Overview
The road to Ubuntu 22.04 LTS begins, so we look at some of its planned features, plus we cover security updates for the Linux kernel, Mailman, Apport, PHP, Bind and more.
This week in Ubuntu Security Updates
[USN-5114-1] Linux kernel vulnerabilities [01:15]
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-42008 CVE-2021-40490 CVE-2021-38198 CVE-2020-3702
4.15 + HWE on ESM
Race in ath9k -> could fail to properly encrypt traffic -> info leak
KVM shadow page perms -> local user DoS
ext4 race in xattr handling -> local DoS / priv-esc
6pack driver validation failure -> DoS / code-exec
[USN-5115-1] Linux kernel (OEM) vulnerabilities [02:19]
16 CVEs addressed in Focal (20.04 LTS)
CVE-2021-42008 CVE-2021-40490 CVE-2021-38205 CVE-2021-38204 CVE-2021-38166 CVE-2021-3759 CVE-2021-3753 CVE-2021-3743 CVE-2021-3739 CVE-2021-3732 CVE-2021-37159 CVE-2021-3679 CVE-2021-35477 CVE-2021-34556 CVE-2021-33624 CVE-2020-3702
5.10 OEM
As above plus various BPF hardening fixes against Spectre-like attacks, fixes for security issues in the tracing subsystem, overlayfs, btrfs, the Qualcomm IPC router, and a Xilinx ethernet driver info leak
[USN-5116-1, USN-5116-2] Linux kernel vulnerabilities [02:55]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-42008 CVE-2021-40490 CVE-2021-38205 CVE-2021-38198 CVE-2021-3732 CVE-2020-3702
5.4 + KVM + Bionic HWE + clouds (AWS, Azure, GCP, GKE, IBM, Oracle + RPi)
Race in ath9k -> could fail to properly encrypt traffic -> info leak
KVM shadow page perms -> local user DoS
ext4 race in xattr handling -> local DoS / priv-esc
6pack driver validation failure -> DoS / code-exec
overlayfs + Xilinx
[USN-5117-1] Linux kernel (OEM) vulnerabilities [03:29]
4 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3759 CVE-2021-3753 CVE-2021-3743 CVE-2021-3739
5.13 OEM
btrfs, Qualcomm IPC, VT IOCTL handling, memory leak in IPC object handling
[USN-5120-1] Linux kernel (Azure) vulnerabilities [03:40]
9 CVEs addressed in Focal (20.04 LTS)
CVE-2021-40490 CVE-2021-38207 CVE-2021-38199 CVE-2021-3759 CVE-2021-3612 CVE-2021-22543 CVE-2020-36311 CVE-2020-26541 CVE-2019-19449
5.8 Azure
[USN-5119-1] libcaca vulnerabilities [03:53]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
CVE-2021-30499 CVE-2021-30498
Text mode graphics handling library
2 buffer overflows -> crash / code exec in the handling of TGA images and when exporting to troff format
[USN-5121-1, USN-5121-2] Mailman vulnerabilities [04:24]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), 5 CVEs addressed in Focal (20.04 LTS)
CVE-2021-42096 CVE-2021-42097 CVE-2020-12137 (20.04 LTS only) CVE-2020-15011 (20.04 LTS only) CVE-2020-12108 (20.04 LTS only)
2 different CSRF attacks against Mailman - in the first, it failed to properly associate CSRF tokens with accounts - could be used to take over another account
In the second, the CSRF tokens which are generated are derived from the admin password - could then allow a remote attacker to use this to help brute-force guess the admin password
In both cases the attacker needs to already be an existing list member and be logged in to mount the attacks
For Focal also included a couple of medium priority vulns (don't affect older versions):
Possible arbitrary content injection in 2 different ways which allow content to be provided by an attacker as POST parameters to form handling scripts, which will then be incorporated into the page shown to a user
So could allow an attacker to, say, inject a URL to be displayed on a legitimate Mailman admin page instance which an unsuspecting user may then follow thinking this is trusted etc.
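To make the two token weaknesses above concrete, here is an added illustration (not Mailman's own code, and not a description of Mailman's fix): a token that is a pure function of the admin password, checked without regard to the account it was issued for, beside a construction that is random per issue and bound to one account by an HMAC under a server-side secret. All names, the secret and the password are constructed for the example.

```python
"""Added illustration (not Mailman's code) of the two CSRF-token weaknesses
described in USN-5121 and of an account-bound alternative.
Every value below is constructed for the example."""
import hashlib
import hmac
import secrets


def weak_token_from_password(admin_password: str) -> str:
    """Token derived purely from the admin password (second weakness).

    Every account and every session gets the same value, and because it is a
    pure function of the password, any list member who can read their own
    token holds something that can be compared against password guesses."""
    return hashlib.sha1(admin_password.encode()).hexdigest()


def weak_check(token: str, admin_password: str) -> bool:
    """Verifier for the weak scheme.  It never asks which account the token
    was issued to (first weakness), so a token obtained for one account is
    accepted when presented in a request acting on another."""
    expected = weak_token_from_password(admin_password).encode()
    return hmac.compare_digest(token.encode(), expected)


class AccountBoundTokens:
    """CSRF tokens bound to an account with a server-side secret.

    token = nonce "." HMAC-SHA256(secret, account || NUL || nonce)
    The nonce is fresh per issue, so the token carries no information about
    any password, and the MAC ties it to exactly one account name."""

    def __init__(self, server_secret: bytes):
        if len(server_secret) < 32:
            raise ValueError("server secret should be at least 256 bits")
        self._secret = server_secret

    def _mac(self, account: str, nonce: str) -> str:
        msg = account.encode() + b"\0" + nonce.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, account: str) -> str:
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(account, nonce)}"

    def verify(self, account: str, token: str) -> bool:
        nonce, sep, mac = token.partition(".")
        if not sep:
            return False
        expected = self._mac(account, nonce).encode()
        return hmac.compare_digest(mac.encode(), expected)


if __name__ == "__main__":
    admin_pw = "constructed-example-password"   # placeholder, not a real secret
    t_weak = weak_token_from_password(admin_pw)
    print("weak token, no account check:", weak_check(t_weak, admin_pw))

    store = AccountBoundTokens(secrets.token_bytes(32))
    t_alice = store.issue("alice")
    print("alice's token used as alice:", store.verify("alice", t_alice))
    print("alice's token used as bob:  ", store.verify("bob", t_alice))
```

In a real deployment the server secret is persisted rather than generated per process, and the token would also be tied to the login session and given an expiry; the point of the example is only the account binding and the independence from the admin password.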
[USN-5122-1, USN-5122-2] Apport vulnerability [05:41]
Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
Could trick Apport into writing core files into arbitrary directories - these could then, say, be interpreted by other root-level applications to escalate privileges
Changed Apport to write core files to a known location, /var/lib/apport/coredump
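The fix above is an instance of a general pattern: a privileged handler that writes files should derive the destination only from values it controls and confine it to one fixed directory. The following added example (not Apport's code; the function names and the `core.<name>.<pid>` naming are assumptions for the illustration) shows that pattern, using the /var/lib/apport/coredump location named in the USN as the default and refusing to follow a pre-planted symlink at the target.

```python
"""Added example (not Apport's code): confine core-file writes to one fixed
directory, the principle behind the USN-5122 fix.  Neither the crashing
process's working directory nor a crafted executable name may steer the
file elsewhere, and an existing file or symlink at the target is never
overwritten or followed."""
import os
import tempfile
from pathlib import PurePosixPath

COREDUMP_DIR = "/var/lib/apport/coredump"  # location named in the USN


def core_file_path(exe_name: str, pid: int, base_dir: str = COREDUMP_DIR) -> str:
    """Return the only path a core file for exe_name/pid may be written to.

    Only the final path component of exe_name is used, the PID is forced to
    an int, and the result is normalised and checked to lie under base_dir.
    Raises ValueError for anything that cannot be confined."""
    name = PurePosixPath(exe_name).name
    if not name or name in (".", "..") or "\0" in name:
        raise ValueError(f"unusable executable name: {exe_name!r}")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, f"core.{name}.{int(pid)}"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {candidate}")
    return candidate


def write_core(data: bytes, exe_name: str, pid: int, base_dir: str = COREDUMP_DIR) -> str:
    """Create the core file with O_EXCL|O_NOFOLLOW and mode 0600.

    O_EXCL makes a pre-existing file (planted by someone else) an error
    instead of a target, and O_NOFOLLOW refuses a symlink at the path.
    Returns the path written."""
    path = core_file_path(exe_name, pid, base_dir)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        view = memoryview(data)
        while view:                      # os.write may write less than asked
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    return path


def self_check() -> bool:
    """Exercise write_core in a scratch directory standing in for the real
    core directory: the file must land there with mode 0600, and a second
    write to the same path must be refused rather than overwrite it."""
    with tempfile.TemporaryDirectory() as scratch:
        path = write_core(b"constructed core bytes", "/usr/bin/python3", 4242, scratch)
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o600
        in_dir = os.path.dirname(path) == os.path.normpath(scratch)
        try:
            write_core(b"again", "/usr/bin/python3", 4242, scratch)
            refused = False
        except FileExistsError:
            refused = True
    return mode_ok and in_dir and refused


if __name__ == "__main__":
    print(core_file_path("/usr/bin/python3", 4242))
    for bad in ("..", "", "../../etc/cron.d/x"):
        try:
            print(repr(bad), "->", core_file_path(bad, 1))
        except ValueError as e:
            print(repr(bad), "-> rejected:", e)
    print("self check:", self_check())
```

Note that "../../etc/cron.d/x" is not rejected but neutralised: only the basename "x" survives into the file name, so the directory part of a crafted name has no influence on where the file lands.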
[USN-5123-1, USN-5123-2] MySQL vulnerabilities [06:25]
43 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
CVE-2021-35648 CVE-2021-35647 CVE-2021-35646 CVE-2021-35645 CVE-2021-35644 CVE-2021-35643 CVE-2021-35642 CVE-2021-35641 CVE-2021-35640 CVE-2021-35639 CVE-2021-35638 CVE-2021-35637 CVE-2021-35636 CVE-2021-35635 CVE-2021-35634 CVE-2021-35633 CVE-2021-35632 CVE-2021-35631 CVE-2021-35630 CVE-2021-35628 CVE-2021-35627 CVE-2021-35626 CVE-2021-35625 CVE-2021-35624 CVE-2021-35623 CVE-2021-35622 CVE-2021-35613 CVE-2021-35612 CVE-2021-35610 CVE-2021-35608 CVE-2021-35607 CVE-2021-35604 CVE-2021-35602 CVE-2021-35597 CVE-2021-35596 CVE-2021-35591 CVE-2021-35584 CVE-2021-35577 CVE-2021-35575 CVE-2021-35546 CVE-2021-2481 CVE-2021-2479 CVE-2021-2478
8.0.27 in Ubuntu 20.04 LTS, Ubuntu 21.04 and Ubuntu 21.10
5.7.36 in Ubuntu 18.04 LTS, Ubuntu 16.04 ESM
https://www.oracle.com/security-alerts/cpuoct2021.html
[USN-5124-1] GNU binutils vulnerabilities [06:53]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3487 CVE-2020-16592
2 issues in libbfd (binary file descriptor) - can be triggered by crafted files
UAF when using the hash table impl
Cause a large memory allocation -> crash
[USN-5009-2] libslirp vulnerabilities [07:30]
6 CVEs addressed in Impish (21.10)
CVE-2021-3595 CVE-2021-3594 CVE-2021-3593 CVE-2021-3592 CVE-2020-29130 CVE-2020-29129
Previously covered in Episode 124
[USN-5125-1] PHP vulnerability [07:41]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
CVE-2021-21703
Root code exec in PHP-FPM - uses a privileged root-level process and unprivileged child worker processes, but a child could access shared memory with the parent and cause it to do OOB R/W -> code execution in parent -> priv-esc
[USN-5126-1, USN-5126-2] Bind vulnerability [08:33]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
CVE-2021-25219
Possible cache poisoning could lead to DoS via excessive entries in the cache causing slow lookup performance
[USN-5127-1] WebKitGTK vulnerabilities [08:55]
3 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
CVE-2021-42762 CVE-2021-30851 CVE-2021-30846
Usual web engine vulns - plus one in the bubblewrap launcher which allows a limited sandbox bypass - could trick host processes into believing a sandboxed process was not sandboxed and hence could potentially escalate privs
[USN-5128-1] Ceph vulnerabilities [09:35]
5 CVEs addressed in Bionic (18.04 LTS), Hirsute (21.04)
CVE-2021-3531 CVE-2021-3524 CVE-2021-3509 CVE-2021-20288 CVE-2020-27781
Goings on in Ubuntu Security Community
22.04 LTS development cycle begins [09:46]
Will include all the features from the various interim releases since the last 20.04 LTS plus some more
Since it is an LTS, this cycle is mostly to be spent making things as solid and stable as possible, but a few new features are planned:
nftables supported
Firewalling on Linux has 2 components - a kernel-space mechanism and userspace tooling to control that
Traditionally the kernel supported iptables (aka xtables - ip, ip6, arp, eb - tables)
nftables was introduced into the kernel in 3.13 as a new mechanism to implement network packet classification and handling - aka firewalling etc
The kernel has 2 mechanisms then - xtables and nftables
Userspace then has 2 primary tools for handling these - iptables for xtables and nftables (nft) for nftables
iptables userspace added an nft backend so existing iptables rules and users would be switched to that automatically - was already switched to use the nft backend in Ubuntu 21.04
Now want to support the nftables userspace package for handling nftables as a first-class system
Also look at implementing an nftables backend in ufw so it can drive nftables directly rather than iptables
Improvements to OVAL data
Improved information around ESM products etc
Improved handling of pivot_root in AppArmor
Upstream issue https://gitlab.com/apparmor/apparmor/-/issues/113
Once a pivot_root occurs, AppArmor loses track of the original paths, so if a root-level process is granted pivot_root permission, it can move around inside its own mount namespace to be able to escape outside the AppArmor policy
AppArmor needs to track root before and after and allow policy to be specified both pre- and post-pivot_root
Hiring [14:46]
Security - Product Manager
HOME BASED - EMEA (Europe, Middle East, Africa)
Role includes:
guiding the evolution of security offerings from Canonical and Ubuntu
driving compliance and certification of Ubuntu
engaging with the open source security community
telling the story of Canonical's work to deliver secure platforms
https://canonical.com/careers/2278145/security-product-manager-remote
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter