Sign up to save your podcasts
Or
Share Episode 216
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 216
Overview
For the final episode of 2023 we discuss creating PoCs for vulns in tar and the
looming EOL for Ubuntu 23.04, plus we look into security updates for curl,
BlueZ, Netatalk, GNOME Settings and a heap more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-6535-1] curl vulnerabilities (00:54)
create so called “super cookies” that would then get passed back to more
domains that what is normally allowed - ie a site can set a cookie which is
then sent to different / unrelated sites. Depends on a feature called the
Public Suffix List which is a community initiative (led by Mozilla) to provide
an accurate list of domain name suffixes - ie. .com / .org but also .co.uk
etc - since there is no good algorithmic way of determining the highest level
at which a domain may be registered for a particular TLD as each registrar is
different
this would then get sent to every other .co.uk domain contrary to the
expectations of the PSL which lists .co.uk as a PSL domain
[USN-6463-2] Open VM Tools vulnerabilities (02:56)
Operation Privileges within a guest VM to elevate their privileges if the VM
has been assigned a more privileged Guest Alias
local user with non-root privileges that is able to hijack the /dev/uinput
file descriptor may be able to simulate user inputs
[USN-6538-1] PostgreSQL vulnerabilities (03:48)
bug fixes etc
[USN-6539-1] python-cryptography vulnerabilities (04:14)
[USN-6540-1] BlueZ vulnerability (04:57)
and inject keystrokes etc without any intervention
break some legacy input devices like PS3 controller - in which case, should
edit /etc/bluetooth/input.conf and set this back to false but then beware that
you may be vulnerable to attack from anyone within bluetooth range when your
machines is discoverable - ie. bluetooth settings panel is open
[USN-6541-1] GNU C Library vulnerabilities (06:30)
possible to still trigger
[USN-6522-2] FreeRDP vulnerabilities (07:00)
[USN-6542-1] TinyXML vulnerability (07:08)
[USN-6543-1] GNU Tar vulnerability (07:18)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
Stack buffer overflow on parsing a tar archive with an extremely large
extended attribute name/value - PAX archive format allows to store extended
attributes - on the kernel’s VFS layer these are limited to 255 bytes for the
name and 64kB for the value - but in a tar these can be basically arbitrary
When processing the archive, tar would allocate space for these on the stack -
BUT the stack is limited to a maximum size of 8MB normally - so if can specify
an xattr name of more than 8MB can overflow the entire stack memory region -
then into guard pages or even beyond, triggering a segfault or at worst a heap
corruption and hence possible RCE -> but in Ubuntu we have enabled stack clash
protection since 19.10 - which turns this into a DoS only
$ hardening-check $(which tar)
/usr/bin/tar:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: yes
Control flow integrity: yes
Speaking from experience, it is not easy to create such an archive - either
through a real xattr on disk or through specifying one on the command-line
(since you can specify arbitrary attributes be stored for files when adding
them to an archive but then you hit the maximum limit of command-line
arguments) BUT it is possible - in my case I did this though using sed to
replace the contents of a xattr name in an existing archive with a crafted one
and then doing a bunch of other hacks to fixup all the metadata of the tar
archive to match - helpfully, all these attributes in the archive are stored
as NUL-terminated strings, so can simply used sed to fix them all up assuming
you can calculate the correct values
Fixed by instead allocating these on the heap which does not have the same
arbitrary limitation as the stack
[USN-6500-2] Squid vulnerabilities (11:35)
[USN-6544-1] GNU binutils vulnerabilities (11:44)
overflows / OOB reads etc in various things like objdump etc
[USN-6545-1] WebKitGTK vulnerabilities (12:08)
various versions of iOS
[USN-6546-1] LibreOffice vulnerabilities (12:45)
do this, creates a gstreamer pipeline including the filename of the video
