Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

October 01, 2021Episode 133
Overview
This week we look at a Wifi lookalike attack dubbed “SSID stripping” plus
updates for ca-certificates, EDK II, Apache, the Linux kernel and even vim!
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-5086-1] Linux kernel vulnerability [00:50]
Affecting Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
s390x BPF JIT verifier bypass - no CVE assigned
[USN-5085-1] SQL parse vulnerability [01:33]
1 CVEs addressed in Hirsute (21.04)
CVE-2021-32839
ReDoS via exponential backtracking with a large amount of
carriage-return, newline combinations
[USN-5087-1] WebKitGTK vulnerabilities [02:18]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-30858
UAF in underlying webkit - originally reported by Apple against their
various operating systems - not actually against webkit directly…
[USN-5088-1] EDK II vulnerabilities [02:46]
4 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38575
CVE-2021-3712
CVE-2021-23840
CVE-2019-11098
mix of issues in the embedded openssl in EDK-II plus 2 issues specific to
EDK-II itself - one in the handling of Intel Boot Guard which is designed
to detect attacks against the static root of trust, in particualr
modifification of the initial boot block - an attacker with physical
access to the SPI flash chip, could get code execution after the IBB has
been validated by then injecting SPI transactions to modify the contents
of the IBB in memory
[USN-5089-1, USN-5089-2] ca-certificates update [04:34]
Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
To also support older devices which don;t have that root cert and when
LetsEncrypt started they got their issuing / intermediate cert (R3)
signed by IdenTrust’s “DST Root CA X3” root certificate -
“cross-signature”
DST Root CA X3 cert expired yesterday (30th Sept 2021)
So if you only had that then any HTTPS connections to a site using a
LetsEncrypt cert would fail
Also to support various older Android devices which aren’t getting any
updates anymore, IdenTrust issued an updated cross-signature expiring in
Sept 2024 so that those Android devices would continue to trust the
issuing cert
Nowadays LetsEncrypt has their own root cert “ISRG Root X1” - which is
trusted by ca-certificates - this is present on all Ubuntu back to 12.04
But older versions of openssl (1.0.x - xenial, trusty, precise!?!) and
gnutls etc would see the cross-signature with an expiry in the future and
so return this as a valid chain to validate against - but then when
validating the full chain, it would fail as the DST Root CA X3 cert at
the root is now expired
Would cause connections to fail still
Solution is to blacklist the DST Root CA X3 as this then ensures the
cross-signature is seen as invalid and instead the shorter chain back to
LetsEncrypt’s own root cert is used to do the validation
[USN-5090-1, USN-5090-2, USN-5090-3, USN-5090-4] Apache HTTP Server vulnerabilities + regression [07:41]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-40438
CVE-2021-39275
CVE-2021-34798
CVE-2021-36160
CVE-2021-33193
HTTP/2 specific issue - crafted method would bypass validation and be
forwarded by mod_proxy - so could lead to request splitting / cache
poising
NULL pointer dereference triggerable via crafted request
OOB read in mod_proxy_uwsgi - crash / info leak
OOB write in ap_escape_quotes() if given malicious input - modules in
apache itself don’t pass untrusted input to this but other 3rd party
modules might
crafted request to mod_proxy - forward the request to an origin server as
specified in the request - SSRF
fix for this resulted in more stricter interpretation of SetHandler
config option for mod_proxy that broke various configurations using
unix sockets - these got interpreted more like URIs and so would be
seen as invalid - broke Plesk and others - upstream then issued further
fixes which we released in a follow-up
[USN-5091-1] Linux kernel vulnerabilities [09:44]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-38204
CVE-2021-38199
CVE-2021-38160
CVE-2021-37576
CVE-2021-3679
CVE-2021-33624
5.4 (focal / bionic hwe)
[USN-5092-1, USN-5092-2] Linux kernel vulnerabilities [09:56]
12 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38205
CVE-2021-38204
CVE-2021-38201
CVE-2021-38199
CVE-2021-38160
CVE-2021-37576
CVE-2021-37159
CVE-2021-3679
CVE-2021-35477
CVE-2021-34556
CVE-2021-33624
CVE-2021-41073
5.11 (hirsute, focal hwe)
io_uring (5.1) - unprivileged user - trigger free of other kernel
memory - code execution
3 issues in BPF verifier - spectre-like side-channel attacks to leak
kernel memory
KVM guest could corrupt host memory on PowerPC - crash / code exec
[USN-5094-1] Linux kernel vulnerabilities [10:39]
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-38205
CVE-2021-38204
CVE-2021-37576
CVE-2021-3732
CVE-2021-3679
CVE-2021-22543
4.15 (bionic, xenial hwe, trusty azure)
[USN-5093-1] Vim vulnerabilities [10:57]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3796
CVE-2021-3778
CVE-2021-3770
Possible code-execution through 2 different heap buffer overflows and 1
UAF
Goings on in Ubuntu Security Community
SSID stripping attack against various OSes including Ubuntu [11:37]
https://aireye.tech/2021/09/13/the-ssid-stripping-vulnerability-when-you-dont-see-what-you-get/
Combination of lookalike AP name attacks and possible format-string vulns
against Windows, MacOS, iOS, Android and Ubuntu
Lookalike SSIDs uses non-printable chars so that user only sees a chosen
part of the SSID name rather than the entire thing so gets confused
Similar to domain-name lookalike attacks often used in phishing etc - not
really a new problem
No real details on what in Ubuntu is affected (wpa_supplicant,
NetworkManager, gnome-shell etc)
Best remediation would be to try and display all chars in some
representable format to users but then could still get lookalike names
that use these placeholder chars
Hard problem to solve well but given that this doesn’t allow to capture
credentials anyway (assuming are using WPA2-PSK since 4-way handshake
makes both the client and AP prove they know the PSK without revealing it
to each other) then is not really much of a risk
Only relevant then to unsecured networks but if you are connecting to
an unsecured network then there is no security anyway
Hiring [15:54]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Security Product Manager
https://canonical.com/careers/2278145/security-product-manager-remote
1 week break for the Ubuntu Security Podcast
Back in your feed in 2 weeks in the middle of October
Farewell Ubuntu Podcast
https://ubuntupodcast.org
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
September 24, 2021Episode 132
Overview
Extended Security Maintenance gets an extension, Linux disk encryption and
authentication goes under the microscope and we cover security updates for
libgcrypt, the Linux kernel, Python, and more.
This week in Ubuntu Security Updates
20 unique CVEs addressed
[USN-5078-2] Squashfs-Tools vulnerabilities [01:02]
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-41072
CVE-2021-40153
Episode 131
[USN-5080-1, USN-5080-2] Libgcrypt vulnerabilities [01:43]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-40528
CVE-2021-33560
Side-channel attacks against the various ElGamal implementations in
OpenPGP - https://eprint.iacr.org/2021/923 - researchers from IBM
Research Europe
Patent free public key encryption scheme - popular in OpenPGP - 1 in 6
registered OpenPGP keys have an ElGamal subkey
Various implementations of ElGamal are used in different OpenPGP
implementations - Go stdlib, Crypto++ and gcrypt
libgcrypt has previously had other side-channel vulns found and was used
in the development of FLUSH+RELOAD attack against GnuPG
This attack exploits the different configurations used in the various
implementations to use timing differences to be able to recover plaintext
Fixed to remove support for smaller key lengths and add exponent blinding
(combining the exponent with randomness to avoid it being inferred by
timing analysis)
[USN-5071-2] Linux kernel (HWE) vulnerabilities [04:11]
5 CVEs addressed in Bionic (18.04 LTS)
CVE-2021-3612
CVE-2021-22543
CVE-2020-36311
CVE-2021-3653
CVE-2021-3656
AMD nested virtualisation vulns (Episode 130, Episode 131)
2 other KVM vulns - UAF
OOB write in joystick subsystem via a malicious ioctl()
requires a joystick device to be present
snaps joystick interface is not auto-connected by default
[USN-5071-3] Linux kernel (Raspberry Pi) vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3612
CVE-2021-22543
[USN-5082-1] Linux kernel (OEM) vulnerabilities
3 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3609
CVE-2021-3653
CVE-2021-3656
CAN BCM UAF (Episode 121), AMD nested virtualisation
[USN-5073-2] Linux kernel (GCP) vulnerabilities
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-38160
CVE-2021-3612
CVE-2021-34693
CVE-2021-3653
CVE-2021-3656
[USN-5073-3] Linux kernel (Raspberry Pi) vulnerabilities
3 CVEs addressed in Bionic (18.04 LTS)
CVE-2021-38160
CVE-2021-3612
CVE-2021-34693
[USN-5079-3] curl vulnerabilities [06:34]
3 CVEs addressed in Bionic (18.04 LTS)
CVE-2021-22947
CVE-2021-22946
CVE-2021-22945
Episode 131
[USN-5081-1] Qt vulnerabilities [06:49]
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2021-38593
CVE-2020-17507
2 issues in graphics / image handling
crafted XBM trigger OOB read -> crash
OOB write when rendering SVG or other crafted vector content
[USN-5083-1] Python vulnerabilities [07:22]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2021-3737
CVE-2021-3733
ReDOS - a malicious HTTP server which would send a crafted response for
BasicAuth which would cause high CPU usage in trying to match the header
value via a regex - fixed to use a simpler regex
Malicious server could cause a client to hang even if the client had set
a timeout - server sends a ‘100 Continue’ response and the client would
sit there waiting to receive more input which would never arrive (since
server is malicious)
[USN-5084-1] LibTIFF vulnerability [08:32]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-19143
Buffer overflow via crafted TIFF file
[USN-5079-4] curl regression [08:42]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2021-22947
CVE-2021-22946
Mistake in backporting patch would cause STARTTLS to fail when used for
SMTP only - thanks for tuaris for metioning this on
https://ubuntuforums.org/showthread.php?t=2467177 but next time please
file a LP bug directly as you will get our attention much faster (and
more reliably)
Goings on in Ubuntu Security Community
Authenticated boot and disk encryption on Linux [09:28]
http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
systemd focused review of existing FDE in general purpose Linux distros
with pointers to proposed mechanisms to implement authenticated FDE etc
Laments lack of authenticated initrd, use of TPMs etc
Proposal is quite different than traditional distros - immutable,
authenticated /usr, encrypted, authenticated /etc, /var and per-user
/home/user encryption using their own login password
UC20 already does TPM backed FDE with authentication
Ubuntu 14.04 and 16.04 ESM extended [14:16]
https://ubuntu.com/blog/ubuntu-14-04-and-16-04-lifecycle-extended-to-ten-years
Total of 10 years of support (5 LTS, 5 ESM)

RELEASE
RELEASE DATE
END OF LIFE*

Ubuntu 14.04 (Trusty Tahr)
April 2014
April 2024(from April 2022)

Ubuntu 16.04 (Xenial Xerus)
April 2016
April 2026(from April 2024)

Ubuntu 18.04 (Bionic Beaver)
April 2018
April 2028(unchanged)

Ubuntu 20.04 (Focal Fossa)
April 2020
April 2030(unchanged)
Use extra time to plan upgrades
Hiring [15:48]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Security Product Manager
https://canonical.com/careers/2278145/security-product-manager-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
September 17, 2021Episode 131
Overview
OWASP Top 10 gets updated for 2021 and we look at security vulnerabilities
in the Linux kernel, Ghostscript, Git, curl and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-5069-2] mod-auth-mellon vulnerability [00:43]
1 CVEs addressed in Hirsute (21.04)
CVE-2021-3639
Episode 130 - failed to properly handle crafted redirect links -> open
redirect
[USN-5070-1] Linux kernel vulnerabilities
10 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38207
CVE-2021-38206
CVE-2021-38200
CVE-2021-38198
CVE-2021-3612
CVE-2021-34693
CVE-2021-22543
CVE-2020-26541
CVE-2021-3653
CVE-2021-3656
[USN-5071-1] Linux kernel vulnerabilities
5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3612
CVE-2021-22543
CVE-2020-36311
CVE-2021-3653
CVE-2021-3656
[USN-5072-1] Linux kernel vulnerabilities
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3653
CVE-2021-3656
[USN-5073-1] Linux kernel vulnerabilities [00:56]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-38160
CVE-2021-3612
CVE-2021-34693
CVE-2021-3653
CVE-2021-3656
2 different AMD specific issue in KVM subsystem with nested
virtualisation - 1 mentioned last week in Episode 130 - would fail to
validate particular operations which could be performed by a guest VM -
in this case would allow a guest to enable the Advanced Virtual Interrupt
Controller for a nested VM (ie L2 VM) - this would then allow the L2 VM
to write to host memory -> code execution on the host
The other - L1 guest could disable interception of both VMLOAD/VMSAVE
calls for a L2 guest - L2 guest could then read/write portions of host
physical memory - code-exec on host
[LSN-0081-1] Linux kernel vulnerability [01:56]
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-33909
CVE-2021-22555
CVE-2021-3656
CVE-2021-3653
(Episode 124) seq_file vuln - this virt file-system contained an unsigned integer
conversion error - would result in a local user being able to cause an
OOB write and hence possible code-exec in the kernel -> privesc
(Episode 127) netfilter setsockopt() - OOB write
AMD nested virtualisation issues above
[USN-5074-1] Firefox vulnerabilities [02:53]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38494
CVE-2021-38493
CVE-2021-38491
Memory safety bugs -> possible memory corruption, possible bypass in
mixed content blocking (ie http content on a https page)
[USN-5075-1] Ghostscript vulnerability [03:36]
1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3781
Trivial bypass of sandbox - exploit was apparently known about since
March and publicly available since end of August but only reported to GS
upstream on 8th August - fix available since 9th, updates for Ubuntu
published on 10th (rare Friday publication)
[USN-5076-1] Git vulnerability [04:55]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-40330
Possible cross-protocol requests by embedding a newline in the URL when
cloning
[USN-5077-1, USN-5077-2] Apport vulnerabilities [05:34]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3710
CVE-2021-3709
Arbitrary file reads in apport crash handling - reads certain file when
apps crash, can be tricked to read other files and include these in the
crash report which can then be seen by the user, uploaded to
errors.ubuntu.com etc
[USN-5078-1] Squashfs-Tools vulnerability [06:46]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-41072
Similar to Episode 129 - symlink and file of same name - when unsquash,
write out symlink, then write out file traversing the symlink ->
arbitrary file overwrite
[USN-5079-1, USN-5079-2] curl vulnerabilities [07:48]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-22947
CVE-2021-22946
CVE-2021-22945 (non-ESM only)
MQTT OOB write (malicious MQTT server) (non-ESM)
Possible to cause to not upgrade to TLS even when specified -> info leak
STARTTLS -> could inject responses / intercept comms etc
Goings on in Ubuntu Security Community
OWASP Top 10 updated after 4 years [08:55]
https://owasp.org/Top10/
Last updated in Nov 2017
Increasing complexity of web-apps means vulns are now at the edges -
ie. when combining two components, misconfigure one of them -> vuln in
combination due to accidential misuse by the other component
Hiring [13:11]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
15min
September 10, 2021Episode 130
Overview
This week we discuss compiler warnings as build errors in the Linux kernel,
plus we look at security updates for HAProxy, GNU cpio, PySAML2,
mod-auth-mellon and more.
This week in Ubuntu Security Updates
15 unique CVEs addressed
[USN-5051-4] OpenSSL regression [00:51]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-3712
Episode 129
Original backport of patch contained a typo which introduced a regression
where ASN1_STRINGs would fail to print in some cases
[USN-5062-1] Linux kernel vulnerability [01:20]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2021-3653
AMD specific issue in KVM subsystem with nested virtualisation - would
fail to validate particular operations which could be performed by a
guest VM - in this case would allow a guest to enable the Advanced
Virtual Interrupt Controller for a nested VM (ie L2 VM) - this would then
allow the L2 VM to write to host memory -> code execution on the host
[USN-5063-1] HAProxy vulnerabilities [02:40]
1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-40346
Integer overflow in handling of header name lengths - most significant
bit of header name length could slip into the LSB of header value
length - could then craft a valid request that would inject a dummy
content-length on input, this would then be reproduced on the output as
well as the original correct header length - can then get a “blind”
request smuggling attack since the extra request bypasses ACL checking
etc
[USN-5064-1] GNU cpio vulnerability [04:13]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38185
Integer overflow -> heap buffer overflow in the handling of pattern
files - this allows to specify a file which contains a list of patterns
to match against filenames in the cpio archive which should be
extracted - is not clear if can easily abuse this as a remote attacker
since would need to be able to supply a crafted pattern file and have
this get used but these are not often used in practice
[USN-5065-1] Open vSwitch vulnerability [05:08]
1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-36980
UAF in decoding of RAW_ENCAP actions - remote attacker could craft one ->
crash / RCE..?
[USN-5066-1, USN-5066-2] PySAML2 vulnerability [05:39]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-21239
pysaml2 uses xmlsec1 binary to validate cryptographic signatures on SAML
documents
By default xmlsec will accept any type of key found in the document to
verify the signature - so an attacker could embed their own signature
using just a HMAC and this would get validated as correct without even
consulting the X509 cert which should be used to validate the document -
simple fix to just change the CLI arguments to xmlsec1 to specify that it
should validate based on x509 certs
[USN-5067-1] SSSD vulnerabilities [07:06]
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3621
CVE-2019-3811
CVE-2018-16838
CVE-2018-10852
Possible shell command injection via the sssctl binary using the
logs-fetch and cache-expire subcommands - if could trick root into
running crafted commands could then get root… - was as a result of
using the system() syscall which evaluates a string to the shell - so
allows shell command injection directly - was fixed to instead use
fork() + execvp() on an array of arguments - which doesn’t go via the
shell to run the specified subcommand
common pattern for security vulns, something we specifically look for
when auditing packages as part of the security review for MIRs
[USN-5069-1] mod-auth-mellon vulnerability [08:54]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3639
SAML2 auth module for Apache
Failed to filter URLS that start with /// - an attacker could craft a URL
that specified a particular URL via the ReturnTo parameter and this would
then automatically redirect the user to that crafted URL - so could be
used for phishing attacks that look more trustworthy. ie. an attacker
creates a phishing site that copies the victim site at their own
domain. they then send an email to a user asking them to login and they
specify a URL to the real victim site but with the ReturnTo parameter set
to their own site - a user looking at this URL will see it specifies the
real site so won’t be concerned - when they visit it they get
automatically redirected to the victim site - so if they don’t then check
the URL they will start logging into the fake phishing site and not the
real one - fixed to just reject these URLs so they don’t get abused by
the redirect process
[USN-5068-1] GD library vulnerabilities [10:24]
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-38115
CVE-2021-40145
CVE-2021-381
CVE-2017-6363
Crafted image files -> OOB read / write - crash / code exec
One in TGA handling but others in the proprietary GD/GD2 formats which
upstream say is now deprecated so shouldn’t get a CVE - recommend if you
are processing GD/GD2 image files from untrusted sources that you stop as
upstream may stop issuing updates for these / may not get CVEs
Goings on in Ubuntu Security Community
Linux kernel enables -Werror [11:33]
Initially enabled by default, in response to patches from Kees Cook @
Google which introduced a bunch of new warnings - Linus wants a clean
build
Lots of push back since this then immediately broke a heap of CI systems
as there a lots of existing bits of kernel code that generates warnings -
and depending on what config options you enable you compile different
bits of code so can see or not see various warnings - and hence different
architectures etc - even having a different locale / LANG setting can
result in different compiler warnings as Kees found due to the nature of
some of the tests
Given the huge codebase with so many different configurations is almost
impossible to test them all and find all the various warnings, let alone
actually fix them
For years folks have been trying to drive down the warnings but is still
a hard and ongoing effort
As such, ended up changing this to a suggestion from Marco Elver (also at
Google) to enable this when COMPILE_TEST is enabled - this used as a flag
to tell the kernel to compile everything even if it is not being used -
and is then often used by CI systems / developers which explicitly want
to compile everything who work on detecting new warnings
Is a lofty goal and is very useful from a security PoV and is
illustrative of many real world efforts that try and introduce static
analysis etc for an existing codebase
Immediately get a high number of ’errors’ now that need to be addressed -
was fine before? - so how to introduce these in a way that doesn’t impose
a huge upfront cost but still incentivizes fixing them over time and
allows to detect new issues
Is good to see a focus on this in a more tangible way from upstream as
compiler warnings are there for a reason and should not be ignored
Hiring
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
19min
September 03, 2021Episode 129
Overview
This week we look at a malware campaign associated with the popular Krita
painting application, plus we cover security updates for MongoDB, libssh,
Squashfs-Tools, Thunderbird and more.
