Sign up to save your podcasts
Or
Share Episode 204
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 204
Overview
This week we look at the recent Zenbleed vulnerability affecting some AMD
processors, plus we cover security updates for the Linux kernel, a high
profile OpenSSH vulnerability and finally Andrei is back with a deep dive into
recent academic research around how to safeguard machine learning systems when
used across distributed deployments.
This fortnight in Ubuntu Security Updates
123 unique CVEs addressed
[USN-6238-1] Samba vulnerabilities [01:15]
signing (as it was not properly enforced), couple issues in the Spotlight
protocol implementation (used to enable MacOS clients to search the Samba
share via Finder) - DoS via a possible infinite loop when processing RPC
packets which specified 0 elements in an array-like structure, plus info leak
where full server-side path of resources would be returned in results
[USN-6237-2] curl regression
[USN-6239-1] ECDSA Util vulnerability [02:13]
[USN-5546-1, USN-5546-2] OpenJDK vulnerabilities
from Episode 172 - basically would fail to first check if the provided
exponents in the signature were zero - since if they are, then an all-zero
signature would be considered as valid - so could easily forge a signature
[USN-6232-1] wkhtmltopdf vulnerability
[USN-6241-1] OpenStack vulnerability
[USN-6240-1] FRR vulnerability
[USN-6242-1, USN-6242-2] OpenSSH vulnerability [03:08]
PKCS#11 module in ssh-agent
socket to a remote machine, then the remote machine could cause your local
ssh-agent to execute arbitrary code - it does this by causing the PKCS#11
module in ssh-agent to load an attacker controlled library from /usr/lib on
your local machine
be on your machine in this privileged location - BUT there are a bunch of
seemingly innocuous libraries in say standard Ubuntu that can be abused to
cause malicious actions and get arbitrary code execution. This is exactly
what Qualys did to demonstrate the impact of this vuln -
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
libraries (such as the ability to make the stack executable or register
signal handlers just by dlopen()‘ing a module) - chain these together to
then get code execution
discouraged, and instead you should probably use an jump host - this is even
mentioned in the man page for ssh
expected symbols and if not abort etc)
[USN-6243-1] Graphite-Web vulnerabilities
[USN-6203-2] Django vulnerability
[USN-6129-2] Avahi vulnerability
[USN-6244-1] AMD Microcode vulnerability [05:57]
ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
execution - but unlike Spectre etc, speculative execution is not used as the
attack primitive - instead for Zenbleed, the processor fails to properly clean
up state after speculatively executing a particular vector register
instruction - which then allows an attacker thread / process to read this data
from the vector register - all comes about because these registers are not
like the normal physical registers in the CPU, but instead are shared as a
“Register File” - this sharing means that when one instruction gets
speculatively executed, but which turns out to not actually be needed, it
fails to properly clean up - and then leaks this data via the shared register
file which can be read by another process which is executing at the same time
language intructions and so it is not clear if this could be exploited
remotely say via JS running a web-browser - but it definitely can be exploited
by local users to spy on all other processes in the system (that use vector
registers), including root / VMs etc
glibc implements functions like strlen() using them - and this is a very
common operation in all kinds of code
could snoop on passwords etc
EPYC line of processors (code named “Rome”) - so in that case all you need to
do is install this microcode update and reboot and you are good.
according to their advisory they will release BIOS firmware updates for other
affected processors later in the year
as I can tell) instructs it to not execute this particular instruction
out-of-order (ie not speculatively execute it) - AMD haven’t actually said
what this does but that is the assumption. As such, this does have an effect
on performance, although it is not clear how much.
