Sign up to save your podcasts
Or
Share Episode 188
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 188
Overview
This week the common theme is vulnerabilities in setuid-root binaries and their
use of environment variables, so we take a look at a great blog post from the
Trail of Bits team about one such example in the venerable chfn plus we look at
some security vulnerabilities in, and updates for the Linux kernel, Go Text, the
X Server and more, and finally we cover the recent announcement of Ubuntu
22.04.2 LTS.
This week in Ubuntu Security Updates
75 unique CVEs addressed
[USN-5872-1] NSS vulnerabilities [00:57]
[USN-5874-1] Linux kernel vulnerabilities
[USN-5877-1] Linux kernel (GKE) vulnerabilities [01:06]
handshake likely can allow an unprivileged remote attacker within bluetooth
range to crash kernel / leak contents of memory or get RCE - or even a local
unprivileged user could use this to try and escalate their privileges by
turning on bluetooth then attacking the machine via it
sysctl which is normally only available to root - but also can be used by root
within a user namespace - so if have unprivileged user namespaces enabled then
a local unpriv user can use this to either crash the kernel or possibly
execute arbitrary code within the kernel -> EoP
[USN-5875-1] Linux kernel (GKE) vulnerabilities [03:20]
[USN-5876-1] Linux kernel vulnerabilities
[USN-5878-1] Linux kernel (Azure) vulnerabilities
[USN-5879-1] Linux kernel (HWE) vulnerabilities
[USN-5873-1] Go Text vulnerabilities [03:54]
application - often used for parsing of HTTP headers
package - quirk of the way Go packages are packaged in Debian and hence
Ubuntu - since go binaries are generally statically compiled, another package
will use the -dev package to build and get statically linked against this - so
the security team has to then rebuild all the other packages in the archive
that use this -dev package
[USN-5880-1] Firefox vulnerabilities [07:15]
allowing to bypass restrictions etc
[USN-5881-1] Chromium vulnerabilities
etc
[USN-5778-2] X.Org X Server vulnerabilities [08:15]
overflows etc -> local user could then possibly get EoP when X server is
running as root (as it is on these older releases - only on 18.04 and onwards
does X run as the unprivileged user)
[USN-5807-2] libXpm vulnerabilities [09:01]
files - would call out to external binaries to decompress these - so if a
malicious user could influence the PATH environment variable could get it to
execute their binaries instead - particularly could be an issue if a setuid()
binary uses libxpm - and this is mentioned in the glibc manual around tips for
writing setuid programs
Goings on in Ubuntu Security Community
Readline crime: exploiting a SUID logic bug [10:06]
implemented by the util-linux package - used the readline library for input
handling by many CLI applications - as a result, able to be abused to read the
contents of a root-owned SSH private key
privileged components
finding
from Qualys, started out looking for setuid binaries that used environment
variables as part of their operation - since this often allows an unprivileged
user to set that env var and then run the setuid binary which then runs as
root - if it then can be influenced by the value of that env var can possibly
then go further to cause other effects as root (EoP?)
/etc/shadow) would use the readline library just to read input from the user -
by default readline will parse its configuration from the INPUTRC environment
variable
configuration which are invalid
set INPUTRC to point to that file and execute chfn and it will then go parse
that - however, the file first has to appear close to the format which is
expected - and it just so happens that SSH private keys fit this bill
standalone passwd package, not util-linux - and the chfn from passwd didn’t
use readline
explicit things the security team does when auditing packages as part of the MIR security review process
Ubuntu 22.04.2 LTS released [14:55]
running 22.04 LTS with updates enabled you will already have it
was only Livepatch, but can now enable any of the Ubuntu Pro offerings as
soon as you log in for the first time.
initial setup wizard and choose which elements - esm-infra / esm-apps /
livepatch and even FIPS and USG (Ubuntu Security Guide for CIS and DISA-STIG
compliance and auditing)
deny-listed in latest shim due to having signed a version of grub2 which is
now known to have various vulnerabilities that could enable a local attacker
to bypass secure boot restrictions (Boot Hole v3 v4?)
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week the common theme is vulnerabilities in setuid-root binaries and their
use of environment variables, so we take a look at a great blog post from the
Trail of Bits team about one such example in the venerable chfn plus we look at
some security vulnerabilities in, and updates for the Linux kernel, Go Text, the
X Server and more, and finally we cover the recent announcement of Ubuntu
22.04.2 LTS.
This week in Ubuntu Security Updates
75 unique CVEs addressed
[USN-5872-1] NSS vulnerabilities [00:57]
[USN-5874-1] Linux kernel vulnerabilities
[USN-5877-1] Linux kernel (GKE) vulnerabilities [01:06]
handshake likely can allow an unprivileged remote attacker within bluetooth
range to crash kernel / leak contents of memory or get RCE - or even a local
unprivileged user could use this to try and escalate their privileges by
turning on bluetooth then attacking the machine via it
sysctl which is normally only available to root - but also can be used by root
within a user namespace - so if have unprivileged user namespaces enabled then
a local unpriv user can use this to either crash the kernel or possibly
execute arbitrary code within the kernel -> EoP
[USN-5875-1] Linux kernel (GKE) vulnerabilities [03:20]
[USN-5876-1] Linux kernel vulnerabilities
[USN-5878-1] Linux kernel (Azure) vulnerabilities
[USN-5879-1] Linux kernel (HWE) vulnerabilities
[USN-5873-1] Go Text vulnerabilities [03:54]
application - often used for parsing of HTTP headers
package - quirk of the way Go packages are packaged in Debian and hence
Ubuntu - since go binaries are generally statically compiled, another package
will use the -dev package to build and get statically linked against this - so
the security team has to then rebuild all the other packages in the archive
that use this -dev package
[USN-5880-1] Firefox vulnerabilities [07:15]
allowing to bypass restrictions etc
[USN-5881-1] Chromium vulnerabilities
etc
[USN-5778-2] X.Org X Server vulnerabilities [08:15]
overflows etc -> local user could then possibly get EoP when X server is
running as root (as it is on these older releases - only on 18.04 and onwards
does X run as the unprivileged user)
[USN-5807-2] libXpm vulnerabilities [09:01]
files - would call out to external binaries to decompress these - so if a
malicious user could influence the PATH environment variable could get it to
execute their binaries instead - particularly could be an issue if a setuid()
binary uses libxpm - and this is mentioned in the glibc manual around tips for
writing setuid programs
Goings on in Ubuntu Security Community
Readline crime: exploiting a SUID logic bug [10:06]
implemented by the util-linux package - used the readline library for input
handling by many CLI applications - as a result, able to be abused to read the
contents of a root-owned SSH private key
privileged components
finding
from Qualys, started out looking for setuid binaries that used environment
variables as part of their operation - since this often allows an unprivileged
user to set that env var and then run the setuid binary which then runs as
root - if it then can be influenced by the value of that env var can possibly
then go further to cause other effects as root (EoP?)
/etc/shadow) would use the readline library just to read input from the user -
by default readline will parse its configuration from the INPUTRC environment
variable
configuration which are invalid
set INPUTRC to point to that file and execute chfn and it will then go parse
that - however, the file first has to appear close to the format which is
expected - and it just so happens that SSH private keys fit this bill
standalone passwd package, not util-linux - and the chfn from passwd didn’t
use readline
explicit things the security team does when auditing packages as part of the MIR security review process
Ubuntu 22.04.2 LTS released [14:55]
running 22.04 LTS with updates enabled you will already have it
was only Livepatch, but can now enable any of the Ubuntu Pro offerings as
soon as you log in for the first time.
initial setup wizard and choose which elements - esm-infra / esm-apps /
livepatch and even FIPS and USG (Ubuntu Security Guide for CIS and DISA-STIG
compliance and auditing)
deny-listed in latest shim due to having signed a version of grub2 which is
now known to have various vulnerabilities that could enable a local attacker
to bypass secure boot restrictions (Boot Hole v3 v4?)
Get in contact