March 22, 2024

Episode 223

17 minutes

Overview

This week we bring you a sneak peak of how Ubuntu 23.10 fared at Pwn2Own

Vancouver 2024, plus news of malicious themes in the KDE Store and we cover

security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and

more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6681-3] Linux kernel vulnerabilities (00:54)

8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51780

CVE-2023-51779

CVE-2023-4244

CVE-2023-22995

CVE-2021-44879

5.4 - IBM, Oracle

UAF due to a race-condition in netfilter - underflow a reference counter ->

UAF

[USN-6686-2] Linux kernel vulnerabilities (01:42)

9 CVEs addressed in Jammy (22.04 LTS)

CVE-2024-0607

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51779

CVE-2023-46862

CVE-2023-46343

CVE-2023-4134

CVE-2023-22995

5.15 - Raspi, Lowlatency

[USN-6699-1] Linux kernel vulnerabilities (01:52)

3 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2024-24855

CVE-2023-4921

CVE-2023-30456

3.13 - generic, lowlatency, server, virtual

KVM mishandling of control registers for nested guest VMs

[USN-6123-1] Linux kernel (OEM) vulnerabilities from Episode 197

UAF in Quick Fair Queuing network packet scheduler

Local privesc, reported to Google’s kCTF

[USN-6700-1] Linux kernel vulnerabilities (02:40)

7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2024-24855

CVE-2024-1086

CVE-2024-0775

CVE-2023-51781

CVE-2023-39197

CVE-2023-34256

CVE-2022-20567

4.4 - generic, kvm, lowlatency, virtual, aws (14.04 only)

UAF in nftables - also originally reported to kCTF

[USN-6701-1] Linux kernel vulnerabilities

12 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)

CVE-2024-24855

CVE-2024-1086

CVE-2024-0775

CVE-2023-6121

CVE-2023-51781

CVE-2023-46838

CVE-2023-4132

CVE-2023-39197

CVE-2023-34256

CVE-2023-3006

CVE-2023-23000

CVE-2023-2002

4.15 - oracle, kvm, aws, generic, lowlatency

UAF in nftables from above and UAF in AppleTalk network driver - [USN-6648-1]

Linux kernel vulnerabilities from Episode 220

[USN-6680-3] Linux kernel (AWS) vulnerabilities

7 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-25744

CVE-2024-0607

CVE-2023-6560

CVE-2023-6121

CVE-2023-51782

CVE-2023-51779

CVE-2023-46343

6.5 - aws

[USN-6681-4] Linux kernel (AWS) vulnerabilities

8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51780

CVE-2023-51779

CVE-2023-4244

CVE-2023-22995

CVE-2021-44879

5.4 - aws

UAF in netfilter discussed earlier

[USN-6686-3] Linux kernel (Oracle) vulnerabilities

9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2024-0607

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51779

CVE-2023-46862

CVE-2023-46343

CVE-2023-4134

CVE-2023-22995

5.15 - oracle

[USN-6702-1] Linux kernel vulnerabilities

4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

CVE-2024-24855

CVE-2024-1086

CVE-2023-23004

CVE-2023-23000

5.4 - iot, ibm, bluefield, gkeop, kvm, oracle, gcp, generic, lowlatency, oem

Second netfilter UAF above

[USN-6587-5] X.Org X Server vulnerabilities (03:34)

7 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2024-21886

CVE-2024-21885

CVE-2024-0409

CVE-2024-0408

CVE-2024-0229

CVE-2023-6816

CVE-2023-6478

Previous updates for X now available in 14.04 ESM

Most issues either OOB R/W - impact is then can crash X Server or potentially

get code execution - nowadays X runs unprivileged but in 14.04 still runs as

root so these vulns are more severe in the older releases

[USN-6673-2] python-cryptography vulnerability (04:21)

1 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2023-50782

[USN-6673-1] python-cryptography vulnerabilities from Episode 220

[USN-6695-1] TeX Live vulnerabilities (04:28)

3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-25262

CVE-2023-32668

CVE-2019-18604

Heap buffer overflow via a crafted TTF file

LuaTeX specific issue - allowed a document to make arbitrary network requests

since it didn’t disable access to the underlying lua socket library

Misused sprint() resulting in a buffer overflow in the axohelp - helper

program for the LaTeX axodraw2 package when used with pdflatex

[USN-6694-1] Expat vulnerabilities (05:24)

2 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-28757

CVE-2023-52425

C library for parsing xml

used by many other applications like gdb, dbus, audacity, git, python,

polkit, squid and more

CPU/memory-based DoS since would do many full reparsings of a document in some cases

XML Entity Expansion attack

billion laughs attack / XML bomb - 10 entities which each comprise 10 of the

previous entity with the document containing a single instance of the

largest entity - 1 billion copies of the original entity

[USN-6696-1] OpenJDK 8 vulnerabilities (06:40)

6 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-20952

CVE-2024-20945

CVE-2024-20926

CVE-2024-20921

CVE-2024-20919

CVE-2024-20918

[USN-6660-1, USN-6661-1] OpenJDK 11 & 17 vulnerabilities from Episode 220

[USN-6697-1] Bash vulnerability (07:01)

1 CVEs addressed in Jammy (22.04 LTS)

CVE-2022-3715

Heap buffer overflow on a valid parameter transformation - can then

unexpectedly lead to possible code execution

[USN-6698-1] Vim vulnerability (07:30)

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-22667

stack buffer overflow when parsing a crafted command file - ie. the user has

to load a crafted file to be sourced by vim

[USN-6703-1] Firefox vulnerabilities (07:48)

11 CVEs addressed in Focal (20.04 LTS)

CVE-2024-2613

CVE-2024-2612

CVE-2024-2610

CVE-2024-2608

CVE-2024-2607

CVE-2024-2606

CVE-2023-5388

CVE-2024-2615

CVE-2024-2614

CVE-2024-2611

CVE-2024-2609

124.0

Goings on in Ubuntu Security Community

Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 (08:05)

https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results

The DEVCORE Team was able to execute their LPE attack against Ubuntu

Linux. However, the bug they used was previously known. They still earn

$10,000 and 1 Master of Pwn points.

https://youtube.com/shorts/fXUrMIM2KYc?si=VIR7YKIt86NGEceU

Kyle Zeng from ASU SEFCOM used an ever tricky race condition to escalate

privileges on Ubuntu Linux desktop. This earns him him $20,000 and 20 Master

of Pwn points.

https://www.youtube.com/shorts/HSIasEbEkXY

https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results

STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu

desktop. However, they used a bug that was previously reported. They still

earn $5,000 and 1 Master of Pwn point.

The final entry of Pwn2Own Vancouver 2024 ends as a collision as Theori used a

bug that was previously know to escalate privileges on Ubuntu desktop. He

still wins $5,000 and 1 Master of Pwn point.

Reports of malicious themes in KDE Store (10:27)

https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/

https://floss.social/@kde/112128243960545659

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@[email protected], @ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

March 22, 2024

Episode 223

17 minutes

Overview

This week we bring you a sneak peak of how Ubuntu 23.10 fared at Pwn2Own

Vancouver 2024, plus news of malicious themes in the KDE Store and we cover

security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and

more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6681-3] Linux kernel vulnerabilities (00:54)

8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51780

CVE-2023-51779

CVE-2023-4244

CVE-2023-22995

CVE-2021-44879

5.4 - IBM, Oracle

UAF due to a race-condition in netfilter - underflow a reference counter ->

UAF

[USN-6686-2] Linux kernel vulnerabilities (01:42)

9 CVEs addressed in Jammy (22.04 LTS)

CVE-2024-0607

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51779

CVE-2023-46862

CVE-2023-46343

CVE-2023-4134

CVE-2023-22995

5.15 - Raspi, Lowlatency

[USN-6699-1] Linux kernel vulnerabilities (01:52)

3 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2024-24855

CVE-2023-4921

CVE-2023-30456

3.13 - generic, lowlatency, server, virtual

KVM mishandling of control registers for nested guest VMs

[USN-6123-1] Linux kernel (OEM) vulnerabilities from Episode 197

UAF in Quick Fair Queuing network packet scheduler

Local privesc, reported to Google’s kCTF

[USN-6700-1] Linux kernel vulnerabilities (02:40)

7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2024-24855

CVE-2024-1086

CVE-2024-0775

CVE-2023-51781

CVE-2023-39197

CVE-2023-34256

CVE-2022-20567

4.4 - generic, kvm, lowlatency, virtual, aws (14.04 only)

UAF in nftables - also originally reported to kCTF

[USN-6701-1] Linux kernel vulnerabilities

12 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)

CVE-2024-24855

CVE-2024-1086

CVE-2024-0775

CVE-2023-6121

CVE-2023-51781

CVE-2023-46838

CVE-2023-4132

CVE-2023-39197

CVE-2023-34256

CVE-2023-3006

CVE-2023-23000

CVE-2023-2002

4.15 - oracle, kvm, aws, generic, lowlatency

UAF in nftables from above and UAF in AppleTalk network driver - [USN-6648-1]

Linux kernel vulnerabilities from Episode 220

[USN-6680-3] Linux kernel (AWS) vulnerabilities

7 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-25744

CVE-2024-0607

CVE-2023-6560

CVE-2023-6121

CVE-2023-51782

CVE-2023-51779

CVE-2023-46343

6.5 - aws

[USN-6681-4] Linux kernel (AWS) vulnerabilities

8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51780

CVE-2023-51779

CVE-2023-4244

CVE-2023-22995

CVE-2021-44879

5.4 - aws

UAF in netfilter discussed earlier

[USN-6686-3] Linux kernel (Oracle) vulnerabilities

9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

CVE-2024-0607

CVE-2024-0340

CVE-2023-6121

CVE-2023-51782

CVE-2023-51779

CVE-2023-46862

CVE-2023-46343

CVE-2023-4134

CVE-2023-22995

5.15 - oracle

[USN-6702-1] Linux kernel vulnerabilities

4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)

CVE-2024-24855

CVE-2024-1086

CVE-2023-23004

CVE-2023-23000

5.4 - iot, ibm, bluefield, gkeop, kvm, oracle, gcp, generic, lowlatency, oem

Second netfilter UAF above

[USN-6587-5] X.Org X Server vulnerabilities (03:34)

7 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2024-21886

CVE-2024-21885

CVE-2024-0409

CVE-2024-0408

CVE-2024-0229

CVE-2023-6816

CVE-2023-6478

Previous updates for X now available in 14.04 ESM

Most issues either OOB R/W - impact is then can crash X Server or potentially

get code execution - nowadays X runs unprivileged but in 14.04 still runs as

root so these vulns are more severe in the older releases

[USN-6673-2] python-cryptography vulnerability (04:21)

1 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2023-50782

[USN-6673-1] python-cryptography vulnerabilities from Episode 220

[USN-6695-1] TeX Live vulnerabilities (04:28)

3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-25262

CVE-2023-32668

CVE-2019-18604

Heap buffer overflow via a crafted TTF file

LuaTeX specific issue - allowed a document to make arbitrary network requests

since it didn’t disable access to the underlying lua socket library

Misused sprint() resulting in a buffer overflow in the axohelp - helper

program for the LaTeX axodraw2 package when used with pdflatex

[USN-6694-1] Expat vulnerabilities (05:24)

2 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-28757

CVE-2023-52425

C library for parsing xml

used by many other applications like gdb, dbus, audacity, git, python,

polkit, squid and more

CPU/memory-based DoS since would do many full reparsings of a document in some cases

XML Entity Expansion attack

billion laughs attack / XML bomb - 10 entities which each comprise 10 of the

previous entity with the document containing a single instance of the

largest entity - 1 billion copies of the original entity

[USN-6696-1] OpenJDK 8 vulnerabilities (06:40)

6 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-20952

CVE-2024-20945

CVE-2024-20926

CVE-2024-20921

CVE-2024-20919

CVE-2024-20918

[USN-6660-1, USN-6661-1] OpenJDK 11 & 17 vulnerabilities from Episode 220

[USN-6697-1] Bash vulnerability (07:01)

1 CVEs addressed in Jammy (22.04 LTS)

CVE-2022-3715

Heap buffer overflow on a valid parameter transformation - can then

unexpectedly lead to possible code execution

[USN-6698-1] Vim vulnerability (07:30)

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

CVE-2024-22667

stack buffer overflow when parsing a crafted command file - ie. the user has

to load a crafted file to be sourced by vim

[USN-6703-1] Firefox vulnerabilities (07:48)

11 CVEs addressed in Focal (20.04 LTS)

CVE-2024-2613

CVE-2024-2612

CVE-2024-2610

CVE-2024-2608

CVE-2024-2607

CVE-2024-2606

CVE-2023-5388

CVE-2024-2615

CVE-2024-2614

CVE-2024-2611

CVE-2024-2609

124.0

Goings on in Ubuntu Security Community

Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 (08:05)

https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results

The DEVCORE Team was able to execute their LPE attack against Ubuntu

Linux. However, the bug they used was previously known. They still earn

$10,000 and 1 Master of Pwn points.

https://youtube.com/shorts/fXUrMIM2KYc?si=VIR7YKIt86NGEceU

Kyle Zeng from ASU SEFCOM used an ever tricky race condition to escalate

privileges on Ubuntu Linux desktop. This earns him him $20,000 and 20 Master

of Pwn points.

https://www.youtube.com/shorts/HSIasEbEkXY

https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results

STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu

desktop. However, they used a bug that was previously reported. They still

earn $5,000 and 1 Master of Pwn point.

The final entry of Pwn2Own Vancouver 2024 ends as a collision as Theori used a

bug that was previously know to escalate privileges on Ubuntu desktop. He

still wins $5,000 and 1 Master of Pwn point.

Reports of malicious themes in KDE Store (10:27)

https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/

https://floss.social/@kde/112128243960545659

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@[email protected], @ubuntu_sec on twitter

...more

Share Episode 223

Sign up to save your podcasts

Episode 223

Episode 223