August 05, 2022

Episode 171

22 minutes

Overview

This week we dig into what community sponsored security updates are all

about, plus Ubuntu 22.04.1 LTS gets delayed by a week and we cover security

updates for MySQL, the Linux kernel, Samba, Net-SNMP and more.

This week in Ubuntu Security Updates

75 unique CVEs addressed

[USN-5535-1] Intel Microcode vulnerabilities [00:43]

10 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2021-33120

CVE-2021-33117

CVE-2022-21166

CVE-2022-21151

CVE-2022-21125

CVE-2022-21127

CVE-2022-21123

CVE-2021-0127

CVE-2021-0146

CVE-2021-0145

Latest upstream release IPU 2022.1

[USN-5486-1] Intel Microcode vulnerabilities

Includes fixes for MMIO stale data which we covered in News on latest Intel security issues in Episode 164

[USN-5537-1, USN-5537-2] MySQL vulnerabilities [01:22]

18 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2022-21569

CVE-2022-21553

CVE-2022-21547

CVE-2022-21539

CVE-2022-21538

CVE-2022-21537

CVE-2022-21534

CVE-2022-21531

CVE-2022-21530

CVE-2022-21529

CVE-2022-21528

CVE-2022-21527

CVE-2022-21526

CVE-2022-21525

CVE-2022-21522

CVE-2022-21517

CVE-2022-21515

CVE-2022-21509

Latest point releases from Oracle

8.0.30 for 20.04 and 22.04 LTS

5.7.39 for 18.04 LTS and 16.04 ESM

As always - includes both security and bug fixes as well as new features

and possible incompatible changes

[USN-5538-1] libtirpc vulnerability [01:59]

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2021-46828

Transport independent RPC library - Used by autofs, libvirt, nfs-utils,

python, samba, yp-tools and lots more

Failed to properly handle timeouts from idle clients - would still keep a

file descriptor open and eventually would exhaust available fds so could

then not accept new connections (since it would also not handle the case

of no available fds either and would spin in a busy loop trying to accept

new connections) - CPU-based DoS

[USN-5536-1] Firefox vulnerabilities [02:47]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2022-36320

CVE-2022-36319

CVE-2022-36318

CVE-2022-36316

CVE-2022-36315

CVE-2022-2505

103.0

Firefox is now a snap on 22.04 LTS so gets updated automatically by

Mozilla

[USN-5544-1] Linux kernel vulnerabilities [03:06]

4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2022-1652

CVE-2022-34918

CVE-2022-28893

CVE-2022-1679

5.15 22.04 LTS GA / 20.04 LTS HWE

UAF in Atheros ath9k driver when handling certain error conditions, Sun

RPC and floppy driver

Also a type confusion bug in netfilter - local user who has CAP_NET_ADMIN

(which can be done via mapping to root in an unprivileged user

namespace) -> privesc

[USN-5545-1] Linux kernel (OEM) vulnerability [03:49]

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2022-34918

netfilter privesc above for 5.14 and 5.17 OEM kernels in 20.04 and 22.04

LTS respectively

[USN-5539-1] Linux kernel vulnerabilities [04:11]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2022-33981

CVE-2022-28388

CVE-2022-1789

CVE-2022-1205

CVE-2022-1204

CVE-2022-1199

CVE-2022-1195

5.4 - NVIDIA BlueField on 20.04 LTS and GCP/GKE 18.04 LTS

6 out of 7 are various UAF bugs - 3 in the AX.25 amateur radio protocol

driver, 1 in 6pack and mkiss protocol drivers, 1 in 8 Devices USB2CAN and

1 in floppy driver

KVM hypervisor failed to handle guest TLB invalidations - guest could

then corrupt host memory

Result of all these is memory corruption -> crash / code-execution

[USN-5541-1] Linux kernel (Azure) vulnerabilities [05:04]

11 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2022-28389

CVE-2022-28388

CVE-2022-2380

CVE-2022-1516

CVE-2022-1353

CVE-2022-1205

CVE-2022-1204

CVE-2022-1199

CVE-2022-1198

CVE-2022-1011

CVE-2021-4197

4.15 azure

Most of the same vulnerabilities mentioned earlier plus some covered in

previous episodes - cgroup process migration privesc, UAF in FUSE etc

[USN-5540-1] Linux kernel vulnerabilities [05:26]

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2022-34918

CVE-2022-25375

CVE-2022-25258

CVE-2022-20141

4.4 - 16.04 ESM GA (lowlatency, AWS, KVM etc) + 14.04 ESM

race-condition -> UAF in IGMP protocol impl - local user -> DoS /

code-exec

Memory corruption in USB gadget driver

OOB read in RNDIS driver -> info leak / crash

netfilter privesc

[USN-5542-1] Samba vulnerabilities [06:06]

6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2022-32746

CVE-2022-32745

CVE-2022-32744

CVE-2022-32742

CVE-2022-2031

CVE-2021-3670

Didn’t handle MaxQueryDuration as expected

Possible privesc since restrictions were not enforced properly when

changing passwords

Separate password-based privesc since could forge a password request with

your own key that was destined for another user and therefore change

their password (including domain admin)

Memory corruption via crafted LDAP request -> DoS / info leak

Unfortunately due to the large amount of code-churn in samba from the

version used in 18.04 LTS (4.7.6) compared to the current upstream

release (4.16.x) it is not possible to backport these patches without a

reasonable risk of introducing a regression - as such users of samba in

18.04 LTS who are concerned about these vulnerabilities are advised to

upgrade to Ubuntu 20.04 LTS or newer to continue receiving security

support for samba

[USN-5543-1] Net-SNMP vulnerabilities [07:25]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2022-24810

CVE-2022-24809

CVE-2022-24808

CVE-2022-24807

CVE-2022-24806

CVE-2022-24805

Various memory corruption bugs (OOB reads, NULL ptr derefs, buffer

overflows) which could be triggered via crafted SNMP requests -> crash

(DoS), RCE

[USN-5463-2] NTFS-3G vulnerabilities [07:45]

7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2022-30787

CVE-2022-30785

CVE-2022-30789

CVE-2022-30788

CVE-2022-30786

CVE-2022-30784

CVE-2022-30783

[USN-5463-1] NTFS-3G vulnerabilities - Episode 163

DoS / RCE via mounting crafted disk image, mishandling of file handles -

arbitrary memory R/W, intercept traffic between FUSE and kernel -> info

leak etc

Goings on in Ubuntu Security Community

An overview of the community security updates sponsoring process [08:20]

Ubuntu Security team supports packages in main+restricted as per standard support

Universe (and multiverse) components are supported by the community

The ideal process here is a community member files a bug on LP,

subscribes the Ubuntu Security Sponsors team and attaches a debdiff

What is a debdiff?

A debdiff is a diff of the source package between the current version

in the Ubuntu archive and the new updated version being proposed

What should the debdiff contain?

The bare minimum of changes required to patch the vulnerability

ie. a patch file derived from the original upstream project’s patch

which fixed the vulnerability, as well as a new changelog entry

describing this update

In general even though an upstream project may release a new version

of their software when patching security vulnerabilies, in Ubuntu we

will not just upgrade to this new version (in the lifetime of a

stable release) to fix the vulnerability - instead we will just

cherry-pick the minimal change required to fix the issue and apply

this ontop of the older version of the software which is maintained

for the life a given Ubuntu release

This reduces the chance of introducing a regression due to new

upstream features getting introduced etc

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

https://wiki.ubuntu.com/StableReleaseUpdates#Why

Regarding patches - most packages use Quilt to manage the set of

patches that get applied ontop of the upstream source tarball within a

debian package

Therefore the debdiff should likely be a new patch file within the

debian/patches directory as well as a corresponding entry for it in the

debian/patches/series file, and then a new debian/changelog entry

Sometimes to backport a fix other supporting commits from the upstream

project may be needed - these can then be included as additional patch

files too

What happens next?

Ubuntu Security team member reviews the debiff to make sure it conforms

to the above - in particular to check that the original upstream patch

was used and no other changes were introduced (again to make sure we

keep the risk of regression low and so we have provenance of the code

which has been introduced)

Will usually do a local build of the package and then upload it to the

Ubuntu Security Proposed PPA - this is a publicly accessible PPA which

allows the resulting candidate packages to be tested by the Security

Team member as well as the community member

Once testing looks good, the package can be published to the Ubuntu

archive along with an associated USN

A recent examples of this is in

https://bugs.launchpad.net/ubuntu/+source/spip/+bug/1971185 which

corresponded to USN-5482-1 - SPIP for bionic

The team maintains a lot of documentation on how we set up our local

build and testing environments to make the process a lot easier - in

particular the umt tool which can be used for managing most of these

steps (ie. downloading source packages, adding a new changelog entry,

building the package locally in a schroot, testing the package locally in

a VM etc)

Ubuntu 22.04.1 release delayed [17:00]

https://discourse.ubuntu.com/t/jammy-jellyfish-22-04-1-lts-point-release-status-tracking/29102

Delayed until 11th August - can see test status on the ISO tracker -

essentially was a bug in snapd when being installed in OEM mode

Used by OEMs to install Ubuntu on machines so that when first powered

on by the end user they are offered to setup the machine (create a

local user account, set timezone/language etc)

Bug is that firefox wouldn’t run

As earlier, Firefox is now a snap in 22.04 LTS - and the bug is that all

snaps which are seeded (ie. shipped on the ISO and installed OOTB) would

not run

only 2 applications fit this - firefox and snap-store - but both are

crucial applications (ie web browser and app store)

snaps are squashfs images that get mounted on boot as systemd mount units

like many systemd units, they specify as WantedBy=multi-user.target - ie

the multi-user target wants them which ensures they are mounted during

normal boot (equivalent to runlevel 2 - ie. not a rescue shell or

shutdown etc) - so basically any normal boot of the system and they

should be mounted

During OEM mode though, on that first boot by the user, the OEM installer

has set the boot target to it’s own oem-config.target so it can run first

(to create a new user etc) - and then once it is done it sets the target

to the usual graphical.target which includes multi-user.target

Everything then should work though as we do eventually hit the right target

Current thinking is that the new snapd-desktop-integration which is used

to try and automatically install theme snaps and the like to match the

system theme - gets started as part of the oem-config and it then

pokes the snapd.socket which causes snapd.service to be started - yet the

snap mount units are not in place, so snapd can’t see any of the expected

snaps, as such it fails to correctly generate their state information

when they do go to be run, they have none of their expected interfaces

defined or connected and so cannot access anything and fail - and even a

reboot doesn’t help as the old invalid state is still kept even though

the snaps are now mounted correctly

requires a fix in snapd so that the mount units specify not just

multi-user.target but default.target so they get mounted no matter what

target is being booted into

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings