Sign up to save your podcasts
Or
Share Episode 133
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 133
Overview
This week we look at a Wifi lookalike attack dubbed “SSID stripping” plus
updates for ca-certificates, EDK II, Apache, the Linux kernel and even vim!
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-5086-1] Linux kernel vulnerability [00:50]
[USN-5085-1] SQL parse vulnerability [01:33]
carriage-return, newline combinations
[USN-5087-1] WebKitGTK vulnerabilities [02:18]
various operating systems - not actually against webkit directly…
[USN-5088-1] EDK II vulnerabilities [02:46]
EDK-II itself - one in the handling of Intel Boot Guard which is designed
to detect attacks against the static root of trust, in particualr
modifification of the initial boot block - an attacker with physical
access to the SPI flash chip, could get code execution after the IBB has
been validated by then injecting SPI transactions to modify the contents
of the IBB in memory
[USN-5089-1, USN-5089-2] ca-certificates update [04:34]
LetsEncrypt started they got their issuing / intermediate cert (R3)
signed by IdenTrust’s “DST Root CA X3” root certificate -
“cross-signature”
LetsEncrypt cert would fail
updates anymore, IdenTrust issued an updated cross-signature expiring in
Sept 2024 so that those Android devices would continue to trust the
issuing cert
trusted by ca-certificates - this is present on all Ubuntu back to 12.04
gnutls etc would see the cross-signature with an expiry in the future and
so return this as a valid chain to validate against - but then when
validating the full chain, it would fail as the DST Root CA X3 cert at
the root is now expired
cross-signature is seen as invalid and instead the shorter chain back to
LetsEncrypt’s own root cert is used to do the validation
[USN-5090-1, USN-5090-2, USN-5090-3, USN-5090-4] Apache HTTP Server vulnerabilities + regression [07:41]
forwarded by mod_proxy - so could lead to request splitting / cache
poising
apache itself don’t pass untrusted input to this but other 3rd party
modules might
specified in the request - SSRF
config option for mod_proxy that broke various configurations using
unix sockets - these got interpreted more like URIs and so would be
seen as invalid - broke Plesk and others - upstream then issued further
fixes which we released in a follow-up
[USN-5091-1] Linux kernel vulnerabilities [09:44]
[USN-5092-1, USN-5092-2] Linux kernel vulnerabilities [09:56]
memory - code execution
kernel memory
[USN-5094-1] Linux kernel vulnerabilities [10:39]
[USN-5093-1] Vim vulnerabilities [10:57]
UAF
Goings on in Ubuntu Security Community
SSID stripping attack against various OSes including Ubuntu [11:37]
against Windows, MacOS, iOS, Android and Ubuntu
part of the SSID name rather than the entire thing so gets confused
really a new problem
NetworkManager, gnome-shell etc)
representable format to users but then could still get lookalike names
that use these placeholder chars
credentials anyway (assuming are using WPA2-PSK since 4-way handshake
makes both the client and AP prove they know the PSK without revealing it
to each other) then is not really much of a risk
an unsecured network then there is no security anyway
Hiring [15:54]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Security Product Manager
1 week break for the Ubuntu Security Podcast
Farewell Ubuntu Podcast
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we look at a Wifi lookalike attack dubbed “SSID stripping” plus
updates for ca-certificates, EDK II, Apache, the Linux kernel and even vim!
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-5086-1] Linux kernel vulnerability [00:50]
[USN-5085-1] SQL parse vulnerability [01:33]
carriage-return, newline combinations
[USN-5087-1] WebKitGTK vulnerabilities [02:18]
various operating systems - not actually against webkit directly…
[USN-5088-1] EDK II vulnerabilities [02:46]
EDK-II itself - one in the handling of Intel Boot Guard which is designed
to detect attacks against the static root of trust, in particualr
modifification of the initial boot block - an attacker with physical
access to the SPI flash chip, could get code execution after the IBB has
been validated by then injecting SPI transactions to modify the contents
of the IBB in memory
[USN-5089-1, USN-5089-2] ca-certificates update [04:34]
LetsEncrypt started they got their issuing / intermediate cert (R3)
signed by IdenTrust’s “DST Root CA X3” root certificate -
“cross-signature”
LetsEncrypt cert would fail
updates anymore, IdenTrust issued an updated cross-signature expiring in
Sept 2024 so that those Android devices would continue to trust the
issuing cert
trusted by ca-certificates - this is present on all Ubuntu back to 12.04
gnutls etc would see the cross-signature with an expiry in the future and
so return this as a valid chain to validate against - but then when
validating the full chain, it would fail as the DST Root CA X3 cert at
the root is now expired
cross-signature is seen as invalid and instead the shorter chain back to
LetsEncrypt’s own root cert is used to do the validation
[USN-5090-1, USN-5090-2, USN-5090-3, USN-5090-4] Apache HTTP Server vulnerabilities + regression [07:41]
forwarded by mod_proxy - so could lead to request splitting / cache
poising
apache itself don’t pass untrusted input to this but other 3rd party
modules might
specified in the request - SSRF
config option for mod_proxy that broke various configurations using
unix sockets - these got interpreted more like URIs and so would be
seen as invalid - broke Plesk and others - upstream then issued further
fixes which we released in a follow-up
[USN-5091-1] Linux kernel vulnerabilities [09:44]
[USN-5092-1, USN-5092-2] Linux kernel vulnerabilities [09:56]
memory - code execution
kernel memory
[USN-5094-1] Linux kernel vulnerabilities [10:39]
[USN-5093-1] Vim vulnerabilities [10:57]
UAF
Goings on in Ubuntu Security Community
SSID stripping attack against various OSes including Ubuntu [11:37]
against Windows, MacOS, iOS, Android and Ubuntu
part of the SSID name rather than the entire thing so gets confused
really a new problem
NetworkManager, gnome-shell etc)
representable format to users but then could still get lookalike names
that use these placeholder chars
credentials anyway (assuming are using WPA2-PSK since 4-way handshake
makes both the client and AP prove they know the PSK without revealing it
to each other) then is not really much of a risk
an unsecured network then there is no security anyway
Hiring [15:54]
Linux Cryptography and Security Engineer
Security Engineer - Ubuntu
Security Product Manager
1 week break for the Ubuntu Security Podcast
Farewell Ubuntu Podcast
Get in contact