Overview
Ubuntu One opens up two-factor authentication for all, plus we cover
security updates for Nettle, libxml2, GRUB2, the Linux kernel and more.
This week in Ubuntu Security Updates
[USN-4989-2] BlueZ vulnerabilities [00:57]
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2020-27153 CVE-2020-26558
Episode 120 - Bluetooth spec issue around pairing takeover, plus a possible double-free in gatttool that is likely quite hard to exploit due to the time window race between the two free() calls
[USN-4990-1] Nettle vulnerabilities [01:27]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2018-16869 CVE-2021-3580
Low-level crypto library used by lots of packages - chrony, dnsmasq, lighttpd, qemu, squid, supertuxkart
Last covered just a few weeks ago in Episode 112 - is someone taking a closer look at this library?
Bleichenbacher-type side-channel based on a padding oracle in the endian conversion of RSA-decrypted PKCS#1 v1.5 data - requires the attacker to run a process on the same physical core as the victim, but could then allow the plaintext to be extracted
RSA algorithm possible crash which can be triggered on decryption of manipulated ciphertext
Changes required for both of these are too intrusive to backport for the older releases (e.g. 16.04 ESM), so the suggestion is to upgrade to a newer Ubuntu release if you are using nettle on these older releases and are concerned about possible attacks
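The endian-conversion leak described above, as an added illustration that is not nettle's own code: a minimal-length big-endian export drops leading zero bytes, so the length of the converted value (and every loop and branch that follows) reveals whether the secret plaintext's top byte was 0x00, which is the one bit a Bleichenbacher padding oracle needs. The fixed-length variant keeps the buffer at the modulus size and computes the padding check as a mask. The modulus size k, the 16-byte message and the PS contents are constructed for the example; Python itself gives no constant-time guarantees, so only the structure (fixed lengths, fixed trip counts, no early exit on secret data) carries over to C.

```python
import secrets


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x02 || PS || 0x00 || msg (RFC 8017 7.2.1) for a k-byte modulus.
    PS is random, contains no zero bytes and is at least 8 bytes long."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def leaky_export(m: int) -> bytes:
    """Minimal-length big-endian export of the decrypted integer, as an
    mpz_export-style routine produces it: leading zero bytes are dropped, so the
    length of the result already tells whether the secret top byte was 0x00."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def leaky_unpad(m: int, k: int):
    """Variable-time unpadding: the buffer length, the early exits and the scan
    for the separator all depend on the secret value m."""
    em = leaky_export(m)
    if len(em) != k - 1 or em[0] != 0x02:   # branches on secret-derived data
        return None
    sep = em.find(b"\x00", 1)               # scan length depends on m as well
    if sep < 9:                              # PS must be at least 8 bytes
        return None
    return em[sep + 1:]


def ct_unpad(m: int, k: int, msg_len: int):
    """Fixed-length export plus a check with no data-dependent branches, for a
    message whose length is known in advance (e.g. a 48-byte TLS premaster secret).
    Returns (good, candidate): good is 1 or 0, candidate is always msg_len bytes,
    so the caller can substitute a random value on failure without branching."""
    sep = k - 1 - msg_len                    # fixed position of the 0x00 separator
    if sep - 2 < 8:                          # public parameters, a plain check is fine
        raise ValueError("msg_len too large for modulus")
    em = m.to_bytes(k, "big")                # always k bytes, leading zeros kept
    bad = em[0] | (em[1] ^ 0x02) | em[sep]   # non-zero if any framing byte is wrong
    for i in range(2, sep):                  # fixed trip count
        bad |= ((em[i] - 1) >> 8) & 1        # 1 iff em[i] == 0 (PS may not contain zeros)
    good = ((bad - 1) >> 8) & 1              # 1 iff bad == 0, computed without a branch
    return good, em[sep + 1:]


if __name__ == "__main__":
    k = 64                                   # 512-bit modulus, constructed for the demo
    em = pkcs1_v15_pad(b"secret premaster", k)
    m = int.from_bytes(em, "big")            # what RSA decryption of a valid ciphertext yields
    m_bad = m | (1 << (8 * k - 1))           # same value with a non-zero top byte
    print("leaky export length, valid padding:", len(leaky_export(m)))      # k - 1
    print("leaky export length, invalid padding:", len(leaky_export(m_bad)))  # k
    print("ct_unpad valid:", ct_unpad(m, k, 16))
    print("ct_unpad invalid:", ct_unpad(m_bad, k, 16)[0])
```

The oracle here is the length difference (k-1 versus k bytes) and the branches taken on it; an attacker sharing the physical core observes it through cache and timing effects rather than the return value, which is why the fix has to remove the data-dependent work rather than just hide the error code.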
[USN-4991-1] libxml2 vulnerabilities [03:08]
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-3541 CVE-2021-3537 CVE-2021-3518 CVE-2021-3516 CVE-2021-3517 CVE-2020-24977 CVE-2019-20388 CVE-2017-8872
Crafted XML could possibly trigger a crash -> DoS or RCE
[USN-4992-1] GRUB 2 vulnerabilities [03:33]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20233 CVE-2021-20225 CVE-2020-27779 CVE-2020-27749 CVE-2020-25632 CVE-2020-14372
Episode 106 - BootHole 2021 updates published to the security pocket
Vulns included the ability to load ACPI tables, UAF in rmmod, buffer overflow in the command-line parser, cutmem command boot locking bypass, heap buffer overflow in the option parser and menu rendering OOB write -> RCE -> all could lead to a bypass of Secure Boot protections
Includes one grub - i.e. the same grub EFI binary is used across all recent Ubuntu releases
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
[USN-4993-1] Dovecot vulnerabilities [05:13]
2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-33515 CVE-2021-29157
STARTTLS plaintext command injection vuln via SMTP, plus, if a local attacker could write files to the disk, they could supply their own keys to validate their own supplied JSON Web Token and hence log in as any other user and access their emails if using OAUTH2
[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-30641 CVE-2021-26691 CVE-2021-26690 CVE-2020-35452 CVE-2020-13950
Various DoS issues where, under certain configurations, an attacker could issue particular requests and trigger various crashes in Apache
[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-3605 CVE-2021-3598 CVE-2021-26260 CVE-2021-23215 CVE-2021-20296
Usual mix of issues for a library which is written in a memory-unsafe language and handles complex image formats etc.
Courtesy of OSS-Fuzz
[USN-4995-1] Thunderbird vulnerabilities [06:48]
20 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-29957 CVE-2021-29956 CVE-2021-29949 CVE-2021-29948 CVE-2021-24002 CVE-2021-23995 CVE-2021-23993 CVE-2021-23992 CVE-2021-23991 CVE-2021-23984 CVE-2021-29967 CVE-2021-29946 CVE-2021-29945 CVE-2021-23999 CVE-2021-23998 CVE-2021-23994 CVE-2021-23987 CVE-2021-23982 CVE-2021-23981 CVE-2021-23961
78.11.0 - usual mix of untrusted content/web framework issues inherited from Firefox, plus fixes for OpenPGP key handling, a message signature TOCTTOU-type condition due to writing out signatures to disk that could then be replaced before being verified, and a UX issue in the display of inline signed/encrypted messages with additional unprotected parts
[USN-4997-1] Linux kernel vulnerabilities [08:22]
17 CVEs addressed in Hirsute (21.04)
CVE-2021-3543 CVE-2021-3506 CVE-2021-33034 CVE-2021-32399 CVE-2021-31829 CVE-2021-31440 CVE-2021-23134 CVE-2021-23133 CVE-2020-26147 CVE-2020-26145 CVE-2020-26141 CVE-2020-26139 CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2021-33200 CVE-2021-3609
5.11
Basically the same set of fixes for all kernels, including a couple of quite interesting ones:
eBPF verifier bypass provides an OOB write primitive, could allow a local attacker to perform code execution in the kernel -> privesc
Race condition in the CAN BCM networking protocol -> various UAFs -> code execution as well
Plus others -> WiFi FragAttacks fixes, other eBPF verifier fixes, SCTP race condition -> UAF etc.
[USN-4999-1] Linux kernel vulnerabilities [09:51]
17 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-31829 CVE-2021-31440 CVE-2021-29155 CVE-2021-23133 CVE-2020-26147 CVE-2020-26145 CVE-2020-26141 CVE-2020-26139 CVE-2020-25673 CVE-2020-25672 CVE-2020-25671 CVE-2020-25670 CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2021-33200 CVE-2021-3609
5.8 (groovy, focal hwe)
[USN-5000-1] Linux kernel vulnerabilities [10:08]
15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3506 CVE-2021-33034 CVE-2021-32399 CVE-2021-31829 CVE-2021-23134 CVE-2021-23133 CVE-2020-26147 CVE-2020-26145 CVE-2020-26141 CVE-2020-26139 CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2021-33200 CVE-2021-3609
5.4 (focal, bionic hwe)
[USN-5001-1] Linux kernel (OEM) vulnerabilities
15 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3543 CVE-2021-3506 CVE-2021-33034 CVE-2021-32399 CVE-2021-31440 CVE-2021-23134 CVE-2021-23133 CVE-2020-26147 CVE-2020-26145 CVE-2020-26141 CVE-2020-26139 CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2021-3609
5.10
[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]
1 CVE addressed in Bionic (18.04 LTS)
CVE-2021-3609
5.3
CAN BCM
[USN-5003-1] Linux kernel vulnerabilities [10:35]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-23133 CVE-2021-3600 CVE-2021-3609
4.15 (bionic, xenial esm hwe, trusty esm azure)
CAN BCM and eBPF verifier OOB write
Goings on in Ubuntu Security Community
2FA coming to Ubuntu One [11:04]
https://ubuntu.com/blog/two-factor-authentication-coming-to-ubuntu-one
Used for access to discourse.ubuntu.com, Launchpad, ubuntuforums, publishers on the Snap Store etc.
Allows the use of a phone / desktop TOTP app as the second factor, or Yubikey TOTP etc.
Has actually been supported since 2014 but was only available to a beta testing group plus all Canonical employees, due to challenges in account recovery
Since Ubuntu One purposefully doesn't store any real identifying information (name, email, username) we can't easily verify account holders if they lose the 2FA device
The intent is to be robust even in the event that a user's email address is compromised
Now has a comprehensive code recovery experience including printable backup codes and mechanisms in place to encourage users to exercise their backup codes, so that users can feel confident in using these if they need to (i.e. where did I put my backup codes again..?)
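The two mechanisms discussed above, a TOTP second factor and single-use backup codes for recovery, as an added example that is not Ubuntu One's implementation: RFC 6238 TOTP over HMAC-SHA1 with a small drift window and a replay guard on the accepted counter, plus backup codes that are shown once and kept only as salted slow hashes, removed on first use. The key, step size, code count and the 10-hex-character backup code format are assumptions chosen for the example; the test vectors in the usage block are the RFC 6238 SHA-1 vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


class SecondFactor:
    """Server-side 2FA state for one account: TOTP secret, replay guard, hashed backup codes."""

    STEP = 30

    def __init__(self, key: bytes, n_backup: int = 8):
        self.key = key
        self.last_counter = -1                      # highest counter already accepted
        self.salt = secrets.token_bytes(16)         # per-account salt for the backup-code hashes
        # Plaintext codes exist only to be shown/printed once at enrolment.
        self.backup_codes = [secrets.token_hex(5) for _ in range(n_backup)]
        self._backup_hashes = [self._hash_backup(c) for c in self.backup_codes]

    def _hash_backup(self, code: str) -> bytes:
        # 40-bit codes are brute-forceable against a fast hash, so use a slow one.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 50_000)

    def verify_totp(self, code: str, now: Optional[int] = None, window: int = 1) -> bool:
        """Accept the code for the current step or +/- window steps (clock drift),
        but never for a counter at or below one that was already used (RFC 6238 5.2)."""
        if now is None:
            now = int(time.time())
        counter = now // self.STEP
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        """Single use: a matching backup code is deleted so it cannot be replayed."""
        candidate = self._hash_backup(code)
        for i, stored in enumerate(self._backup_hashes):
            if hmac.compare_digest(candidate, stored):
                del self._backup_hashes[i]
                return True
        return False

    def remaining_backup_codes(self) -> int:
        return len(self._backup_hashes)


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"              # RFC 6238 Appendix B test secret
    for t, expected in [(59, "287082"), (1111111109, "081804"), (1234567890, "005924")]:
        print(t, totp(rfc_key, t), "expected", expected)
    sf = SecondFactor(rfc_key, n_backup=3)
    print("backup codes to print:", sf.backup_codes)
    print("first use:", sf.verify_backup(sf.backup_codes[0]))
    print("replay:", sf.verify_backup(sf.backup_codes[0]))
```

The replay guard is what turns "something you have" into a single-use proof: without it a TOTP code phished or shoulder-surfed inside the 30-second window is as good as the device. Backup codes are a deliberate weakening of that property for recovery, which is why they are single-use and hashed like passwords rather than stored alongside the TOTP seed.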
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter