Overview
This week we look at some new Linux kernel security features including the
Landlock LSM and Core Scheduling plus we cover security updates for
RabbitMQ, Ceph, Thunderbird and more.
This week in Ubuntu Security Updates
[USN-5004-1] RabbitMQ vulnerabilities [00:44]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-22116 CVE-2019-11287
AMQP server written in Erlang
Possible to cause the server to consume excessive memory by sending large values in the X-Reason HTTP header - resource exhaustion - DoS
Possible infinite loop - failed to perform sufficient validation - DoS
[USN-4998-1] Ceph vulnerabilities [01:38]
7 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3531 CVE-2021-3524 CVE-2021-3509 CVE-2021-20288 CVE-2020-27839 CVE-2020-27781 CVE-2020-25678
May log passwords in clear
Exposure of user credentials to unprivileged users in particular configurations
2 different XSS in ceph-dashboard
Possible to authenticate as another user since could reuse session keys
Crash radosgw through malicious GET requests with crafted swift URLs -> DoS
[USN-4995-2] Thunderbird vulnerabilities [02:22]
20 CVEs addressed in Bionic (18.04 LTS)
CVE-2021-29957 CVE-2021-29956 CVE-2021-29949 CVE-2021-29948 CVE-2021-24002 CVE-2021-23995 CVE-2021-23993 CVE-2021-23992 CVE-2021-23991 CVE-2021-23984 CVE-2021-29967 CVE-2021-29946 CVE-2021-29945 CVE-2021-23999 CVE-2021-23998 CVE-2021-23994 CVE-2021-23987 CVE-2021-23982 CVE-2021-23981 CVE-2021-23961
Episode 121
78.11.0
[USN-5000-2] Linux kernel (KVM) vulnerabilities [02:48]
15 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3506 CVE-2021-33034 CVE-2021-32399 CVE-2021-31829 CVE-2021-23134 CVE-2021-23133 CVE-2020-26147 CVE-2020-26145 CVE-2020-26141 CVE-2020-26139 CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2021-33200 CVE-2021-3609
Episode 121
KVM kernel for 20.04 LTS
2 high priority privesc issues fixed - CAN BCM UAFs, eBPF OOB write - plus various others too
[USN-4997-2] Linux kernel (KVM) vulnerabilities
17 CVEs addressed in Hirsute (21.04)
CVE-2021-3543 CVE-2021-3506 CVE-2021-33034 CVE-2021-32399 CVE-2021-31829 CVE-2021-31440 CVE-2021-23134 CVE-2021-23133 CVE-2020-26147 CVE-2020-26145 CVE-2020-26141 CVE-2020-26139 CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2021-33200 CVE-2021-3609
Goings on in Ubuntu Security Community
Landlock released in 5.13 kernel [03:49]
Allows unprivileged processes to sandbox themselves - currently only supports file paths - so can specify read/write of files/dirs etc
Took 34 revisions of the patch set and it evolved significantly over time - was originally based on attaching BPF programs to LSM hooks but given how fraught unprivileged BPF has been this was NACKd and instead went with a new approach based on a custom API with brand new system calls to support it
API is quite low-level compared to say how AppArmor policy is specified so will be interesting to see if there becomes a liblandlock in the future to make this kind of thing easier (cf. libseccomp for doing seccomp BPF programs etc)
https://lwn.net/Articles/859908/
https://landlock.io/
Core Scheduling merged for 5.14 kernel [06:43]
SMT siblings share lots of microarchitectural state like L1D cache etc - various micro-arch attacks could only be mitigated across different SMT cores - so processes which shared the same core could snoop on each other (eg. L1TF - in the context of virtualisation, a malicious guest VM could snoop on the L1D contents of another VM on the same SMT core) - so the only option was to disable SMT which brings a big performance hit
Solution is core scheduling - ie. make the scheduler aware of and respect SMT threads on the same core
Tag processes via cgroups - this defines the trust boundaries - processes in the same tagged cgroup share a trust boundary and can be scheduled on sibling SMT cores - and by default all processes are in the same group
Uses prctl() to allow setting / copying these - and can only set these on processes which you can ptrace
https://lwn.net/Articles/820321/
https://www.phoronix.com/scan.php?page=news_item&px=Core-Scheduling-Linux-Close
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter