Overview
Finally, Ubuntu 22.04.1 LTS is released and we look at how best to upgrade,
plus we cover security updates for NVIDIA graphics drivers, OpenJDK,
Django, libxml2, the Linux kernel and more.
This week in Ubuntu Security Updates
[USN-5547-1] NVIDIA graphics drivers vulnerabilities [00:43]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-31608 CVE-2022-31615 CVE-2022-31607
Local privilege escalation by a user with basic capabilities - likely memory
corruption, since the same flaw is described as also allowing DoS, data
tampering and information leaks
Also a NULL pointer dereference in the kernel driver that can be triggered by a
"local user with basic capabilities" -> DoS
Also shipped a D-Bus configuration for the Dynamic Boost component - this is a
system-wide power controller which manages CPU and GPU power based on the
overall system workload to get the best system performance per watt, according
to the upstream documentation. It is only active when on AC power.
The component is not enabled by default, but the shipped D-Bus policy file
allowed any process to communicate with the nvidia-powerd server and hence to
perform privileged actions through it
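To make the D-Bus policy problem concrete, here is an added illustration of the pattern (this is not the NVIDIA driver's actual policy file; the bus name com.example.powerd and the file path are placeholders). The comment at the top shows the over-permissive form, the body shows the restrictive one:

```xml
<!-- Hypothetical /usr/share/dbus-1/system.d/com.example.powerd.conf (added
     example, placeholder names). The weak version had, for every local user:

       <policy context="default">
         <allow own="com.example.powerd"/>
         <allow send_destination="com.example.powerd"/>
       </policy>

     context="default" applies to every connection to the system bus, so any
     unprivileged process could claim the name or call the service's methods. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only root (the user the daemon runs as) may own the name and talk to it. -->
  <policy user="root">
    <allow own="com.example.powerd"/>
    <allow send_destination="com.example.powerd"/>
  </policy>
  <!-- Everyone else is explicitly denied; widen per group if a specific
       unprivileged caller genuinely needs access, never for "default". -->
  <policy context="default">
    <deny own="com.example.powerd"/>
    <deny send_destination="com.example.powerd"/>
  </policy>
</busconfig>
```

When reviewing a package that drops a file into /usr/share/dbus-1/system.d/ or /etc/dbus-1/system.d/, the thing to look for is exactly an <allow send_destination=...> (or <allow own=...>) inside a context="default" policy: that is what turns a root daemon's method calls into something any local user can trigger.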
[USN-5546-1, USN-5546-2] OpenJDK vulnerabilities [03:09]
10 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-34169 CVE-2022-21549 CVE-2022-21541 CVE-2022-21540 CVE-2022-21496 CVE-2022-21476 CVE-2022-21443 CVE-2022-21434 CVE-2022-21426 CVE-2022-21449
openjdk-8, 11, 17 for Ubuntu 18.04, 20.04 & 22.04 LTS
openjdk-8 for Ubuntu 16.04 ESM
Most interesting is the "Psychic Signatures" bug (CVE-2022-21449) - described
even in the upstream advisory as an "easily exploitable" vulnerability, where an
attacker could forge certain TLS/SSL certificates (ie ones using ECDSA
signatures) and hence intercept or modify communications without being
detected.
When support for validating ECDSA signatures was rewritten, it failed to check
that the provided signature values were not zero. A signature consists of two
values, r and s, which the standard requires to each lie in the range 1 to n-1
(n being the order of the curve's base point). The verifier inverts s, uses the
result to scale the message hash and r, derives a curve point from those two
scalars and finally checks that the x-coordinate of that point is congruent to
r. With r = s = 0 every intermediate value collapses to zero, so the final
comparison degenerates to 0 = 0 and an all-zero signature is accepted for any
message under any key.
Affects anything which uses ECDSA signatures - including signed JWTs,
SAML assertions, WebAuthn messages etc
This only affected OpenJDK 15 through 18, since this code was rewritten in
pure Java (previously it was C++, which was not vulnerable) for Java 15 -
so for Ubuntu this is openjdk-17 only, which is not the default JRE
(openjdk-11 is)
[USN-5549-1] Django vulnerability [06:16]
1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-36359
Possible "Reflected File Download" attack - an attack type first detailed at
Black Hat Europe in 2014 - which causes the browser to "virtually" download a
file from a trusted domain, which may then get executed since it appears to
come from a trusted source
Usually involves the application failing to validate input such that an
attacker can craft content which gets reflected into the response body (this
then becomes the contents of the file), as well as getting some content
injected into the resulting filename - and then cause the response to be
downloaded which will
In this case, if a Django application was setting the Content-Disposition
header of a FileResponse object based on a filename derived from user input,
an attacker could inject further parameters into that header - fixed to
escape the filename so that content can no longer be injected into the
Content-Disposition header
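To see what "escape the filename" buys you, here is an added example (not Django's code): a header builder that interpolates the user-supplied name directly, the escaped builder beside it, and a small Content-Disposition parameter parser standing in for the client so that the filename each version actually ends up with can be compared. The function names, the toy parser and the attacker payload are constructed for this example.

```python
# Added example (not Django's code): Content-Disposition built from a
# user-supplied filename, unescaped vs escaped, and what a client would pick.
from urllib.parse import quote, unquote


def content_disposition_unsafe(filename, as_attachment=True):
    """Pre-fix style: the filename goes into the quoted-string as-is."""
    disposition = "attachment" if as_attachment else "inline"
    return '{}; filename="{}"'.format(disposition, filename)


def content_disposition_safe(filename, as_attachment=True):
    """Escape backslash and double quote inside the quoted-string for ASCII
    names; otherwise fall back to an RFC 5987 filename* parameter whose value
    is percent-encoded, so no byte of user input can terminate the parameter."""
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = 'filename="{}"'.format(escaped)
    except UnicodeEncodeError:
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    return "{}; {}".format(disposition, file_expr)


def parse_params(header):
    """Split a Content-Disposition value on ';' outside quoted-strings and
    unescape quoted-pairs inside them (a simplified RFC 6266 parser)."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(header):
        c = header[i]
        if in_quotes and c == "\\" and i + 1 < len(header):
            buf.append(header[i + 1])   # quoted-pair: next char is literal
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes   # quotes delimit; not part of the value
        elif c == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    disposition, *params = (p.strip() for p in parts)
    pairs = (p.split("=", 1) for p in params if "=" in p)
    return disposition, {k.strip(): v for k, v in pairs}


def effective_filename(header):
    """Filename a client would use: filename* wins over filename (RFC 6266)."""
    _, params = parse_params(header)
    if "filename*" in params:
        charset, _, encoded = params["filename*"].partition("''")
        return unquote(encoded, encoding=charset or "utf-8")
    return params.get("filename")


# Constructed attacker input: closes the quoted filename, appends a filename*
# parameter (which clients prefer), and re-opens a quote to keep the header tidy.
PAYLOAD = "report.txt\"; filename*=utf-8''evil.bat; x=\""

if __name__ == "__main__":
    print(effective_filename(content_disposition_unsafe(PAYLOAD)))  # evil.bat
    print(effective_filename(content_disposition_safe(PAYLOAD)))    # the whole payload, as one name
```

The unsafe builder lets the payload close the quoted-string and smuggle in a second, higher-priority filename* parameter; the safe builder keeps the entire payload inside one quoted-string, so the worst the attacker gets is an odd-looking filename. CRLF injection is a separate concern here: Django's HttpResponse already refuses header values containing newlines, which is why this bug was about parameter injection rather than response splitting.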
[USN-5550-1] GnuTLS vulnerabilities [07:55]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2509 CVE-2021-4209
NULL pointer dereference and a double-free during verification of PKCS#7
signatures -> DoS / RCE
[USN-5551-1] mod-wsgi vulnerability [08:10]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2255
Would pass through the X-Client-IP header to WSGI applications even when it
came from an untrusted proxy (or directly from the client), and hence could
allow unintended access to services which rely on that header for access
control
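The trust decision mod_wsgi failed to make for X-Client-IP can be spelled out as a WSGI middleware. The following is an added example, not mod_wsgi's code: headers that claim to carry the client address are honoured only when the TCP peer is one of our own proxies, and are stripped otherwise so the application never sees a spoofed one. The proxy and internal network ranges, the toy application and the sample requests are all constructed for the demonstration.

```python
# Added example (not mod_wsgi's code): only believe client-IP headers that
# arrive from a trusted proxy; strip them from everything else.
import ipaddress

# WSGI environ keys under which proxies report the original client address.
CLIENT_IP_HEADERS = ("HTTP_X_CLIENT_IP", "HTTP_X_REAL_IP", "HTTP_X_FORWARDED_FOR")

TRUSTED_PROXIES = ["192.0.2.0/24"]   # our reverse proxies (constructed)
INTERNAL_NETS = ["10.0.0.0/8"]       # clients the toy app lets in (constructed)


def _valid_ip(addr):
    try:
        ipaddress.ip_address(addr.strip())
        return True
    except ValueError:
        return False


def _in_any(addr, networks):
    if not _valid_ip(addr):
        return False
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in ipaddress.ip_network(n) for n in networks)


class TrustedProxyMiddleware:
    """Fold a proxy-supplied client address into REMOTE_ADDR only when the
    peer is a trusted proxy, then remove the raw headers in every case so the
    application sees exactly one, already-vetted, client address."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = list(trusted_proxies)

    def __call__(self, environ, start_response):
        env = dict(environ)
        client = None
        if _in_any(env.get("REMOTE_ADDR", ""), self.trusted):
            client = env.get("HTTP_X_CLIENT_IP")
            if client is None and env.get("HTTP_X_FORWARDED_FOR"):
                # Rightmost hop that is not one of our proxies is the real client.
                hops = env["HTTP_X_FORWARDED_FOR"].split(",")
                client = next((h.strip() for h in reversed(hops)
                               if not _in_any(h, self.trusted)), None)
        for key in CLIENT_IP_HEADERS:
            env.pop(key, None)          # never let the app see the raw headers
        if client is not None and _valid_ip(client):
            env["REMOTE_ADDR"] = client
        return self.app(env, start_response)


def internal_only_app(environ, start_response):
    """Toy app that believes X-Client-IP, as apps behind a proxy commonly do."""
    client = environ.get("HTTP_X_CLIENT_IP") or environ.get("REMOTE_ADDR", "")
    status = "200 OK" if _in_any(client, INTERNAL_NETS) else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]


def status_of(app, environ):
    """Minimal WSGI driver returning the status line the app chose."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    list(app(dict(environ), start_response))
    return seen["status"]


# Constructed requests: an internet host spoofing X-Client-IP, an internal
# client arriving through our proxy, and an external one through our proxy.
SPOOFED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_CLIENT_IP": "10.0.0.5"}
VIA_PROXY = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_CLIENT_IP": "10.0.0.5"}
VIA_PROXY_EXTERNAL = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_CLIENT_IP": "203.0.113.7"}

guarded = TrustedProxyMiddleware(internal_only_app, TRUSTED_PROXIES)

if __name__ == "__main__":
    print(status_of(internal_only_app, SPOOFED))   # 200 OK: the bypass
    print(status_of(guarded, SPOOFED))             # 403 Forbidden
    print(status_of(guarded, VIA_PROXY))           # 200 OK
```

Run against the raw application, the spoofed request gets in; behind the middleware it does not, while the same header from a trusted proxy still works. With mod_wsgi itself the equivalent is its own WSGITrustedProxies / WSGITrustedProxyHeaders handling rather than a middleware; the point of writing it out is that the trust decision has to be made somewhere before the application reads the header.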
[USN-5548-1] libxml2 vulnerability [08:32]
1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2016-3709
Possible HTML/code injection -> XSS, since it would fail to properly escape
server-side includes when serialising HTML
Reported back in 2016 to the GNOME project, and seemingly ignored until the
offending commit which introduced the vuln was reverted ~2 years ago, so later
versions are not affected
The CVE was only assigned a few weeks ago. Interestingly, the discussion in 2018
included a pointer to three different CVEs in other XML/HTML parsing and
sanitisation libraries for the same type of issue - but in this case it was
ignored and no CVE assigned until now
[USN-5552-1] phpLiteAdmin vulnerability [11:29]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-46709
XSS through failure to validate the newRows parameter
[USN-5553-1] libjpeg-turbo vulnerabilities [11:42]
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2020-17541 CVE-2020-14152 CVE-2018-14498 CVE-2018-11813
Various memory corruption issues -> heap and stack buffer overflows
A logic issue and a failure to limit overall memory consumption during
decompression, leading to very large memory usage -> DoS
[USN-5554-1] GDK-PixBuf vulnerability [12:06]
1 CVE addressed in Focal (20.04 LTS)
CVE-2021-46829
Heap buffer overflow when loading crafted animated GIFs -> code execution,
particularly on 32-bit platforms
[USN-5555-1] GStreamer Good Plugins vulnerabilities [12:29]
7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-2122 CVE-2022-1925 CVE-2022-1924 CVE-2022-1923 CVE-2022-1922 CVE-2022-1921 CVE-2022-1920
Various integer overflows etc leading to heap buffer overflows in various
video codec handlers -> DoS / RCE
[USN-5558-1] libcdio vulnerabilities [13:00]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2017-18199 CVE-2017-18198
Audio CD read/control library
2 different memory management issues when handling crafted ISO files - a
heap buffer over-read and a NULL pointer dereference -> DoS
[USN-5557-1] Linux kernel vulnerabilities [13:44]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-2586 CVE-2022-2588
4.4 kernel
UAF in the network packet scheduler - could create a route filter which, when
removed, would still be referred to by other data structures, and then
allow a user to trigger access to this freed memory -> DoS / RCE
Similarly in netfilter, could have one nft object be referred to by an
nft set in another table, outliving the table it belongs to -> UAF
[USN-5560-1, USN-5560-2] Linux kernel vulnerabilities [14:37]
13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2022-34918 CVE-2022-33981 CVE-2022-1975 CVE-2022-1974 CVE-2022-1734 CVE-2022-1729 CVE-2022-1679 CVE-2022-1652 CVE-2022-1195 CVE-2022-1048 CVE-2022-0494 CVE-2022-2586 CVE-2022-2588
4.15 kernel - GA for 18.04 LTS, HWE etc for 16.04 ESM, Azure for 14.04 ESM
Various vulns plus the 2 network related UAFs above
[USN-5561-1] GNOME Web vulnerabilities [14:58]
4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-29536 CVE-2021-45087 CVE-2021-45086 CVE-2021-45085
Epiphany web browser
3 different XSS issues, plus 1 buffer overflow via a very long page title -> the
title gets ellipsised, but the UTF-8 byte length of the ellipsis is not properly
counted, so the result then overflows its bounds -> DoS / RCE
[USN-5559-1] Moment.js vulnerabilities [15:40]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-31129 CVE-2022-24785
Date handling library for JavaScript / Node.js applications
Path traversal vuln, since a user-provided locale string could end up being used
to switch the locale, which would then result in reading arbitrary local files
Quadratic complexity algorithm due to the use of regexps to parse strings into
dates - in particular RFC 2822 formats, which are tried by default - ReDoS
-> a very large input could result in significant CPU-based DoS
Goings on in Ubuntu Security Community
Ubuntu 22.04.1 LTS released [16:43]
https://lists.ubuntu.com/archives/ubuntu-announce/2022-August/000282.html
https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
https://www.youtube.com/watch?v=REdxblQpsDE
Includes all the various bug and security fixes that have gone into the
22.04 LTS release so far - if you are already running 22.04 LTS you don't
have to do anything to get this - just make sure you have been installing
updates 😉
The full list of changes targeted for this release can be found at
https://discourse.ubuntu.com/t/jammy-jellyfish-point-release-changes/29835
Now is when users of 20.04 LTS desktop will start being prompted to
upgrade to 22.04 - I definitely recommend upgrading, and to make the
process as smooth as possible, do it from a virtual terminal
This is the standard interface used for Ubuntu Server - a full-screen
terminal running directly on a console, with no graphical environment -
as such, it has a lot fewer processes and less infrastructure running, and so
there is less chance that something may crash during the upgrade process,
since libraries get swapped out from underneath running processes etc
Log out of your graphical session, then when at the GDM greeter / user
chooser login screen hit CTRL + ALT + F2
You will then be presented with a console prompt - log in with your
username and password, then you can start the upgrade process by running
sudo do-release-upgrade
This is the same way this is done for Ubuntu Server
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter