Overview
This week we talk about the dual use purposes of eBPF - both for security and
for exploitation, and how you can keep your systems safe, plus we cover security
updates for the Linux kernel, Ruby, SciPy, YAJL, ConnMan, curl and more.
This week in Ubuntu Security Updates
[USN-6220-1] Linux kernel vulnerabilities (00:50)
1 CVE addressed in Lunar (23.04)
CVE-2023-35788
6.2 gcp, ibm, azure, oracle
[USN-6192-1] Linux kernel vulnerabilities from Episode 202
Off-by-one in the flower network traffic classifier
Info leak via stale page table entries (INVLPG)
[USN-6234-1] Linux kernel (Xilinx ZynqMP) vulnerability (01:20)
1 CVE addressed in Focal (20.04 LTS)
CVE-2023-35788
5.4 Xilinx ZynqMP platform
[USN-6221-1] Linux kernel vulnerabilities (01:32)
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-3111 CVE-2023-1990 CVE-2022-29901 CVE-2022-26373 CVE-2022-1184 CVE-2021-3753 CVE-2021-20321
4.4 Xenial ESM, Trusty ESM LTS Xenial
AWS, KVM, Generic, Low latency
[USN-6222-1] Linux kernel (Xilinx ZynqMP) vulnerabilities (02:13)
31 CVEs addressed in Focal (20.04 LTS)
CVE-2023-32269 CVE-2023-32233 CVE-2023-3161 CVE-2023-31436 CVE-2023-30456 CVE-2023-2985 CVE-2023-26545 CVE-2023-2612 CVE-2023-25012 CVE-2023-2162 CVE-2023-1998 CVE-2023-1859 CVE-2023-1829 CVE-2023-1670 CVE-2023-1513 CVE-2023-1380 CVE-2023-1281 CVE-2023-1118 CVE-2023-1079 CVE-2023-1078 CVE-2023-1077 CVE-2023-1076 CVE-2023-1075 CVE-2023-1074 CVE-2023-1073 CVE-2023-0459 CVE-2023-0458 CVE-2022-4129 CVE-2022-3903 CVE-2022-3707 CVE-2022-3108
[USN-6223-1] Linux kernel (Azure CVM) vulnerabilities (02:25)
9 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35788 CVE-2023-2985 CVE-2023-25012 CVE-2023-1998 CVE-2023-1859 CVE-2023-1670 CVE-2023-1079 CVE-2023-1077 CVE-2023-1076
[USN-6224-1, USN-6228-1] Linux kernel vulnerabilities (02:36)
2 CVEs addressed in Lunar (23.04)
CVE-2023-2176 CVE-2023-2124
6.2 Oracle, Azure, GCP, IBM, Raspi, AWS, KVM, Low latency
[USN-6231-1] Linux kernel (OEM) vulnerabilities (02:53)
5 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-3212 CVE-2023-3141 CVE-2023-31084 CVE-2023-3090 CVE-2023-2124
6.1 OEM
OOB write due to uninitialized memory in the packet control buffer of the IP-VLAN network driver
[USN-6235-1] Linux kernel (OEM) vulnerabilities (03:17)
8 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35788 CVE-2023-2430 CVE-2023-2176 CVE-2023-2124 CVE-2023-1073 CVE-2023-0597 CVE-2023-0459 CVE-2022-4842
6.0 OEM
Flower, missing lock in io_uring
[USN-6192-1] Linux kernel vulnerabilities from Episode 202
[USN-6219-1] Ruby vulnerabilities (03:32)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-36617 CVE-2023-28755
ReDoS in the URI parser - only one issue really, but the fix for the first was incomplete
[USN-6216-1] lib3mf vulnerability (04:09)
1 CVE addressed in Focal (20.04 LTS)
CVE-2021-21772
UAF
[USN-6225-1] Knot Resolver vulnerability (04:14)
1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-40188
CPU-based DoS due to high algorithmic complexity - requires an authoritative server to return large address sets - fixed by adding a limit to various lookups etc.
[USN-6226-1] SciPy vulnerabilities (04:45)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-29824 CVE-2023-25399
2 issues in reference count handling - both appear to be disputed by upstream: the first, as it could only be triggered by first deterministically exhausting memory; the other, since the only way to trigger it would be to first be able to execute arbitrary Python code. Both were reported by the same user, who discovered them via static analysis.
[USN-6227-1] SpiderMonkey vulnerabilities (05:47)
2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-37211 CVE-2023-37202
mozjs102 (102.13.0) - memory mishandling in the JS engine
[USN-6229-1] LibTIFF vulnerabilities (06:00)
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-3316 CVE-2023-26966 CVE-2023-26965 CVE-2023-25433
2 heap buffer overflows, one OOB read, one NULL ptr deref
[USN-6230-1] PostgreSQL vulnerability (06:24)
1 CVE addressed in Xenial ESM (16.04 ESM)
CVE-2023-2454
[USN-6104-1] PostgreSQL vulnerabilities from Episode 197
[USN-6184-2] CUPS vulnerability (06:34)
1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-34241
[USN-6184-1] CUPS vulnerability from Episode 201
[USN-6078-2] libwebp vulnerability (06:43)
1 CVE addressed in Xenial ESM (16.04 ESM)
CVE-2023-1999
[USN-6078-1] libwebp vulnerability from Episode 195
[USN-6183-2] Bind vulnerability (06:46)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-2911 CVE-2023-2828
[USN-6183-1] Bind vulnerabilities from Episode 201
[USN-6233-1] YAJL vulnerabilities (06:56)
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-33460 CVE-2022-24795 CVE-2017-16516
Yet Another JSON Library - used by i3, mpd, uwsgi, modsecurity, libvirt and others
Memory leak, buffer overflow on unicode parsing, integer overflow -> heap buffer overflow when handling inputs larger than 2GB
[USN-6236-1] ConnMan vulnerabilities (07:33)
9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-28488 CVE-2022-32293 CVE-2022-32292 CVE-2022-23098 CVE-2022-23097 CVE-2022-23096 CVE-2021-26676 CVE-2021-33833 CVE-2021-26675
A number of issues in the internal gdhcp client - stack buffer overflow, OOB read (info leak) - requires an attacker to run a malicious DHCP server - think public wifi etc.
UAF in WISPR HTTP handling (MiTM)
Heap buffer overflow in the gweb component - RCE
2 different OOB reads in the DNS proxy component - crash / info leak
Also an infinite loop in the DNS proxy
[USN-6237-1] curl vulnerabilities (08:45)
3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32001 CVE-2023-28322 CVE-2023-28321
Improperly matched wildcard patterns when doing certificate validation - in particular could match a punycode-encoded IDN against an ASCII wildcard of x*, as punycode names always start with xn--
Logic error where curl would use the read callback to ask the client for data to send even if the same handle had been used previously for a PUT request - unexpected behaviour for applications using curl, so could result in potentially sending the wrong data (info leak) or a UAF etc.
Race condition on fopen() - used to save cookies etc. to files - would first check that the file is a real file before opening - a local attacker could race to, say, replace it with a symlink instead to then get cookies written to a different file etc.
The dual use of eBPF as both a tool for malware and a tool for detecting malware (10:34)
Interesting write-up on the use of eBPF by malware authors for hooking into libpam to steal credentials
https://blog.aquasec.com/detecting-ebpf-malware-with-tracee
pamspy - uses eBPF uprobes - a way of hooking into userspace functions from the kernel using a user-level return probe (uretprobe)
Requires root in the first place to be able to create a uretprobe through /sys/kernel/debug/tracing/uprobe_events, but once done, it allows a BPF program to be executed every time the specified function within a specified library / binary is executed - so by hooking libpam it can then log the credentials used by any user when logging in / authenticating for sudo etc.
The more traditional approach would have been to use, say, LD_PRELOAD to hook into the functions - but this requires that binaries get executed with this environment set, so is harder to achieve
But uretprobes have their own problems - the implementation is based on breakpoints, so they can potentially be detected by the program which is being traced by examining its own code (.text section) to look for the breakpoint opcode (0xCC), or it could look for the special memory mapping [uprobes] in /proc/self/maps
https://blog.quarkslab.com/defeating-ebpf-uprobe-monitoring.html
Potentially easier to find that they are being used on a system as well by just looking at the contents of /sys/kernel/debug/tracing/uprobe_events - which lists all the uretprobes currently in use on the system
Interesting to see that (not surprisingly) each new technology can be used in multiple ways - BPF+uprobes is a great way to do tracing of userspace code for developers / sysadmins etc. when debugging - but is also a great way for malware authors to do the same
Also interesting to see the aquasec team mention the use of eBPF for system monitoring / instrumentation to detect malware - i.e. using an eBPF program to detect malicious use of eBPF
But perhaps the best solution is to disable the use of eBPF by unprivileged / untrusted users and use seccomp or similar (via systemd units) to restrict the use of eBPF to only those applications which really need it
Then the only way for malware to use eBPF would be to compromise something which already has access to eBPF - i.e. the kernel itself or a privileged process - reducing the attack surface
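A defender-side audit of the three signals the notes describe (the uprobe_events listing, the [uprobes] mapping in /proc/self/maps, and whether unprivileged eBPF is disabled), as an added example that is not from the podcast or the cited write-ups. It assumes the kernel's documented read-back format for uprobe_events; libpam is the library the write-up names, while libcrypto/libssl in SENSITIVE are my own assumption, and the sample inputs are constructed so it runs offline.

```python
"""Defender-side audit of the uprobe signals described above (added example,
not code from the podcast or the aquasec/quarkslab posts). Assumes the tracefs
read-back format of uprobe_events:  <p|r>:[GROUP/]EVENT PATH:0xOFFSET
"""
import re
from dataclasses import dataclass
from pathlib import Path

# libpam is the target named in the write-up; the other two are an assumption.
SENSITIVE = ("libpam", "libcrypto", "libssl")
_LINE = re.compile(r"^([pr]):(?:[\w-]+/)?([\w-]+)\s+(\S+):(0x[0-9a-fA-F]+)")

@dataclass(frozen=True)
class Probe:
    kind: str     # "uprobe" (entry) or "uretprobe" (return probe)
    event: str
    path: str     # binary or library the probe is planted in
    offset: int

def parse_uprobe_events(text: str) -> list:
    """Parse /sys/kernel/debug/tracing/uprobe_events (root needed to read it)."""
    probes = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:  # skip blank lines and anything we do not recognise
            kind, event, path, off = m.groups()
            probes.append(Probe("uretprobe" if kind == "r" else "uprobe",
                                event, path, int(off, 16)))
    return probes

def suspicious(probes: list) -> list:
    """Probes planted in libraries that handle secrets, e.g. a libpam uretprobe."""
    return [p for p in probes if any(s in Path(p.path).name for s in SENSITIVE)]

def has_uprobes_mapping(maps_text: str) -> bool:
    """True if a /proc/<pid>/maps dump shows the [uprobes] trampoline page."""
    return any(ln.rstrip().endswith("[uprobes]") for ln in maps_text.splitlines())

def unprivileged_bpf_disabled(sysctl_value: str) -> bool:
    """/proc/sys/kernel/unprivileged_bpf_disabled: 0 allows unprivileged bpf()."""
    return sysctl_value.strip() != "0"

# Constructed sample input so the audit runs offline; on a live host feed it the
# real uprobe_events, /proc/self/maps and sysctl contents instead.
SAMPLE_EVENTS = """\
p:uprobes/zfree_entry /bin/zsh:0x0000000000046420
r:uprobes/pam_ret /lib/x86_64-linux-gnu/libpam.so.0:0x0000000000005e20
"""
SAMPLE_MAPS = "7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0   [uprobes]\n"
```

On a real host, a non-empty result from suspicious() or an unexpected [uprobes] mapping in a process that nobody is debugging is what to alert on, and unprivileged_bpf_disabled() returning False means the sysctl mitigation from the notes is not in place.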
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter