Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

November 17, 2023Episode 213
Overview
As we ease back into regular programming, we cover the various activities the
team got up to over the past few weeks whilst away in Riga for the Ubuntu Summit
and Ubuntu Engineering Sprint.
Goings on in Ubuntu Security Community
Ubuntu Security team at the Ubuntu Summit (00:48)
Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint from Episode 212
In the last episode we previewed a couple talks by different folks from the
Ubuntu Security Team - recordings for these will be available but currently
there is only the livestreams from the main plenary room - as such, right now
you can go watch Tobias’ talk “From Asahi Linux to Ubuntu: Running Linux on
Apple Silicon”
https://youtu.be/XIGxKyekvBQ?list=PL-qBHd6_LXWZqbxr3542fZs_IMn0gAb2B&t=20272
Andrei publishes The Open Source Fortress (01:41)
https://discourse.ubuntu.com/t/the-open-source-fortress-is-now-live/40183
Back in August, Andrei put out a call for topic suggestions for a
vulnerability discovery workshop that he was putting together, with a
particular focus on open source code bases
He presented this in a 90 minute session 2 weeks ago on the final day of the
Ubuntu Summit
He covered a number of topics with a focus on practical application of each
using dedicated tooling, e.g.:
Threat modelling with OWASP Threat Dragon
Secret scanning with Gitleaks
Dependency scanning with OSV-Scanner
Linting with Bandit and flawfinder
Code querying with Semgrep
Fuzzing with AFL++
Symbolic execution with KLEE
So not only did participants learn about a given technique, such as what
fuzzing is etc, but also how they can easily apply it with standard tooling to
find real world problems
Due to the success of the workshop, he has decided to make the contents
publicly available
Online wiki https://ossfortress.io/
Presentation from the Summit
Github repository with example projects to run the various tools against
Pre-built docker images for the various tools used in the workshop
Designed to be worked through in your own time
UbuCTF at the Ubuntu Engineering Sprint (04:15)
Emi, Nishit, Andei, Amir and David from the team organised and held the first
UbuCTF at the Engineering Sprint the week after the Ubuntu Summit
Organised around a story of cyber crime fighting against a criminal gang in Riga
5 days, 26 challenges, 64 players
Challenges covered a variety of topics
Networking
Web
Crypto(graphy)
Reverse engineering
Pwning
Vulnerability Patching
Gave experience using tools like Wfuzz, Pwntools, cutter / rizin / radare2,
Ghidra, Wireshark, insomnia and more
457 flags submitted (110 correct), 47 patches submitted
Result was very close - won by Anton Troyanov (Senior Engineer on the MAAS team)
Ubuntu Security team members were barred from competing as we had previously
worked on these challenges - BUT shout out to Sudhakar Verma who just joined
our team only 4 weeks ago and so didn’t have any prior experience with this
CTF - managed to solve every single challenge 💪💪💪
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
10min
October 27, 2023Episode 212
Overview
With the Ubuntu Summit just around the corner, we preview a couple talks by the
Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP,
AOM, ncurses, the Linux kernel and more.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-6437-1] VIPS vulnerabilities (00:35)
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Jammy (22.04 LTS)
CVE-2023-40032
CVE-2021-27847
CVE-2020-20739
CVE-2019-6976
CVE-2018-7998
Image processing library / CLI tool
NULL ptr derefs + divide by zero -> crash -> DoS
info leak since would fail to clear memory and leak this in the generated image
[USN-6435-1] OpenSSL vulnerabilities (01:26)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-3817
CVE-2023-3446
CPU-based DoS via an execssively large DH modulus (p parameter) value (over 10,000 bits)
OpenSSL by default will try and validate if the modulus over 10,000 bits and
raise an error - but before the error is raised it would still check other
aspects of the supplied key / parameters which in turn could use the p value
and hence take an excessive amount of time - fixed by checking this earlier
and erroring out in that case
Then was found that the q parameter could also be abused in the same way -
since the size of this has to be less than p was fixed by just checking it
against this
[USN-6450-1] OpenSSL vulnerabilities
4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
CVE-2023-3817
CVE-2023-3446
CVE-2023-2975
CVE-2023-5363
Two CPU-based DoS issues above plus
Possible truncation / overrun during the initialisation of various ciphers if
the key or IV lengths differ compared to when initially established - some
ciphers allow a variable length IV (e.g. AES-GCM) and so it is possible that
an application will use a non-standard IV length during the use of the cipher
compared to when they initialise it
The API for this was only “recently” introduced (3.x) - and in general not a
lot of applications will be affected
Issue specific to the AES-SIV (mode of AES that provides deterministic
nonce-less key wrapping - used for key wrapping when transporting
cryptographic keys; as well as nonce-based authenticated encryption that is
resistant to nonce reuse)
AES-SIV allows to perform authentication of data - and to do this the
relevant OpenSSL API’s should be called with an input buffer length of 0
and a NULL ptr for the output buffer - BUT if the associated data to be
authenticated was empty, in this case, OpenSSL would return success
without doing any authentication
In practice this is unlikely to be an issue since it doesn’t not affect
non-empty data authentication which is the vast majority of use-cases
[USN-6165-2] GLib vulnerabilities (07:57)
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-32665
CVE-2023-32643
CVE-2023-32636
CVE-2023-32611
CVE-2023-29499
[USN-6165-1] GLib vulnerabilities from Episode 199
[USN-6374-2] Mutt vulnerabilities (05:08)
2 CVEs addressed in Mantic (23.10)
CVE-2023-4875
CVE-2023-4874
[USN-6374-1] Mutt vulnerabilities from Episode 210
[USN-6438-1, USN-6438-2, USN-6427-2] .NET vulnerabilities (05:15)
2 CVEs addressed in Mantic (23.10)
CVE-2023-44487
CVE-2023-36799
HTTP/2 Rapid Reset - DoS on server side by clients sending a large number of
requests and immediately cancelling them many times over and over - exploited
in the wild recently, achieving the largest DoS attack bandwidths seen -
requires HTTP/2 implementations to essentially do heuristics over time to
track allocated streams against connections and block the connection when too
many are made or similar
Fix for Kestrel web server in .NET
[USN-6362-2] .Net regressions
1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-36799
[USN-6362-1] .NET vulnerability from Episode 209
Fix for DoS in handling of X.509 certificates
[USN-6199-2] PHP vulnerability (06:31)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-3247
[USN-6199-1] PHP vulnerability from Episode 202
[USN-6403-2] libvpx vulnerabilities (06:39)
2 CVEs addressed in Bionic ESM (18.04 ESM)
CVE-2023-5217
CVE-2023-44488
WebM VP8/VP9 video en/decoder
Heap buffer overflow -> DoS/RCE
OOB read -> DoS
[USN-6408-2] libXpm vulnerabilities (07:00)
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-43789
CVE-2023-43788
CVE-2023-43787
CVE-2023-43786
Infinite recursion -> stack exhaustion -> crash -> DoS
Integer overflow -> heap buffer overflow -> RCE/DoS
Two different OOB reads -> crash -> DoS
[USN-6448-1] Sofia-SIP vulnerability (09:01)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
CVE-2023-32307
SIP user agent - integer overflows and resulting heap buffer overflows due to
missing length checks in the STUN message parser -> RCE
Also fixed a OOB read as well -> DoS
[USN-6422-2] Ring vulnerabilities (09:17)
20 CVEs addressed in Mantic (23.10)
CVE-2022-21722
CVE-2022-39244
CVE-2022-31031
CVE-2022-24793
CVE-2022-24764
CVE-2022-24763
CVE-2022-24754
CVE-2022-23608
CVE-2022-23547
CVE-2022-23537
CVE-2022-21723
CVE-2021-43845
CVE-2021-43804
CVE-2021-43303
CVE-2021-43302
CVE-2021-43301
CVE-2021-43300
CVE-2021-43299
CVE-2023-27585
CVE-2021-37706
Voice / video and chat platform (now called Jami, contains embedded copy of
PJSIP - library implementing various related protocols for remote
communication like SIP, STUN, RTP, ICE and others)
Also missed various length checks, allowing possible integer underflow -> crash / memory corruption -> RCE
Buffer overflow when using the internal DNS resolver
[USN-6449-1] FFmpeg vulnerabilities (09:58)
8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-48434
CVE-2021-38094
CVE-2021-38093
CVE-2021-38092
CVE-2021-38091
CVE-2021-38090
CVE-2020-20898
CVE-2020-22038
Various memory leaks -> DoS, plus some integer overflows -> buffer overflows
in various parsers for different media types
[USN-6447-1] AOM vulnerabilities (11:32)
7 CVEs addressed in Focal (20.04 LTS)
CVE-2021-30475
CVE-2021-30474
CVE-2021-30473
CVE-2020-36135
CVE-2020-36133
CVE-2020-36131
CVE-2020-36130
AV1 Video Codec Library - used by things like gstreamer, libavcodec - in turn
is used by a huge number of multimedia applications from blender, ffmpeg,
kodi, mplayer, obs-studio, vlc and more
Very much a case of xkcd 2347 (Dependency)
Various buffer overflows, use-after-frees, stack buffer overflow, NULL ptr
derefs etc.
[USN-6288-2] MySQL vulnerability (12:40)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-22053
[USN-6288-1] MySQL vulnerabilities from Episode 205
[USN-6451-1] ncurses vulnerability (12:47)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2020-19189
Heap buffer overflow via crafted terminfo file - found by fuzzing infotocap
terminfo files are usually trusted content so unlikely to be an issue in
practice
[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)
13 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-44466
CVE-2023-4273
CVE-2023-4194
CVE-2023-4155
CVE-2023-4132
CVE-2023-3866
CVE-2023-3865
CVE-2023-3863
CVE-2023-38432
CVE-2023-3338
CVE-2023-2156
CVE-2023-20569
CVE-2023-1206
5.15 raspi for 22.04 LTS
Most interesting vuln fixed is AMD “INCEPTION” - [USN-6319-1] AMD Microcode
vulnerability from Episode 207 - speculative execution attack similar to the
original Spectre
Have now added a mitigation within the kernel itself rather than having to
rely on CPU microcode (particularly when that microcode only covers a subset
of the affected CPUs)
[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)
11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-3772
CVE-2023-34319
CVE-2023-31083
CVE-2023-1206
4.4 generic,low-latency,kvm,aws etc
includes various high priority fixes which we’ve covered in previous episodes
[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)
12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-3772
CVE-2023-34319
CVE-2023-31083
CVE-2023-1206
CVE-2023-0597
4.15
kvm, gcp, aws, azure, generic, lowlatency on 18.04 / 16.04 HWE
azure 14.04
same as above
[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)
9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-42756
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-34319
5.4 xilinx zyncmp, ibm, gkeop, kvm, oracle, aws, gcp, azure, generic, lowlatency
[USN-6442-1] Linux kernel (BlueField) vulnerabilities
10 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-42756
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-4004
CVE-2023-34319
5.4 bluefiled (same as above)
[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-5197
CVE-2023-4881
CVE-2023-42756
CVE-2023-42755
CVE-2023-42752
CVE-2023-4244
6.1 oem
[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)
11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-5197
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-42756
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-4244
CVE-2023-34319
6.2 starfive, aws, oracle, azure, kvm, lowlatency, raspi, gcp, generic for 23.04
[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities
24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-5197
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-44466
CVE-2023-42756
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-4273
CVE-2023-4244
CVE-2023-4194
CVE-2023-4155
CVE-2023-4132
CVE-2023-3866
CVE-2023-3865
CVE-2023-3863
CVE-2023-38432
CVE-2023-34319
CVE-2023-3338
CVE-2023-2156
CVE-2023-20569
CVE-2023-1206
5.15 intel iotg
[USN-6446-1, USN-6446-2] Linux kernel vulnerabilities
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-5197
CVE-2023-4921
CVE-2023-4881
CVE-2023-4623
CVE-2023-4622
CVE-2023-42756
CVE-2023-42755
CVE-2023-42753
CVE-2023-42752
CVE-2023-4244
CVE-2023-34319
5.15 gkeop, nvidia, ibm, raspi, gcp, gke, kvm, oracle, aws, azure, azure-fde
Goings on in Ubuntu Security Community
Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)
Ubuntu Summit
https://events.canonical.com/event/31/
Mark Esler will be presenting “Improving FOSS Security” - designed for FOSS