This week in Ubuntu Security Updates
17 unique CVEs addressed
[USN-5037-2] Firefox regression [00:47]
Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
91.0.2 - upstream bug where as part of their advanced privacy protection,
would purge cookies associated with ad trackers etc - but this would then
clear authentication data as well and so would lose your master password
for Lockwise - and hence prompt the re-enter it seemingly randomly.
[USN-5052-1] MongoDB vulnerability [01:31]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2019-2386
Failed to invalidate existing sessions of users who are logged in and
their account is then deleted - so if the account is recreated before
they perform some action, the session gets reassociated with the new
account of the same name which may have higher privileges.
[USN-5051-2, USN-5051-3] OpenSSL vulnerability [02:14]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-3712
Episode 128 - ASN.1 string handling vuln
[USN-5053-1] libssh vulnerability [02:42]
1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3634
Small SSH lib - used by libcurl, remmina and others
Heap buffer overflow when re-keying - so a malicious client / server
could cause crash / RCE on other side
[USN-5055-1] GNOME grilo vulnerability [03:22]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-39365
GNOME media discovery framework
Failed to enable TLS certificate verification - so when connecting to a
remote media source, an attacker could replace the TLS cert with their
own self-signed one or similar and hence be able to intercept all
encrypted comms - simple change to specify to the underlying network
request library (libsoup) to check TLS certificate when making the
connection
[USN-5056-1] APR vulnerability [04:18]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Hirsute (21.04)
CVE-2021-35940
abstraction layer library across platform specific services / APIs
used by apache2, subversion and others
OOB read in time handling functions - would fail to validate parameters
were within expected range (ie only 12 months in a year but uses a signed
int to represent this)
[USN-5054-1] uWSGI vulnerability [05:38]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-11984
Buffer overflow in handling of large HTTP request headers - protocol
represents header name/values and overall length in a uint16_t = so can
only handle up to 16K headers so if more than that would cause an integer
overflow and hence a buffer overread where it would read other memory
instead of the actual request body
[USN-5057-1] Squashfs-Tools vulnerability [06:34]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-40153
Failed to reject filenames in squashfs image containing relative path
components - using a crafted mksquashfs could create such an image and
then unsquashfs would happy create that file, outside of the extracted
directory - path traversal vuln
[USN-5058-1] Thunderbird vulnerabilities [08:14]
10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-30547
CVE-2021-29989
CVE-2021-29988
CVE-2021-29986
CVE-2021-29985
CVE-2021-29984
CVE-2021-29980
CVE-2021-29976
CVE-2021-29970
CVE-2021-29969
78.13
STARTTLS vuln - would accept IMAP responses received before had finished
STARTTLS handshake - PiTM inject content etc - plus various vulns from
Firefox re web rendering etc
[USN-5060-1, USN-5060-2] NTFS-3G vulnerabilities [09:51]
Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
A heap of vulns - 21 in total - integer overflows, buffer overflows etc -
code execution, DoS etc - unlike say EXT4 and other drivers, this is FUSE
so impact is limited to only user-level code execution, not root /
in-kernel
Goings on in Ubuntu Security Community
Krita Ransomware Email Campaign [11:17]
Emails sent to popular youtubers / facebook / instagrammers purportedly
from Krita asking to collaborate on a paid advertising and a link to
download some media pack - proposed videos to show on your youtube
channel etc
The link is to krita.app or perhaps krita.io - not the official
“krita.org” domain - looks the same as the real krita.org but is only
just the homepage, other pages have redirects to the real krita.org
Download contains an encrypted zip file (alarm bell**)
Video part has 3 seeming videos - 2 .mp4.scr files and one actual mp4 -
(second alarm bell**) .scr is really an exe - and a few vendors on VT
already detects these as malicious - but a lot don’t
Interesting to see an open source app being used to target content
creators - seems both krita.app / krita.io now redirect to krita.org and
the mediabank.zip is now longer up either
https://krita.org/en/item/warning-scam-mails-about-krita-and-youtube-coming-from-krita-io/
Hiring [15:50]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
17min
August 27, 2021Episode 128
Overview
This week we dive into Trend Micro’s recent Linux Threat Report and the
release of Ubuntu 20.04.3 LTS, plus we detail security updates for
Inetutils telnetd, the Linux kernel and OpenSSL.
This week in Ubuntu Security Updates
9 unique CVEs addressed
[USN-5048-1] Inetutils vulnerability [00:45]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-10188
Buffer overflow in inetutils telnetd - originally CVE was found in netkit
telnetd - but subsequently the GNU inetutils version was also found to
contain basically the same vulnerable function. Very detailed blog post
re exploiting this on Fedora, great example if you are interested in vuln
hunting etc - patched but why run telnetd?
https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
[USN-5050-1] Linux kernel vulnerabilities [02:03]
6 CVEs addressed in Focal (20.04 LTS)
CVE-2021-38208
CVE-2021-3573
CVE-2021-3564
CVE-2021-28691
CVE-2021-0129
CVE-2020-26558
2 bluetooth HCI UAFs, NFC NULL ptr deref, Xen PV UAF from guest->host, 2
other bluetooth vulns - info leak - all covered in previous episodes
[USN-5051-1] OpenSSL vulnerabilities [02:49]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3712
CVE-2021-3711
High profile vuln in SM2 algorithm impl in openssl - (Chinese and later
ISO standard elliptic curve algo used for both signature and encryption)
Usual scheme is to call the API function EVP_PKEY_decrypt() twice - call
first time to get the required buffer size to hold the decrypted
plaintext - second time to do the actual decryption passing a buffer of
the specified length to hold the result
Bug meant the returned length in first call would be smaller than
required -> up to 62 byte buffer overflow using attacker controlled data
Depending on application, could be heap or stack buffer
Possible RCE
Buffer overread in handling of ASN.1 strings
ASN1 strings in openssl are represented as the bytes plus a length -
unlike normal C strings, bytes array of the string is NOT NUL
terminated in general
However some internal functions would actually add a NUL byte - and
other functions ended up assuming ASN1 strings would all be NUL
terminated - plus various functions to parse ASN1 data would also add
NUL terminators too - so if had an application that was manually
constructing ASN1 strings without adding a NUL terminator, this could
result in a buffer overread if these were passed to a function which
expected a NUL (ie functions which print the contents etc)
Again depends on application that uses OpenSSL - so not all will be
vulnerable - but fixed to ensure all internal functions which handle
ASN1 strings in OpenSSL respect the length field and not assume is NUL
terminated
Goings on in Ubuntu Security Community
Ubuntu 20.04.3 LTS released [05:58]
https://lists.ubuntu.com/archives/ubuntu-announce/2021-August/000271.html
Desktop installer uses HWE stack by default - Server uses GA but can
select HWE during install process
Includes all security etc updates so less to download during / after
install
Flavours have also updated
If already running 20.04 then no need to do anything - you already have
this :)
Trend Micro Linux Threat Report 2021 1H [07:20]
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations
Report which collates data from Trend Micro™ Smart Protection Network™
(SPN) (data lake) - collects data across all Trend Micro products plus
various honeypots and other sensors etc - measure of real-world malware
prevalence and vuln exploitation in enterprises
Linux makes up 61% of Cloud One users - cloud native product for
protection of cloud deployments
Ubuntu makes up 16% of that (RH 30%, AWS Linux 18%)
Top threats:
Coinminers, Web shells, Ransomware, Trojans, other
For systems which contained these:
51% CentOS, 31% CloudLinux, 10% Ubuntu, 3% RHEL
Intrusion Protection System (IPS) hits:
36% Amazon Linux, 23% RHEL 7, 8% CentOS 7, 7% RHEL 6, Amazon Linux, Ubuntu 18.04, 4% Ubuntu 20.04, 16.04
Top 15 vulns with known exploits:
5 were in Apache Struts2 - incl. vuln used in Equifax breach in 2017
1 each in Drupal, Oracle WebLogic, WordPress file manager plugin,
vBulletin, Eclipse Jetty, Alibaba Nacos, Atlassian Jira, NginX, Liferay
Most of these are not shipped in Ubuntu but clearly orgs are
deploying these sorts of applications on Ubuntu/RHEL etc
Of 20k vulns from 2020, only ~200 were observed with known public exploits
roughly the same as above but more of the sorts of things we ship and
support in Ubuntu
struts, netty, drupal, dnsmasq, JIRA, WebLogic, Wordpress, nginx,
apache httpd, ISC BIND, openssl, tomcat
76% are attacks against web apps
Looking at OWASP top 10 - of all attack by volume, only 21% fit into
OWASP top 10 - ie. SQL injection, command injection, XSS, insecure
deserialisation, XML EE,
Looking at attacks outside OWASP top 10
Brute force ~40% of all attacks
Directory traversal 21%
Request smuggling
Also briefly mentions how to secure Linux but only talks technologies -
iptables, seccomp, AppArmor, SELinux etc - and on practical guidance
mentions Antimalware (ie Trend 😉), IPS/IDS, application whitelisting,
vuln patching, activity monitoring etc
Plus looks a bit at containers - ranks vulns in 15 most popular official
docker images - Python comes in on top with 482 vulns, Node 470,
Wordpress 402, Golang 288, nginx 118, postgres 86, influxdb 85, apache
httpd 84, mysql 76…
Not surprising perhaps that the more general purpose images have more
vulns - more code, more vulns, also perhaps a larger attack surface etc
too
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
August 20, 2021Episode 127
Overview
This week we look at security updates for Firefox, PostgreSQL, MariaDB,
HAProxy, the Linux kernel and more, plus we cover some current openings on
the team - come join us ☺
This week in Ubuntu Security Updates
35 unique CVEs addressed
[USN-5037-1] Firefox vulnerabilities [00:39]
10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-29990
CVE-2021-29989
CVE-2021-29988
CVE-2021-29987
CVE-2021-29986
CVE-2021-29985
CVE-2021-29984
CVE-2021-29982
CVE-2021-29981
CVE-2021-29980
91.0
Better support for clearing cookies to stop possible hidden data leaks as part of the Total Cookie Protection
Private browsing to use attempt HTTPS by default than fallback to HTTP
Various security fixes:
race condition on DNS resolution specific to Linux -> memory
corruption -> crash / RCE
also specific to Linux - subsequent permissions dialogs would accept
input in the location of the original one - so could possibly trick a
user into accepting a permission without their direct knowledge
various other memory corruption issues in JIT etc
[USN-3809-2] OpenSSH regression [02:54]
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2016-10708
CVE-2018-15473
Episode 11 - possible user enumeration since as a result of patching
CVE-2018-15473 the behaviour when trying to log in changed depending on
whether the specific user account existed or not - due to a mistake made
when backporting the upstream patch
[USN-5038-1] PostgreSQL vulnerabilities [03:38]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3449
CVE-2021-3677
2 possible remote crasher bugs - one through just sending a crafted TLS
ClientHello message -> NULL ptr deref -> crash, the other via the planner
which is used to try and optimise SQL queries - possible OOB read
[USN-5022-2] MariaDB vulnerabilities [04:19]
2 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-2389
CVE-2021-2372
Episode 124 in MySQL - only 2 of these also were relevant to MariaDB
Like MySQL, update to latest point release in each series - 10.5.12 for
hirsute, 10.3.31 for focal - includes both bug and security fixes
[USN-5042-1] HAProxy vulnerabilities [05:07]
Affecting Focal (20.04 LTS), Hirsute (21.04)
HTTP/2 handling issues in HAProxy
Researchers investigated HTTP/2 handling in various gateway / proxies and
found multiple issues - HTTP/2 desync attacks - allow to possibly hijack
clients, poison caches, and steal credentials
Initially HAProxy upstream thought they were safe but then found after
more analysis they were vulnerable to a few of the possible issues
Can be mitigated by disabling HTTP/2 or just install these updates :)
[USN-5043-1] Exiv2 vulnerabilities [06:04]
11 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-37623
CVE-2021-37621
CVE-2021-37619
CVE-2021-37618
CVE-2021-37616
CVE-2021-37615
CVE-2021-34335
CVE-2021-37622
CVE-2021-37620
CVE-2021-34334
CVE-2021-32815
Slew of issues discovered by Kevin Backhouse from Github security team
C++ - so usual mix of issues - OOB read, NULL ptr deref, floating point
exception (div/0), infinte loop, assertion failure - all DoS
[USN-5039-1] Linux kernel vulnerability [06:49]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2021-22555
netfilter setsockopt()
[LSN-0080-1] Linux kernel vulnerability [07:08]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-22555
[USN-5044-1] Linux kernel vulnerabilities [07:39]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-3587
CVE-2021-3573
CVE-2021-3564
4.15 bionic + ESM HWE
2 bluetooth UAF and 1 NFC NULL ptr deref
[USN-5045-1] Linux kernel vulnerabilities [08:06]
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3587
CVE-2021-3573
CVE-2021-3564
CVE-2021-34693
5.4 focal + bionic hwe
same as above plus CAN BCM uninitialised memory - info leak to local
attacker
[USN-5046-1] Linux kernel vulnerabilities [08:31]
6 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3587
CVE-2021-3573
CVE-2021-3564
CVE-2021-28691
CVE-2021-0129
CVE-2020-26558
5.11 hirsute + focal hwe
bluetooth UAF, NFC NULL ptr deref, access control issue in bluetooth -
could allow a local attacker in range to expose info, xen PV issue -
attacker in guest could DoS/RCE on host
Goings on in Ubuntu Security Community
Hiring [09:10]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
11min
August 13, 2021Episode 126
Overview
This week Ubuntu 20.04 LTS was FIPS 140-2 certified plus the AppArmor
project made some point releases, and we released security updates for
Docker, Perl, c-ares, GPSd and more.