itself - this was not adequetely escaped, so could allow arbitrary code
execution if it contained shell meta characters etc
CVE-2023-2255 from [USN-6144-1] LibreOffice vulnerabilities in Episode 198
[USN-6547-1] Python vulnerability (13:46)
and was passed to os.path.normpath() it would get truncated at the NUL byte -
fixed to remove this behaviour
[USN-6550-1] PostfixAdmin vulnerabilities (14:19)
arbitrary code execution, XSS or DoS
[USN-6551-1] Ghostscript vulnerability (14:37)
[USN-6552-1] Netatalk vulnerability (14:43)
Ubuntu machine to share files with MacOS
indexer, metadata store and search engine under-the-hood
resulting in a type confusion bug and possible RCE via memory corruption -
similar to CVE-2023-34967 for Samba since the code in netatalk originated from
that code from Samba ([USN-6238-1] Samba vulnerabilities from Episode 204)
[USN-6554-1] GNOME Settings vulnerability (15:57)
sharing panel within the main settings application in Ubuntu
updated in Ubuntu to support this as well
via SSH even when it was (since it would only check the status of the
ssh.service, not ssh.socket)
service and the socket (since it is still a legitimate configuration to use
the service over the socket in recent Ubuntu releases)
there to use socket activation (although the sysadmin has to set this up
themselves)
[USN-6553-1] Pydantic vulnerability (17:49)
parsed as a date/datetime, would result in an infinite loop
[USN-6536-1] Linux kernel vulnerabilities (18:10)
[USN-6537-1] Linux kernel (GCP) vulnerabilities
[USN-6548-1] Linux kernel vulnerabilities
[USN-6549-1] Linux kernel vulnerabilities
[USN-6534-2] Linux kernel vulnerabilities
[USN-6549-2] Linux kernel (GKE) vulnerabilities
[USN-6548-2] Linux kernel vulnerabilities
Goings on in Ubuntu Security Community
Ubuntu 23.04 (Lunar Lobster) approaching EOL (18:48)
Ubuntu Security team (and rest of Canonical) on break till early January 2024 (19:33)
serious issues
something major happens (we are still wincing from Log4Shell - Log4Shell
explodes the internet from Episode 142 in late December 2022)
and someone should respond
Get in contact
View all episodes
By Ubuntu Security Team
4.8
1010 ratings
Overview
For the final episode of 2023 we discuss creating PoCs for vulns in tar and the
looming EOL for Ubuntu 23.04, plus we look into security updates for curl,
BlueZ, Netatalk, GNOME Settings and a heap more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-6535-1] curl vulnerabilities (00:54)
create so called “super cookies” that would then get passed back to more
domains that what is normally allowed - ie a site can set a cookie which is
then sent to different / unrelated sites. Depends on a feature called the
Public Suffix List which is a community initiative (led by Mozilla) to provide
an accurate list of domain name suffixes - ie. .com / .org but also .co.uk
etc - since there is no good algorithmic way of determining the highest level
at which a domain may be registered for a particular TLD as each registrar is
different
this would then get sent to every other .co.uk domain contrary to the
expectations of the PSL which lists .co.uk as a PSL domain
[USN-6463-2] Open VM Tools vulnerabilities (02:56)
Operation Privileges within a guest VM to elevate their privileges if the VM
has been assigned a more privileged Guest Alias
local user with non-root privileges that is able to hijack the /dev/uinput
file descriptor may be able to simulate user inputs
[USN-6538-1] PostgreSQL vulnerabilities (03:48)
bug fixes etc
[USN-6539-1] python-cryptography vulnerabilities (04:14)
[USN-6540-1] BlueZ vulnerability (04:57)
and inject keystrokes etc without any intervention
break some legacy input devices like PS3 controller - in which case, should
edit /etc/bluetooth/input.conf and set this back to false but then beware that
you may be vulnerable to attack from anyone within bluetooth range when your
machines is discoverable - ie. bluetooth settings panel is open
[USN-6541-1] GNU C Library vulnerabilities (06:30)
possible to still trigger
[USN-6522-2] FreeRDP vulnerabilities (07:00)
[USN-6542-1] TinyXML vulnerability (07:08)
[USN-6543-1] GNU Tar vulnerability (07:18)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
Stack buffer overflow on parsing a tar archive with an extremely large
extended attribute name/value - PAX archive format allows to store extended
attributes - on the kernel’s VFS layer these are limited to 255 bytes for the
name and 64kB for the value - but in a tar these can be basically arbitrary
When processing the archive, tar would allocate space for these on the stack -
BUT the stack is limited to a maximum size of 8MB normally - so if can specify
an xattr name of more than 8MB can overflow the entire stack memory region -
then into guard pages or even beyond, triggering a segfault or at worst a heap
corruption and hence possible RCE -> but in Ubuntu we have enabled stack clash
protection since 19.10 - which turns this into a DoS only
$ hardening-check $(which tar)
/usr/bin/tar:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Stack clash protection: yes
Control flow integrity: yes
Speaking from experience, it is not easy to create such an archive - either
through a real xattr on disk or through specifying one on the command-line
(since you can specify arbitrary attributes be stored for files when adding
them to an archive but then you hit the maximum limit of command-line
arguments) BUT it is possible - in my case I did this though using sed to
replace the contents of a xattr name in an existing archive with a crafted one
and then doing a bunch of other hacks to fixup all the metadata of the tar
archive to match - helpfully, all these attributes in the archive are stored
as NUL-terminated strings, so can simply used sed to fix them all up assuming
you can calculate the correct values
Fixed by instead allocating these on the heap which does not have the same
arbitrary limitation as the stack
[USN-6500-2] Squid vulnerabilities (11:35)
[USN-6544-1] GNU binutils vulnerabilities (11:44)
overflows / OOB reads etc in various things like objdump etc
[USN-6545-1] WebKitGTK vulnerabilities (12:08)
various versions of iOS
[USN-6546-1] LibreOffice vulnerabilities (12:45)
do this, creates a gstreamer pipeline including the filename of the video
itself - this was not adequetely escaped, so could allow arbitrary code
execution if it contained shell meta characters etc
CVE-2023-2255 from [USN-6144-1] LibreOffice vulnerabilities in Episode 198
[USN-6547-1] Python vulnerability (13:46)
and was passed to os.path.normpath() it would get truncated at the NUL byte -
fixed to remove this behaviour
[USN-6550-1] PostfixAdmin vulnerabilities (14:19)
arbitrary code execution, XSS or DoS
[USN-6551-1] Ghostscript vulnerability (14:37)
[USN-6552-1] Netatalk vulnerability (14:43)
Ubuntu machine to share files with MacOS
indexer, metadata store and search engine under-the-hood
resulting in a type confusion bug and possible RCE via memory corruption -
similar to CVE-2023-34967 for Samba since the code in netatalk originated from
that code from Samba ([USN-6238-1] Samba vulnerabilities from Episode 204)
[USN-6554-1] GNOME Settings vulnerability (15:57)
sharing panel within the main settings application in Ubuntu
updated in Ubuntu to support this as well
via SSH even when it was (since it would only check the status of the
ssh.service, not ssh.socket)
service and the socket (since it is still a legitimate configuration to use
the service over the socket in recent Ubuntu releases)
there to use socket activation (although the sysadmin has to set this up
themselves)
[USN-6553-1] Pydantic vulnerability (17:49)
parsed as a date/datetime, would result in an infinite loop
[USN-6536-1] Linux kernel vulnerabilities (18:10)
[USN-6537-1] Linux kernel (GCP) vulnerabilities
[USN-6548-1] Linux kernel vulnerabilities
[USN-6549-1] Linux kernel vulnerabilities
[USN-6534-2] Linux kernel vulnerabilities
[USN-6549-2] Linux kernel (GKE) vulnerabilities
[USN-6548-2] Linux kernel vulnerabilities
Goings on in Ubuntu Security Community
Ubuntu 23.04 (Lunar Lobster) approaching EOL (18:48)
Ubuntu Security team (and rest of Canonical) on break till early January 2024 (19:33)
serious issues
something major happens (we are still wincing from Log4Shell - Log4Shell
explodes the internet from Episode 142 in late December 2022)
and someone should respond
Get in contact