Sign up to save your podcasts
Or
Share Episode 210
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 210
Overview
It’s the Linux Security Summit in Bilbao this week and we bring you some
highlights from our favourite talks, plus we cover the 25 most stubborn software
weaknesses, and we look at security updates for Open VM Tools, libwebp, Django,
binutils, Indent, the Linux kernel and more.
This week in Ubuntu Security Updates
88 unique CVEs addressed
[USN-6365-1] Open VM Tools vulnerability (00:45)
verifying the signature on a SAML document, failed to configure the library to
only use the X509 certificate for validation - since presumably an attacker
could intercept the SAML token, and replace the X509 cert with a different
type of signature which would then be trusted by the xmlsec library and allow
the attacker to gain access
[USN-6366-1] PostgreSQL vulnerability (01:34)
206 - one issue, which allowed an attacker to escalate their privileges
(from CREATE to being able to execute arbitrary code as a bootstrap superuser)
also affected PostgreSQL 9.5 in Ubuntu 16.04
[USN-6364-1] Ghostscript vulnerabilities (01:59)
[USN-6369-1] libwebp vulnerability (02:19)
this was actually a bug in libwebp became clear a few days later
[USN-6367-1] Firefox vulnerability (03:55)
[USN-6368-1] Thunderbird vulnerabilities (04:04)
missing .xll files from standard blocklist that warns users when downloading
executables - more of a windows issue but these are Excel add-in files -
ie. plugins for Excel, “memory safety bugs”
[USN-6370-1] ModSecurity vulnerabilities (04:42)
tens-of-thousands deep)
but if it contained an embedded NUL byte then filename would be truncated and
hence could result in a buffer overread or the ability to bypass the web
application firewall for rules which read from the FILES_TMP_CONTENT variable
[USN-6371-1] libssh2 vulnerability (06:07)
trigger - and outcome is likely a DoS
[USN-6372-1] DBus vulnerability (06:26)
is a privileged user using the in-built monitoring interface of dbus to
monitor the traffic - so low chance of being able to trigger this and the
outcome is just a DoS anyway - and will be restarted by systemd anyway
[USN-6373-1] gawk vulnerability (07:02)
[USN-6374-1] Mutt vulnerabilities (07:16)
[USN-6375-1] atftp vulnerability (07:38)
buffer overflow so could possibly be used for code execution
[USN-6376-1] c-ares vulnerability (7:50)
[USN-6377-1] LibRaw vulnerability (7:56)
read -> crash
[USN-6378-1] Django vulnerability (08:08)
algorithm would parse from start of string forwards for every invalid unicode
character - instead of just using the remainder of the string
[USN-6379-1] vsftpd vulnerability (08:47)
multi-domain certificates to redirect traffic from one subdomain to another
[USN-6381-1] GNU binutils vulnerabilities (09:07)
[USN-6380-1] Node.js vulnerabilities (09:54)
headers
[USN-6382-1] Memcached vulnerability (10:23)
[USN-6389-1] Indent vulnerability (10:30)
[USN-6339-4] Linux kernel (Intel IoTG) vulnerabilities (10:53)
kernel vulnerabilities
[USN-6383-1] Linux kernel vulnerabilities (11:15)
then write to host memory -> code execution
namespace
user namespace
[USN-6384-1] Linux kernel (OEM) vulnerabilities (12:23)
user namespace
[USN-6385-1] Linux kernel (OEM) vulnerabilities (12:37)
Timo Aaltonen from the kernel team for the most number of CVEs fixed this week
[USN-6386-1] Linux kernel vulnerabilities (13:01)
[USN-6387-1] Linux kernel vulnerabilities (13:08)
[USN-6388-1] Linux kernel vulnerabilities (13:12)
Goings on in Ubuntu Security Community
Highlights from LSS EU (13:29)
proposes an automated attestation for confidential computing
proposed that most common metrics don’t demonstrate code quality, except
possibly percentage of cognitive complex functions
tries to measure how hard to understand
cognitive complexity
measurements are no better at accurately identifying code that is hard
to understand than the more traditional methods of LOC or cyclomatic
complexity
think about in the context of the security reviews that the Ubuntu Security
does as part of the MIR process (for a good overview of this, take a step
back in time to Main inclusion review security code audits discussion with
Seth Arnold from Episode 32)
Top 25 most stubborn weaknesses (17:13)
CWE-ID
Description
2023 Rank
CWE-787
Out-of-bounds Write
1
CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
2
CWE-89
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
3
CWE-416
Use After Free
4
CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
5
CWE-20
Improper Input Validation
6
CWE-125
Out-of-bounds Read
7
CWE-22
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
8
CWE-352
Cross-Site Request Forgery (CSRF)
9
CWE-476
NULL Pointer Dereference
12
CWE-287
Improper Authentication
13
CWE-190
Integer Overflow or Wraparound
14
CWE-502
Deserialization of Untrusted Data
15
CWE-119
Improper Restriction of Operations within Bounds of a Memory Buffer
17
CWE-798
Use of Hard-coded Credentials
18
entry point for compromise
guarantees
(“Improper Restriction of Operations within Bounds of a Memory Buffer”) was
once ranked 1 5 years ago, is now 17. Related (but not directly memory safety
but more correctness) CWE-190 (“Integer Overflow or Wraparound”) was ranked 5,
is now 7.
that is memory safe will help avoid a lot of the most prevalent security
issues - clearly won’t help with lack of proper input validation or poor
security architecture etc - but will cut out the most dangerous and most
stubborn issues (OOB W, UAF etc)
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
It’s the Linux Security Summit in Bilbao this week and we bring you some
highlights from our favourite talks, plus we cover the 25 most stubborn software
weaknesses, and we look at security updates for Open VM Tools, libwebp, Django,
binutils, Indent, the Linux kernel and more.