maintainers who want to be proactive about security and protecting their
users
Tobias Heider will be presenting with Hector Martin on Asahi Linux and in
particular Ubuntu Asahi - community project to bring the Asahi Linux work to
Ubuntu (also was a great shout-out from Joe Ressington on the most recent
Late Night Linux plus a good write-up on omgubuntu)
Goodbye and good luck to David Lane (21:31)
Led the snap store reviewers work - much more streamlined process for folks
interacting on the snapcraft forum
Great manager + engineer and a great friend
See you at b-sides cbr in 2024
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
24min
October 20, 2023Episode 211
Overview
After a well-deserved break, we’re is back looking at the recent Ubuntu 23.10
release and the significant security technologies it introduces along with a
call for testing of unprivileged user namespace restrictions, plus the details
of security updates for curl, Samba, iperf3, CUE and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-6429-2, USN-6429-3] curl vulnerability (00:51)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-38546
for Ubuntu Pro users
under rare circumstances, possible that an application using libcurl would
potentially load cookies from a crafted file on disk - allowing a local
attacker to inject arbitrary cookies into a connection - although requires the
application to use the curl_easy_duphandle() function
2 CVEs addressed in Mantic (23.10)
CVE-2023-38546
CVE-2023-38545
cookie issue above, plus a possible heap buffer overflow when using a SOCKS5
proxy, if the specified hostname was longer than 255 bytes
[USN-6425-3] Samba vulnerabilities (02:38)
4 CVEs addressed in Mantic (23.10)
CVE-2023-42670
CVE-2023-42669
CVE-2023-4154
CVE-2023-4091
Various logic issues which could result in a range of effects, from attackers
being able to truncate read-only files, or cause Samba to stop responding and
hence DoS through to the ability to obtain all domain secrets
[USN-6425-2] Samba regression (03:06)
4 CVEs addressed in Focal (20.04 LTS)
CVE-2023-42670
CVE-2023-42669
CVE-2023-4154
CVE-2023-4091
Previous security update for focal was miscompiled and resulted in an issue
when handling the %U directive in smb.conf - if specified a path to be shared
like /home/%U/FILES the %U would seemingly be ignored and not replaced with
the username as expected - and hence the share would fail - this same issue
actually occurred previously in January this year - have now added a
regression test specifically to try and ensure we do not introduce this same
issue in the future again
[USN-6430-1] FFmpeg vulnerabilities (04:25)
6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2021-28429
CVE-2020-22051
CVE-2020-22043
CVE-2020-22040
CVE-2020-22039
CVE-2020-22024
Most just memory leaks in handling of various crafted files -> DoS
One heap buffer overflow - possible RCE but likely just DoS
One integer overflow in FPS calculation
[USN-6431-1, USN-6431-2, USN-6431-3] iperf3 vulnerabilities (05:12)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38403
Integer overflow -> heap buffer overflow -> RCE / crash - essentially, when
parsing a frame, would allocate memory for the frame, plus 1 extra byte for a
trailing NUL - if frame length was MAX_UINT adding 1 then wraps the integer
around back to zero - and so no memory gets allocated - and when copying into
the subsequent memory get a buffer overflow
When preparing this update, Jorge discovered he could cause the iperf3 server
to hang indefinitely on crafted input as well - reported this upstream and
included that fix here as well
[USN-6432-1] Quagga vulnerabilities (06:26)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-41360
CVE-2023-41358
2 different DoS vulns - both OOB reads on crafted input -> crash
[USN-6436-1] FRR vulnerabilities (06:38)
3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-41909
CVE-2023-41360
CVE-2023-41358
FRR is the new Quagga
[USN-6394-2] Python vulnerability (06:52)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2022-48560
Possible UAF in heapq module (aka priority queue implementation)
[USN-6423-2] CUE vulnerability (07:04)
1 CVEs addressed in Mantic (23.10)
CVE-2023-43641
OOB write discovered by Kevin Backhouse from Github - allows for a one-click
RCE on GNOME desktop due to the use of libcue by tracker - when a crafted CUE
file is downloaded, will get automatically indexed by tracker and hence parsed
by libcue triggering this bug -> RCE
Interestingly, tracker employed a seccomp sandbox which should have limited
the impact for this kind of issue (ie restricting what the exploit could do)
but Kevin found a way to bypass this since the seccomp filter was only applied
to the thread used to parse the file - not the main thread - so Kevin could
simply delegate the code execution to the main thread to bypass this
Upstream GNOME developers were already aware of this as a possible weakness in
the sandbox, and so worked to ensure this is then applied to all threads
within tracker, not just the one spawned to parse the particular file
[USN-6433-1] Ghostscript vulnerability (10:18)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-43115
Possible sandbox escape via a crafted PS document since it could modify the
specified IJS server parameter binary to execute some other binary instead
[USN-6396-3] Linux kernel (Azure) vulnerabilities (10:55)
6 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2023-4128
CVE-2023-40283
CVE-2023-3863
CVE-2023-3212
CVE-2022-40982
CVE-2022-27672
Various issues covered previously - 2 different UAFs - network packet
classifier and bluetooth subsystems, recent speculative execution vulns in AMD
and Intel processors and more
[USN-6434-1] PMIx vulnerability (11:24)
1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-41915
OpenPMIx implementiation - Process Management Interface Exascale Standard -
API used in HPC environments
Possible privilege escalation via race condition - library sets ownership of
various files but would follow symlinks when doing this - so if a user could
race it to swap a symlink out then could get it to set the ownership of a root
owned file to themselves and gain the ability to read it etc
Goings on in Ubuntu Security Community
Ubuntu 23.10 (Mantic Minotaur) Released (12:41)
https://ubuntu.com/blog/canonical-releases-ubuntu-23-10-mantic-minotaur
Culmination of the last 6 months of work - this release in particular has a
strong focus on raising the bar for security, and setting the stage for the
next LTS (24.04)
Two preview features - TPM-backed FDE on Ubuntu Desktop, and unprivileged user
namespace restrictions via AppArmor
Covered both of these in previous episodes
TPM-backed Full Disk Encryption is coming to Ubuntu from Episode 208
Unprivileged user namespace restrictions via AppArmor in Ubuntu from Episode 205
Call for testing of Unprivileged User Namespace Restrictions on Mantic
The hope is to get this enabled by default in 24.04 LTS - but we need as much
testing as we can get to find anything else which is not working as expected
beforehand - easy to do via a new sysctl
Can either do it immediately:
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
Or can set this to be applied at boot via a new file in /etc/sysctl.d, e.g.:
create a file /etc/sysctl.d/60-apparmor.conf with the following contents:
kernel.apparmor_restrict_unprivileged_userns = 1
Then if you do find something which is not working as expected, you can create
a simple AppArmor profile which will allow it to use unprivileged user
namespaces without any additional restrictions, e.g:
abi ,
include
/opt/google/chrome/chrome flags=(unconfined) {
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists
}
From a defensive security point of view, also is useful to enable an
additional sysctl to ensure that anything which is unconfined can’t just abuse
these profiles by aa-exec‘ing themselves via that profile - so then also need
to enable the kernel.apparmor_restrict_unprivileged_unconfined = 1 sysctl too
One application that we are aware of that is impacted is LXD - which, to avoid
issues, is currently disabling this automatically at startup - so for now you
have to keep manually re-enabling this restriction until the LXD devs land a
change to stop this https://github.com/canonical/lxd-pkg-snap/pull/187
Also all applications based on chromium (ie all electron apps) may likely have
issues since the chromium sandbox uses unprivileged user namespaces by
default - we have already created profiles for the various ones in the Ubuntu
archive that we are aware of, and for some third party ones too (Brave,
Vivaldi etc) but we expect there will be others - in that case, let us know
File a bug against apparmor: ubuntu-bug apparmor or visit
https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
20min
September 22, 2023Episode 210
Overview
It’s the Linux Security Summit in Bilbao this week and we bring you some
highlights from our favourite talks, plus we cover the 25 most stubborn software
weaknesses, and we look at security updates for Open VM Tools, libwebp, Django,
binutils, Indent, the Linux kernel and more.
This week in Ubuntu Security Updates
88 unique CVEs addressed
[USN-6365-1] Open VM Tools vulnerability (00:45)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-20900
Failed to properly validate SAML tokens - uses the xmlsec library but when
verifying the signature on a SAML document, failed to configure the library to
only use the X509 certificate for validation - since presumably an attacker
could intercept the SAML token, and replace the X509 cert with a different
type of signature which would then be trusted by the xmlsec library and allow
the attacker to gain access
[USN-6366-1] PostgreSQL vulnerability (01:34)
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-39417
Fixed for other releases in [USN-6296-1] PostgreSQL vulnerabilities in Episode
206 - one issue, which allowed an attacker to escalate their privileges
(from CREATE to being able to execute arbitrary code as a bootstrap superuser)
also affected PostgreSQL 9.5 in Ubuntu 16.04
[USN-6364-1] Ghostscript vulnerabilities (01:59)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-21890
CVE-2020-21710
Divide by zero and buffer overflow in handling of PDFs -> DoS / RCE?
[USN-6369-1] libwebp vulnerability (02:19)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-4863
heap buffer overflow -> OOB write -> RCE
originally reported as a vuln in Chrome on 12 September - full impact that
this was actually a bug in libwebp became clear a few days later
Solar Designer has a good thread on the details on oss-security
[USN-6367-1] Firefox vulnerability (03:55)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4863
117.0.1 for the libwebp fix above
[USN-6368-1] Thunderbird vulnerabilities (04:04)
6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-4863
CVE-2023-4584
CVE-2023-4581
CVE-2023-4575
CVE-2023-4574
CVE-2023-4573
102.15.1 - libwebp issue above plus various other issues - various UAFs,
missing .xll files from standard blocklist that warns users when downloading
executables - more of a windows issue but these are Excel add-in files -
ie. plugins for Excel, “memory safety bugs”
[USN-6370-1] ModSecurity vulnerabilities (04:42)
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-24021
CVE-2022-48279
CVE-2021-42717
CPU-based DoS when parsing excessively nested JSON objects (needs to be
tens-of-thousands deep)
Mishandling of NUL byte in file uploads - would parse the filename as a string
but if it contained an embedded NUL byte then filename would be truncated and
hence could result in a buffer overread or the ability to bypass the web
application firewall for rules which read from the FILES_TMP_CONTENT variable
Mishandling of HTTP multipart requests could also allow to bypass WAF
[USN-6371-1] libssh2 vulnerability (06:07)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-22218
OOB read - low impact since requires to connect to a malicious server to
trigger - and outcome is likely a DoS
[USN-6372-1] DBus vulnerability (06:26)
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-34969
Ability to crash the dbus daemon by an unprivileged user - BUT only if there
is a privileged user using the in-built monitoring interface of dbus to
monitor the traffic - so low chance of being able to trigger this and the
outcome is just a DoS anyway - and will be restarted by systemd anyway
[USN-6373-1] gawk vulnerability (07:02)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-4156
Heap OOB read - DoS
[USN-6374-1] Mutt vulnerabilities (07:16)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-4875
CVE-2023-4874
2 different NULL ptr deref
viewing crafted email
composing from a specially crafted draft email
DoS only
[USN-6375-1] atftp vulnerability (07:38)
Affecting Jammy (22.04 LTS), Lunar (23.04)
Could crash atftpd if requesting a non-existant file - turns out to be a
buffer overflow so could possibly be used for code execution
[USN-6376-1] c-ares vulnerability (7:50)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-22217
OOB read when parsing a crafted Start of Authority (SOA) reply
[USN-6377-1] LibRaw vulnerability (7:56)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-22628
Failed to reject images with invalid pixel aspect ratio - leading to an OOB
read -> crash
[USN-6378-1] Django vulnerability (08:08)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-41164
DoS via handling of URIs with a very large number of unicode characters -
algorithm would parse from start of string forwards for every invalid unicode
character - instead of just using the remainder of the string
[USN-6379-1] vsftpd vulnerability (08:47)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2021-3618
Possible application layer confusion attack (ALPACA) - abuses wildcard or
multi-domain certificates to redirect traffic from one subdomain to another
[USN-6381-1] GNU binutils vulnerabilities (09:07)
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2022-47695
CVE-2022-44840
CVE-2020-35342
CVE-2022-45703
CVE-2021-46174
CVE-2020-19726
CVE-2020-21490
CVE-2020-19724
memory leaks in nm and when disassembling microblaze instructions -> DoS
various buffer overflows in different functions -> DoS / RCE
failure to zero memory -> info leak
OOB read in objdump
heap buffer overflow in readelf
in general, we don’t consider it safe to run binutils on untrusted inputs
[USN-6380-1] Node.js vulnerabilities (09:54)
6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-8287
CVE-2020-8265
CVE-2020-8174
CVE-2019-15606
CVE-2019-15605
CVE-2019-15604
abort when sending a crafted X509 certificate -> DoS
2 different HTTP request smuggling attacks
possible bypass of HTTP authorization since would include whitespace in HTTP
headers
couple memory corruption issues in various operations implemented in C
[USN-6382-1] Memcached vulnerability (10:23)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2022-48571
NULL ptr deref upon reception of a UDP multi-packet request
[USN-6389-1] Indent vulnerability (10:30)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-40305
heap buffer overflow -> DoS / RCE
[USN-6339-4] Linux kernel (Intel IoTG) vulnerabilities (10:53)
8 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-38429
CVE-2023-38428
CVE-2023-38426
CVE-2023-3212
CVE-2023-31084
CVE-2023-2898
CVE-2023-21255
CVE-2022-48425
5.15
same set of vulns from [USN-6350-1, USN-6351-1, USN-6339-2, USN-6339-3] Linux
kernel vulnerabilities
[USN-6383-1] Linux kernel vulnerabilities (11:15)
5 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-4569
CVE-2023-4128
CVE-2023-40283
CVE-2023-21264
CVE-2023-20588
6.2 all in 23.04, HWE in 22.04
speculative execution leak when performing a divide-by-zero on various AMD processors
possible privilege escalation in ARM64 KVM implementation -> guest VM could
then write to host memory -> code execution
UAF in L2CAP socket handling in bluetooth - local DoS / code execution
UAF in various network packet classifiers - local DoS via unprivileged user
namespace
Memory leak in netfilter - also able to be abused by an unprivileged user in a
user namespace
[USN-6384-1] Linux kernel (OEM) vulnerabilities (12:23)
2 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-4569
CVE-2023-20588
6.1
speculative execution leak when performing a divide-by-zero on various AMD processors
Memory leak in netfilter - also able to be abused by an unprivileged user in a
user namespace
[USN-6385-1] Linux kernel (OEM) vulnerabilities (12:37)
37 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-4569
CVE-2023-4273
CVE-2023-4128
CVE-2023-40283
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3863
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-3390
CVE-2023-32269
CVE-2023-3220
CVE-2023-31436
CVE-2023-3141
CVE-2023-3090
CVE-2023-2898
CVE-2023-28466
CVE-2023-28328
CVE-2023-2269
CVE-2023-2235
CVE-2023-2163
CVE-2023-2162
CVE-2023-20593
CVE-2023-2002
CVE-2023-1611
CVE-2023-1380
CVE-2023-1206
CVE-2023-4194
CVE-2023-1076
CVE-2023-1075
CVE-2023-0458
CVE-2022-4269
CVE-2022-27672
6.0 OEM
All the previously mentioned vulns plus a heap more - kudos to OEM team and
Timo Aaltonen from the kernel team for the most number of CVEs fixed this week
[USN-6386-1] Linux kernel vulnerabilities (13:01)
4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-4569
CVE-2023-4128
CVE-2023-40283
CVE-2023-20588
5.15 22.04 GA. 20.04 HWE
[USN-6387-1] Linux kernel vulnerabilities (13:08)
3 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-4128
CVE-2023-40283
CVE-2023-20588
5.4 20.04 GA, 18.04 HWE
[USN-6388-1] Linux kernel vulnerabilities (13:12)
9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-4459
CVE-2023-4387
CVE-2023-4385
CVE-2023-4128
CVE-2023-40283
CVE-2023-3863
CVE-2023-32269
CVE-2023-3212
CVE-2022-40982
4.4 16.04 GA, 14.04 HWE
Goings on in Ubuntu Security Community
Highlights from LSS EU (13:29)
Hardware-backed Per-process Secrets - Matthew Garrett, Aurora
Mark Esler described as a crystal clear explanation of how TPM works and
proposes an automated attestation for confidential computing
Estimating Security Risk Through Repository Mining - Tamas K. Lengyel, Intel
proposed that most common metrics don’t demonstrate code quality, except
possibly percentage of cognitive complex functions
cyclomatic complexity measured how hard to test - cognitive complexity
tries to measure how hard to understand
premise is that if you can’t understand it, you can’t see the vulns
intuitively makes sense, but relies on the ability actually measure
cognitive complexity
and recent studies seem to show that the current cognitive complexity
measurements are no better at accurately identifying code that is hard
to understand than the more traditional methods of LOC or cyclomatic
complexity
Cognitive Complexity: A new way of measuring understandability white paper by G. Ann Campbell of SonarSource
I missed this one but as Steve Beattie said, it does provide some things to
think about in the context of the security reviews that the Ubuntu Security
does as part of the MIR process (for a good overview of this, take a step
back in time to Main inclusion review security code audits discussion with
Seth Arnold from Episode 32)
Top 25 most stubborn weaknesses (17:13)
https://cwe.mitre.org/top25/archive/2023/2023_stubborn_weaknesses.html
MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses published from Episode 201
15 CWEs present in every one of the last 5 top 25 most dangerous lists from MITRE

CWE-ID
Description
2023 Rank

CWE-787
Out-of-bounds Write
1

CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
2

CWE-89
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
3

CWE-416
Use After Free
4

CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
5

CWE-20
Improper Input Validation
6

CWE-125
Out-of-bounds Read
7

CWE-22
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
8

CWE-352
Cross-Site Request Forgery (CSRF)
9

CWE-476
NULL Pointer Dereference
12

CWE-287
Improper Authentication
13

CWE-190
Integer Overflow or Wraparound
14

CWE-502
Deserialization of Untrusted Data
15

CWE-119
Improper Restriction of Operations within Bounds of a Memory Buffer
17

CWE-798
Use of Hard-coded Credentials
18
all fall into one of three different categories
errors when processing of data from untrusted sources providing an initial
entry point for compromise
weaknesses from using languages that don’t provide strong memory safety
guarantees
poor security architecture / design choices
re memory safety - MITRE note that this has been coming down - CWE-119
(“Improper Restriction of Operations within Bounds of a Memory Buffer”) was
once ranked 1 5 years ago, is now 17. Related (but not directly memory safety
but more correctness) CWE-190 (“Integer Overflow or Wraparound”) was ranked 5,
is now 7.
Really shows that if you are implementing any new code, choosing a language
that is memory safe will help avoid a lot of the most prevalent security
issues - clearly won’t help with lack of proper input validation or poor
security architecture etc - but will cut out the most dangerous and most
stubborn issues (OOB W, UAF etc)
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
22min
September 15, 2023Episode 209
Overview
Andrei is back this week with a deep dive into recent research around CVSS
scoring inconsistencies, plus we look at a recent Ubuntu blog post on the
internals of package updates and the repositories, and we cover security updates
in Apache Shiro, GRUB2, CUPS, RedCloth, curl and more.
This week in Ubuntu Security Updates
77 unique CVEs addressed
[USN-6346-1] Linux kernel (Raspberry Pi) vulnerabilities (00:55)
5 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
5.4 raspi + HWE on 18.04
Covered previously in [USN-6315-1] Linux kernel vulnerabilities from Episode 207
[USN-6347-1] Linux kernel (Azure CVM) vulnerabilities
24 CVEs addressed in Focal (20.04 LTS)
CVE-2023-35829
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-33288
CVE-2023-33203
CVE-2023-3268
CVE-2023-32248
CVE-2023-3141
CVE-2023-30772
CVE-2023-28466
CVE-2023-23004
CVE-2023-2269
CVE-2023-2235
CVE-2023-2194
CVE-2023-2163
CVE-2023-2124
CVE-2023-2002
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0597
CVE-2022-48502
CVE-2022-4269
Microsoft Azure CVM cloud systems - 5.15
[USN-6348-1] Linux kernel vulnerabilities
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-21400
CVE-2023-20593
CVE-2022-40982
5.15 Raspi on 22.04 / Intel-IoTG on 20.04
[USN-6349-1] Linux kernel (Azure) vulnerabilities
9 CVEs addressed in Focal (20.04 LTS)
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-3268
CVE-2023-31084
CVE-2023-2269
CVE-2023-2163
CVE-2023-21255
CVE-2023-2002
5.4 Azure
[USN-6350-1, USN-6351-1, USN-6339-2, USN-6339-3] Linux kernel vulnerabilities
8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-38429
CVE-2023-38428
CVE-2023-38426
CVE-2023-3212
CVE-2023-31084
CVE-2023-2898
CVE-2023-21255
CVE-2022-48425
5.15
Oracle, AWS, GKE, Raspi, Azure on 22.04
IBM, Oracle, AWS, GKE, Azure on 20.04
[USN-6340-2] Linux kernel vulnerabilities
9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-3268
CVE-2023-31084
CVE-2023-2269
CVE-2023-2163
CVE-2023-21255
CVE-2023-2002
5.4 Xilinx ZyncMP, GKEOP, Raspi on 20.04; Raspi, GCP, Azure on 18.04 (Ubuntu Pro)
[USN-6342-2] Linux kernel (Azure) vulnerabilities
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-3776
CVE-2023-3611
CVE-2023-31084
CVE-2023-2985
CVE-2023-2269
CVE-2023-20593
4.15 Azure on all
[USN-6338-2] Linux kernel vulnerabilities
11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38429
CVE-2023-38428
CVE-2023-38426
CVE-2023-32258
CVE-2023-32257
CVE-2023-32252
CVE-2023-32250
CVE-2023-32247
CVE-2023-31084
CVE-2023-2898
CVE-2023-21255
6.2
Starfive, IBM, Oracle, GCP on 23.04
GCP on 22.04
[USN-6357-1] Linux kernel (IBM) vulnerabilities
14 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3609
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-3268
CVE-2023-31084
CVE-2023-2269
CVE-2023-2163
CVE-2023-21255
CVE-2023-20593
CVE-2023-2002
CVE-2022-40982
5.4 IBM on 20.04 / 18.04
[USN-6345-1] SoX vulnerability (02:42)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-32627
Floating point exception via crafted content -> crash -> DoS
[USN-6352-1] Apache Shiro vulnerabilities (03:03)
2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-17510
CVE-2020-13933
Two different authentication bypasses for crafted HTTP requests - not great to
have in a component whose purpose is to to authentication, authorisation,
cryptopraphy and session management
[USN-6353-1] PLIB vulnerability (03:25)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2021-38714
Portable games library - aims to work across a range of HW and OSes - used by
torcs and flightgear
Integer overflow -> buffer overflow on crafted TGA file
[USN-6354-1] Python vulnerability (03:54)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2022-48565
XML eXternal Entity when parsing XML plist files - fix was to reject entity
declarations in plist files - this is consistent with the behaviour in Apple’s
plutil tool as well
[USN-6355-1] GRUB2 vulnerabilities (04:14)
10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-3775
CVE-2022-28737
CVE-2022-28736
CVE-2022-28735
CVE-2022-28734
CVE-2022-28733
CVE-2021-3981
CVE-2021-3697
CVE-2021-3696
CVE-2021-3695
Various grub vulns - see [USN-4992-1] GRUB 2 vulnerabilities from Episode 121
for the previous lot - these updates were published back in February to the
-updates pocket and have now been synced to -security
various OOB R/W via crafted images (Daniel Axtens), integer overflow when
parsing crafted IP packets -> buffer overflow, OOB write via crafted HTTP
header, UAF in chainloader and more
[USN-6356-1] OpenDMARC vulnerabilities (05:08)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-12460
CVE-2020-12272
Open Source implementation of the DMARC specification
Possible to inject authentication results via a crafted domain
1-byte heap buffer overflow of a NUL-byte - likely just crash -> DoS
[USN-6164-2] c-ares vulnerabilities (05:39)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-32067
CVE-2023-31130
[USN-6164-1] c-ares vulnerabilities from Episode 199
[USN-6237-3] curl vulnerabilities (05:50)
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-32001
CVE-2023-28322
CVE-2023-28321
[USN-6237-1] curl vulnerabilities from Episode 203
[USN-6359-1] file vulnerability (06:01)
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-48554
stack-based buffer over-read -> crash, DoS
[USN-6360-1] FLAC vulnerability (06:18)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2020-22219
buffer overflow -> RCE / crash
[USN-6361-1] CUPS vulnerability (06:27)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-32360
Default configuration failed to require authentication for the
CUPS-Get-Document operation - could allow other users to fetch print documents
without authentication
[USN-6362-1] .NET vulnerability (06:46)
1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-36799
DoS in X509 certs handling
[USN-6358-1] RedCloth vulnerability (06:52)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-31606
ReDoS via crafted HTML payload - upstream maintainer hasn’t responded to the
original report or to the PR with the proposed fix - one of the rare occasions
where we deploy a fix that is not blessed by upstream - also demonstrates
though that we try and maintain the software in Ubuntu even when upstream
stops supporting it (whether officially or not)
[USN-6363-1] curl vulnerability (08:03)
1 CVEs addressed in Lunar (23.04)
CVE-2023-38039
Provides an API to access headers from past HTTP responses - so stores headers
in memory, but failed to limit how large this could be - so if a malicious
server provided a response with a very large header then could DoS the
application using libcurl - limited to 300KB total per response - which is
similar to how Chrome behaves
Goings on in Ubuntu Security Community
Part 4 of Andrei’s deep dive into cybersecurity research ()
“Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on
Evaluating Widespread Security Vulnerabilities” - to appear in IEEE Symposium on
Security & Privacy (aka S&P) in 2024
Tries to answer the questions “Are CVSS evaluations consistent?” and “Which
factors influence CVSS assessments?”
https://arxiv.org/abs/2308.15259
https://www.first.org/cvss/specification-document
https://www.first.org/cvss/user-guide
https://www.first.org/cvss/examples
https://www.first.org/cvss/examples#OpenSSL-Heartbleed-Vulnerability-CVE-2014-0160
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation
Ubuntu updates, releases and repositories explained (22:18)
https://ubuntu.com/blog/ubuntu-updates-releases-and-repositories-explained
by Aaron Whitehouse - Senior Public Cloud Enablement Director at Canonical,
leads the team that drives Canonical’s joint initiatives with the major
public clouds
Get in contact
Come find us in person at LSS EU 2023 in Bilbao, Spain
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
25min
September 08, 2023Episode 208
Overview
This week we detail the recently announced and long-awaited feature of
TPM-backed full-disk encryption for the upcoming Ubuntu 23.10 release, plus we
cover security updates for elfutils, GitPython, atftp, BusyBox, Docker Registry
and more.
This week in Ubuntu Security Updates
93 unique CVEs addressed
[USN-6322-1] elfutils vulnerabilities (00:38)
10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2021-33294
CVE-2020-21047
CVE-2019-7665
CVE-2019-7150
CVE-2019-7149
CVE-2018-18521
CVE-2018-18520
CVE-2018-18310
CVE-2018-16403
CVE-2018-16062
All the older CVEs (2018-2019) for Ubuntu 14.04 only - and all of these are
just DoS through OOB read / NULL ptr deref etc
OOB write / off-by-one + CPU-based DoS as well for more recent releases ->
code execution / crash | DoS
[USN-6323-1] FRR vulnerability (01:40)
1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-31490
Missing length check when handling particular options - would cause an OOB
read and hence a crash of bgpd within frr - similar to recent issues like
[USN-6136-1] FRR vulnerabilities from Episode 198
[USN-6326-1] GitPython vulnerability (02:11)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-40267
Incomplete fix for historical CVE-2022-24439 ([USN-5968-1] GitPython vulnerability from Episode 192)
Essentially allows to get RCE since calls git clone and doesn’t completely
validate the options and so leads to shell-command injection - thanks to
Sylvain Beucler from Debian LTS team for noticing this and pointing it out to
the upstream project
[USN-6333-1] Thunderbird vulnerabilities (03:00)
9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-4056
CVE-2023-4055
CVE-2023-4049
CVE-2023-4048
CVE-2023-4047
CVE-2023-4050
CVE-2023-4046
CVE-2023-4045
CVE-2023-3417
102.15.0
[USN-6334-1] atftp vulnerabilities (03:10)
3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2021-46671
CVE-2021-41054
CVE-2020-6097
TFTP server and client packages
All 3 issues in the atftpd server
assertion failure when handling crafted Multicast Read Request
