Sign up to save your podcasts
Or
Share Episode 207
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 207
Overview
This week we cover reports of “fake” CVEs and their impact on the FOSS security
ecosystem, plus we look at security updates for PHP, Fast DDS, JOSE for C/C++,
the Linux kernel, AMD Microcode and more.
This week in Ubuntu Security Updates
83 unique CVEs addressed
[USN-6305-1] PHP vulnerabilities (00:53)
XML handling which maintains global state for things like whether XML external
entities should be loaded. However PHP also uses ImageMagick for image
handling, which also uses libxml (for say SVG parsing etc). As such,
ImageMagick may end up configuring XML EE to be enabled, which then in turn
enables it for all of PHP and so allows XML EE attacks - which can then be
used to read and disclose the contents of local files.
turns off XML EE handling rather than relying on the global context
[USN-6306-1] Fast DDS vulnerabilities (02:28)
components, used in various contexts like Adaptive AUTOSAR in the automotive
industry and others
authentication requests
and a couple heap buffer overflows for good measure too
[USN-6307-1] JOSE for C/C++ vulnerability (03:33)
standard
provided in the JWE header rather than the fixed length of 16 as
specified. Attacker could then provide a crafted JWE header with a shorter
authentication tag to trigger a buffer overflow on the receiver -> crash ->
DoS / info leak
[USN-6308-1] Libqb vulnerability (04:25)
messages
[USN-6309-1] Linux kernel vulnerabilities (04:48)
impl, virtual terminal drivers and netfilter network packet classifier; OOB
write in QFS network scheduler
write
[USN-6311-1] Linux kernel vulnerabilities (06:07)
[USN-6312-1] Linux kernel vulnerabilities (06:22)
[USN-6314-1] Linux kernel vulnerabilities (06:33)
(now owned by NVIDIA))
[USN-6315-1] Linux kernel vulnerabilities (06:58)
HWE for 20.04 + some OEM specific kernels too
Gather Data Sampling ([USN-6286-1] Intel Microcode vulnerabilities from
Episode 205)
fixes - for Zenbleed this enables a workaround if the microcode is not
available (since for some CPUs this is only available as a BIOS update, not
via microcode in Ubuntu), whilst for GDS this simply provides kernel support
to help identify if the mitigation is in place or not - if no microcode is
available, can disable AVX entirely by setting clearcpuid=avx on the kernel
command-line (but this will have a decent performance impact)
[USN-6316-1] Linux kernel (OEM) vulnerabilities (09:02)
[USN-6317-1] Linux kernel vulnerabilities (09:10)
[USN-6318-1] Linux kernel vulnerabilities (09:20)
[USN-6310-1] json-c vulnerability (09:41)
can allow code execution but that is the first time I have heard an OOB read
can allow code execution
[USN-6313-1] FAAD2 vulnerabilities (10:08)
[USN-6319-1] AMD Microcode vulnerability (10:33)
another variant of a speculative execution attack using the branch prediction
buffer to cause an incorrectly speculated return to be executed which can then
be inferred from a cache timing attack to read kernel memory
[USN-6320-1] Firefox vulnerabilities (11:13)
[USN-6263-2] OpenJDK regression (11:24)
etc - would fail to be decompressed
Goings on in Ubuntu Security Community
Reports of “Fake” CVEs being assigned by MITRE (12:07)
week ago (22nd August 2023) against a heap of open source projects - cURL,
PostgreSQL, Python, nasm, ImageMagick and a heap more
mentions a fix for seemingly real vulnerability (“buffer overflow”, “use after
free” etc)
vulnerabilities, and some have come out to expressly disavow them - PostgreSQL
on CVE-2020-21469 and cURL on CVE-2020-19909
root - and have access to the PostgreSQL superuser etc
vulnerability - there is no privilege boundary being crossed etc
if you specify a really large value of seconds, cURL will multiply this by
1000 to convert it to ms and hence overflow
retry delay - ie. it will only wait for say a few seconds rather than the
billion odd seconds originally specified - again, there is no security
impact here
they are the CNA of last resort - https://cveform.mitre.org/
assigning a CVE
maintainer) to reject the CVE
mentioned by Risky Biz) but for all the downstreams like Ubuntu and other
distros
whether the require immediate fixing etc - this takes time for everyone
involved
sense - ie. they are not fradualent, they have been issued by the official
custodians of CVEs - MITRE - but it is just that they are not actual
vulnerabilities
(and hence to get kernel security fixes you need to get all kernel bug fixes
as you won’t know which are the real vulns) to the opposite extreme - all bugs
are security bugs and hence should get CVEs?
that will likely put the whole system in jeopardy since whilst CVEs have many
shortcomings, they are the global defacto for vulnerability tracking
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
This week we cover reports of “fake” CVEs and their impact on the FOSS security
ecosystem, plus we look at security updates for PHP, Fast DDS, JOSE for C/C++,
the Linux kernel, AMD Microcode and more.
This week in Ubuntu Security Updates
83 unique CVEs addressed
[USN-6305-1] PHP vulnerabilities (00:53)
XML handling which maintains global state for things like whether XML external
entities should be loaded. However PHP also uses ImageMagick for image
handling, which also uses libxml (for say SVG parsing etc). As such,
ImageMagick may end up configuring XML EE to be enabled, which then in turn
enables it for all of PHP and so allows XML EE attacks - which can then be
used to read and disclose the contents of local files.
turns off XML EE handling rather than relying on the global context
[USN-6306-1] Fast DDS vulnerabilities (02:28)
components, used in various contexts like Adaptive AUTOSAR in the automotive
industry and others
authentication requests
and a couple heap buffer overflows for good measure too
[USN-6307-1] JOSE for C/C++ vulnerability (03:33)
standard
provided in the JWE header rather than the fixed length of 16 as
specified. Attacker could then provide a crafted JWE header with a shorter
authentication tag to trigger a buffer overflow on the receiver -> crash ->
DoS / info leak
[USN-6308-1] Libqb vulnerability (04:25)
messages
[USN-6309-1] Linux kernel vulnerabilities (04:48)
impl, virtual terminal drivers and netfilter network packet classifier; OOB
write in QFS network scheduler
write
[USN-6311-1] Linux kernel vulnerabilities (06:07)
[USN-6312-1] Linux kernel vulnerabilities (06:22)
[USN-6314-1] Linux kernel vulnerabilities (06:33)
(now owned by NVIDIA))
[USN-6315-1] Linux kernel vulnerabilities (06:58)
HWE for 20.04 + some OEM specific kernels too
Gather Data Sampling ([USN-6286-1] Intel Microcode vulnerabilities from
Episode 205)
fixes - for Zenbleed this enables a workaround if the microcode is not
available (since for some CPUs this is only available as a BIOS update, not
via microcode in Ubuntu), whilst for GDS this simply provides kernel support
to help identify if the mitigation is in place or not - if no microcode is
available, can disable AVX entirely by setting clearcpuid=avx on the kernel
command-line (but this will have a decent performance impact)
[USN-6316-1] Linux kernel (OEM) vulnerabilities (09:02)
[USN-6317-1] Linux kernel vulnerabilities (09:10)
[USN-6318-1] Linux kernel vulnerabilities (09:20)
[USN-6310-1] json-c vulnerability (09:41)
can allow code execution but that is the first time I have heard an OOB read
can allow code execution
[USN-6313-1] FAAD2 vulnerabilities (10:08)
[USN-6319-1] AMD Microcode vulnerability (10:33)
another variant of a speculative execution attack using the branch prediction
buffer to cause an incorrectly speculated return to be executed which can then
be inferred from a cache timing attack to read kernel memory
[USN-6320-1] Firefox vulnerabilities (11:13)
[USN-6263-2] OpenJDK regression (11:24)
etc - would fail to be decompressed
Goings on in Ubuntu Security Community
Reports of “Fake” CVEs being assigned by MITRE (12:07)
week ago (22nd August 2023) against a heap of open source projects - cURL,
PostgreSQL, Python, nasm, ImageMagick and a heap more
mentions a fix for seemingly real vulnerability (“buffer overflow”, “use after
free” etc)
vulnerabilities, and some have come out to expressly disavow them - PostgreSQL
on CVE-2020-21469 and cURL on CVE-2020-19909
root - and have access to the PostgreSQL superuser etc
vulnerability - there is no privilege boundary being crossed etc
if you specify a really large value of seconds, cURL will multiply this by
1000 to convert it to ms and hence overflow
retry delay - ie. it will only wait for say a few seconds rather than the
billion odd seconds originally specified - again, there is no security
impact here
they are the CNA of last resort - https://cveform.mitre.org/
assigning a CVE
maintainer) to reject the CVE
mentioned by Risky Biz) but for all the downstreams like Ubuntu and other
distros
whether the require immediate fixing etc - this takes time for everyone
involved
sense - ie. they are not fradualent, they have been issued by the official
custodians of CVEs - MITRE - but it is just that they are not actual
vulnerabilities
(and hence to get kernel security fixes you need to get all kernel bug fixes
as you won’t know which are the real vulns) to the opposite extreme - all bugs
are security bugs and hence should get CVEs?
that will likely put the whole system in jeopardy since whilst CVEs have many
shortcomings, they are the global defacto for vulnerability tracking
Get in contact