Ubuntu Security Podcast

Episode 177



Overview

Alex talks with special guests Nishit Majithia and Matthew Ruffell about a recent systemd regression on Ubuntu 18.04 LTS, plus we cover security updates for Dnsmasq, the Linux kernel, poppler, .NET 6, rust-regex and more.

This week in Ubuntu Security Updates

28 unique CVEs addressed

[USN-4976-2] Dnsmasq vulnerability [00:55]
  • 1 CVE addressed in Xenial ESM (16.04 ESM)
    • CVE-2021-3448
  • [USN-4976-1] Dnsmasq vulnerability from Episode 118
  • Failed to properly randomise the source port (ie used a fixed port) when forwarding queries when configured to use a specific server for a given network interface - could then allow a remote attacker to more easily perform cache poisoning attacks (ie just need to guess the transaction ID once the source port is known to get a forged reply accepted)
    • As I said back in Episode 118, this is very similar to the issues that were discovered back in 2008 by Dan Kaminsky - the whole reason source port randomisation was introduced as part of the DNS protocol
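An added defender's check (example code written for these notes, not part of Dnsmasq or the podcast) for the symptom described above: it parses constructed tcpdump-style lines for the queries a forwarder sends upstream and flags any upstream server that is only ever reached from a single source port, which is what leaves only the transaction ID for an off-path forger to guess.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines for queries a forwarder sends upstream
# (not a real capture). Queries to 203.0.113.53 all leave from one fixed
# source port, the CVE-2021-3448 symptom; queries to 198.51.100.53 use a
# fresh source port each time.
SAMPLE = """\
IP 192.0.2.10.42000 > 203.0.113.53.53: 41231+ A? example.com. (29)
IP 192.0.2.10.42000 > 203.0.113.53.53: 7001+ A? example.org. (29)
IP 192.0.2.10.42000 > 203.0.113.53.53: 3998+ AAAA? example.net. (29)
IP 192.0.2.10.42000 > 203.0.113.53.53: 21777+ A? example.edu. (29)
IP 192.0.2.10.51873 > 198.51.100.53.53: 11068+ A? example.com. (29)
IP 192.0.2.10.60211 > 198.51.100.53.53: 40286+ A? example.org. (29)
IP 192.0.2.10.33907 > 198.51.100.53.53: 2571+ AAAA? example.net. (29)
IP 192.0.2.10.45122 > 198.51.100.53.53: 30634+ A? example.edu. (29)
"""

# "IP src.sport > dst.53: txid" - only the fields the check needs
LINE_RE = re.compile(
    r"^IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: (?P<txid>\d+)")

def parse_queries(text):
    """Yield (upstream, source_port, txid) for each outbound query line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["dst"], int(m["sport"]), int(m["txid"])

def port_randomisation_report(text, min_queries=4):
    """Per upstream server: (queries seen, distinct source ports, fixed?).
    A server reached from a single port across min_queries or more queries
    is flagged: an off-path forger then only has the 16-bit transaction ID
    left to guess, instead of transaction ID plus source port."""
    ports, count = defaultdict(set), defaultdict(int)
    for dst, sport, _ in parse_queries(text):
        ports[dst].add(sport)
        count[dst] += 1
    return {dst: (count[dst], len(ports[dst]),
                  count[dst] >= min_queries and len(ports[dst]) == 1)
            for dst in count}

if __name__ == "__main__":
    for dst, (n, nports, fixed) in port_randomisation_report(SAMPLE).items():
        print(f"{dst}: {n} queries, {nports} source port(s)"
              + (" <- FIXED PORT, check forwarder" if fixed else ""))
```

The min_queries floor avoids flagging an upstream that was only queried once or twice, where a single observed port is not evidence of anything.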
[USN-5602-1] Linux kernel (Raspberry Pi) vulnerabilities [02:11]
  • 9 CVEs addressed in Jammy (22.04 LTS)
    • CVE-2022-2959
    • CVE-2022-2873
    • CVE-2022-2503
    • CVE-2022-1973
    • CVE-2022-1943
    • CVE-2022-1852
    • CVE-2022-1729
    • CVE-2022-1012
    • CVE-2021-33061
  • See [USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities from last week

[USN-5603-1] Linux kernel (Raspberry Pi) vulnerabilities [02:29]
  • 2 CVEs addressed in Bionic (18.04 LTS)
    • CVE-2021-33656
    • CVE-2021-33061
  • See [USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities from last week

[USN-5605-1] Linux kernel (Azure CVM) vulnerabilities [02:38]
  • 2 CVEs addressed in Focal (20.04 LTS)
    • CVE-2021-33656
    • CVE-2021-33061
  • See [USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities from last week

[USN-5523-2] LibTIFF vulnerabilities [02:45]
  • 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-19144
    • CVE-2020-19131
    • CVE-2022-22844
    • CVE-2022-0924
    • CVE-2022-0909
    • CVE-2022-0908
    • CVE-2022-0907
  • [USN-5523-1] LibTIFF vulnerabilities from Episode 169

[USN-5604-1] LibTIFF vulnerabilities [03:13]
  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
    • CVE-2022-2868
    • CVE-2022-2869
    • CVE-2022-2867

[USN-5606-1] poppler vulnerability [03:23]
  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
    • CVE-2022-38784
  • Integer overflow in the JBIG2 decoder -> heap buffer overflow via a crafted PDF / JBIG2 image - very similar to CVE-2022-38171 in xpdf
    • poppler started life as a fork of code from xpdf-3.0 but has now diverged so much that in general a vuln in one cannot be assumed to exist in the other, hence the separate CVE IDs for these two vulns

[USN-5607-1] GDK-PixBuf vulnerability [04:11]
  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
    • CVE-2021-44648
  • Heap buffer overflow when decoding the LZW compressed stream from GIF files

[USN-5608-1] DPDK vulnerability [04:26]
  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
    • CVE-2022-2132
  • Crafted Vhost header could cause a DoS

[USN-5609-1] .NET 6 vulnerability [04:39]
  • 1 CVE addressed in Jammy (22.04 LTS)
    • CVE-2022-38013
  • DoS in .NET Core - “a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding”
  • https://devblogs.microsoft.com/dotnet/september-2022-updates/
  • Updates to the latest upstream release, 6.0.109

[USN-5583-2] systemd regression [05:16]
  • 1 CVE addressed in Bionic (18.04 LTS)
    • CVE-2022-2526
  • Mentioned in passing in both of the last 2 weeks' episodes

[USN-5610-1] rust-regex vulnerability
  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
    • CVE-2022-24713
  • ReDoS in the regex crate - it already includes various mitigations against DoS via untrusted regexes (and these can be tuned by users of the crate) - however these could be bypassed by a regex that specified an empty subexpression that should be matched up to, say, 294 million times - this then gets compiled but is able to evade the existing mitigations since it doesn't take any memory - but it does take a lot of CPU time
  • Fixed by changing the code such that it will take a fake amount of memory for each empty subexpression and therefore will trip the existing detection logic in a reasonable amount of time
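An added, simplified model of the size-limit accounting the fix changes (example code for these notes, not the regex crate's own implementation or data structures): a repetition of an empty subexpression costs nothing under the pre-fix accounting and so passes the limit, while charging a nominal unit per empty repetition makes the same pattern trip it. The size limit value is an assumption chosen for the model.

```python
from dataclasses import dataclass
from typing import Union

# Toy regex AST with just the node kinds the bypass needs (a constructed
# model, not the regex crate's own representation).
@dataclass
class Literal:
    ch: str

@dataclass
class Empty:
    """The empty subexpression, e.g. the '()' in '(){294000000}'."""

@dataclass
class Repeat:
    sub: "Node"
    count: int

Node = Union[Literal, Empty, Repeat]

# Size limit used by this model; the crate's own limit is configurable by
# users of the crate, and this number is an assumption for the example.
SIZE_LIMIT = 10 * (1 << 20)

def compiled_size(node, charge_empty):
    """Estimated memory of the compiled program, in arbitrary units.
    charge_empty=False models the pre-fix accounting: an empty subexpression
    compiles to nothing, so repeating it 294 million times still costs 0 and
    the limit never trips, even though every repetition costs compile-time
    CPU. charge_empty=True models the fix: each empty repetition is charged
    a nominal unit, so the same pattern exceeds the limit and is rejected."""
    if isinstance(node, Literal):
        return 1
    if isinstance(node, Empty):
        return 1 if charge_empty else 0
    # Bounded repetition is unrolled, so its cost scales with the count.
    return node.count * compiled_size(node.sub, charge_empty)

def accepted(node, charge_empty, limit=SIZE_LIMIT):
    """True if the pattern passes the size-limit check."""
    return compiled_size(node, charge_empty) <= limit

if __name__ == "__main__":
    bypass = Repeat(Empty(), 294_000_000)
    benign = Repeat(Literal("a"), 100)
    for name, ast in (("(){294000000}", bypass), ("a{100}", benign)):
        print(f"{name}: pre-fix accepted={accepted(ast, False)}, "
              f"fixed accepted={accepted(ast, True)}")
```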
[USN-5611-1] WebKitGTK vulnerability [06:53]
  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
    • CVE-2022-32893
  • OOB write via malicious web content - Apple reported that this was being actively exploited for iOS users (Safari uses WebKit)
Goings on in Ubuntu Security Community

Discussion of the recent systemd regression in Ubuntu 18.04 LTS with Nishit Majithia and Matthew Ruffell [07:49]
  • Gathered media attention
    • https://thenewstack.io/ubuntu-linux-and-azure-dns-problem-gives-azure-fits/
  • Matthew is from the Sustaining Engineering Team at Canonical - I talked about his blog in Analysis of the dovecat and hy4 Linux Malware - from Episode 97
Get in contact
  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @ubuntu_sec on twitter
  • ...more
Ubuntu Security Podcast, by Ubuntu Security Team