Sign up to save your podcasts
Or
Share Episode 211
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 211
Overview
After a well-deserved break, we’re is back looking at the recent Ubuntu 23.10
release and the significant security technologies it introduces along with a
call for testing of unprivileged user namespace restrictions, plus the details
of security updates for curl, Samba, iperf3, CUE and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-6429-2, USN-6429-3] curl vulnerability (00:51)
potentially load cookies from a crafted file on disk - allowing a local
attacker to inject arbitrary cookies into a connection - although requires the
application to use the curl_easy_duphandle() function
proxy, if the specified hostname was longer than 255 bytes
[USN-6425-3] Samba vulnerabilities (02:38)
being able to truncate read-only files, or cause Samba to stop responding and
hence DoS through to the ability to obtain all domain secrets
[USN-6425-2] Samba regression (03:06)
when handling the %U directive in smb.conf - if specified a path to be shared
like /home/%U/FILES the %U would seemingly be ignored and not replaced with
the username as expected - and hence the share would fail - this same issue
actually occurred previously in January this year - have now added a
regression test specifically to try and ensure we do not introduce this same
issue in the future again
[USN-6430-1] FFmpeg vulnerabilities (04:25)
[USN-6431-1, USN-6431-2, USN-6431-3] iperf3 vulnerabilities (05:12)
parsing a frame, would allocate memory for the frame, plus 1 extra byte for a
trailing NUL - if frame length was MAX_UINT adding 1 then wraps the integer
around back to zero - and so no memory gets allocated - and when copying into
the subsequent memory get a buffer overflow
to hang indefinitely on crafted input as well - reported this upstream and
included that fix here as well
[USN-6432-1] Quagga vulnerabilities (06:26)
[USN-6436-1] FRR vulnerabilities (06:38)
[USN-6394-2] Python vulnerability (06:52)
[USN-6423-2] CUE vulnerability (07:04)
RCE on GNOME desktop due to the use of libcue by tracker - when a crafted CUE
file is downloaded, will get automatically indexed by tracker and hence parsed
by libcue triggering this bug -> RCE
the impact for this kind of issue (ie restricting what the exploit could do)
but Kevin found a way to bypass this since the seccomp filter was only applied
to the thread used to parse the file - not the main thread - so Kevin could
simply delegate the code execution to the main thread to bypass this
the sandbox, and so worked to ensure this is then applied to all threads
within tracker, not just the one spawned to parse the particular file
[USN-6433-1] Ghostscript vulnerability (10:18)
specified IJS server parameter binary to execute some other binary instead
[USN-6396-3] Linux kernel (Azure) vulnerabilities (10:55)
classifier and bluetooth subsystems, recent speculative execution vulns in AMD
and Intel processors and more
[USN-6434-1] PMIx vulnerability (11:24)
API used in HPC environments
various files but would follow symlinks when doing this - so if a user could
race it to swap a symlink out then could get it to set the ownership of a root
owned file to themselves and gain the ability to read it etc
Goings on in Ubuntu Security Community
Ubuntu 23.10 (Mantic Minotaur) Released (12:41)
strong focus on raising the bar for security, and setting the stage for the
next LTS (24.04)
namespace restrictions via AppArmor
Call for testing of Unprivileged User Namespace Restrictions on Mantic
The hope is to get this enabled by default in 24.04 LTS - but we need as much
testing as we can get to find anything else which is not working as expected
beforehand - easy to do via a new sysctl
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
create a file /etc/sysctl.d/60-apparmor.conf with the following contents:
kernel.apparmor_restrict_unprivileged_userns = 1
Then if you do find something which is not working as expected, you can create
a simple AppArmor profile which will allow it to use unprivileged user
namespaces without any additional restrictions, e.g:
abi ,
include
/opt/google/chrome/chrome flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists
}
additional sysctl to ensure that anything which is unconfined can’t just abuse
these profiles by aa-exec‘ing themselves via that profile - so then also need
to enable the kernel.apparmor_restrict_unprivileged_unconfined = 1 sysctl too
issues, is currently disabling this automatically at startup - so for now you
have to keep manually re-enabling this restriction until the LXD devs land a
change to stop this https://github.com/canonical/lxd-pkg-snap/pull/187
issues since the chromium sandbox uses unprivileged user namespaces by
default - we have already created profiles for the various ones in the Ubuntu
archive that we are aware of, and for some third party ones too (Brave,
Vivaldi etc) but we expect there will be others - in that case, let us know
https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
After a well-deserved break, we’re is back looking at the recent Ubuntu 23.10
release and the significant security technologies it introduces along with a
call for testing of unprivileged user namespace restrictions, plus the details
of security updates for curl, Samba, iperf3, CUE and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-6429-2, USN-6429-3] curl vulnerability (00:51)
potentially load cookies from a crafted file on disk - allowing a local
attacker to inject arbitrary cookies into a connection - although requires the
application to use the curl_easy_duphandle() function
proxy, if the specified hostname was longer than 255 bytes
[USN-6425-3] Samba vulnerabilities (02:38)
being able to truncate read-only files, or cause Samba to stop responding and
hence DoS through to the ability to obtain all domain secrets
[USN-6425-2] Samba regression (03:06)
when handling the %U directive in smb.conf - if specified a path to be shared
like /home/%U/FILES the %U would seemingly be ignored and not replaced with
the username as expected - and hence the share would fail - this same issue
actually occurred previously in January this year - have now added a
regression test specifically to try and ensure we do not introduce this same
issue in the future again
[USN-6430-1] FFmpeg vulnerabilities (04:25)
[USN-6431-1, USN-6431-2, USN-6431-3] iperf3 vulnerabilities (05:12)
parsing a frame, would allocate memory for the frame, plus 1 extra byte for a
trailing NUL - if frame length was MAX_UINT adding 1 then wraps the integer
around back to zero - and so no memory gets allocated - and when copying into
the subsequent memory get a buffer overflow
to hang indefinitely on crafted input as well - reported this upstream and
included that fix here as well
[USN-6432-1] Quagga vulnerabilities (06:26)
[USN-6436-1] FRR vulnerabilities (06:38)
[USN-6394-2] Python vulnerability (06:52)
[USN-6423-2] CUE vulnerability (07:04)
RCE on GNOME desktop due to the use of libcue by tracker - when a crafted CUE
file is downloaded, will get automatically indexed by tracker and hence parsed
by libcue triggering this bug -> RCE
the impact for this kind of issue (ie restricting what the exploit could do)
but Kevin found a way to bypass this since the seccomp filter was only applied
to the thread used to parse the file - not the main thread - so Kevin could
simply delegate the code execution to the main thread to bypass this
the sandbox, and so worked to ensure this is then applied to all threads
within tracker, not just the one spawned to parse the particular file
[USN-6433-1] Ghostscript vulnerability (10:18)
specified IJS server parameter binary to execute some other binary instead
[USN-6396-3] Linux kernel (Azure) vulnerabilities (10:55)
classifier and bluetooth subsystems, recent speculative execution vulns in AMD
and Intel processors and more
[USN-6434-1] PMIx vulnerability (11:24)
API used in HPC environments
various files but would follow symlinks when doing this - so if a user could
race it to swap a symlink out then could get it to set the ownership of a root
owned file to themselves and gain the ability to read it etc
Goings on in Ubuntu Security Community
Ubuntu 23.10 (Mantic Minotaur) Released (12:41)
strong focus on raising the bar for security, and setting the stage for the
next LTS (24.04)
namespace restrictions via AppArmor
Call for testing of Unprivileged User Namespace Restrictions on Mantic
The hope is to get this enabled by default in 24.04 LTS - but we need as much
testing as we can get to find anything else which is not working as expected
beforehand - easy to do via a new sysctl
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
create a file /etc/sysctl.d/60-apparmor.conf with the following contents:
kernel.apparmor_restrict_unprivileged_userns = 1
Then if you do find something which is not working as expected, you can create
a simple AppArmor profile which will allow it to use unprivileged user
namespaces without any additional restrictions, e.g:
abi ,
include
/opt/google/chrome/chrome flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists
}
additional sysctl to ensure that anything which is unconfined can’t just abuse
these profiles by aa-exec‘ing themselves via that profile - so then also need
to enable the kernel.apparmor_restrict_unprivileged_unconfined = 1 sysctl too
issues, is currently disabling this automatically at startup - so for now you
have to keep manually re-enabling this restriction until the LXD devs land a
change to stop this https://github.com/canonical/lxd-pkg-snap/pull/187
issues since the chromium sandbox uses unprivileged user namespaces by
default - we have already created profiles for the various ones in the Ubuntu
archive that we are aware of, and for some third party ones too (Brave,
Vivaldi etc) but we expect there will be others - in that case, let us know
https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug
Get in contact