021-21349

CVE-2021-21348

CVE-2021-21347

CVE-2021-21346

CVE-2021-21345

CVE-2021-21344

CVE-2021-21343

CVE-2021-21342

CVE-2021-21341

CVE-2020-26259

CVE-2020-26258

CVE-2020-26217

Episode 102 - B+F - corresponding fixes for those 3 CVEs for G

Also a heap of others - denial of service, arbitrary code execution,

arbitrary file deletion and server-side forgery attacks

[USN-4944-1] MariaDB vulnerabilities [06:04]

Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

Latest upstream point releases rolling in a large number of security fixes:

Ubuntu 18.04 LTS has been updated to MariaDB 10.1.48.

Ubuntu 20.04 LTS has been updated to MariaDB 10.3.29.

Ubuntu 20.10 has been updated to MariaDB 10.3.29.

Ubuntu 21.04 has been updated to MariaDB 10.5.10.

Thanks to Otto Kekäläinen from the MariaDB foundation for contributing

and preparing these updates

[USN-4945-1] Linux kernel vulnerabilities [06:33]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29265

CVE-2021-28660

CVE-2021-28375

CVE-2021-28038

CVE-2020-25639

5.4 (standard kernel for 20.04 LTS, HWE for 18.04 LTS)

[USN-4946-1] Linux kernel vulnerabilities

9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29265

CVE-2021-29264

CVE-2021-28688

CVE-2021-28038

CVE-2021-26931

CVE-2021-26930

CVE-2021-20292

4.15 (standard kernel for 18.04 LTS, HWE for 16.04 ESM, Azure for 14.04

ESM)

[USN-4947-1] Linux kernel (OEM) vulnerabilities

5 CVEs addressed in Focal (20.04 LTS)

CVE-2021-30002

CVE-2021-29650

CVE-2021-29646

CVE-2021-28375

CVE-2020-35519

5.6 (OEM for 20.04 LTS)

[USN-4948-1] Linux kernel (OEM) vulnerabilities

21 CVEs addressed in Focal (20.04 LTS)

CVE-2021-3483

CVE-2021-31916

CVE-2021-29657

CVE-2021-29650

CVE-2021-29649

CVE-2021-29647

CVE-2021-29646

CVE-2021-29266

CVE-2021-29264

CVE-2021-28972

CVE-2021-28971

CVE-2021-28964

CVE-2021-28952

CVE-2021-28951

CVE-2021-28688

CVE-2020-25672

CVE-2020-25671

CVE-2020-25670

CVE-2021-3491

CVE-2021-3490

CVE-2021-3489

5.10 (OEM for 20.04 LTS)

3 Pwn2Own vulnerabilities

Ryota Shiga - eBPF ring buffer

Manfred Paul - eBPF bounds tracking on bitwise operations

Billy Jheng Bing-Jhong - io_uring

All OOB writes + info leaks -> local priv esc + code execution as

root

[USN-4949-1] Linux kernel vulnerabilities

12 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2021-29650

CVE-2021-29646

CVE-2021-29266

CVE-2021-29265

CVE-2021-29264

CVE-2021-28375

CVE-2021-26931

CVE-2021-26930

CVE-2020-25639

CVE-2021-3491

CVE-2021-3490

CVE-2021-3489

5.8 (standard kernel for 20.10, HWE for 20.04 ESM, Azure for 14.04

ESM)

[USN-4950-1] Linux kernel vulnerabilities

3 CVEs addressed in Hirsute (21.04)

CVE-2021-3491

CVE-2021-3490

CVE-2021-3489

5.11

Plus CAN ISOTP race condition - discovered by a Norbert Slusarek (high

school student in Germany) - local privilege escalation

Introduced via recent broadcast mode support (normally a CAN socket

registers a particular CAN ID to receive and only gets those frames -

was only in 5.11 kernel so only affected hirsute) - this support has

been removed from the hirsute kernel until a proper fix comes from

upstream

[USN-4951-1] Flatpak vulnerability [10:16]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-21381

File forwarding issue which could allow an attacker to get access to

files that are not normally provided by the permissions granted to an app

Use special tokens in the Exec line of the desktop file for an app could

trick flatpak runtime into providing access to a file as though this had

been explicitly granted by the user

snapd generates desktop files so less likely to be affected by this

sort of issue - less untrusted input in general (but perhaps also less

flexible)

Goings on in Ubuntu Security Community

Hiring [11:47]

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 115

Sign up to save your podcasts

Episode 115

Episode 115