This week in Ubuntu Security Updates
88 unique CVEs addressed
[USN-6365-1] Open VM Tools vulnerability (00:45)
verifying the signature on a SAML document, failed to configure the library to
only use the X509 certificate for validation - since presumably an attacker
could intercept the SAML token, and replace the X509 cert with a different
type of signature which would then be trusted by the xmlsec library and allow
the attacker to gain access
[USN-6366-1] PostgreSQL vulnerability (01:34)
206 - one issue, which allowed an attacker to escalate their privileges
(from CREATE to being able to execute arbitrary code as a bootstrap superuser)
also affected PostgreSQL 9.5 in Ubuntu 16.04
[USN-6364-1] Ghostscript vulnerabilities (01:59)
[USN-6369-1] libwebp vulnerability (02:19)
this was actually a bug in libwebp became clear a few days later
[USN-6367-1] Firefox vulnerability (03:55)
[USN-6368-1] Thunderbird vulnerabilities (04:04)
missing .xll files from standard blocklist that warns users when downloading
executables - more of a windows issue but these are Excel add-in files -
ie. plugins for Excel, “memory safety bugs”
[USN-6370-1] ModSecurity vulnerabilities (04:42)
tens-of-thousands deep)
but if it contained an embedded NUL byte then filename would be truncated and
hence could result in a buffer overread or the ability to bypass the web
application firewall for rules which read from the FILES_TMP_CONTENT variable
[USN-6371-1] libssh2 vulnerability (06:07)
trigger - and outcome is likely a DoS
[USN-6372-1] DBus vulnerability (06:26)
is a privileged user using the in-built monitoring interface of dbus to
monitor the traffic - so low chance of being able to trigger this and the
outcome is just a DoS anyway - and will be restarted by systemd anyway
[USN-6373-1] gawk vulnerability (07:02)
[USN-6374-1] Mutt vulnerabilities (07:16)
[USN-6375-1] atftp vulnerability (07:38)
buffer overflow so could possibly be used for code execution
[USN-6376-1] c-ares vulnerability (7:50)
[USN-6377-1] LibRaw vulnerability (7:56)
read -> crash
[USN-6378-1] Django vulnerability (08:08)
algorithm would parse from start of string forwards for every invalid unicode
character - instead of just using the remainder of the string
[USN-6379-1] vsftpd vulnerability (08:47)
multi-domain certificates to redirect traffic from one subdomain to another
[USN-6381-1] GNU binutils vulnerabilities (09:07)
[USN-6380-1] Node.js vulnerabilities (09:54)
headers
[USN-6382-1] Memcached vulnerability (10:23)
[USN-6389-1] Indent vulnerability (10:30)
[USN-6339-4] Linux kernel (Intel IoTG) vulnerabilities (10:53)
kernel vulnerabilities
[USN-6383-1] Linux kernel vulnerabilities (11:15)
then write to host memory -> code execution
namespace
user namespace
[USN-6384-1] Linux kernel (OEM) vulnerabilities (12:23)
user namespace
[USN-6385-1] Linux kernel (OEM) vulnerabilities (12:37)
Timo Aaltonen from the kernel team for the most number of CVEs fixed this week
[USN-6386-1] Linux kernel vulnerabilities (13:01)
[USN-6387-1] Linux kernel vulnerabilities (13:08)
[USN-6388-1] Linux kernel vulnerabilities (13:12)
Goings on in Ubuntu Security Community
Highlights from LSS EU (13:29)
proposes an automated attestation for confidential computing
proposed that most common metrics don’t demonstrate code quality, except
possibly percentage of cognitive complex functions
tries to measure how hard to understand
cognitive complexity
measurements are no better at accurately identifying code that is hard
to understand than the more traditional methods of LOC or cyclomatic
complexity
think about in the context of the security reviews that the Ubuntu Security
does as part of the MIR process (for a good overview of this, take a step
back in time to Main inclusion review security code audits discussion with
Seth Arnold from Episode 32)
Top 25 most stubborn weaknesses (17:13)
CWE-ID
Description
2023 Rank
CWE-787
Out-of-bounds Write
1
CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
2
CWE-89
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
3
CWE-416
Use After Free
4
CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
5
CWE-20
Improper Input Validation
6
CWE-125
Out-of-bounds Read
7
CWE-22
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
8
CWE-352
Cross-Site Request Forgery (CSRF)
9
CWE-476
NULL Pointer Dereference
12
CWE-287
Improper Authentication
13
CWE-190
Integer Overflow or Wraparound
14
CWE-502
Deserialization of Untrusted Data
15
CWE-119
Improper Restriction of Operations within Bounds of a Memory Buffer
17
CWE-798
Use of Hard-coded Credentials
18
entry point for compromise
guarantees
(“Improper Restriction of Operations within Bounds of a Memory Buffer”) was
once ranked 1 5 years ago, is now 17. Related (but not directly memory safety
but more correctness) CWE-190 (“Integer Overflow or Wraparound”) was ranked 5,
is now 7.
that is memory safe will help avoid a lot of the most prevalent security
issues - clearly won’t help with lack of proper input validation or poor
security architecture etc - but will cut out the most dangerous and most
stubborn issues (OOB W, UAF etc)
Get in contact