June 18, 2021

Episode 120

10 minutes

Overview

In this week’s episode we look at how to get media coverage for your shiny

new vulnerability, plus we cover security updates for ExifTool,

ImageMagick, BlueZ and more.

This week in Ubuntu Security Updates

49 unique CVEs addressed

[USN-4986-2] rpcbind vulnerability [00:44]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2017-8779

Episode 119 (bionic) - memory leak on crafted requests

[USN-4986-3, USN-4986-4] rpcbind regression [01:11]

Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

Original fix missed follow-up patches to correct problems in the upstream

fix - required multiple other bits to work correctly

[USN-4971-2] libwebp vulnerabilities [01:34]

10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2020-36331

CVE-2020-36330

CVE-2020-36329

CVE-2020-36328

CVE-2018-25014

CVE-2018-25013

CVE-2018-25012

CVE-2018-25011

CVE-2018-25010

CVE-2018-25009

Episode 118

[USN-4987-1] ExifTool vulnerability [01:50]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-22204

Was originally reported to gitlab via hackerone as exiftool is used on

image uploads to redact image metadata etc - they coordinated the fix

with exiftool upstream. RCE when parsing a malicious DjVu image - uses

perl to parse DjVu and in doing so it eval’s certain constructs without

properly validating them

[USN-4988-1] ImageMagick vulnerabilities [03:17]

34 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-20176

CVE-2020-27776

CVE-2020-27775

CVE-2020-27774

CVE-2020-27773

CVE-2020-27772

CVE-2020-27771

CVE-2020-27770

CVE-2020-27769

CVE-2020-27768

CVE-2020-27767

CVE-2020-27766

CVE-2020-27765

CVE-2020-27764

CVE-2020-27763

CVE-2020-27762

CVE-2020-27761

CVE-2020-27760

CVE-2020-27759

CVE-2020-27758

CVE-2020-27757

CVE-2020-27756

CVE-2020-27755

CVE-2020-27754

CVE-2020-27753

CVE-2020-27751

CVE-2020-27750

CVE-2020-25676

CVE-2020-25675

CVE-2020-25674

CVE-2020-25666

CVE-2020-25665

CVE-2020-19667

CVE-2017-14528

every ~30 weeks we seem to have another ImageMagick update - so that time again ;)

DoS, RCE etc

[USN-4989-1] BlueZ vulnerabilities [03:56]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3588

CVE-2020-27153

CVE-2020-26558

1 bluetooth core specification issue - during pairing a nearby attacker

could interpose on the pairing process and hence complete the pairing

instead of the intended device

2 issues in bluez code itself

double free (UAF) + OOB read

Goings on in Ubuntu Security Community

How to get media coverage for your Linux vulnerabilities [04:48]

In Episode 119 covered an update for polkit - the following day Github

published a blog post with significant details of the vuln - then we saw

a heap of media coverage

https://www.theregister.com/2021/06/11/linux_polkit_package_patched/

https://www.zdnet.com/article/nasty-linux-systemd-root-level-security-bug-revealed-and-patched/

Why did this vuln get so much coverage when lots of others don’t?

Great technical detail from a reputable and popular source (github)

Very clearly written and easy to understand

Is a simple logic error that can be triggered via a race-condition in

a privileged daemon

PoC can be implemented as a 1 line bash invocation so is also simple

to understand

c.f. a complicated memory corruption vuln or similar (ie no need to

understand memory management, heap grooming etc etc)

Or give it a cool name and logo

heartbleed was one of the first to do this and this likely helped it

get noticed and patched (plus fame/notoriety for the researchers)

Since then we have seen many (shellshock, stagefright, dirty cow,

spectre, meltdown, boothole etc) but not all vulns that get names/logos

are created equal - impact / exploitability varies greatly - so a name

and a logo doesn’t necessarily mean a vuln is critical

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

June 18, 2021

Episode 120

10 minutes

Overview

In this week’s episode we look at how to get media coverage for your shiny

new vulnerability, plus we cover security updates for ExifTool,

ImageMagick, BlueZ and more.

This week in Ubuntu Security Updates

49 unique CVEs addressed

[USN-4986-2] rpcbind vulnerability [00:44]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2017-8779

Episode 119 (bionic) - memory leak on crafted requests

[USN-4986-3, USN-4986-4] rpcbind regression [01:11]

Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

Original fix missed follow-up patches to correct problems in the upstream

fix - required multiple other bits to work correctly

[USN-4971-2] libwebp vulnerabilities [01:34]

10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2020-36331

CVE-2020-36330

CVE-2020-36329

CVE-2020-36328

CVE-2018-25014

CVE-2018-25013

CVE-2018-25012

CVE-2018-25011

CVE-2018-25010

CVE-2018-25009

Episode 118

[USN-4987-1] ExifTool vulnerability [01:50]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-22204

Was originally reported to gitlab via hackerone as exiftool is used on

image uploads to redact image metadata etc - they coordinated the fix

with exiftool upstream. RCE when parsing a malicious DjVu image - uses

perl to parse DjVu and in doing so it eval’s certain constructs without

properly validating them

[USN-4988-1] ImageMagick vulnerabilities [03:17]

34 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-20176

CVE-2020-27776

CVE-2020-27775

CVE-2020-27774

CVE-2020-27773

CVE-2020-27772

CVE-2020-27771

CVE-2020-27770

CVE-2020-27769

CVE-2020-27768

CVE-2020-27767

CVE-2020-27766

CVE-2020-27765

CVE-2020-27764

CVE-2020-27763

CVE-2020-27762

CVE-2020-27761

CVE-2020-27760

CVE-2020-27759

CVE-2020-27758

CVE-2020-27757

CVE-2020-27756

CVE-2020-27755

CVE-2020-27754

CVE-2020-27753

CVE-2020-27751

CVE-2020-27750

CVE-2020-25676

CVE-2020-25675

CVE-2020-25674

CVE-2020-25666

CVE-2020-25665

CVE-2020-19667

CVE-2017-14528

every ~30 weeks we seem to have another ImageMagick update - so that time again ;)

DoS, RCE etc

[USN-4989-1] BlueZ vulnerabilities [03:56]

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3588

CVE-2020-27153

CVE-2020-26558

1 bluetooth core specification issue - during pairing a nearby attacker

could interpose on the pairing process and hence complete the pairing

instead of the intended device

2 issues in bluez code itself

double free (UAF) + OOB read

Goings on in Ubuntu Security Community

How to get media coverage for your Linux vulnerabilities [04:48]

In Episode 119 covered an update for polkit - the following day Github

published a blog post with significant details of the vuln - then we saw

a heap of media coverage

https://www.theregister.com/2021/06/11/linux_polkit_package_patched/

https://www.zdnet.com/article/nasty-linux-systemd-root-level-security-bug-revealed-and-patched/

Why did this vuln get so much coverage when lots of others don’t?

Great technical detail from a reputable and popular source (github)

Very clearly written and easy to understand

Is a simple logic error that can be triggered via a race-condition in

a privileged daemon

PoC can be implemented as a 1 line bash invocation so is also simple

to understand

c.f. a complicated memory corruption vuln or similar (ie no need to

understand memory management, heap grooming etc etc)

Or give it a cool name and logo

heartbleed was one of the first to do this and this likely helped it

get noticed and patched (plus fame/notoriety for the researchers)

Since then we have seen many (shellshock, stagefright, dirty cow,

spectre, meltdown, boothole etc) but not all vulns that get names/logos

are created equal - impact / exploitability varies greatly - so a name

and a logo doesn’t necessarily mean a vuln is critical

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 120

Sign up to save your podcasts

Episode 120

Episode 120