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
chicken-bit if the associated microcode update is not present - for Ubuntu we
plan to include this fix in the next round of kernel security updates, due on
21st August
[LSN-0096-1] Linux kernel vulnerability [11:47]
well - both require CAP_NET_ADMIN to exploit - but can get this in an
unprivileged user namespace -> privesc
unprivileged user namespace
Kernel type
22.04
20.04
18.04
16.04
14.04
aws
—
96.2
—
96.2
—
aws-hwe
—
—
—
96.2
—
azure
96.3
96.2
—
96.2
—
azure-5.4
—
—
96.2
—
—
gcp
96.3
96.2
—
96.2
—
gcp-4.15
—
—
96.2
—
—
gcp-5.15
—
96.3
—
—
—
gcp-5.4
—
—
96.2
—
—
generic-4.15
—
—
96.2
96.2
—
generic-4.4
—
—
—
96.2
96.2
generic-5.15
—
96.3
—
—
—
generic-5.4
—
96.2
96.2
—
—
gke
96.3
96.2
—
—
—
gke-5.15
—
96.3
—
—
—
gke-5.4
—
—
96.2
—
—
gkeop
—
96.2
—
—
—
gkeop-5.4
—
—
96.2
—
—
ibm
96.3
96.2
—
—
—
ibm-5.4
—
—
96.2
—
—
linux
96.3
—
—
—
—
lowlatency-4.15
—
—
96.2
96.2
—
lowlatency-4.4
—
—
—
96.2
96.2
lowlatency-5.15
—
96.3
—
—
—
lowlatency-5.4
—
96.2
96.2
—
—
[USN-6246-1] Linux kernel vulnerabilities
[USN-6247-1] Linux kernel (OEM) vulnerabilities
[USN-6248-1] Linux kernel (OEM) vulnerabilities
[USN-6249-1] Linux kernel (OEM) vulnerabilities
[USN-6250-1] Linux kernel vulnerabilities
[USN-6251-1] Linux kernel vulnerabilities
[USN-6252-1] Linux kernel vulnerabilities
[USN-6254-1] Linux kernel vulnerabilities
[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities
[USN-6256-1] Linux kernel (IoT) vulnerabilities
[USN-6260-1] Linux kernel vulnerabilities
[USN-6261-1] Linux kernel (IoT) vulnerabilities
[USN-6245-1] Trove vulnerabilities
[USN-5807-3] libXpm vulnerability
[USN-6253-1] libvirt vulnerability
[USN-6257-1] Open VM Tools vulnerability
[USN-6258-1] LLVM Toolchain vulnerabilities
[USN-5193-3] X.Org X Server vulnerabilities
[USN-6259-1] Open-iSCSI vulnerabilities
[USN-6262-1] Wireshark vulnerabilities
[USN-6265-1] RabbitMQ vulnerability
[USN-6264-1] WebKitGTK vulnerabilities
[USN-6263-1] OpenJDK vulnerabilities
[USN-6266-1] librsvg vulnerability [13:55]
include element that specifies say - simple PoC provided by
the upstream reporter
[USN-6267-1] Firefox vulnerabilities [14:47]
Goings on in Ubuntu Security Community
Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we look at the recent Zenbleed vulnerability affecting some AMD
processors, plus we cover security updates for the Linux kernel, a high
profile OpenSSH vulnerability and finally Andrei is back with a deep dive into
recent academic research around how to safeguard machine learning systems when
used across distributed deployments.
This fortnight in Ubuntu Security Updates
123 unique CVEs addressed
[USN-6238-1] Samba vulnerabilities [01:15]
signing (as it was not properly enforced), couple issues in the Spotlight
protocol implementation (used to enable MacOS clients to search the Samba
share via Finder) - DoS via a possible infinite loop when processing RPC
packets which specified 0 elements in an array-like structure, plus info leak
where full server-side path of resources would be returned in results
[USN-6237-2] curl regression
[USN-6239-1] ECDSA Util vulnerability [02:13]
[USN-5546-1, USN-5546-2] OpenJDK vulnerabilities
from Episode 172 - basically would fail to first check if the provided
exponents in the signature were zero - since if they are, then an all-zero
signature would be considered as valid - so could easily forge a signature
[USN-6232-1] wkhtmltopdf vulnerability
[USN-6241-1] OpenStack vulnerability
[USN-6240-1] FRR vulnerability
[USN-6242-1, USN-6242-2] OpenSSH vulnerability [03:08]
PKCS#11 module in ssh-agent
socket to a remote machine, then the remote machine could cause your local
ssh-agent to execute arbitrary code - it does this by causing the PKCS#11
module in ssh-agent to load an attacker controlled library from /usr/lib on
your local machine
be on your machine in this privileged location - BUT there are a bunch of
seemingly innocuous libraries in say standard Ubuntu that can be abused to
cause malicious actions and get arbitrary code execution. This is exactly
what Qualys did to demonstrate the impact of this vuln -
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
libraries (such as the ability to make the stack executable or register
signal handlers just by dlopen()‘ing a module) - chain these together to
then get code execution
discouraged, and instead you should probably use an jump host - this is even
mentioned in the man page for ssh
expected symbols and if not abort etc)
[USN-6243-1] Graphite-Web vulnerabilities
[USN-6203-2] Django vulnerability
[USN-6129-2] Avahi vulnerability
[USN-6244-1] AMD Microcode vulnerability [05:57]
ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
execution - but unlike Spectre etc, speculative execution is not used as the
attack primitive - instead for Zenbleed, the processor fails to properly clean
up state after speculatively executing a particular vector register
instruction - which then allows an attacker thread / process to read this data
from the vector register - all comes about because these registers are not
like the normal physical registers in the CPU, but instead are shared as a
“Register File” - this sharing means that when one instruction gets
speculatively executed, but which turns out to not actually be needed, it
fails to properly clean up - and then leaks this data via the shared register
file which can be read by another process which is executing at the same time
language intructions and so it is not clear if this could be exploited
remotely say via JS running a web-browser - but it definitely can be exploited
by local users to spy on all other processes in the system (that use vector
registers), including root / VMs etc
glibc implements functions like strlen() using them - and this is a very
common operation in all kinds of code
could snoop on passwords etc
EPYC line of processors (code named “Rome”) - so in that case all you need to
do is install this microcode update and reboot and you are good.
according to their advisory they will release BIOS firmware updates for other
affected processors later in the year
as I can tell) instructs it to not execute this particular instruction
out-of-order (ie not speculatively execute it) - AMD haven’t actually said
what this does but that is the assumption. As such, this does have an effect
on performance, although it is not clear how much.
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
chicken-bit if the associated microcode update is not present - for Ubuntu we
plan to include this fix in the next round of kernel security updates, due on
21st August
[LSN-0096-1] Linux kernel vulnerability [11:47]
well - both require CAP_NET_ADMIN to exploit - but can get this in an
unprivileged user namespace -> privesc
unprivileged user namespace
Kernel type
22.04
20.04
18.04
16.04
14.04
aws
—
96.2
—
96.2
—
aws-hwe
—
—
—
96.2
—
azure
96.3
96.2
—
96.2
—
azure-5.4
—
—
96.2
—
—
gcp
96.3
96.2
—
96.2
—
gcp-4.15
—
—
96.2
—
—
gcp-5.15
—
96.3
—
—
—
gcp-5.4
—
—
96.2
—
—
generic-4.15
—
—
96.2
96.2
—
generic-4.4
—
—
—
96.2
96.2
generic-5.15
—
96.3
—
—
—
generic-5.4
—
96.2
96.2
—
—
gke
96.3
96.2
—
—
—
gke-5.15
—
96.3
—
—
—
gke-5.4
—
—
96.2
—
—
gkeop
—
96.2
—
—
—
gkeop-5.4
—
—
96.2
—
—
ibm
96.3
96.2
—
—
—
ibm-5.4
—
—
96.2
—
—
linux
96.3
—
—
—
—
lowlatency-4.15
—
—
96.2
96.2
—
lowlatency-4.4
—
—
—
96.2
96.2
lowlatency-5.15
—
96.3
—
—
—
lowlatency-5.4
—
96.2
96.2
—
—
[USN-6246-1] Linux kernel vulnerabilities
[USN-6247-1] Linux kernel (OEM) vulnerabilities
[USN-6248-1] Linux kernel (OEM) vulnerabilities
[USN-6249-1] Linux kernel (OEM) vulnerabilities
[USN-6250-1] Linux kernel vulnerabilities
[USN-6251-1] Linux kernel vulnerabilities
[USN-6252-1] Linux kernel vulnerabilities
[USN-6254-1] Linux kernel vulnerabilities
[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities
[USN-6256-1] Linux kernel (IoT) vulnerabilities
[USN-6260-1] Linux kernel vulnerabilities
[USN-6261-1] Linux kernel (IoT) vulnerabilities
[USN-6245-1] Trove vulnerabilities
[USN-5807-3] libXpm vulnerability
[USN-6253-1] libvirt vulnerability
[USN-6257-1] Open VM Tools vulnerability
[USN-6258-1] LLVM Toolchain vulnerabilities
[USN-5193-3] X.Org X Server vulnerabilities
[USN-6259-1] Open-iSCSI vulnerabilities
[USN-6262-1] Wireshark vulnerabilities
[USN-6265-1] RabbitMQ vulnerability
[USN-6264-1] WebKitGTK vulnerabilities
[USN-6263-1] OpenJDK vulnerabilities
[USN-6266-1] librsvg vulnerability [13:55]
include element that specifies say - simple PoC provided by
the upstream reporter
[USN-6267-1] Firefox vulnerabilities [14:47]
Goings on in Ubuntu Security Community
Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]
Get in contact