September 24, 2021

Episode 132

17 minutes

Overview

Extended Security Maintenance gets an extension, Linux disk encryption and

authentication goes under the microscope and we cover security updates for

libgcrypt, the Linux kernel, Python, and more.

This week in Ubuntu Security Updates

20 unique CVEs addressed

[USN-5078-2] Squashfs-Tools vulnerabilities [01:02]

2 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2021-41072

CVE-2021-40153

Episode 131

[USN-5080-1, USN-5080-2] Libgcrypt vulnerabilities [01:43]

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-40528

CVE-2021-33560

Side-channel attacks against the various ElGamal implementations in

OpenPGP - https://eprint.iacr.org/2021/923 - researchers from IBM

Research Europe

Patent free public key encryption scheme - popular in OpenPGP - 1 in 6

registered OpenPGP keys have an ElGamal subkey

Various implementations of ElGamal are used in different OpenPGP

implementations - Go stdlib, Crypto++ and gcrypt

libgcrypt has previously had other side-channel vulns found and was used

in the development of FLUSH+RELOAD attack against GnuPG

This attack exploits the different configurations used in the various

implementations to use timing differences to be able to recover plaintext

Fixed to remove support for smaller key lengths and add exponent blinding

(combining the exponent with randomness to avoid it being inferred by

timing analysis)

[USN-5071-2] Linux kernel (HWE) vulnerabilities [04:11]

5 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-3612

CVE-2021-22543

CVE-2020-36311

CVE-2021-3653

CVE-2021-3656

AMD nested virtualisation vulns (Episode 130, Episode 131)

2 other KVM vulns - UAF

OOB write in joystick subsystem via a malicious ioctl()

requires a joystick device to be present

snaps joystick interface is not auto-connected by default

[USN-5071-3] Linux kernel (Raspberry Pi) vulnerabilities

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3612

CVE-2021-22543

[USN-5082-1] Linux kernel (OEM) vulnerabilities

3 CVEs addressed in Focal (20.04 LTS)

CVE-2021-3609

CVE-2021-3653

CVE-2021-3656

CAN BCM UAF (Episode 121), AMD nested virtualisation

[USN-5073-2] Linux kernel (GCP) vulnerabilities

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2021-38160

CVE-2021-3612

CVE-2021-34693

CVE-2021-3653

CVE-2021-3656

[USN-5073-3] Linux kernel (Raspberry Pi) vulnerabilities

3 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-38160

CVE-2021-3612

CVE-2021-34693

[USN-5079-3] curl vulnerabilities [06:34]

3 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-22947

CVE-2021-22946

CVE-2021-22945

Episode 131

[USN-5081-1] Qt vulnerabilities [06:49]

2 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-38593

CVE-2020-17507

2 issues in graphics / image handling

crafted XBM trigger OOB read -> crash

OOB write when rendering SVG or other crafted vector content

[USN-5083-1] Python vulnerabilities [07:22]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2021-3737

CVE-2021-3733

ReDOS - a malicious HTTP server which would send a crafted response for

BasicAuth which would cause high CPU usage in trying to match the header

value via a regex - fixed to use a simpler regex

Malicious server could cause a client to hang even if the client had set

a timeout - server sends a ‘100 Continue’ response and the client would

sit there waiting to receive more input which would never arrive (since

server is malicious)

[USN-5084-1] LibTIFF vulnerability [08:32]

1 CVEs addressed in Focal (20.04 LTS)

CVE-2020-19143

Buffer overflow via crafted TIFF file

[USN-5079-4] curl regression [08:42]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2021-22947

CVE-2021-22946

Mistake in backporting patch would cause STARTTLS to fail when used for

SMTP only - thanks for tuaris for metioning this on

https://ubuntuforums.org/showthread.php?t=2467177 but next time please

file a LP bug directly as you will get our attention much faster (and

more reliably)

Goings on in Ubuntu Security Community

Authenticated boot and disk encryption on Linux [09:28]

http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html

systemd focused review of existing FDE in general purpose Linux distros

with pointers to proposed mechanisms to implement authenticated FDE etc

Laments lack of authenticated initrd, use of TPMs etc

Proposal is quite different than traditional distros - immutable,

authenticated /usr, encrypted, authenticated /etc, /var and per-user

/home/user encryption using their own login password

UC20 already does TPM backed FDE with authentication

Ubuntu 14.04 and 16.04 ESM extended [14:16]

https://ubuntu.com/blog/ubuntu-14-04-and-16-04-lifecycle-extended-to-ten-years

Total of 10 years of support (5 LTS, 5 ESM)

RELEASE

RELEASE DATE

END OF LIFE*

Ubuntu 14.04 (Trusty Tahr)

April 2014

April 2024(from April 2022)

Ubuntu 16.04 (Xenial Xerus)

April 2016

April 2026(from April 2024)

Ubuntu 18.04 (Bionic Beaver)

April 2018

April 2028(unchanged)

Ubuntu 20.04 (Focal Fossa)

April 2020

April 2030(unchanged)

Use extra time to plan upgrades

Hiring [15:48]

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Security Product Manager

https://canonical.com/careers/2278145/security-product-manager-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

September 24, 2021

Episode 132

17 minutes

Overview

Extended Security Maintenance gets an extension, Linux disk encryption and

authentication goes under the microscope and we cover security updates for

libgcrypt, the Linux kernel, Python, and more.

This week in Ubuntu Security Updates

20 unique CVEs addressed

[USN-5078-2] Squashfs-Tools vulnerabilities [01:02]

2 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2021-41072

CVE-2021-40153

Episode 131

[USN-5080-1, USN-5080-2] Libgcrypt vulnerabilities [01:43]

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)

CVE-2021-40528

CVE-2021-33560

Side-channel attacks against the various ElGamal implementations in

OpenPGP - https://eprint.iacr.org/2021/923 - researchers from IBM

Research Europe

Patent free public key encryption scheme - popular in OpenPGP - 1 in 6

registered OpenPGP keys have an ElGamal subkey

Various implementations of ElGamal are used in different OpenPGP

implementations - Go stdlib, Crypto++ and gcrypt

libgcrypt has previously had other side-channel vulns found and was used

in the development of FLUSH+RELOAD attack against GnuPG

This attack exploits the different configurations used in the various

implementations to use timing differences to be able to recover plaintext

Fixed to remove support for smaller key lengths and add exponent blinding

(combining the exponent with randomness to avoid it being inferred by

timing analysis)

[USN-5071-2] Linux kernel (HWE) vulnerabilities [04:11]

5 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-3612

CVE-2021-22543

CVE-2020-36311

CVE-2021-3653

CVE-2021-3656

AMD nested virtualisation vulns (Episode 130, Episode 131)

2 other KVM vulns - UAF

OOB write in joystick subsystem via a malicious ioctl()

requires a joystick device to be present

snaps joystick interface is not auto-connected by default

[USN-5071-3] Linux kernel (Raspberry Pi) vulnerabilities

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3612

CVE-2021-22543

[USN-5082-1] Linux kernel (OEM) vulnerabilities

3 CVEs addressed in Focal (20.04 LTS)

CVE-2021-3609

CVE-2021-3653

CVE-2021-3656

CAN BCM UAF (Episode 121), AMD nested virtualisation

[USN-5073-2] Linux kernel (GCP) vulnerabilities

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2021-38160

CVE-2021-3612

CVE-2021-34693

CVE-2021-3653

CVE-2021-3656

[USN-5073-3] Linux kernel (Raspberry Pi) vulnerabilities

3 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-38160

CVE-2021-3612

CVE-2021-34693

[USN-5079-3] curl vulnerabilities [06:34]

3 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-22947

CVE-2021-22946

CVE-2021-22945

Episode 131

[USN-5081-1] Qt vulnerabilities [06:49]

2 CVEs addressed in Bionic (18.04 LTS)

CVE-2021-38593

CVE-2020-17507

2 issues in graphics / image handling

crafted XBM trigger OOB read -> crash

OOB write when rendering SVG or other crafted vector content

[USN-5083-1] Python vulnerabilities [07:22]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2021-3737

CVE-2021-3733

ReDOS - a malicious HTTP server which would send a crafted response for

BasicAuth which would cause high CPU usage in trying to match the header

value via a regex - fixed to use a simpler regex

Malicious server could cause a client to hang even if the client had set

a timeout - server sends a ‘100 Continue’ response and the client would

sit there waiting to receive more input which would never arrive (since

server is malicious)

[USN-5084-1] LibTIFF vulnerability [08:32]

1 CVEs addressed in Focal (20.04 LTS)

CVE-2020-19143

Buffer overflow via crafted TIFF file

[USN-5079-4] curl regression [08:42]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2021-22947

CVE-2021-22946

Mistake in backporting patch would cause STARTTLS to fail when used for

SMTP only - thanks for tuaris for metioning this on

https://ubuntuforums.org/showthread.php?t=2467177 but next time please

file a LP bug directly as you will get our attention much faster (and

more reliably)

Goings on in Ubuntu Security Community

Authenticated boot and disk encryption on Linux [09:28]

http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html

systemd focused review of existing FDE in general purpose Linux distros

with pointers to proposed mechanisms to implement authenticated FDE etc

Laments lack of authenticated initrd, use of TPMs etc

Proposal is quite different than traditional distros - immutable,

authenticated /usr, encrypted, authenticated /etc, /var and per-user

/home/user encryption using their own login password

UC20 already does TPM backed FDE with authentication

Ubuntu 14.04 and 16.04 ESM extended [14:16]

https://ubuntu.com/blog/ubuntu-14-04-and-16-04-lifecycle-extended-to-ten-years

Total of 10 years of support (5 LTS, 5 ESM)

RELEASE

RELEASE DATE

END OF LIFE*

Ubuntu 14.04 (Trusty Tahr)

April 2014

April 2024(from April 2022)

Ubuntu 16.04 (Xenial Xerus)

April 2016

April 2026(from April 2024)

Ubuntu 18.04 (Bionic Beaver)

April 2018

April 2028(unchanged)

Ubuntu 20.04 (Focal Fossa)

April 2020

April 2030(unchanged)

Use extra time to plan upgrades

Hiring [15:48]

Linux Cryptography and Security Engineer

https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Security Product Manager

https://canonical.com/careers/2278145/security-product-manager-remote

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 132

Sign up to save your podcasts

Episode 132

Episode 132