Sign up to save your podcasts
Or
Share Episode 199
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 199
Overview
For our 199th episode Andrei looks at Fuzzing Configurations of Program Options
plus we discuss Google’s findings on the io_uring kernel subsystem and we look
at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib
and more.
This week in Ubuntu Security Updates
53 unique CVEs addressed
[USN-6145-1] Sysstat vulnerabilities (00:55)
overflow - original fix was incomplete so a second CVE was issued
[USN-6146-1] Netatalk vulnerabilities (01:22)
files with macOS clients - similar to Samba for Windows
others OOB read - sadly there is no AppArmor profile for netatalk but it would
be interesting to try and create one
[USN-6147-1] SpiderMonkey vulnerability (02:21)
[USN-6149-1] Linux kernel vulnerabilities (02:52)
unprivileged user namespace (again)
[USN-6150-1, USN-6162-1] Linux kernel vulnerabilities (03:55)
[USN-6151-1] Linux kernel (Xilinx ZynqMP) vulnerabilities (04:13)
[USN-6152-1] Linux kernel (GKE) regression (04:21)
certain conditions
[USN-6153-1] Jupyter Core vulnerability (04:42)
unconditionally prepend the current working dir to the search path
[USN-6154-1] Vim vulnerabilities (04:58)
for 2023 - is this the sign that the rate of vim CVEs are decreasing?
Figure 1: Vulnerabilities by year in vim from https://www.cvedetails.com/product/14270/VIM-VIM.html?vendor_id=8218
[USN-6155-1] Requests vulnerability (05:56)
destination server when redirected by a HTTPS endpoint
[USN-6156-1] SSSD vulnerability (06:11)
ie. a certificate may contain parenthesis in say the Subject DN field - this
would then be used directly in the query and would be interpreted as
parameters in the LDAP query - could then allow a malicious client to provide
a crafted certificate which performs arbitrary LDAP queries etc - such that
when used in conjunction with FreeIPA they could elevate their privileges
[USN-6148-1] SNI Proxy vulnerability (06:54)
address longer than the maximum possible - since parses it into a fixed size
buffer
[USN-6157-1] GlusterFS vulnerability
crash -> DoS
[USN-6143-2] Firefox regressions (07:25)
to just indicate an error occurred and continue without the data
[USN-6158-1] Node Fetch vulnerability (07:45)
to the other - violation of same origin policy
[USN-6159-1] Tornado vulnerability (07:59)
will redirect the user to a different arbitrary site - can then be used to
phish the user
[USN-6160-1] GNU binutils vulnerability (08:27)
then possibly get code execution - requires the user to run objdump or similar
on an attacker controlled binary - in general binutils is expected to only be
run on trusted inputs - so if you are using objdump etc for reverse
engineering arbitrary binaries, should do this in an isolated environment - VM
[USN-6161-1] .NET vulnerabilities (09:02)
issues in the language runtime (not a lot of details provided by MS on these)
[USN-6164-1] c-ares vulnerabilities (09:24)
and more
to be tricked into writing infront of an allocated buffer - memory corruption
-> DoS / RCE
then cause the resolver to shutdown the “connection” as it sees a 0 byte
read - however that code path assumes the transport protocol is TCP - this is
not a valid assumption for UDP as UDP is connectionless
[USN-6165-1] GLib vulnerabilities (11:07)
fuzzing glib - GVariant used for on-the-wire encoding of parameters in DBus
etc - similar to protobuf’s etc
[USN-6166-1] libcap2 vulnerabilities (11:35)
handling really large strings
Goings on in Ubuntu Security Community
Google disables io_uring in ChromeOS and their production servers (12:00)
monetary rewards for researchers who find exploitable bugs in Google
Kubernetes Engine (GKE) or the underlying Linux kernel
$1m USD rewarded for io_uring submissions alone - and io_uring was used in all
submissions which bypassed their mitigations
November 2022 to increase performance of their arcvm which is used to run
Android apps on ChromeOS) but then now disabled 4 months later in Feb this
year
future will also use SELinux to restrict access even further to only select
system processes
of your GKE Kubernetes cluster
for it, it presents too much of a risk for use by untrusted applications etc
Andrei discusses Fuzzing Configurations of Program Options (15:06)
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
For our 199th episode Andrei looks at Fuzzing Configurations of Program Options
plus we discuss Google’s findings on the io_uring kernel subsystem and we look
at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib
and more.
This week in Ubuntu Security Updates
53 unique CVEs addressed
[USN-6145-1] Sysstat vulnerabilities (00:55)
overflow - original fix was incomplete so a second CVE was issued
[USN-6146-1] Netatalk vulnerabilities (01:22)
files with macOS clients - similar to Samba for Windows
others OOB read - sadly there is no AppArmor profile for netatalk but it would
be interesting to try and create one
[USN-6147-1] SpiderMonkey vulnerability (02:21)
[USN-6149-1] Linux kernel vulnerabilities (02:52)
unprivileged user namespace (again)
[USN-6150-1, USN-6162-1] Linux kernel vulnerabilities (03:55)
[USN-6151-1] Linux kernel (Xilinx ZynqMP) vulnerabilities (04:13)
[USN-6152-1] Linux kernel (GKE) regression (04:21)
certain conditions
[USN-6153-1] Jupyter Core vulnerability (04:42)
unconditionally prepend the current working dir to the search path
[USN-6154-1] Vim vulnerabilities (04:58)
for 2023 - is this the sign that the rate of vim CVEs are decreasing?
Figure 1: Vulnerabilities by year in vim from https://www.cvedetails.com/product/14270/VIM-VIM.html?vendor_id=8218
[USN-6155-1] Requests vulnerability (05:56)
destination server when redirected by a HTTPS endpoint
[USN-6156-1] SSSD vulnerability (06:11)
ie. a certificate may contain parenthesis in say the Subject DN field - this
would then be used directly in the query and would be interpreted as
parameters in the LDAP query - could then allow a malicious client to provide
a crafted certificate which performs arbitrary LDAP queries etc - such that
when used in conjunction with FreeIPA they could elevate their privileges
[USN-6148-1] SNI Proxy vulnerability (06:54)
address longer than the maximum possible - since parses it into a fixed size
buffer
[USN-6157-1] GlusterFS vulnerability
crash -> DoS
[USN-6143-2] Firefox regressions (07:25)
to just indicate an error occurred and continue without the data
[USN-6158-1] Node Fetch vulnerability (07:45)
to the other - violation of same origin policy
[USN-6159-1] Tornado vulnerability (07:59)
will redirect the user to a different arbitrary site - can then be used to
phish the user
[USN-6160-1] GNU binutils vulnerability (08:27)
then possibly get code execution - requires the user to run objdump or similar
on an attacker controlled binary - in general binutils is expected to only be
run on trusted inputs - so if you are using objdump etc for reverse
engineering arbitrary binaries, should do this in an isolated environment - VM
[USN-6161-1] .NET vulnerabilities (09:02)
issues in the language runtime (not a lot of details provided by MS on these)
[USN-6164-1] c-ares vulnerabilities (09:24)
and more
to be tricked into writing infront of an allocated buffer - memory corruption
-> DoS / RCE
then cause the resolver to shutdown the “connection” as it sees a 0 byte
read - however that code path assumes the transport protocol is TCP - this is
not a valid assumption for UDP as UDP is connectionless
[USN-6165-1] GLib vulnerabilities (11:07)
fuzzing glib - GVariant used for on-the-wire encoding of parameters in DBus
etc - similar to protobuf’s etc
[USN-6166-1] libcap2 vulnerabilities (11:35)
handling really large strings
Goings on in Ubuntu Security Community
Google disables io_uring in ChromeOS and their production servers (12:00)
monetary rewards for researchers who find exploitable bugs in Google
Kubernetes Engine (GKE) or the underlying Linux kernel
$1m USD rewarded for io_uring submissions alone - and io_uring was used in all
submissions which bypassed their mitigations
November 2022 to increase performance of their arcvm which is used to run
Android apps on ChromeOS) but then now disabled 4 months later in Feb this
year
future will also use SELinux to restrict access even further to only select
system processes
of your GKE Kubernetes cluster
for it, it presents too much of a risk for use by untrusted applications etc
Andrei discusses Fuzzing Configurations of Program Options (15:06)
Get in contact