Sign up to save your podcasts
Or
Share Episode 205
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 205
Overview
We’re back after unexpectedly going AWOL last week to bring you the latest in
Ubuntu Security including the recently announced Downfall and GameOver(lay)
vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and
we detail plans for using AppArmor to restrict the use of unprivileged user
namespaces as an attack vector in future Ubuntu releases.
This week in Ubuntu Security Updates
143 unique CVEs addressed
[USN-6268-1, USN-6269-1] GStreamer Base and Good Plugins vulnerabilities (01:07)
ZDI (ZDI-CAN-20775, ZDI-CAN-20994)
(even has a default plugin providing integration with Apple Video Trailers and
others) - so could possibly be used for remote exploitation
copying -> heap buffer overflow -> RCE
[USN-6270-1] Vim vulnerabilities (02:49)
researchers - would be interesting to know what kind of bounties are payed out
for these “vulns” since most require the user to run vim with a crafted set of
commands against a crafted input file - if you can get someone to do that, you
can probably just write arbitrary shell code for them to execute as well…
[USN-6271-1] MaraDNS vulnerabilities (03:55)
[USN-6272-1] OpenJDK 20 vulnerabilities
[USN-5064-3] GNU cpio vulnerability (04:08)
heap buffer overflow if using untrusted pattern files
[USN-6275-1] Cargo vulnerability
[USN-6273-1] poppler vulnerabilities
[USN-6274-1] XMLTooling vulnerability
[USN-6276-1] unixODBC vulnerability
[USN-6267-2] Firefox regressions
[USN-6277-1, USN-6277-2] Dompdf vulnerabilities
[USN-6278-1, USN-6278-2] .NET vulnerabilities (04:41)
[USN-6279-1] OpenSSH update (04:53)
which is a low priority vulnerability where it is possible for a person in the
middle to determine if a client already has knowledge of the server’s host
key. This could be used to then attack clients which do not have this
knowledge (since they then will be prompted to accept and trust the host key
which is offered on first connection) and offer them an attacker chosen host
key to cause them to authenticate to a host controlled by the attacker and
therefore intercept their connection etc
client does already have the server’s host key, it will still preserve the
original algorithm ordering sent to the server and so not leak this
information.
use-cases of the original vuln.
[USN-4336-3] GNU binutils vulnerabilities
[USN-6243-2] Graphite-Web regression
[USN-6281-1] Velocity Engine vulnerability
[USN-6282-1] Velocity Tools vulnerability
[USN-6283-1] Linux kernel vulnerabilities (07:34)
[USN-6284-1] Linux kernel vulnerabilities
[USN-6285-1] Linux kernel (OEM) vulnerabilities (07:50)
14 CVEs addressed in Jammy (22.04 LTS)
6.1 kernel
8 different high priority vulns - most mentioned previously - does include
“GameOver(lay)” which we haven’t covered yet - reported by WizResearch and is
specific to Ubuntu kernels
OverlayFS is a union filesystem which allows multiple filesystems to be
mounted at the same time, and presents a single unified view of the
filesystems. In 2018 we introduced some changes to OverlayFS as SAUCE patches
to handle extended attributes in overlayfs. Then in 2020 we backported commits
to fix CVE-2021-3493 - in the process this also added support for extended
attributes in OverlayFS so now there were two code paths, each using different
implementations for extended attributes. One was protected against the vuln in
CVE-2021-3493 whilst the other was not.
This vulnerability is exploiting that same vulnerability in the unprotected
implementation.
In this case, the vulnerability is in the handling of extended attributes in
OverlayFS - the vulnerability is that it is possible to create a file with
extended attributes which are not visible to the user, and then mount that
file in a way which allows the extended attributes to be visible to the user
remounting it with suid option. This allows the user to then execute arbitrary
code as root. NOTE: requires the user to have the ability to have
CAP_SYS_ADMIN but this is easy with unprivileged user namespaces.
Even more reason to keep pursuing the effort to restrict the use of
unprivileged user namespaces in upcoming Ubuntu 23.10
[USN-6286-1] Intel Microcode vulnerabilities (10:59)
vulnerability - the last one we saw was Zenbleed from Episode 103 in AMD Zen2 CPUs
https://www.blackhat.com/us-23/briefings/schedule/#single-instruction-multiple-data-leaks-in-cutting-edge-cpus-aka-downfall-31490
set (single instruction, multiple data) - these instructions are used to
perform the same operation on multiple data elements simultaneously
(e.g. adding two vectors of 4 32-bit integers together) which is very useful
for things like video encoding/decoding, image processing, etc.
SIMD Gather instruction which is used to load data into a vector register from
a memory location specified by an index vector register. Essentially this
allows the efficient loading of data which is scattered across memory into a
single register to then perform further operations on, and is useful in many
applications. The vulnerability is that under speculative execution, the data
which is loaded could be stale and come from an address which is not
accessible to the current process, and the data could be used in further
operations which could then leak the contents of that inaccessible memory -
e.g. stealing cryptographic keys from another process.
speculatively executing the Gather instruction, and instead waits for the data
to be available before executing the instruction. This results in a
performance hit, which was measured at up to 50% in a small number of
use-cases (whilst in others it is negligible).
was reported to Intel on 24th August 2022 yet only fixed publicly on 8th
August 2023 - basically meaning it took a year for Intel to fix this
issue.
microcode fix to be reverted at boot by a new kernel command line option:
gather_data_sampling=off - this is useful for those who want to avoid the
performance hit, and are willing to accept the risk of the vulnerability.
within the next week (ie. week of 21st August)
[USN-6280-1] PyPDF2 vulnerability
[USN-6287-1] Go yaml vulnerabilities
[USN-4897-2] Pygments vulnerabilities
[USN-6288-1] MySQL vulnerabilities
[USN-6289-1] WebKitGTK vulnerabilities
[USN-6290-1] LibTIFF vulnerabilities
[USN-6291-1] GStreamer vulnerability
[USN-6292-1] Ceph vulnerability
[USN-6293-1] OpenStack Heat vulnerability
Goings on in Ubuntu Security Community
Ubuntu 22.04.3 LTS Released (15:47)
Ubuntu 22.10 (Kinetic Kudu) End of Life (16:32)
Unprivileged user namespace restrictions via AppArmor in Ubuntu (17:00)
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
We’re back after unexpectedly going AWOL last week to bring you the latest in
Ubuntu Security including the recently announced Downfall and GameOver(lay)
vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and
we detail plans for using AppArmor to restrict the use of unprivileged user
namespaces as an attack vector in future Ubuntu releases.
This week in Ubuntu Security Updates
143 unique CVEs addressed
[USN-6268-1, USN-6269-1] GStreamer Base and Good Plugins vulnerabilities (01:07)
ZDI (ZDI-CAN-20775, ZDI-CAN-20994)
(even has a default plugin providing integration with Apple Video Trailers and
others) - so could possibly be used for remote exploitation
copying -> heap buffer overflow -> RCE
[USN-6270-1] Vim vulnerabilities (02:49)
researchers - would be interesting to know what kind of bounties are payed out
for these “vulns” since most require the user to run vim with a crafted set of
commands against a crafted input file - if you can get someone to do that, you
can probably just write arbitrary shell code for them to execute as well…
[USN-6271-1] MaraDNS vulnerabilities (03:55)
[USN-6272-1] OpenJDK 20 vulnerabilities
[USN-5064-3] GNU cpio vulnerability (04:08)
heap buffer overflow if using untrusted pattern files
[USN-6275-1] Cargo vulnerability
[USN-6273-1] poppler vulnerabilities
[USN-6274-1] XMLTooling vulnerability
[USN-6276-1] unixODBC vulnerability
[USN-6267-2] Firefox regressions
[USN-6277-1, USN-6277-2] Dompdf vulnerabilities
[USN-6278-1, USN-6278-2] .NET vulnerabilities (04:41)
[USN-6279-1] OpenSSH update (04:53)
which is a low priority vulnerability where it is possible for a person in the
middle to determine if a client already has knowledge of the server’s host
key. This could be used to then attack clients which do not have this
knowledge (since they then will be prompted to accept and trust the host key
which is offered on first connection) and offer them an attacker chosen host
key to cause them to authenticate to a host controlled by the attacker and
therefore intercept their connection etc
client does already have the server’s host key, it will still preserve the
original algorithm ordering sent to the server and so not leak this
information.
use-cases of the original vuln.
[USN-4336-3] GNU binutils vulnerabilities
[USN-6243-2] Graphite-Web regression
[USN-6281-1] Velocity Engine vulnerability
[USN-6282-1] Velocity Tools vulnerability
[USN-6283-1] Linux kernel vulnerabilities (07:34)
[USN-6284-1] Linux kernel vulnerabilities
[USN-6285-1] Linux kernel (OEM) vulnerabilities (07:50)
14 CVEs addressed in Jammy (22.04 LTS)
6.1 kernel
8 different high priority vulns - most mentioned previously - does include
“GameOver(lay)” which we haven’t covered yet - reported by WizResearch and is
specific to Ubuntu kernels
OverlayFS is a union filesystem which allows multiple filesystems to be
mounted at the same time, and presents a single unified view of the
filesystems. In 2018 we introduced some changes to OverlayFS as SAUCE patches
to handle extended attributes in overlayfs. Then in 2020 we backported commits
to fix CVE-2021-3493 - in the process this also added support for extended
attributes in OverlayFS so now there were two code paths, each using different
implementations for extended attributes. One was protected against the vuln in
CVE-2021-3493 whilst the other was not.
This vulnerability is exploiting that same vulnerability in the unprotected
implementation.
In this case, the vulnerability is in the handling of extended attributes in
OverlayFS - the vulnerability is that it is possible to create a file with
extended attributes which are not visible to the user, and then mount that
file in a way which allows the extended attributes to be visible to the user
remounting it with suid option. This allows the user to then execute arbitrary
code as root. NOTE: requires the user to have the ability to have
CAP_SYS_ADMIN but this is easy with unprivileged user namespaces.
Even more reason to keep pursuing the effort to restrict the use of
unprivileged user namespaces in upcoming Ubuntu 23.10
[USN-6286-1] Intel Microcode vulnerabilities (10:59)
vulnerability - the last one we saw was Zenbleed from Episode 103 in AMD Zen2 CPUs
https://www.blackhat.com/us-23/briefings/schedule/#single-instruction-multiple-data-leaks-in-cutting-edge-cpus-aka-downfall-31490
set (single instruction, multiple data) - these instructions are used to
perform the same operation on multiple data elements simultaneously
(e.g. adding two vectors of 4 32-bit integers together) which is very useful
for things like video encoding/decoding, image processing, etc.
SIMD Gather instruction which is used to load data into a vector register from
a memory location specified by an index vector register. Essentially this
allows the efficient loading of data which is scattered across memory into a
single register to then perform further operations on, and is useful in many
applications. The vulnerability is that under speculative execution, the data
which is loaded could be stale and come from an address which is not
accessible to the current process, and the data could be used in further
operations which could then leak the contents of that inaccessible memory -
e.g. stealing cryptographic keys from another process.
speculatively executing the Gather instruction, and instead waits for the data
to be available before executing the instruction. This results in a
performance hit, which was measured at up to 50% in a small number of
use-cases (whilst in others it is negligible).
was reported to Intel on 24th August 2022 yet only fixed publicly on 8th
August 2023 - basically meaning it took a year for Intel to fix this
issue.
microcode fix to be reverted at boot by a new kernel command line option:
gather_data_sampling=off - this is useful for those who want to avoid the
performance hit, and are willing to accept the risk of the vulnerability.
within the next week (ie. week of 21st August)
[USN-6280-1] PyPDF2 vulnerability
[USN-6287-1] Go yaml vulnerabilities
[USN-4897-2] Pygments vulnerabilities
[USN-6288-1] MySQL vulnerabilities
[USN-6289-1] WebKitGTK vulnerabilities
[USN-6290-1] LibTIFF vulnerabilities
[USN-6291-1] GStreamer vulnerability
[USN-6292-1] Ceph vulnerability
[USN-6293-1] OpenStack Heat vulnerability
Goings on in Ubuntu Security Community
Ubuntu 22.04.3 LTS Released (15:47)
Ubuntu 22.10 (Kinetic Kudu) End of Life (16:32)
Unprivileged user namespace restrictions via AppArmor in Ubuntu (17:00)
Get in contact