Overview
Ubuntu 20.04 LTS was targeted at Tianfu Cup 2021, plus we cover security
updates for the Linux kernel, nginx, Ardour and strongSwan.
This week in Ubuntu Security Updates
[USN-5091-3] Linux kernel (Azure) regression
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-38204 CVE-2021-38199 CVE-2021-38160 CVE-2021-37576 CVE-2021-3679 CVE-2021-33624

[USN-5092-3] Linux kernel (Azure) regression [00:50]
12 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38205 CVE-2021-38204 CVE-2021-38201 CVE-2021-38199 CVE-2021-38160 CVE-2021-37576 CVE-2021-37159 CVE-2021-3679 CVE-2021-35477 CVE-2021-34556 CVE-2021-33624 CVE-2021-41073
Failure to boot on large Azure instance types - caused by a patch that got backported to the 5.14 upstream stable kernel. The patch was meant to head off possible future problems but itself caused issues on, say, the Standard_D48_v3 instance (48 vCPUs, 192GB RAM, 1.2TB storage). Dropped that patch to resolve the issue.
[USN-5109-1] nginx vulnerability [01:44]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2017-20005
Buffer overflow when handling files with modification dates a long time in the past (i.e. 1969) or very far in the future - an integer overflow in the autoindex module.
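Added illustration of the bug class behind this nginx issue, not nginx's own code: a per-entry buffer sized for a four-digit year, the way a pre-1970 (negative) timestamp can become a huge year when a converter does its arithmetic in unsigned integers (an assumption about a converter in general, not a statement about nginx's), and a bounded formatter that reports the mismatch instead of overflowing.

```c
#include <time.h>

/* Width a fixed per-entry allocation assumes for "dd-Mon-yyyy hh:mm". */
#define ASSUMED_DATE_LEN 17

/* Characters the formatted date really needs for this mtime (no NUL),
 * or -1 if the timestamp cannot be converted. */
int actual_date_len(time_t mtime) {
    char buf[64];
    struct tm *tm = gmtime(&mtime);
    if (tm == NULL) return -1;
    size_t n = strftime(buf, sizeof buf, "%d-%b-%Y %H:%M", tm);
    return n == 0 ? -1 : (int)n;
}

/* Vulnerable pattern: sprintf() into a buffer sized on ASSUMED_DATE_LEN.
 * Returns 1 when that write would run past the end (any year beyond 9999
 * does it). The overflow is only reported here, never performed. */
int fixed_width_overflows(time_t mtime) {
    int n = actual_date_len(mtime);
    return n < 0 || n > ASSUMED_DATE_LEN;
}

/* How a 1969 mtime joins the same class, assuming (not taken from nginx)
 * a converter that does its day/year arithmetic in unsigned integers: the
 * negative timestamp becomes an enormous year. Returns its digit count. */
int unsigned_year_digits(time_t mtime) {
    unsigned long long secs = (unsigned long long)mtime;    /* -1 -> 2^64-1 */
    unsigned long long year = 1970ULL + secs / 31556952ULL; /* avg secs/year */
    int digits = 0;
    do { digits++; year /= 10ULL; } while (year != 0);
    return digits;
}

/* Hardened form: strftime() enforces the bound and returns 0 when the result
 * plus NUL does not fit, so truncation is detected rather than corrupting
 * memory. Returns 1 on success, 0 otherwise. */
int format_mtime_safe(time_t mtime, char *out, size_t outsz) {
    struct tm *tm = gmtime(&mtime);
    if (tm == NULL || outsz == 0) return 0;
    if (strftime(out, outsz, "%d-%b-%Y %H:%M", tm) == 0) { out[0] = '\0'; return 0; }
    return 1;
}

/* Exercise the hardened path with a caller-chosen buffer size (max 64). */
int safe_format_fits(time_t mtime, size_t outsz) {
    char buf[64];
    if (outsz > sizeof buf) outsz = sizeof buf;
    return format_mtime_safe(mtime, buf, outsz);
}
```

The year-10000 timestamp (253402300800) needs 18 characters, one more than the assumed width, which is exactly the mismatch the hardened formatter catches.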
[USN-5110-1] Ardour vulnerability [02:22]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-22617
UAF in handling of crafted XML files - if using attacker-provided files, could lead to DoS / RCE.
[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2021-41991 CVE-2021-41990
Integer overflow when replacing certs in the cache - if an attacker can send many requests with different certs, they can fill the cache and then cause replacement of cache entries once it gets full - the LRU algorithm could then cause an integer overflow and hence an OOB write as a result.
Integer overflow in the gmp plugin - a crafted RSASSA-PSS signature in, say, a self-signed CA cert sent by an initiator.
[USN-5113-1] Linux kernel vulnerabilities [04:13]
8 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-42008 CVE-2021-40490 CVE-2021-38166 CVE-2021-3753 CVE-2021-3743 CVE-2021-3739 CVE-2021-3732 CVE-2020-3702
5.11 hirsute kernel (20.04 HWE) - overlayfs permissions handling issue, race condition -> OOB read in the VT subsystem, integer overflow in the hashtable implementation in BPF, ext4 xattrs race -> UAF, ath9k race condition -> info leak.
Goings on in Ubuntu Security Community
Tianfu Cup 2021 [05:30]
https://www.tianfucup.com/en
16-17th October - China’s own Pwn2Own
Teams required to use original vulns to hack target platforms - 1.5m USD total reward
Targets
  Docker-CE on Ubuntu 20.04 with the generic kernel, running an Ubuntu 20.04 desktop container with ssh access as root to the container, running unprivileged w/o uidmap, with a volume mount and the default bridge network - 60k USD prize
  Ubuntu 20.04 / CentOS 8 running in VMware Workstation - unprivileged user to escalate to root - 40k USD
  Ubuntu + qemu-kvm - 20.04 desktop host running 20.04 server in qemu - VM escape w/o sandbox escape - 60k USD, with sandbox escape 150k USD
3 x 5 minute attempts to run their exploits
According to media reports - Ubuntu 20.04 root privesc - 4 times, Docker-CE and qemu VM - once
Also the iPhone 13 Pro was hacked using a no-interaction RCE attack, plus Google Chrome to get kernel privesc on Windows as well
Also according to one media outlet “details unknown but vendors are expected to release patches in coming weeks” - so far no contact / details have been provided to us…
Same has happened in previous years - no details get provided to vendors so issues don’t get patched - in the past, exploits which have been showcased at Tianfu have then allegedly gone on to be used in hacking campaigns by the Chinese government
Contrast with Pwn2Own - we are invited by the organisers to watch and verify attempts in real-time to help judge whether the exploits used are actually unique and new, and then ZDI provide details immediately regarding the vulns along with PoCs so we can patch them ASAP
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter