September 10, 2021

Episode 130

18 minutes

Overview

This week we discuss compiler warnings as build errors in the Linux kernel,

plus we look at security updates for HAProxy, GNU cpio, PySAML2,

mod-auth-mellon and more.

This week in Ubuntu Security Updates

15 unique CVEs addressed

[USN-5051-4] OpenSSL regression [00:51]

1 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2021-3712

Episode 129

Original backport of patch contained a typo which introduced a regression

where ASN1_STRINGs would fail to print in some cases

[USN-5062-1] Linux kernel vulnerability [01:20]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2021-3653

AMD specific issue in KVM subsystem with nested virtualisation - would

fail to validate particular operations which could be performed by a

guest VM - in this case would allow a guest to enable the Advanced

Virtual Interrupt Controller for a nested VM (ie L2 VM) - this would then

allow the L2 VM to write to host memory -> code execution on the host

[USN-5063-1] HAProxy vulnerabilities [02:40]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-40346

Integer overflow in handling of header name lengths - most significant

bit of header name length could slip into the LSB of header value

length - could then craft a valid request that would inject a dummy

content-length on input, this would then be reproduced on the output as

well as the original correct header length - can then get a “blind”

request smuggling attack since the extra request bypasses ACL checking

etc

[USN-5064-1] GNU cpio vulnerability [04:13]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-38185

Integer overflow -> heap buffer overflow in the handling of pattern

files - this allows to specify a file which contains a list of patterns

to match against filenames in the cpio archive which should be

extracted - is not clear if can easily abuse this as a remote attacker

since would need to be able to supply a crafted pattern file and have

this get used but these are not often used in practice

[USN-5065-1] Open vSwitch vulnerability [05:08]

1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-36980

UAF in decoding of RAW_ENCAP actions - remote attacker could craft one ->

crash / RCE..?

[USN-5066-1, USN-5066-2] PySAML2 vulnerability [05:39]

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-21239

pysaml2 uses xmlsec1 binary to validate cryptographic signatures on SAML

documents

By default xmlsec will accept any type of key found in the document to

verify the signature - so an attacker could embed their own signature

using just a HMAC and this would get validated as correct without even

consulting the X509 cert which should be used to validate the document -

simple fix to just change the CLI arguments to xmlsec1 to specify that it

should validate based on x509 certs

[USN-5067-1] SSSD vulnerabilities [07:06]

4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-3621

CVE-2019-3811

CVE-2018-16838

CVE-2018-10852

Possible shell command injection via the sssctl binary using the

logs-fetch and cache-expire subcommands - if could trick root into

running crafted commands could then get root… - was as a result of

using the system() syscall which evaluates a string to the shell - so

allows shell command injection directly - was fixed to instead use

fork() + execvp() on an array of arguments - which doesn’t go via the

shell to run the specified subcommand

common pattern for security vulns, something we specifically look for

when auditing packages as part of the security review for MIRs

[USN-5069-1] mod-auth-mellon vulnerability [08:54]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3639

SAML2 auth module for Apache

Failed to filter URLS that start with /// - an attacker could craft a URL

that specified a particular URL via the ReturnTo parameter and this would

then automatically redirect the user to that crafted URL - so could be

used for phishing attacks that look more trustworthy. ie. an attacker

creates a phishing site that copies the victim site at their own

domain. they then send an email to a user asking them to login and they

specify a URL to the real victim site but with the ReturnTo parameter set

to their own site - a user looking at this URL will see it specifies the

real site so won’t be concerned - when they visit it they get

automatically redirected to the victim site - so if they don’t then check

the URL they will start logging into the fake phishing site and not the

real one - fixed to just reject these URLs so they don’t get abused by

the redirect process

[USN-5068-1] GD library vulnerabilities [10:24]

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-38115

CVE-2021-40145

CVE-2021-381

CVE-2017-6363

Crafted image files -> OOB read / write - crash / code exec

One in TGA handling but others in the proprietary GD/GD2 formats which

upstream say is now deprecated so shouldn’t get a CVE - recommend if you

are processing GD/GD2 image files from untrusted sources that you stop as

upstream may stop issuing updates for these / may not get CVEs

Goings on in Ubuntu Security Community

Linux kernel enables -Werror [11:33]

Initially enabled by default, in response to patches from Kees Cook @

Google which introduced a bunch of new warnings - Linus wants a clean

build

Lots of push back since this then immediately broke a heap of CI systems

as there a lots of existing bits of kernel code that generates warnings -

and depending on what config options you enable you compile different

bits of code so can see or not see various warnings - and hence different

architectures etc - even having a different locale / LANG setting can

result in different compiler warnings as Kees found due to the nature of

some of the tests

Given the huge codebase with so many different configurations is almost

impossible to test them all and find all the various warnings, let alone

actually fix them

For years folks have been trying to drive down the warnings but is still

a hard and ongoing effort

As such, ended up changing this to a suggestion from Marco Elver (also at

Google) to enable this when COMPILE_TEST is enabled - this used as a flag

to tell the kernel to compile everything even if it is not being used -

and is then often used by CI systems / developers which explicitly want

to compile everything who work on detecting new warnings

Is a lofty goal and is very useful from a security PoV and is

illustrative of many real world efforts that try and introduce static

analysis etc for an existing codebase

Immediately get a high number of ’errors’ now that need to be addressed -

was fine before? - so how to introduce these in a way that doesn’t impose

a huge upfront cost but still incentivizes fixing them over time and

allows to detect new issues

Is good to see a focus on this in a more tangible way from upstream as

compiler warnings are there for a reason and should not be ignored

Hiring

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings