Overview
AppArmor unprivileged user namespace restrictions are back on the agenda this
week as we survey the latest improvements to this hardening feature in the
upcoming Ubuntu 24.04 LTS, plus we discuss SMTP smuggling in Postfix, runC
container escapes and Qualys’ recent disclosure of a privilege escalation
exploit for GNU libc and more.
This week in Ubuntu Security Updates
[USN-6591-2] Postfix update (00:48)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
CVE-2023-51764
On 18th December (during the holiday break), SEC Consult published a report about a new technique for email spoofing, which they dubbed SMTP Smuggling
Similar to HTTP Request Smuggling - relies on exploiting differences in how the SMTP protocol is interpreted by outbound (originating) vs inbound (receiving) SMTP servers. In particular the end-of-data sequence <CR><LF>.<CR><LF> gets interpreted loosely, so that it is possible to include extra SMTP commands within the message data which then go on to be interpreted as additional SMTP commands to be executed by the receiving server, causing it to receive two emails when only one was sent in the first place, with the usual SPF checks bypassed for this second email - so it can bypass SPF/DMARC policies to spoof emails from various domains
Affected a number of projects including postfix - upstream postfix released version 3.8.4 with an initial fix on 22nd December
We then released USN-6591-1 with that fix
Then on 21st January released a more robust fix with an additional config option to increase interoperability whilst still preventing SMTP smuggling
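The end-of-data parsing difference described above, as an added example (not from the podcast and not Postfix's code): a lenient DATA parser that also accepts a bare LF or bare CR around the "." line, beside the strict RFC 5321 form, run over a constructed payload so the "two emails from one" effect and a relay-side detection check are visible. Addresses and message text are made up.

```python
import re

# RFC 5321 end-of-data: CRLF, a lone ".", CRLF.
STRICT_EOD = b"\r\n.\r\n"
# What a lenient receiver also accepts: a "." line with CRLF, bare LF or bare CR on either side.
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")

def split_lenient(stream):
    """Vulnerable behaviour: DATA ends at the first '.' line however it is terminated.
    Returns (body, rest); rest is what the receiver then parses as new SMTP commands."""
    m = LENIENT_EOD.search(stream)
    if m is None:
        return None, stream
    return stream[:m.start()], stream[m.end():]

def split_strict(stream):
    """Hardened behaviour: DATA ends only at the exact CRLF '.' CRLF sequence."""
    i = stream.find(STRICT_EOD)
    if i < 0:
        return None, stream
    return stream[:i], stream[i + len(STRICT_EOD):]

def count_messages(stream, split):
    """How many DATA terminations a receiver using `split` sees in one payload."""
    n, rest = 0, stream
    while True:
        body, rest = split(rest)
        if body is None:
            return n
        n += 1

def bare_newline_dot_lines(body):
    """Detection signal for a relay: '.' lines in the body whose delimiters are not
    both CRLF, which a lenient downstream receiver may treat as end-of-data."""
    return [m.group(0) for m in LENIENT_EOD.finditer(body) if m.group(0) != STRICT_EOD]

# Constructed sample payload: a single legitimate message whose body contains a '.'
# line preceded by a bare LF, followed by text shaped like a second SMTP transaction.
SAMPLE = (
    b"From: alice@example.test\r\nSubject: hello\r\n\r\n"
    b"legitimate text" b"\n.\r\n"          # bare LF before the dot
    b"MAIL FROM:<second@example.test>\r\nRCPT TO:<bob@example.test>\r\n"
    b"DATA\r\nsmuggled text" b"\r\n.\r\n"  # the real terminator
)

if __name__ == "__main__":
    print("lenient receiver sees", count_messages(SAMPLE, split_lenient), "messages")
    print("strict receiver sees", count_messages(SAMPLE, split_strict), "messages")
    print("suspicious dot lines:", bare_newline_dot_lines(split_strict(SAMPLE)[0]))
```

The strict parser sees one message and leaves nothing over, while the lenient one terminates early and would go on to execute the smuggled commands; the last check is what an outbound relay can use to flag such bodies before forwarding them.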
This second update includes the reworked fix
[USN-6619-1] runC vulnerability (03:22)
1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
CVE-2024-21626
“Internal file descriptor leak” - using a specially crafted container image, allows an attacker to cause a newly spawned container to have a working directory within the host filesystem namespace, which in turn can allow the attacker to escape the container - there are various ways this can be attacked; full details are in the upstream advisory:
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
[USN-6620-1] GNU C Library vulnerabilities (04:17)
3 CVEs addressed in Mantic (23.10)
CVE-2023-6780 CVE-2023-6779 CVE-2023-6246
Latest round of vulnerabilities from Qualys
Affect the syslog() function
Heap buffer overflow, off-by-one buffer overflow and integer overflow
Of these the heap buffer overflow is the most severe - Qualys were able to demonstrate they could exploit an up-to-date default install of Fedora 38 to escalate privileges from a local unprivileged user to root
It uses the value of argv[0] in a call to snprintf() into a fixed size buffer allocated on the stack - snprintf() won't overflow this but will return a value larger than the fixed size buffer - as a result a heap buffer to then contain this string would only get allocated with a size of 1 byte, but then the full expected data would get copied into it - and since the attacker controls this value they can write arbitrary data to the heap just by using a crafted program name (which is easy to do via the exec command built in to bash etc)
Various setuid binaries like /usr/bin/su call syslog() internally and so can be abused in this way
[USN-6587-4] X.Org X Server regression (07:14)
6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2024-21886 CVE-2024-21885 CVE-2024-0409 CVE-2024-0408 CVE-2024-0229 CVE-2023-6816
[USN-6621-1] ImageMagick vulnerability (07:28)
1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-5341
ImageMagick is in universe, so these updates are available via Ubuntu Pro
Heap use-after-free in the BMP decoder - likely DoS but possible code execution via a crafted BMP file
[USN-6622-1] OpenSSL vulnerabilities (08:07)
4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678
Two CPU-based DoS issues where OpenSSL would spend an excessive amount of time trying to check invalid RSA or X9.42 DH keys
NULL pointer dereference when parsing a malicious PKCS12 file
Issue specific to PowerPC (ppc64el arch in Ubuntu) - possible to corrupt application state since the POLY1305 MAC implementation (hand-coded assembly) saves the contents of the vector registers in a different order than when they get restored - so some registers will be corrupted when returning to the caller
Only relevant on newer PowerPC processors which support the PowerISA 2.07 instructions
[USN-6592-2] libssh vulnerabilities (09:27)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-6918 CVE-2023-6004
Recent libssh update now also available for Ubuntu Pro users on older releases
[USN-6623-1] Django vulnerability (09:34)
1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
CVE-2024-24680
ReDoS when using the intcomma template filter
[USN-6609-3] Linux kernel (Oracle) vulnerabilities (09:45)
6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2024-0193 CVE-2023-6932 CVE-2023-6931 CVE-2023-6817 CVE-2023-6606 CVE-2023-6040
Refer back to Episode 217 for the most recent kernel vulns
[USN-6610-2] Firefox regressions (09:57)
14 CVEs addressed in Focal (20.04 LTS)
CVE-2024-0746 CVE-2024-0755 CVE-2024-0754 CVE-2024-0753 CVE-2024-0751 CVE-2024-0750 CVE-2024-0749 CVE-2024-0748 CVE-2024-0747 CVE-2024-0745 CVE-2024-0744 CVE-2024-0743 CVE-2024-0742 CVE-2024-0741
Similarly, last week I mentioned [USN-6610-1] Firefox vulnerabilities - the upstream 122.0 release has various minor regressions now fixed in this 122.0.1 release - including an issue if you happened to be using the Yaru-Remix theme in Ubuntu
Goings on in Ubuntu Security Community
Updates for unprivileged user namespace restrictions in Ubuntu 24.04 LTS (10:32)
Previously mentioned this work a few times on the podcast (Call for testing of Unprivileged User Namespace Restrictions on Mantic in Episode 211 and Unprivileged user namespace restrictions via AppArmor in Ubuntu in Episode 205)
Both those times were about user namespace restrictions in Ubuntu 23.10 (the current interim release)
For those not familiar - user namespaces provide a mechanism for operating as a different UID on a Linux system - in particular, a process can operate as uid 0 within a namespace which is then constrained by the original parent namespace - i.e. as a normal unprivileged user, I could create a new user namespace and map my UID to 0 within that namespace, which can then allow me to have say CAP_NET_ADMIN within that namespace and so create firewall rules etc that only affect applications within that namespace and not the host system
Can also be used for isolation etc
However, since within the namespace my unprivileged user now has extra privileges, this exposes additional kernel attack surface - various bugs have been found in different kernel subsystems that allow an unprivileged user to exploit the kernel as a result
Want a way to provide fine grained controls over unprivileged user namespaces
Previously, used AppArmor to deny the ability to create a new user namespace unless an application was explicitly tagged via an associated AppArmor profile
John and Georgia from the AppArmor team have made a number of enhancements, in particular adding new default functionality where you can define in AppArmor policy a different AppArmor profile which an application should transition into when it creates a user namespace
In particular, we can now do this even for the “unconfined” profile - and then ship a default “unconfined_userns” profile which allows an application to create a userns but not gain any additional capabilities within it by default
Various sandboxing frameworks behave much more sensibly with this - so instead of just failing when they try to create the userns, they are able to create one, but if they then try to gain additional capabilities (like CAP_NET_ADMIN etc as mentioned before) this is denied
This also matches the semantics we want to achieve, since it is not really the user namespace itself that is the original issue, it is the ability to gain additional capabilities within it which the unprivileged user did not have originally
In addition, Georgia has been busy testing various applications within the archive and across the Linux ecosystem to ensure we ship any required profiles for them out-of-the-box, so that as many pieces of software as possible continue to work as expected with these restrictions in place
AppArmor in noble is already enabling this restriction and these updates are now in the apparmor package in the noble-proposed pocket
Expect it to be available in noble within the next few days once automated testing completes
Requires some additional kernel support - the Kernel Team has merged this into their current linux-unstable kernel (available via the Kernel Team’s unstable PPA) which will eventually land in 24.04 proper
On track to have this additional security hardening feature enabled by default for 24.04 LTS at release so we can close off one of the more prevalent sources of kernel privilege escalation bugs in the past few years
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter