Overview
It’s the 22.10 mid-cycle roadmap sprint at Canonical this week plus we look
at security updates for Git, the Linux kernel, Vim, Python, PyJWT and more.
This week in Ubuntu Security Updates
[USN-5511-1] Git vulnerabilities [00:45]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2022-29187 CVE-2022-24765
Related to CVE-2022-24765 which we covered back in Episode 157 - this was a vuln in Git for Windows which could allow a local user who could write to C:\ to create a gitconfig that would contain commands that may then get executed by other users when running git themselves
Is an issue for Ubuntu since with WSL you can now run git as shipped in Ubuntu on Windows which then would be vulnerable (or at least it was until we fixed it 😁)
[USN-5473-2] ca-certificates update [01:41]
Affecting Xenial ESM (16.04 ESM)
Episode 164
[USN-5513-1] Linux kernel (AWS) vulnerabilities [01:53]
19 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2022-28388 CVE-2022-28356 CVE-2022-24958 CVE-2022-21166 CVE-2022-21125 CVE-2022-21123 CVE-2022-1734 CVE-2022-1679 CVE-2022-1652 CVE-2022-1419 CVE-2022-1353 CVE-2022-0330 CVE-2021-4202 CVE-2021-4197 CVE-2021-39714 CVE-2021-39685 CVE-2021-3760 CVE-2021-3752 CVE-2021-3609
4.4 kernel for 14.04 ESM machines on AWS
Most interesting vulnerability is a race condition in the CAN BCM networking protocol which then results in multiple possible UAFs - the use of unprivileged user namespaces allows a local unprivileged user to exploit this and then gain root privileges in the root namespace - PoC on github along with a very detailed write-up, hence the high priority rating given to this vulnerability
Various other similar vulns (race conditions and the like which can then allow a local user to possibly escalate privileges to root) - but the others don’t have public exploits, hence the medium priority rating
[USN-5514-1] Linux kernel vulnerabilities [03:11]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-33981 CVE-2022-1789 CVE-2022-1205 CVE-2022-1204 CVE-2022-1199 CVE-2022-1195
5.4 GA / HWE for 18.04 LTS as well as various kernels optimised for the different public clouds
Bunch of vulns in AX.25 amateur radio protocol implementation - local attacker could possibly crash kernel or privesc - would likely need a custom H/W device to do this though
Race condition in the floppy driver -> UAF etc
[USN-5515-1] Linux kernel vulnerabilities [03:41]
10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2022-28389 CVE-2022-2380 CVE-2022-1516 CVE-2022-1353 CVE-2022-1205 CVE-2022-1204 CVE-2022-1199 CVE-2022-1198 CVE-2022-1011 CVE-2021-4197
4.15 18.04 LTS GA + clouds + devices (raspi, snapdragon etc), 16.04 ESM HWE + clouds etc
[USN-5517-1] Linux kernel (OEM) vulnerabilities [04:04]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2022-34494 CVE-2022-1679
5.14 OEM
OEM kernel contains various hardware enablement features for the different OEM platforms which Ubuntu comes pre-installed on, these eventually find their way back to the GA/HWE kernels
[USN-5518-1] Linux kernel vulnerabilities
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-33981 CVE-2022-1975 CVE-2022-1974 CVE-2022-1789 CVE-2022-1734 CVE-2022-0500
5.15 GA + clouds, devices, lowlatency etc
[USN-5516-1] Vim vulnerabilities [04:18]
3 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-2210 CVE-2022-2207 CVE-2022-2000
vim is definitely fast becoming one of our most updated packages - particularly in 16.04 ESM
More bugs found via fuzzing - shows what having a bug bounty can do to shine a light on possible vulnerabilities (or does it just attract shallow bug hunters…) - it’s hard to say for certain how much of a security impact these different vulnerabilities have
OOB write + 2 heap buffer overflows - all classified as high priority on the bounty platform ($95 reward apparently for each)
[USN-5520-1, USN-5520-2] HTTP-Daemon vulnerability [05:18]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-31081
Perl library implementing a simple HTTP server - not often used in production (since would then use nginx or apache)
Request smuggling vuln through a crafted Content-Length parameter - could then allow requests that would otherwise be rejected
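The smuggling class above comes down to body framing: if a proxy and the origin server can read a different length out of the same Content-Length header, whatever follows the shorter body is parsed as a second request that the proxy never saw. As an added example (it is not HTTP::Daemon's code and does not reproduce its patch), here is a strict framing decision following RFC 7230 sections 3.3.2 and 3.3.3, run over constructed request heads; anything ambiguous is rejected rather than guessed.

```python
import re
from typing import List, Tuple

# Added example, not HTTP::Daemon's code or its patch: strict Content-Length
# framing for an HTTP/1.1 server, following RFC 7230 sections 3.3.2 and 3.3.3.
# Refusing every ambiguous head removes the parser disagreement that request
# smuggling depends on.

_DIGITS = re.compile(rb"[0-9]+")


def parse_head(head: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request head into the request line and (name, value) pairs.

    Obsolete line folding (continuation lines starting with SP/HTAB) and
    whitespace between a field name and its colon are rejected rather than
    tolerated: both are classic sources of parser disagreement.
    """
    lines = head.split(b"\r\n")
    pairs = []
    for line in lines[1:]:
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete header folding")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        pairs.append((name.lower(), value.strip()))
    return lines[0], pairs


def framing(head: bytes) -> Tuple[str, int]:
    """Decide how the body is framed.

    Returns ("length", n) when exactly one trustworthy Content-Length exists,
    ("chunked", 0) when only Transfer-Encoding is present, ("none", 0) when
    there is no body, and ("reject", 0) for any ambiguous head.
    """
    try:
        _, pairs = parse_head(head)
    except ValueError:
        return ("reject", 0)
    cl_values = [v for n, v in pairs if n == b"content-length"]
    has_te = any(n == b"transfer-encoding" for n, _ in pairs)
    if has_te and cl_values:
        return ("reject", 0)  # both present: the two framings can disagree
    if has_te:
        return ("chunked", 0)
    if not cl_values:
        return ("none", 0)
    # Duplicate fields and list values ("5, 5") are tolerated only when every
    # member is purely numeric and identical; "5, 50" or "5" + "50" is refused.
    members = [m.strip() for v in cl_values for m in v.split(b",")]
    if any(not _DIGITS.fullmatch(m) for m in members):
        return ("reject", 0)  # "", "+5", "0x10", "5 5" are all refused
    if len(set(members)) != 1:
        return ("reject", 0)  # conflicting lengths
    return ("length", int(members[0]))


# Constructed request heads for the demonstration.
SAMPLES = {
    "plain": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
    "dup_same": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\n",
    "dup_diff": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n",
    "hex": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0x10\r\n\r\n",
    "list": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5, 50\r\n\r\n",
    "te_and_cl": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n",
    "folded": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length:\r\n 5\r\n\r\n",
    "get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def classify_samples() -> dict:
    """Framing decision for each constructed sample."""
    return {name: framing(head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:>10}: {decision}")
```

The rule worth copying is the last one: a server that cannot be sure of the body length should answer 400 and close the connection, never pick one of the candidate values, because the proxy in front of it may have picked the other.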
[USN-5519-1] Python vulnerability [05:54]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2015-20107
Oldest vuln patched this week - fix and CVE were disclosed back in April this year but the bug was first reported back in 2015 - at that time there was disagreement between the reporter and the upstream developers as to whether this was a real vuln or not - this is a bug in handling of mailcap entries - and mailcap is designed to execute arbitrary commands - but those defined by the user - whereas in this case, if it was used to launch a command on a crafted filename, the filename itself could specify the command to be executed, not what the user had thought that they had configured via their mailcap entry
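To make the mailcap problem concrete, here is an added example (not CPython's mailcap module or its patch) with a constructed mailcap-style template and a constructed filename containing a shell metacharacter. It shows the verbatim substitution that lets the filename add a command, the quoted form that keeps the name as one shell word, and the argv form that avoids the shell altogether.

```python
import shlex
from typing import List, Optional

# Added example, not CPython's mailcap module or its patch. Template and
# filename below are constructed for the demonstration.
DEMO_TEMPLATE = "xterm -e less %s"   # mailcap-style command, %s = the file
CRAFTED_NAME = "report.txt;id"       # a filename carrying a shell separator


def naive_command(template: str, filename: str) -> str:
    """Pre-fix behaviour: the name is pasted into the command line verbatim,
    so any shell metacharacters it contains become part of the command."""
    return template.replace("%s", filename)


def quoted_command(template: str, filename: str) -> str:
    """Quote the substituted name so a POSIX shell treats it as one word,
    whatever it contains (embedded single quotes included)."""
    return template.replace("%s", shlex.quote(filename))


def argv_command(template: str, filename: str) -> Optional[List[str]]:
    """Strongest option: tokenise the template once with shell rules, then
    substitute at the argument level and run it without a shell (for example
    subprocess.run(argv)). Returns None for templates this simple substitution
    cannot handle (a %s embedded inside a larger word)."""
    argv: List[str] = []
    for tok in shlex.split(template):
        if tok == "%s":
            argv.append(filename)
        elif "%s" in tok:
            return None
        else:
            argv.append(tok)
    return argv


def words_seen_by_shell(command: str) -> List[str]:
    """Parse-only view of how a POSIX shell would tokenise the command line;
    punctuation_chars makes ';' and friends show up as their own tokens."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


if __name__ == "__main__":
    print(words_seen_by_shell(naive_command(DEMO_TEMPLATE, CRAFTED_NAME)))
    print(words_seen_by_shell(quoted_command(DEMO_TEMPLATE, CRAFTED_NAME)))
    print(argv_command(DEMO_TEMPLATE, CRAFTED_NAME))
```

Quoting is the minimal repair when the command line has to go through a shell; passing an argv to the program directly removes the shell from the path and so removes the class of bug, which is the option to prefer in new code.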
Fixed to appropriately quote the arguments
[USN-5522-1] WebKitGTK vulnerabilities [07:19]
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-26710 CVE-2022-22677
Speaking of one of the most updated packages ;)
WebKitGTK sees regular upstream security releases (similar to Firefox) and we publish these as they are released
UAF via crafted malicious web content -> RCE
[USN-5523-1] LibTIFF vulnerabilities [08:02]
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-22844 CVE-2020-19144 CVE-2020-19131 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-0907
NULL ptr deref, div by zero -> DoS
various OOB reads -> info leak / DoS
[USN-5524-1] HarfBuzz vulnerability [08:37]
1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-33068
Integer overflow discovered via in-built fuzzer within HarfBuzz combined with running HB with UBSan to detect memory corruption
Likely heap buffer overflow -> RCE / crash
[USN-5526-1] PyJWT vulnerability [08:58]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-29217
JSON web token implementation in python
Supports using various crypto algorithms for signing / validation including SSH public keys etc
Turns out an attacker could “sign” a JWT with the public half of an SSH key pair as the key for one of the HMAC algorithms - as far as an API user of PyJWT would see, the token would then validate the same as if it had been actually signed by the private key of the same SSH public key pair
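The underlying property is simple: an HMAC key has to be secret, and a public key by definition is not, so a verifier that will accept public-key material as an HMAC secret lets anyone who has the public key mint tokens. As an added example (not PyJWT's code; the key material is constructed and the "ssh-rsa" string is not a real key), the minimal HS256 verifier below pins the algorithm on the verifier side and refuses anything that looks like a public key; the `reject_public_keys=False` switch exists only to show what skipping that check amounts to.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Added example, not PyJWT's code. Key material is constructed for the demo;
# the "ssh-rsa" line is a placeholder, not a real key.
HMAC_SECRET = b"constructed-demo-shared-secret"
SSH_PUBLIC_KEY = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0demo0demo0demo demo@example"

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
PUBLIC_KEY_PREFIXES = (b"ssh-rsa", b"ssh-ed25519", b"ssh-dss", b"ecdsa-sha2-", b"sk-")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def looks_like_public_key(key: bytes) -> bool:
    """True for PEM public keys and OpenSSH one-line public keys.

    Approximates the class of check the PyJWT fix added; the upstream logic
    may differ in detail.
    """
    k = key.strip()
    if k.startswith(b"-----BEGIN") and b"PUBLIC KEY" in k.split(b"\n", 1)[0]:
        return True
    return k.startswith(PUBLIC_KEY_PREFIXES)


def sign_hs(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Compact-serialise and HMAC-sign a payload. Performs no key-material
    check on purpose: the verifier must never rely on the signer for that."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url(mac)


def verify_hs(token: str, key: bytes, expected_alg: str = "HS256",
              reject_public_keys: bool = True) -> Optional[dict]:
    """Return the payload if the token verifies under the pinned algorithm and
    key, else None. reject_public_keys=False skips the key-type check and is
    here only to show the difference the check makes."""
    if expected_alg not in HMAC_ALGS:
        return None
    if reject_public_keys and looks_like_public_key(key):
        return None
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        payload = json.loads(_unb64url(p_b64))
        given_mac = _unb64url(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The verifier decides the algorithm; the header is only checked for agreement.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected_mac = hmac.new(key, f"{h_b64}.{p_b64}".encode(), HMAC_ALGS[expected_alg]).digest()
    if not hmac.compare_digest(expected_mac, given_mac):
        return None
    return payload


def demo() -> dict:
    """Run the scenarios and return their outcomes."""
    claims = {"sub": "alice", "admin": True}
    genuine = sign_hs(claims, HMAC_SECRET)
    # A token MACed with the public half of a key pair: an application that
    # hands its public key to the verifier accepts it unless the key type is checked.
    pubkey_signed = sign_hs(claims, SSH_PUBLIC_KEY)
    return {
        "genuine_ok": verify_hs(genuine, HMAC_SECRET) == claims,
        "unchecked_key_accepted": verify_hs(pubkey_signed, SSH_PUBLIC_KEY, reject_public_keys=False) == claims,
        "pubkey_rejected": verify_hs(pubkey_signed, SSH_PUBLIC_KEY) is None,
        "alg_mismatch_rejected": verify_hs(sign_hs(claims, HMAC_SECRET, "HS512"), HMAC_SECRET) is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

For real deployments the same two rules apply to any JWT library: pass exactly one expected algorithm to the decode call rather than a list mixing asymmetric and HMAC algorithms, and never let the object that holds a verification public key double as an HMAC secret.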
Fixed to disallow the use of SSH public keys as inputs for signing keys
[USN-5527-1] Checkmk vulnerabilities [09:43]
5 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-24565 CVE-2021-40906 CVE-2021-36563 CVE-2017-9781 CVE-2017-14955
system monitoring system / framework
various XSS vulns in web console, ability to read sensitive info from GUI crash report
[USN-5525-1] Apache XML Security for Java vulnerability [09:56]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-40690
Vuln in handling of crafted XPath transform, where an attacker could read arbitrary local XML files
Goings on in Ubuntu Security Community
22.10 mid-cycle product roadmap sprint [10:13]
This week is the 22.10 mid-cycle product roadmap sprint at Canonical
Engineering teams at Canonical work on a 6-month development cycle, in-line with the Ubuntu release cycle - even though not all teams work on Ubuntu
Each 6 month cycle consists of 3 week-long sprint sessions - 2 product roadmap sprints, and 1 engineering sprint
At the start of each cycle there is an initial product roadmap sprint to review the progress / achievements etc of the previous 6 month development cycle and set the goals for the coming development cycle.
At the approximate mid-point of that new development cycle, 3 months later, there is the mid-cycle product roadmap sprint to review progress etc along the way
Generally consists of managers and senior technical team members from each team presenting on their progress etc and reviewing it with the other teams, plus there are many cross-team meetings etc
Traditionally these were in-person events but with COVID etc they all moved to being virtual - this year has seen the resumption of in-person sprints for the start-of-roadmap sprints but the mid-cycle ones are still virtual
As far as the security team is concerned, we talked over various topics like progress on FIPS certification for 22.04 LTS, as well as various AppArmor enhancements, as well as customer specific work-items and general progress on maintenance tasks like CVE patching, MIR security reviews and more.
Next roadmap sprint will be at the end of October to review how this cycle went and to set the goals for the 23.04 cycle - this will also be followed by an engineering sprint, where all members of the engineering sprint get together for a week in-person to collaborate and hack on whatever their team needs
That will then also be followed by a new revived Ubuntu Summit (modeled somewhat like the old Ubuntu Developer Summits) - a chance for folks from the community to gather in person alongside folks from Canonical to discuss and drive forwards various features for Ubuntu and the like.
Exciting times ahead!
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter