Overview
This week we look at the top 25 most dangerous vulnerability types, as well as
the announcement of the program for LSS EU, and we cover security updates for
Bind, the Linux kernel, CUPS, etcd and more.
This week in Ubuntu Security Updates
[USN-6183-1] Bind vulnerabilities (00:53)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2911 CVE-2023-2828
Two DoS issues - when bind was configured as a recursive resolver, possible to
cause the configured cache size to be exceeded by a remote attacker by
performing queries in a particular manner (as this would then evade the normal
cache cleaning algorithm) - DoS due to excessive memory usage -> OOM killer
etc
The other was due to a recursive algorithm that could be triggered in a
pathological way when particular configuration options were used - eventually
would exhaust the available stack space -> killed by stack protections -> DoS
[USN-6185-1] Linux kernel vulnerabilities (01:52)
8 CVEs addressed in Focal (20.04 LTS)
CVE-2023-2985 CVE-2023-25012 CVE-2023-1998 CVE-2023-1859 CVE-2023-1670 CVE-2023-1079 CVE-2023-1077 CVE-2023-1076
5.4 - IBM, GCP, GKEOP, raspi2, Azure, AWS, Bluefield, KVM, Oracle
Type confusion in real-time scheduler -> DoS
A few different UAFs in various USB device drivers (and even PCMCIA) - could all
be triggered by a local attacker with physical access
UAF in HFS+ file-system + Xen 9P file-system protocol impl
[USN-6187-1] Linux kernel (IBM) vulnerabilities (02:49)
9 CVEs addressed in Kinetic (22.10)
CVE-2023-2985 CVE-2023-25012 CVE-2023-1998 CVE-2023-1859 CVE-2023-1670 CVE-2023-1079 CVE-2023-1077 CVE-2023-1076 CVE-2022-4269
5.19 IBM
All of the above plus a possible deadlock in the network traffic control
subsystem that could be triggered by a local attacker -> DoS
[USN-6186-1] Linux kernel vulnerabilities (03:06)
20 CVEs addressed in Lunar (23.04)
CVE-2023-33288 CVE-2023-33203 CVE-2023-30772 CVE-2023-28866 CVE-2023-28466 CVE-2023-2612 CVE-2023-2235 CVE-2023-2194 CVE-2023-1990 CVE-2023-1989 CVE-2023-1859 CVE-2023-1855 CVE-2023-1670 CVE-2023-1611 CVE-2023-1583 CVE-2022-4269 CVE-2023-1380 CVE-2023-30456 CVE-2023-31436 CVE-2023-32233
All interesting CVEs discussed previously - [USN-6130-1] Linux kernel vulnerabilities in Episode 198
netfilter race condition able to be triggered by a local attacker -> UAF -> DoS/RCE
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
KVM mishandling of control registers for nested guest VMs
OOB write in network queuing scheduler - able to be triggered through an
unprivileged user namespace (again)
[USN-6184-1] CUPS vulnerability (03:55)
1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-34241
UAF since it would log details of a connection after closing the connection (and
hence freeing the memory associated with the connection) - since this was in the
logging code, it would only happen if the log level was set to warn or higher -
could then either cause a crash (SEGV etc) or could potentially end up logging
sensitive info if that was then present in that memory location
[USN-6188-1] OpenSSL vulnerability (04:43)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-2650
[USN-6119-1] OpenSSL vulnerabilities from Episode 197
CPU-based DoS when parsing crafted ASN.1 object identifiers
[USN-6161-2] .NET regression (05:02)
5 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-33128 CVE-2023-32032 CVE-2023-29337 CVE-2023-29331 CVE-2023-24936
[USN-6161-1] .NET vulnerabilities from Episode 199
New upstream point release to address a regression in the previous release -
would fail to import PKCS12 blobs where the private keys were protected by a
null password (apparently this was non-deterministic which sounds like it was
due to an uninitialised local variable…?)
[USN-6189-1] etcd vulnerability (05:55)
1 CVE addressed in Kinetic (22.10), Lunar (23.04)
CVE-2021-28235
Leaked credentials into the debug log which could then be accessed by a remote
attacker via the debug API endpoint
Goings on in Ubuntu Security Community
MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses published (06:20)
Rank | ID      | Name                                                                                            | Score | CVEs in KEV
-----|---------|-------------------------------------------------------------------------------------------------|-------|------------
1    | CWE-787 | Out-of-bounds Write                                                                             | 63.72 | 70
2    | CWE-79  | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)            | 45.54 | 4
3    | CWE-89  | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)            | 34.27 | 6
4    | CWE-416 | Use After Free                                                                                  | 16.71 | 44
5    | CWE-78  | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)      | 15.65 | 23
6    | CWE-20  | Improper Input Validation                                                                       | 15.50 | 35
7    | CWE-125 | Out-of-bounds Read                                                                              | 14.60 | 2
8    | CWE-22  | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)                  | 14.11 | 16
9    | CWE-352 | Cross-Site Request Forgery (CSRF)                                                               | 11.73 | 0
10   | CWE-434 | Unrestricted Upload of File with Dangerous Type                                                 | 10.41 | 5
11   | CWE-862 | Missing Authorization                                                                           | 6.90  | 0
12   | CWE-476 | NULL Pointer Dereference                                                                        | 6.59  | 0
13   | CWE-287 | Improper Authentication                                                                         | 6.39  | 10
14   | CWE-190 | Integer Overflow or Wraparound                                                                  | 5.89  | 4
15   | CWE-502 | Deserialization of Untrusted Data                                                               | 5.56  | 14
16   | CWE-77  | Improper Neutralization of Special Elements used in a Command (‘Command Injection’)             | 4.95  | 4
17   | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer                         | 4.75  | 7
18   | CWE-798 | Use of Hard-coded Credentials                                                                   | 4.57  | 2
19   | CWE-918 | Server-Side Request Forgery (SSRF)                                                              | 4.56  | 16
20   | CWE-306 | Missing Authentication for Critical Function                                                    | 3.78  | 8
21   | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)     | 3.53  | 8
22   | CWE-269 | Improper Privilege Management                                                                   | 3.31  | 5
23   | CWE-94  | Improper Control of Generation of Code (‘Code Injection’)                                       | 3.30  | 6
24   | CWE-863 | Incorrect Authorization                                                                         | 3.16  | 0
25   | CWE-276 | Incorrect Default Permissions                                                                   | 3.16  | 0
https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
MITRE (operates the US Homeland Security Systems Engineering and Development
Institute) released the 2023 CWE Top 25 Most Dangerous Software Weaknesses
Calculated by analysing the previous 2 years worth of public vulnerability
data from NVD for their various root-causes and ranking those
Also incorporates updated weakness data for the CVEs that form CISA’s (US
Cybersecurity & Infrastructure Security Agency) known exploited
vulnerabilities catalog (KEV)
root-causes - CWE - common weakness enumeration - list of software and
hardware weakness types
Looked at CVEs published in 2021 and 2022 and used those where the CWEs could
be mapped to the simplified collection of 130 weakness types which are the
most common set
Each CVE published by NVD has associated CWEs that identify the root-cause for
the vulnerability - these are generally chosen by the CNA who assigns the CVE
(as they are most familiar with the product and vulnerability in question) or
by an NVD analyst - multiple CWEs can be assigned for a CVE since they can
often be part of a chain
Score was calculated as the frequency of the CWE compared to other CWEs in the
dataset, multiplied by the average CVSS score for all CVEs that had the CWE
Have spoken in the past about perceived inaccuracies in CVSS scores and how
they are not necessarily a good fit for determining the risk of a given
CVE - but in this case, using them as the basis for this calculation is
perhaps not awful as they are the only real objective measure of the
potential severity of a CVE - and this is a noisy measure anyway
Looking at the top 10, OOB writes come in way at the top with a score of 63.7,
then XSS (45.5), SQLi (34.3) after which follows a long tail of CWEs with
scores in the teens - UAF (16.7), OS Command Injection (15.6), Improper Input
Validation (15.5), OOB Read (14.6), Path Traversal (14.11), CSRF (11.73) and
finally Unrestricted Upload of File with Dangerous Type (10.4)
Interesting to see the top 3 have a much higher score (all over 34) whereas
the rest are half this - below 16
They also quote the number of CVEs that featured in the KEV list (known
exploited vulns) - OOB W (70) yet XSS (4) + SQLi (6) - so just because there
are more of a given type of vuln, doesn’t mean that they get exploited more -
e.g. OOB reads are #7 yet only 2 in the list of KEV, and CSRF #9 yet none in
the KEV list
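As an added illustration of the scoring and the KEV comparison discussed above (this is example code written for these notes, not code from the show or from MITRE), the Python below ranks CWEs from a constructed set of NVD-style CVE records and joins in a constructed KEV list. It reports both the plain product the notes describe (share of CVEs carrying the CWE multiplied by their average CVSS) and the min-max normalised frequency-times-severity form that MITRE's published Top 25 methodology uses; that normalisation detail comes from MITRE's methodology page, not from these notes. Every CVE id, CWE mapping, CVSS value and KEV membership in the sample is made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    """One NVD-style record: a CVE id, its CWE mapping(s) and a CVSS base score."""
    cve_id: str
    cwes: tuple          # more than one CWE when the bug is a chain
    cvss: float          # CVSS base score, 0.0-10.0


# Constructed sample data (hypothetical ids and values, not real CVEs).
SAMPLE_RECORDS = (
    CveRecord("CVE-0000-0001", ("CWE-787",), 9.8),
    CveRecord("CVE-0000-0002", ("CWE-787",), 7.8),
    CveRecord("CVE-0000-0003", ("CWE-787",), 8.8),
    CveRecord("CVE-0000-0004", ("CWE-79",), 6.1),
    CveRecord("CVE-0000-0005", ("CWE-79",), 5.4),
    CveRecord("CVE-0000-0006", ("CWE-89",), 9.8),
    CveRecord("CVE-0000-0007", ("CWE-89",), 8.8),
    CveRecord("CVE-0000-0008", ("CWE-20", "CWE-787"), 7.5),  # chain: bad validation -> OOB write
    CveRecord("CVE-0000-0009", ("CWE-125",), 5.5),
    CveRecord("CVE-0000-0010", ("CWE-416",), 7.8),
)
# Constructed KEV membership: which of the sample CVEs count as "known exploited".
SAMPLE_KEV = frozenset({"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0007", "CVE-0000-0010"})


def _minmax(value, lo, hi):
    """Scale value into [0, 1] over [lo, hi]; a degenerate range maps to 1.0."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records, kev_ids):
    """Rank CWEs Top-25 style.

    Returns a list of dicts, highest score first, with:
      count     - number of CVEs mapped to the CWE
      avg_cvss  - mean CVSS base score of those CVEs
      raw_score - (count / total CVEs) * avg_cvss, the product the notes describe
      score     - min-max normalised frequency * normalised severity * 100 (MITRE form)
      kev       - how many of those CVEs are in the KEV set (reported, not scored)
    """
    counts = defaultdict(int)
    cvss_total = defaultdict(float)
    kev_hits = defaultdict(int)
    for rec in records:
        for cwe in set(rec.cwes):          # count a CVE once per CWE it maps to
            counts[cwe] += 1
            cvss_total[cwe] += rec.cvss
            if rec.cve_id in kev_ids:
                kev_hits[cwe] += 1
    if not counts:
        return []

    total = len(records)
    avg = {cwe: cvss_total[cwe] / counts[cwe] for cwe in counts}
    f_lo, f_hi = min(counts.values()), max(counts.values())
    s_lo, s_hi = min(avg.values()), max(avg.values())

    rows = []
    for cwe, n in counts.items():
        freq = _minmax(n, f_lo, f_hi)
        sev = _minmax(avg[cwe], s_lo, s_hi)
        rows.append({
            "cwe": cwe,
            "count": n,
            "avg_cvss": avg[cwe],
            "raw_score": round((n / total) * avg[cwe], 2),
            "score": round(freq * sev * 100, 2),
            "kev": kev_hits[cwe],
        })
    rows.sort(key=lambda r: (-r["score"], r["cwe"]))
    return rows


def format_table(rows):
    """Render rows in the Rank / ID / Score / CVEs-in-KEV layout the list uses."""
    lines = ["Rank  ID       Count  AvgCVSS  Raw    Score   KEV"]
    for rank, r in enumerate(rows, start=1):
        lines.append(f"{rank:<5} {r['cwe']:<8} {r['count']:<6} {r['avg_cvss']:<8.2f} "
                     f"{r['raw_score']:<6.2f} {r['score']:<7.2f} {r['kev']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(score_cwes(SAMPLE_RECORDS, SAMPLE_KEV)))
```

Two things the sample makes visible: the normalised form gives the least frequent CWE in the dataset a frequency of 0 and therefore a score of 0 regardless of its CVSS, which is why the real list needs a large CVE population before the tail is meaningful; and the KEV count is carried alongside the score rather than folded into it, which is exactly why a high-ranked CWE can have few known-exploited CVEs and vice versa.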
What does this mean for Ubuntu Security? Ultimately it is interesting and
seems to back up our more traditional approach to CVE priority assignment
compared to trying to use CVSS as a priority (again this is a severity score
but doesn’t really indicate risk, which is what our traditional priority score
is based on) - but perhaps is more interesting from an industry point of
view - memory corruption vulns (OOB Writes) still most prevalent and
impactful - static / dynamic analysis still very important to try and find
these - but ultimately the move to memory safe languages (Rust, Go etc) is
where we will finally see a shift away from this dominance
Even then, there will still be security bugs (XSS + SQLi, OS Command Injection,
Improper Input Validation, Path Traversal, CSRF etc)
Linux Security Summit EU Schedule Published (17:16)
https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/
20-21 September - in Bilbao Spain alongside the Open Source Summit
Still chance to get Early Bird Registration (closes 6th July)
BPF, exploit detection, estimating security risk of a given OSS project,
OP-TEE (ARM TrustZone) usage, novel project using CHERI hardware architecture
to protect security sensitive parts of the kernel, using TPM for per-process
secret storage, secure boot, LSM Updates + Landlock and some more
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter