Overview
Finer-grained control for unprivileged user namespaces is on the horizon for
Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS,
This week in Ubuntu Security Updates
[USN-5626-2] Bind vulnerabilities [00:40]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-38177 CVE-2022-2795
[USN-5626-1] Bind vulnerabilities from Episode 178
[USN-5627-1] PCRE vulnerabilities [01:01]
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-1587 CVE-2022-1586
2 OOB reads with crafted regexes - possible info leak
[USN-5628-1] etcd vulnerabilities [01:19]
4 CVEs addressed in Focal (20.04 LTS)
CVE-2020-15114 CVE-2020-15113 CVE-2020-15112 CVE-2020-15106
distributed key/value store used by Kubernetes
all these vulns come from a security audit conducted by Trail of Bits in January of 2020
performed both manual and automated review -> gosec, errcheck, ineffassign etc
also fuzzed the WAL file handling (write-ahead logging - used to record transactions that have been committed but not yet applied to the main database)
2 issues in WAL file handling (crash), plus one in handling of directory permissions for a directory that may already exist (info leak) and one in setup of endpoints that could allow a DoS
[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-36946 CVE-2022-2503 CVE-2022-1729 CVE-2022-32296 CVE-2022-1012 CVE-2021-33655
5.4 Raspi HWE 18.04 LTS / Azure CVM 20.04 LTS
Same set of vulnerabilities covered in last week's episode - [USN-5622-1] Linux kernel vulnerabilities
[USN-5633-1, USN-5635-1, USN-5640-1, USN-5644-1] Linux kernel vulnerabilities [03:09]
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-36946 CVE-2022-34495 CVE-2022-34494 CVE-2022-33744 CVE-2022-33743 CVE-2022-33742 CVE-2022-33741 CVE-2022-33740 CVE-2022-26365 CVE-2022-2318 CVE-2021-33655
5.15 Raspi + GKE/GCP + Oracle + GCP (20.04)
[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]
1 CVE addressed in Jammy (22.04 LTS)
CVE-2022-36946
5.17 OEM
netfilter remote DoS via crafted packet with a very short payload
[USN-5632-1] OAuthLib vulnerability [03:40]
1 CVE addressed in Jammy (22.04 LTS)
CVE-2022-36087
OAuth implementation for Python 3 - used by various other applications like keystone, django, duplicity
DoS via a malicious redirect URL specifying an IPv6 address - could trigger an exception -> application crash -> DoS
[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-46822 CVE-2020-35538 CVE-2020-17541 CVE-2018-11813
Various issues in handling of crafted JPEG/PPM files - stack buffer overflow, heap buffer overflow, NULL pointer dereference, resource consumption based DoS
in cjpeg utility - crafted file with a valid Targa header but incomplete data - would keep trying to read pixels after reaching EOF - internally used getc(), which returns the special value EOF when the end of file is reached - this is actually -1 but requires the caller to check for this special value - if not, it would interpret this as pixel data (all bits set -> 255,255,255 -> white), resulting in a JPEG file that was possibly thousands of times bigger than the input file - fixed to use the existing input routines to read the data, which already check for the EOF condition
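The getc()/EOF mistake described above, as an added example (not libjpeg-turbo's own code): a constructed Targa-like stream whose header claims more pixels than the body contains, read once with the vulnerable narrowing pattern and once with the EOF check that the fix relies on. fmemopen() (POSIX.1-2008) stands in for a real file, and the header layout is a constructed simplification.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>

/* Constructed input: a tiny Targa-like stream whose 2-byte header claims
 * 4 RGB pixels (12 bytes of data) but whose body stops after 2 pixels. */
#define DECLARED_PIXELS 4
static const unsigned char truncated_input[] = {
    4, 1,           /* constructed header: width = 4, height = 1 */
    10, 20, 30,     /* pixel 0 */
    40, 50, 60      /* pixel 1; pixels 2 and 3 are missing */
};

/* Vulnerable pattern (the cjpeg bug described above): getc() returns an int,
 * but storing it straight into an unsigned char turns EOF (-1) into 0xFF, so
 * the loop never notices the end of file and emits white pixels until the
 * declared count is reached. Returns the pixel count it claims to have read. */
size_t read_pixels_unchecked(FILE *f, unsigned char *out, size_t npix)
{
    for (size_t i = 0; i < npix * 3; i++)
        out[i] = (unsigned char)getc(f);    /* EOF is never checked */
    return npix;
}

/* Hardened pattern: keep the int, compare against EOF before narrowing, and
 * report truncated input instead of fabricating pixel data. Returns the
 * pixel count on success or -1 on premature end of file. */
long read_pixels_checked(FILE *f, unsigned char *out, size_t npix)
{
    for (size_t i = 0; i < npix * 3; i++) {
        int c = getc(f);
        if (c == EOF)
            return -1;
        out[i] = (unsigned char)c;
    }
    return (long)npix;
}

/* Opens the constructed stream, skips the header, and runs one of the two
 * readers into out (room for DECLARED_PIXELS * 3 bytes). */
long demo(int checked, unsigned char *out)
{
    FILE *f = fmemopen((void *)truncated_input, sizeof truncated_input, "r");
    if (!f)
        return -2;
    getc(f);                                /* consume the 2-byte header */
    getc(f);
    long n = checked ? read_pixels_checked(f, out, DECLARED_PIXELS)
                     : (long)read_pixels_unchecked(f, out, DECLARED_PIXELS);
    fclose(f);
    return n;
}
```

With the unchecked reader the two missing pixels come back as 255,255,255 and the declared count is reported; the checked reader stops at the first EOF and reports the truncation instead.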
[USN-5629-1] Python vulnerability [05:54]
1 CVE addressed in Xenial ESM (16.04 ESM)
CVE-2021-28861
Open redirect in http.server through a URI which has multiple / at the beginning - a URI such as //path gets treated as an absolute URI rather than a path - could then end up sending a 301 Location header with a misleading target
Upstream disputes this - states that http.server should not be used in production as it only implements basic security checks
[USN-5636-1] SoS vulnerability [06:39]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2806
sosreport - used to gather details of a system etc for debug/analysis
Redacts passwords - previously used a hardcoded list of possible things that could contain passwords - instead now looks for anything with the name password and redacts that
[USN-5637-1] libvpx vulnerability [07:45]
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2020-0034
OOB read -> info leak / crash
[USN-5638-1] Expat vulnerability [07:55]
1 CVE addressed in Xenial ESM (16.04 ESM)
CVE-2022-40674
UAF with crafted XML content -> crash / RCE
[USN-5641-1] Squid vulnerabilities [08:06]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-41318 CVE-2022-41317
Failed to properly handle ACLs for cache manager, allowing a trusted client to read other client IDs / credentials and internal network structure
Integer overflow -> buffer overread when using SSPI/SMB authentication helpers for NTLM authentication - since this is in handling of credentials, could allow an attacker to read decrypted user credentials or other memory regions from Squid
[USN-5642-1] WebKitGTK vulnerabilities [08:57]
1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-32886
Buffer overflow when handling malicious web content -> RCE
[USN-5643-1] Ghostscript vulnerabilities [09:18]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2085 CVE-2020-27792
2 issues in PDF file handling
NULL pointer dereference -> DoS
heap buffer overflow -> DoS / RCE
Goings on in Ubuntu Security Community
Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]
https://lists.ubuntu.com/archives/ubuntu-announce/2022-September/000284.html
Includes details on how to upgrade - as per when we covered the Ubuntu 22.04.1 release - if you do want to upgrade to the beta, and you are using 22.04 desktop, then first log out, switch to a virtual console (Ctrl-Alt-F2) and run it from there, as there is less chance that it takes down your whole graphical session and hence the upgrade process partway through
Will cover in more detail when the final release comes out in a few weeks
Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]
Often has been a source of increased attack surface for the kernel
Disabling of unpriv userns has often been recommended to mitigate various kernel vulns
This is done via sysctl in Ubuntu: sudo sysctl kernel.unprivileged_userns_clone=0
Big hammer - either on or off
Various applications have legitimate uses of unpriv userns - flatpak / bubblewrap etc
some of these ship a helper application which is setuid root so they can still use user namespaces, but this then creates another attack surface - the setuid-root binary
instead it would be better to have a way to only allow particular applications to use unprivileged user namespaces and then deny it to others
would provide much finer-grained control over this potentially risky feature
AppArmor developers have added support for just this
all unconfined applications would be denied and only confined applications which have the userns permission would be allowed
For now, it is planned to have this disabled by default for 22.10
AppArmor will have a sysctl to enable it so it can be tested
Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
With any luck, 23.04 will ship with this enabled along with AppArmor confinement for things like bubblewrap etc that require this capability
Snaps will get it for free since they are confined by AppArmor out of the box
John Johansen is working with the kernel team to land this in the kernel for 22.10
Georgia Garcia is working on the userspace side to add support for creating policy that specifies the userns permission in the apparmor package too
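A small check for the "big hammer" sysctl discussed above, as an added example (not Ubuntu's or AppArmor's own code): it reads kernel.unprivileged_userns_clone from /proc and then tries unshare(CLONE_NEWUSER) in a throwaway child, so an administrator can confirm that the configured value matches what the kernel actually enforces for an unprivileged process. Assumes Linux; run it as a non-root user, since root holds CAP_SYS_ADMIN and is not subject to the restriction.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reads Ubuntu's kernel.unprivileged_userns_clone sysctl via /proc.
 * Returns the value (0 or 1), or -1 if the file is absent (non-Ubuntu kernel). */
int read_userns_clone_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    int value;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

/* Attempts unshare(CLONE_NEWUSER) in a forked child so the caller's own
 * namespaces are untouched. Returns 0 if the kernel allowed an unprivileged
 * user namespace, the child's errno if it refused (EPERM when the sysctl or
 * a confining policy denies it), or -1 if fork/wait itself failed. */
int probe_unpriv_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = unshare(CLONE_NEWUSER);
        _exit(rc == 0 ? 0 : (errno & 0xff));   /* errno fits the exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int sysctl = read_userns_clone_sysctl();
    int err = probe_unpriv_userns();
    printf("kernel.unprivileged_userns_clone = %d\n", sysctl);
    if (err == 0)
        puts("unprivileged user namespace creation: ALLOWED");
    else if (err > 0)
        printf("unprivileged user namespace creation: DENIED (%s)\n", strerror(err));
    else
        puts("probe failed (fork/wait error)");
    return 0;
}
```

A sysctl value of 0 paired with ALLOWED for a non-root user means the restriction is not taking effect on that kernel, which is exactly the mismatch this check is meant to surface.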
Hopefully can all land both via the FeatureFreezeException (FFe) process
Ubuntu Security Podcast on break for 1 week
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter