May 20, 2022

Episode 160

13 minutes

Overview

Ubuntu get’s pwned again at Pwn2Own Vancouver 2022, plus we look at

security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.

This week in Ubuntu Security Updates

57 unique CVEs addressed

[USN-5413-1] Linux kernel vulnerabilities [01:06]

6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2022-28390

CVE-2022-27223

CVE-2022-26490

CVE-2021-4157

CVE-2021-39713

CVE-2020-27820

4.4 - 16.04 ESM GA + 14.04 ESM

UAF in nouveau driver when device is removed - external NVIDIA GPU? or

local user unbinding the driver?

UAF due to race condition in network packet scheduler

OOB write in NFS - user who had access to an NFS mount could possibly

exploit this

Buffer overflow in ST Micro NFC driver - failed to validate parameters

from NFC device - physically approximate attacker could possibly exploit

this but would need custom hw/sw

Similarly, Xilinx USB2 gadget driver failed to validate USB endpoints

ESM CAN/USB double-free

[USN-5415-1] Linux kernel vulnerabilities [02:27]

8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2022-27223

CVE-2022-26490

CVE-2022-25375

CVE-2022-25258

CVE-2022-20008

CVE-2022-1016

CVE-2021-26401

CVE-2020-27820

5.4 - 20.04 LTS GA + 18.04 LTS HWE + clouds

Above vulns plus:

AMD specific issue around insufficient mitigations for Spectre v2

attacks

OOB read -> info leak through mishandling of MMC/SD read errors

[USN-5417-1] Linux kernel vulnerabilities [03:07]

8 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2022-29156

CVE-2022-27223

CVE-2022-26966

CVE-2022-26490

CVE-2022-25375

CVE-2022-25258

CVE-2022-20008

CVE-2021-26401

5.13 - 21.10, 20.04 LTS HWE + some clouds

~ same as above

[USN-5418-1] Linux kernel vulnerabilities [03:19]

13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2022-27223

CVE-2022-26966

CVE-2022-26490

CVE-2022-25375

CVE-2022-25258

CVE-2022-24958

CVE-2022-23042

CVE-2022-23040

CVE-2022-23039

CVE-2022-23038

CVE-2022-23037

CVE-2022-23036

CVE-2021-26401

4.15 - 18.04 LTS GA, 16.04 ESM HWE + clouds + OEM, 14.04 ESM azure

~ same as above

[USN-5416-1] Linux kernel (OEM) vulnerabilities [03:26]

5 CVEs addressed in Focal (20.04 LTS)

CVE-2022-28390

CVE-2022-28389

CVE-2022-28388

CVE-2022-1516

CVE-2022-1158

5.14 - 20.04 LTS OEM

KVM mishandled guest page table updates -> guest VM crash host OS

2 similar issues in CAN bus drivers - 8 Devices USB2CAN and Microchip CAN

Bus analyzer both had double-free on error paths - local attacker could

crash -> DoS

Plus ESM CAN/USB issue from above

[USN-5419-1] Rsyslog vulnerabilities [04:26]

3 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2019-17042

CVE-2019-17041

CVE-2018-16881

2 issues in handling of various message types (AIX + Cisco log messages

failed to properly validate contents and so could result in heap buffer overflow)

1 in handling of plain TCP socket comms - but this module is not enabled

in the default rsyslog configuration for Ubuntu

[USN-5420-1] Vorbis vulnerabilities [05:01]

3 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2018-10393

CVE-2018-10392

CVE-2017-14160

heap buffer overflow, OOB read + stack buffer overflow via crafted input

files - DoS / RCE

[USN-5421-1] LibTIFF vulnerabilities [05:16]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

CVE-2022-0865

CVE-2022-0891

CVE-2022-0562

CVE-2022-0561

CVE-2020-35522

Similar types of issues in libtiff - OOB reads / writes

[USN-5422-1] libxml2 vulnerabilities [05:32]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-29824

CVE-2022-23308

UAF plus possible integer overflows -> unspec impact (but requires victim

to process a multiGB XML file)

[USN-5311-2] containerd regression [06:03]

1 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2022-23648

Episode 152 - subsequent update to containerd by different team reverted

the CVE fix accidentally - reinstated it

[USN-5423-1, USN-5423-2] ClamAV vulnerabilities [06:24]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-20796

CVE-2022-20792

CVE-2022-20785

CVE-2022-20771

CVE-2022-20770

0.103.6

Various infinite loops in different parsers (CPU-based DoS), memory leaks

plus a couple OOB writes

[USN-5424-1] OpenLDAP vulnerability [06:53]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-29155

SQL injection in the sql backend of slapd via an SQL statement within a LDAP query

[USN-5425-1] PCRE vulnerabilities [07:09]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2020-14155

CVE-2019-20838

OOB read -> info leak

integer overflow -> buffer overflow? -> crash / code execution

[USN-5426-1] needrestart vulnerability [07:20]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-30688

detects daemons that need to be restarted after libraries are upgraded

uses various regex’s to detect scripting languages - but since these were

not specific enough, it could allow a user to get their own script

executed in the context of the user which is running needrestart - which

could be root

[USN-5427-1] Apport vulnerabilities [08:08]

8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-28658

CVE-2022-28657

CVE-2022-28656

CVE-2022-28655

CVE-2022-28654

CVE-2022-28652

CVE-2022-1242

CVE-2021-3899

Gerrit Venema reported a heap of issues in Apport - thanks to Marc

Deslauriers on our team for working on these

Crash handler in Ubuntu - is invoked by the kernel when an application

crashes to collect various data to then upload to Ubuntu developers

Runs as root but can be invoked as a regular user so has been a target

for privesc vulns in the past

Has various code to drop privileges etc but these were found to be

incomplete

Impacts of these issues range from DoS by crashing Apport through to

local privesc to root

[USN-5428-1] libXrandr vulnerabilities [09:14]

2 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2016-7948

CVE-2016-7947

Integer overflows -> OOB write plus another different OOB write - all

able to be triggered by a malicious remote X server

Goings on in Ubuntu Security Community

Ubuntu in Pwn2Own Vancouver 2022 [09:39]

15 year anniversary of Pwn2Own

17 teams attempting to exploit 21 targets - including Ubuntu Desktop for EoP

https://www.zerodayinitiative.com/blog/2022/5/17/pwn2own-vancouver-2022-the-schedule

5 different teams targeting Ubuntu Desktop - Ubuntu 22.04 LTS fully

up-to-date

Prize of $40k USD

2 on day 1, 2 on day 2, 1 on day 3 (tomorrow)

https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results

So far all 4 have been successful:

Team Orca of Sea Security (not live streamed)

OOBW + UAF

Keith Yeo

UAF

Bien Pham

UAF

Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) of Team TUTELARY

UAF

Lots of great new bugs - expect to hear more about these in the coming weeks

Past episodes covering Ubuntu @ Pwn2Own over previous years Episode 111

and Episode 71 - in particular has a great interview with Steve and Marc

from our team who cover what it is like as a vendor

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

May 20, 2022

Episode 160

13 minutes

Overview

Ubuntu get’s pwned again at Pwn2Own Vancouver 2022, plus we look at

security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.

This week in Ubuntu Security Updates

57 unique CVEs addressed

[USN-5413-1] Linux kernel vulnerabilities [01:06]

6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2022-28390

CVE-2022-27223

CVE-2022-26490

CVE-2021-4157

CVE-2021-39713

CVE-2020-27820

4.4 - 16.04 ESM GA + 14.04 ESM

UAF in nouveau driver when device is removed - external NVIDIA GPU? or

local user unbinding the driver?

UAF due to race condition in network packet scheduler

OOB write in NFS - user who had access to an NFS mount could possibly

exploit this

Buffer overflow in ST Micro NFC driver - failed to validate parameters

from NFC device - physically approximate attacker could possibly exploit

this but would need custom hw/sw

Similarly, Xilinx USB2 gadget driver failed to validate USB endpoints

ESM CAN/USB double-free

[USN-5415-1] Linux kernel vulnerabilities [02:27]

8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2022-27223

CVE-2022-26490

CVE-2022-25375

CVE-2022-25258

CVE-2022-20008

CVE-2022-1016

CVE-2021-26401

CVE-2020-27820

5.4 - 20.04 LTS GA + 18.04 LTS HWE + clouds

Above vulns plus:

AMD specific issue around insufficient mitigations for Spectre v2

attacks

OOB read -> info leak through mishandling of MMC/SD read errors

[USN-5417-1] Linux kernel vulnerabilities [03:07]

8 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2022-29156

CVE-2022-27223

CVE-2022-26966

CVE-2022-26490

CVE-2022-25375

CVE-2022-25258

CVE-2022-20008

CVE-2021-26401

5.13 - 21.10, 20.04 LTS HWE + some clouds

~ same as above

[USN-5418-1] Linux kernel vulnerabilities [03:19]

13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2022-27223

CVE-2022-26966

CVE-2022-26490

CVE-2022-25375

CVE-2022-25258

CVE-2022-24958

CVE-2022-23042

CVE-2022-23040

CVE-2022-23039

CVE-2022-23038

CVE-2022-23037

CVE-2022-23036

CVE-2021-26401

4.15 - 18.04 LTS GA, 16.04 ESM HWE + clouds + OEM, 14.04 ESM azure

~ same as above

[USN-5416-1] Linux kernel (OEM) vulnerabilities [03:26]

5 CVEs addressed in Focal (20.04 LTS)

CVE-2022-28390

CVE-2022-28389

CVE-2022-28388

CVE-2022-1516

CVE-2022-1158

5.14 - 20.04 LTS OEM

KVM mishandled guest page table updates -> guest VM crash host OS

2 similar issues in CAN bus drivers - 8 Devices USB2CAN and Microchip CAN

Bus analyzer both had double-free on error paths - local attacker could

crash -> DoS

Plus ESM CAN/USB issue from above

[USN-5419-1] Rsyslog vulnerabilities [04:26]

3 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2019-17042

CVE-2019-17041

CVE-2018-16881

2 issues in handling of various message types (AIX + Cisco log messages

failed to properly validate contents and so could result in heap buffer overflow)

1 in handling of plain TCP socket comms - but this module is not enabled

in the default rsyslog configuration for Ubuntu

[USN-5420-1] Vorbis vulnerabilities [05:01]

3 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2018-10393

CVE-2018-10392

CVE-2017-14160

heap buffer overflow, OOB read + stack buffer overflow via crafted input

files - DoS / RCE

[USN-5421-1] LibTIFF vulnerabilities [05:16]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

CVE-2022-0865

CVE-2022-0891

CVE-2022-0562

CVE-2022-0561

CVE-2020-35522

Similar types of issues in libtiff - OOB reads / writes

[USN-5422-1] libxml2 vulnerabilities [05:32]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-29824

CVE-2022-23308

UAF plus possible integer overflows -> unspec impact (but requires victim

to process a multiGB XML file)

[USN-5311-2] containerd regression [06:03]

1 CVEs addressed in Focal (20.04 LTS), Impish (21.10)

CVE-2022-23648

Episode 152 - subsequent update to containerd by different team reverted

the CVE fix accidentally - reinstated it

[USN-5423-1, USN-5423-2] ClamAV vulnerabilities [06:24]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-20796

CVE-2022-20792

CVE-2022-20785

CVE-2022-20771

CVE-2022-20770

0.103.6

Various infinite loops in different parsers (CPU-based DoS), memory leaks

plus a couple OOB writes

[USN-5424-1] OpenLDAP vulnerability [06:53]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-29155

SQL injection in the sql backend of slapd via an SQL statement within a LDAP query

[USN-5425-1] PCRE vulnerabilities [07:09]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2020-14155

CVE-2019-20838

OOB read -> info leak

integer overflow -> buffer overflow? -> crash / code execution

[USN-5426-1] needrestart vulnerability [07:20]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-30688

detects daemons that need to be restarted after libraries are upgraded

uses various regex’s to detect scripting languages - but since these were

not specific enough, it could allow a user to get their own script

executed in the context of the user which is running needrestart - which

could be root

[USN-5427-1] Apport vulnerabilities [08:08]

8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-28658

CVE-2022-28657

CVE-2022-28656

CVE-2022-28655

CVE-2022-28654

CVE-2022-28652

CVE-2022-1242

CVE-2021-3899

Gerrit Venema reported a heap of issues in Apport - thanks to Marc

Deslauriers on our team for working on these

Crash handler in Ubuntu - is invoked by the kernel when an application

crashes to collect various data to then upload to Ubuntu developers

Runs as root but can be invoked as a regular user so has been a target

for privesc vulns in the past

Has various code to drop privileges etc but these were found to be

incomplete

Impacts of these issues range from DoS by crashing Apport through to

local privesc to root

[USN-5428-1] libXrandr vulnerabilities [09:14]

2 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2016-7948

CVE-2016-7947

Integer overflows -> OOB write plus another different OOB write - all

able to be triggered by a malicious remote X server

Goings on in Ubuntu Security Community

Ubuntu in Pwn2Own Vancouver 2022 [09:39]

15 year anniversary of Pwn2Own

17 teams attempting to exploit 21 targets - including Ubuntu Desktop for EoP

https://www.zerodayinitiative.com/blog/2022/5/17/pwn2own-vancouver-2022-the-schedule

5 different teams targeting Ubuntu Desktop - Ubuntu 22.04 LTS fully

up-to-date

Prize of $40k USD

2 on day 1, 2 on day 2, 1 on day 3 (tomorrow)

https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results

So far all 4 have been successful:

Team Orca of Sea Security (not live streamed)

OOBW + UAF

Keith Yeo

UAF

Bien Pham

UAF

Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) of Team TUTELARY

UAF

Lots of great new bugs - expect to hear more about these in the coming weeks

Past episodes covering Ubuntu @ Pwn2Own over previous years Episode 111

and Episode 71 - in particular has a great interview with Steve and Marc

from our team who cover what it is like as a vendor

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 160

Sign up to save your podcasts

Episode 160

Episode 160