This week in Ubuntu Security Updates
2 unique CVEs addressed
[USN-5031-1] openCryptoki vulnerability [00:54]
Affecting Hirsute (21.04)
PKCS#11 daemon
Bug fix that was deemed to have security implications - so was going to
be done via SRU for 21.04 but instead we published via -security to
ensure all users received it
Thanks to Simon Chopin from Foundations team for preparing this update
[USN-5032-1, USN-5032-2] Docker vulnerabilities [02:29]
Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
Backport of the 20.10.7 version from 21.10 to older releases - this
includes a bunch of security fixes as well
Unfortunately as this is a version upgrade there are some changes that
may break existing containers - in particular, drops support for the aufs
storage driver so if you were using this you should upgrade your
configuration to use the overlayfs2 storage driver instead -
https://docs.docker.com/storage/storagedriver/overlayfs-driver/ - this is
a bit involved since you need to export your images, switch the storage
driver, then load the images back one after another
Thanks for Lucas Kanashiro from Server team for preparing this update
[USN-5033-1] Perl vulnerability [03:32]
1 CVEs addressed in Hirsute (21.04)
CVE-2021-36770
Perl Encode library could end up running arbitrary Perl code from the
current working directory - was introduced by a change in Encode 3.05 in
perl 5.32/5.34 so only affected >= 21.04
[USN-5034-1, USN-5034-2] c-ares vulnerability [03:59]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3672
Lib for async name resolution
Failed to properly validate certain hostnames returned from DNS servers -
could allow a remote attacker to possibly perform domain hijacking
attacks
[USN-5035-1] GPSd vulnerability [04:28]
Affecting Focal (20.04 LTS), Hirsute (21.04)
incorrectly handled certain leap second events which would result in the
time jumping back 1024 weeks on 2021-10-31
Upstream don’t consider this a security issue per-se but given how
pervasive gpsd is used for handling GPS receivers which are often used
for high precision timing or positioning systems (self-driving cars?) -
this could have real-world security implications
Backported the fix from upstream - note this only affected gpsd >= 3.20
so older versions in 18.04 LTS etc were not affected
https://lwn.net/Articles/865044/
Goings on in Ubuntu Security Community
AppArmor 3.0.2 / 3.0.3 released [06:39]
Includes bug fixes for various issues plus updates to the policies for
things like PHP 8, widevine DRM in firefox, support reading of crypto
policies for SSL-using applications
Expected to land 3.0.3 for Ubuntu 21.10 (impish) before FF next week
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.2
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.3
FIPS 140-2 certification for Ubuntu 20.04 LTS! [07:44]
Enables organisations to run and develop applications and solutions for
the US public sector and Federal government including regulated
industries such as healthcare and finance
FIPS 140-2, Level 1 certification crypto modules in Ubuntu 20.04 LTS,
including OpenSSL 1.1.1
Linux kernel (crypto subsystem)
OpenSSL
Libgcrypt (used for LUKS for FDE so provides fully certified FDE
implementation)
StrongSwan (IPsec based VPN) *under validation
Available through Ubuntu Advantage and Ubuntu Pro - On public clouds,
Ubuntu Pro for AWS and Ubuntu Pro for Azure include subscriptions to
Canonical’s FIPS 140-2 repositories, alongside expanded security and
hardening.
Future is FIPS 140-3 - aligns with ISO/IEC 19790 (Security requirements
for cryptographic modules)
Existing certifications under FIPS 140-2 have a sunset date of five
years from the validation date
Canonical is preparing Ubuntu for the new certification, and intends
to provide FIPS 140-3 certified cryptographic packages on a future
release of Ubuntu.
https://ubuntu.com/blog/fips-certification-ubuntu-20-04-lts
Full list of certifications at https://ubuntu.com/security/certifications
Ubuntu 20.04.3 LTS release delayed until August 26th [10:11]
Next point release for 20.04 LTS series - respin of install media with
latest security updates etc - includes newest shim - this is now unified
across various Ubuntu releases - installation media with this new version
fails to boot on certain Dell and Sony Vaio machines - fix for this is in
progress, plus the current RISC-V HWE kernel build PANIC’s under certain
scenarios
Release team decided to delay the release by 1 week to ensure these bugs
can be fixed and new media spun up and tested adequetly before the
release
https://discourse.ubuntu.com/t/focal-fossa-20-04-3-lts-point-release-status-tracking/22948
Hiring [11:27]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
August 06, 2021Episode 125
Overview
This week we discuss new kernel memory hardening and security development
proposals from Ubuntu Security Alumnus Kees Cook, plus we look at details
of security updates for WebKitGTK, libsndfile, GnuTLS, exiv2 and more.
This week in Ubuntu Security Updates
22 unique CVEs addressed
[USN-5024-1] WebKitGTK vulnerabilities [00:57]
13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-30799
CVE-2021-30797
CVE-2021-30795
CVE-2021-30758
CVE-2021-30749
CVE-2021-30744
CVE-2021-30734
CVE-2021-30720
CVE-2021-30689
CVE-2021-30665
CVE-2021-30663
CVE-2021-21779
CVE-2021-21775
Every 5-10 weeks so time for another one
Usual web / js engine issues - XSS, DoS, RCE etc
[USN-4944-2] MariaDB regression [01:30]
Affecting Focal (20.04 LTS)
Update announced back in Episode 115 - MariaDB intends to be compatible
with MySQL but failed to include the caching_sha2_password.so module
which is the standard module used to authenticate in MySQL - as such
clients would not be able to connect since they expect to use this method
to authenticate by default. Upstream MariaDB fixed this in newer versions
and this update backports that fix to the version in Ubuntu 20.04
[USN-5025-1, USN-5025-2] libsndfile vulnerability [02:25]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-3246
Heap buffer overflow in wav decoder - possible RCE / DoS - found by
OSSFuzz
[USN-5026-1, USN-5026-2] QPDF vulnerabilities [02:58]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-36978
CVE-2018-18020
DoS due to recursive parsing in the face of errors - fixed to instead
bail out if encounters too many successive errors as PDF is damaged in
this case anyway
Heap buffer overflow from crafted PDF - also found by OSSFuzz
[USN-5027-1, USN-5027-2] PEAR vulnerability [03:50]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-32610
Symlink path traversal in handling of tar archives in the Archive_Tar
module - since PEAR uses this directly when handling archives, it was
also vulnerable so could be made to overwrite arbitrary local files on
archive extraction and hence get code execution
[USN-5029-1] GnuTLS vulnerabilities [04:22]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-20232
CVE-2021-20231
2 possible UAF in certain scenarious - hard to exploit as need to be able
to predict the behaviour of glibc’s memory allocator as well as GnuTLS’s
own internal allocator but could possibly be used for RCE
[USN-5028-1] Exiv2 vulnerability [04:57]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-31291
More exiv2 (last seen in Episode 115 and Episode 117)
Heap buffer overflow in handling of jpeg image metadata - DoS / RCE
[USN-5030-1] Perl DBI module vulnerabilities [05:24]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14393
CVE-2014-10402
Incomplete fix for previous Perl DBI CVE-2014-10401 - would allow access
to files outside the original data source directory - was still
potentially vulnerable - fixed to parse attributes more strictly to avoid
this
Possible stack buffer overflow if using a really long perl package name
as a database driver - unlikely to actually be triggered in practice -
used a fixed size stack buffer and memcpy()’d into it without checking
bounds - fixed to allocate the buffer on the heap to the exact required
size
Goings on in Ubuntu Security Community
Upstream kernel memcpy() hardening [06:31]
https://lwn.net/Articles/864521/
Ubuntu Security Alumnus Kees Cook
Aiming to make memcpy() within the kernel detect when
overwriting following structure members
Current kernel memcpy() is able to already detect when writing outside
the bounds of a given structure (when the structure size can be known at
either compile or run-time) - but can’t handle detecting overwriting of
extra members within a structure
Uses the built-in features of GCC plus some C macro smarts to actually
allow this to be done in certain circumstances without triggering
warnigns - ie in some cases want to actually overwrite following
structure members like when handling network packets etc
Most cases are only able to be detected at runtime and since it is not
easy to statically determine all these call sites, for now this proposal
is warn-only - but in the future the hope is to make it enforcing so it
can actually stop possible buffer overflows
Also had this been present it would have detected the 11 previously known
memcpy() overflows so shows likely real-world promise as an extra
defensive measure
Linux kernel security done right [09:29]
https://security.googleblog.com/2021/08/linux-kernel-security-done-right.html
More from Kees
Makes a strong case for having vendors track either latest released
kernel or one of the stable trees - instead of each manually backporting
patches etc - duplicated work
Then could devote engineers to working more upstream on testing,
hardening etc - which benefit everyone - ie by working upstream on a
common platform this reduces duplicated efforts and gains many
efficiencies
Hiring [11:50]
Linux Cryptography and Security Engineer
https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote
Security Engineer - Ubuntu
https://canonical.com/careers/2925180/security-engineer-ubuntu-remote
Security - Product Manager
https://canonical.com/careers/2278145/security-product-manager-remote
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
July 30, 2021Episode 124
Overview
It’s another week when too many security updates are never enough as we
cover 240 CVE fixes across Avahi, QEMU, the Linux kernel, containerd,
binutils and more, plus the Ubuntu 20.10 Groovy Gorilla end-of-life.
This week in Ubuntu Security Updates
240 unique CVEs addressed
[USN-5008-1, USN-5008-2] Avahi vulnerabilities [00:36]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-3502
CVE-2021-3468
2 DoS via local users - first via abusing the Avahi daemon’s unix socket -> hang
second by calling asking the avahi daemon to resolve a crafted domain
name either via the DBus API or the local socket - assert() -> crash
[USN-5006-2] PHP vulnerabilities [01:12]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2021-21705
CVE-2021-21704
CVE-2021-21702
CVE-2020-7071
CVE-2020-7068
Episode 123
[USN-5009-1] libslirp vulnerabilities [01:31]
6 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-3595
CVE-2021-3594
CVE-2021-3593
CVE-2021-3592
CVE-2020-29130
CVE-2020-29129
TCP/IP emulation library using by QEMU etc
Info leaks from the host to the guest via buffer over-reads in handling
of various network packet types (UDP etc)
[USN-5010-1] QEMU vulnerabilities [02:07]
21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-3595
CVE-2021-3594
CVE-2021-3593
CVE-2021-3592
CVE-2021-3608
CVE-2021-3607
CVE-2021-3582
CVE-2021-3546
CVE-2021-3545
CVE-2021-3544
CVE-2021-3527
CVE-2021-3416
CVE-2021-3409
CVE-2021-20257
CVE-2021-20221
CVE-2020-35517
CVE-2021-3392
CVE-2020-35505
CVE-2020-35504
CVE-2020-29443
CVE-2020-15469
Usual mix of vulns in emulation of various devices etc - generally allows
a malicious guest to cause QEMU to crash on the host -> DoS
MMIO, ATAPI, SCSI, ARM Generic Interrupt Controller, e1000
Mishandling in virtio-fs shared filesystem daemon allows malicious guest
to read/write host devices
A few others possibly result on code-exec on the host as the QEMU daemon
BUT on Ubuntu QEMU is confined via AppArmor by default so this limits the
possible impact
[LSN-0078-1] Linux kernel vulnerability [03:14]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3609
Livepatch for CAN BCM UAF -> arbitrary code exec (Episode 121)
[USN-5014-1] Linux kernel vulnerability [03:49]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Hirsute (21.04)
CVE-2021-33909
high priority respin
seq_file vuln - this virt file-system contained an unsigned integer
conversion error - would result in a local user being able to cause an
OOB write and hence possible code-exec in the kernel -> privesc
[USN-5015-1] Linux kernel (OEM) vulnerabilities [04:28]
5 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3587
CVE-2021-3573
CVE-2021-3564
CVE-2021-28691
CVE-2021-33909
5.10 oem
seq_file vuln plus a couple UAF in bluetooth, NULL ptr deref in NFC, UAF
in Xen networking - guest to host crash/code-exec etc
[USN-5016-1] Linux kernel vulnerabilities [04:54]
5 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3506
CVE-2021-33034
CVE-2021-32399
CVE-2021-23134
CVE-2021-33909
5.8 - hirsute, focal hwe
seq_file vuln plus, NFC UAF, Bluetooth UAFs, F2FS OOB read
[USN-5017-1] Linux kernel vulnerabilities [05:26]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-0129
CVE-2020-26558
CVE-2021-33909
5.4 - focal, bionic hwe, oem, aws, azure, gcp, gke etc
seq_file vuln plus a few bluetooth info leaks
[USN-5018-1] Linux kernel vulnerabilities [05:49]
12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-33034
CVE-2021-32399
CVE-2021-31829
CVE-2021-23134
CVE-2021-0129
CVE-2020-26558
CVE-2020-26147
CVE-2020-26139
CVE-2020-24587
CVE-2020-24586
CVE-2021-33200
CVE-2021-33909
4.15 - bionic, xenial hwe, trusty azure
seq_file vuln plus various other fixes from recent kernels - eBPF
privesc, Wifi FRAGATTACKs fixes, bluetooth info leaks and UAFs and NFC
UAF
[LSN-0079-1] Linux kernel vulnerability [06:21]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-33909
CVE-2021-3600
seq_file vuln plus eBPF codeexec
[USN-5019-1] NVIDIA graphics drivers vulnerabilities [06:43]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-1095
CVE-2021-1094
CVE-2021-1093
2 DoS - one by triggering an assert(), the other by dereferencing an
untrusted pointer - kernel crash in either case
OOB array access (OOB read) - info leak or crash -> DoS
[USN-5012-1] containerd vulnerabilities [07:23]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-32760
When extracting a container image, would try and set the
owner/permissions on the resulting extracted files - if these files were
symlinks pointing to existing files on the host then would change perms
of those files instead - fixed to ensure it does not follow symlinks when
applying this permissions changes
[USN-5013-1, USN-5013-2] systemd vulnerabilities [08:00]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2020-13529
CVE-2021-33910
When parsing mount paths, would allocate memory for the path on the
stack - if a local attacker can mount a file-system with a very long path
name, would overflow the entire stack memory and cause systemd to crash -
as systemd is PID1 this effectively crashes the whole system
Remote attacker could cause sytemd DHCP client to force assign a
different address and hence could cause a networking DoS against a remote
server on the same network by making it unroutable etc
[USN-4336-2] GNU binutils vulnerabilities [09:12]
147 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2019-9077
CVE-2019-9075
CVE-2019-9074
CVE-2019-9073
CVE-2019-9071
CVE-2019-9070
CVE-2019-17451
CVE-2019-17450
CVE-2019-14444
CVE-2019-14250
CVE-2019-12972
CVE-2018-9138
CVE-2018-8945
CVE-2018-7643
CVE-2018-7642
CVE-2018-7569
CVE-2018-7568
CVE-2018-7208
CVE-2018-6759
CVE-2018-6543
CVE-2018-6323
CVE-2018-20671
CVE-2018-20623
CVE-2018-20002
CVE-2018-19932
CVE-2018-19931
CVE-2018-18701
CVE-2018-18700
CVE-2018-18607
CVE-2018-18606
CVE-2018-18605
CVE-2018-18484
CVE-2018-18483
CVE-2018-18309
CVE-2018-17985
CVE-2018-17794
CVE-2018-17360
CVE-2018-17359
CVE-2018-17358
CVE-2018-13033
CVE-2018-12934
CVE-2018-12700
CVE-2018-12699
CVE-2018-12698
CVE-2018-12697
CVE-2018-12641
CVE-2018-10535
CVE-2018-10534
CVE-2018-10373
CVE-2018-10372
CVE-2018-1000876
CVE-2017-9954
CVE-2017-9756
CVE-2017-9755
CVE-2017-9754
CVE-2017-9753
CVE-2017-9752
CVE-2017-9751
CVE-2017-9750
CVE-2017-9749
CVE-2017-9748
CVE-2017-9747
CVE-2017-9746
CVE-2017-9745
CVE-2017-9744
CVE-2017-9742
CVE-2017-9044
CVE-2017-9042
CVE-2017-9041
CVE-2017-9040
CVE-2017-9039
CVE-2017-9038
CVE-2017-8421
CVE-2017-8398
CVE-2017-8397
CVE-2017-8396
CVE-2017-8395
CVE-2017-8394
CVE-2017-8393
CVE-2017-7614
CVE-2017-7302
CVE-2017-7301
CVE-2017-7300
CVE-2017-7299
CVE-2017-7227
CVE-2017-7226
CVE-2017-7225
CVE-2017-7224
CVE-2017-7223
CVE-2017-7210
CVE-2017-7209
CVE-2017-6969
CVE-2017-6966
CVE-2017-6965
CVE-2017-17125
CVE-2017-17124
CVE-2017-17123
CVE-2017-17121
CVE-2017-17080
CVE-2017-16832
CVE-2017-16831
CVE-2017-16828
CVE-2017-16827
CVE-2017-16826
CVE-2017-15996
CVE-2017-15939
CVE-2017-15938
CVE-2017-15225
CVE-2017-15025
CVE-2017-15024
CVE-2017-15022
CVE-2017-15021
CVE-2017-15020
CVE-2017-14940
CVE-2017-14939
CVE-2017-14938
CVE-2017-14932
CVE-2017-14930
CVE-2017-14529
CVE-2017-14333
CVE-2017-14130
CVE-2017-14129
CVE-2017-14128
CVE-2017-13710
CVE-2017-12967
CVE-2017-12799
CVE-2017-12459
CVE-2017-12458
CVE-2017-12457
CVE-2017-12456
CVE-2017-12455
CVE-2017-12454
CVE-2017-12453
CVE-2017-12452
CVE-2017-12451
CVE-2017-12450
CVE-2017-12449
CVE-2017-12448
CVE-2016-6131
CVE-2016-4493
CVE-2016-4492
CVE-2016-4491
CVE-2016-4490
CVE-2016-4489
CVE-2016-4488
CVE-2016-4487
CVE-2016-2226
Most CVEs fixed in a single update?
binutils gets a lot of CVEs which are generally low priority -
ie. objdump could crash or get code-exec if run on untrusted input - but
since is installed in a lot of common developer scenarious we often get
requests about these CVEs - even though they are unlikely to actually be
able to be exploited in most scenarios
Thanks to Leo on our team (and Marc for the original backport of a lot of
these patches)
[USN-5020-1] Ruby vulnerabilities [10:24]
3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
CVE-2021-32066
CVE-2021-31810
CVE-2021-31799
RCE, port scans / banner extractions, interpose on connections to bypass
TLS
[USN-5021-1] curl vulnerabilities [10:46]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-22924
CVE-2021-22925
CVE-2021-22898
Failed to initialise data when handling TELNET connections - if these
structures happened to contain sensitive info -> info leak
Could reuse connections from the connection pool in the wrong
circumstances, leading to reusing wrong connection and sending data to
wrong host
[USN-5022-1] MySQL vulnerabilities [11:36]
31 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2021-2441
CVE-2021-2440
CVE-2021-2437
CVE-2021-2429
CVE-2021-2427
CVE-2021-2426
CVE-2021-2425
CVE-2021-2424
CVE-2021-2422
CVE-2021-2418
CVE-2021-2417
CVE-2021-2410
CVE-2021-2402
CVE-2021-2399
CVE-2021-2390
CVE-2021-2389
CVE-2021-2387
CVE-2021-2385
CVE-2021-2384
CVE-2021-2383
CVE-2021-2374
CVE-2021-2372
CVE-2021-2370
CVE-2021-2367
CVE-2021-2357
CVE-2021-2356
CVE-2021-2354
CVE-2021-2352
CVE-2021-2342
CVE-2021-2340
CVE-2021-2339
8.0.26 (focal, hirsute)
5.7.35 (bionic)
[USN-5023-1] Aspell vulnerability [12:00]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04)
CVE-2019-25051
Heap buffer overflow - fixed to actually validate size before using
Goings on in Ubuntu Security Community
Ubuntu 20.10 Groovy Gorilla EOL [12:25]
as of July 22, 2021, Ubuntu 20.10 is no longer supported.
No more package updates will be accepted to 20.10
Will be archived to old-releases.ubuntu.com in the coming weeks
Upgrade to Hirsute - https://help.ubuntu.com/community/HirsuteUpgrades
https://lists.ubuntu.com/archives/ubuntu-security-announce/2021-July/006117.html
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
15min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.