buffer overflow when handling crafted request with multiple options
buffer overread when handling crafted options data - would read past the
array of options and into adjacent memory - according to the CVE this would
then be the data from /etc/group on the server but likely this is not
deterministic and would be whatever else was on the heap
[USN-6335-1] BusyBox vulnerabilities (05:20)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2022-48174
CVE-2021-28831
Invalid free() on malformed gzip data - on error, sets bit 1 of a pointer to
indicate that an error occurred - would then go and pass this pointer to
free() but now the pointer is 1-byte past where it should be - so need to
unset this bit first
In shell handling of crafted input could trigger a stack overflow when parsing
certain arithmetic expressions -> crash / RCE - BUT since this is in parsing
of shell expressions anyway could just easily pass actual shell code to
evaluate surely?
[USN-6336-1] Docker Registry vulnerabilities (07:52)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-2253
CVE-2017-11468
Tools to pack and server docker images - ie. to stand up your own docker
registry for serving OCI images
Two different DoS since didn’t place any bounds on the size of various
parameters in requests - so when handling a crafted request with a very large
value, would try and allocate enough memory for that and then potentially run
out of memory and crash
Even in languages like Go which are memory safe, we still run into real world
limits like this - whilst in computing we like to have abstractions like
unlimited memory, and can generally program assuming this to be true, need to
be careful still when handling untrusted input
[USN-6321-1] Linux kernel vulnerabilities (09:21)
10 CVEs addressed in Lunar (23.04)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
6.2 for StarFive and GCP
Covered previously in [USN-6315-1] Linux kernel vulnerabilities from Episode 207
[USN-6325-1] Linux kernel vulnerabilities
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-21400
CVE-2023-20593
CVE-2022-40982
5.15 GKEOP, Intel IoTG
[USN-6324-1] Linux kernel (GKE) vulnerabilities
5 CVEs addressed in Focal (20.04 LTS)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
5.4 for GKE
[USN-6327-1] Linux kernel (KVM) vulnerabilities
6 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3567
CVE-2023-31084
CVE-2023-2985
CVE-2023-2269
[USN-6328-1] Linux kernel (Oracle) vulnerabilities
10 CVEs addressed in Lunar (23.04)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
[USN-6329-1] Linux kernel vulnerabilities
5 CVEs addressed in Bionic ESM (18.04 ESM)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
[USN-6330-1] Linux kernel (GCP) vulnerabilities
11 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-21400
CVE-2023-20593
CVE-2022-40982
[USN-6331-1] Linux kernel (Azure) vulnerabilities
21 CVEs addressed in Focal (20.04 LTS)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3609
CVE-2023-33203
CVE-2023-3141
CVE-2023-3111
CVE-2023-30772
CVE-2023-28466
CVE-2023-2194
CVE-2023-2124
CVE-2023-20593
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0590
CVE-2022-4269
CVE-2022-40982
CVE-2022-27672
CVE-2022-1184
CVE-2022-0168
CVE-2020-36691
[USN-6332-1] Linux kernel (Azure) vulnerabilities
35 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-35829
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-33288
CVE-2023-33203
CVE-2023-3268
CVE-2023-32248
CVE-2023-3141
CVE-2023-30772
CVE-2023-28466
CVE-2023-23004
CVE-2023-2269
CVE-2023-2235
CVE-2023-2194
CVE-2023-2163
CVE-2023-21400
CVE-2023-2124
CVE-2023-20593
CVE-2023-2002
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0597
CVE-2022-48502
CVE-2022-4269
CVE-2022-40982
[USN-6337-1] Linux kernel (Azure) vulnerabilities
16 CVEs addressed in Bionic ESM (18.04 ESM)
CVE-2023-33203
CVE-2023-3141
CVE-2023-3111
CVE-2023-30772
CVE-2023-28466
CVE-2023-2194
CVE-2023-2124
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0590
CVE-2022-4269
CVE-2022-27672
CVE-2022-1184
CVE-2022-0168
CVE-2020-36691
[USN-6338-1] Linux kernel vulnerabilities
11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38429
CVE-2023-38428
CVE-2023-38426
CVE-2023-32258
CVE-2023-32257
CVE-2023-32252
CVE-2023-32250
CVE-2023-32247
CVE-2023-31084
CVE-2023-2898
CVE-2023-21255
[USN-6339-1] Linux kernel vulnerabilities
8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-38429
CVE-2023-38428
CVE-2023-38426
CVE-2023-3212
CVE-2023-31084
CVE-2023-2898
CVE-2023-21255
CVE-2022-48425
[USN-6340-1] Linux kernel vulnerabilities
9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-3268
CVE-2023-31084
CVE-2023-2269
CVE-2023-2163
CVE-2023-21255
CVE-2023-2002
[USN-6341-1] Linux kernel vulnerabilities
5 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3567
CVE-2023-3159
CVE-2023-0458
[USN-6342-1] Linux kernel vulnerabilities
6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-3776
CVE-2023-3611
CVE-2023-31084
CVE-2023-2985
CVE-2023-2269
CVE-2023-20593
[USN-6343-1] Linux kernel (OEM) vulnerabilities
7 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-4273
CVE-2023-4194
CVE-2023-4155
CVE-2023-4128
CVE-2023-40283
CVE-2023-34319
CVE-2023-1206
[USN-6344-1] Linux kernel (Azure) vulnerabilities
11 CVEs addressed in Lunar (23.04)
CVE-2023-38429
CVE-2023-38428
CVE-2023-38426
CVE-2023-32258
CVE-2023-32257
CVE-2023-32252
CVE-2023-32250
CVE-2023-32247
CVE-2023-31084
CVE-2023-2898
CVE-2023-21255
Goings on in Ubuntu Security Community
TPM-backed Full Disk Encryption is coming to Ubuntu (10:48)
https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
Ijlal Loutfi (Product Manager for Security Technologies)
Technical work has been led by Chris Coulson from our team - from early
research, design and implementation
Ubuntu has traditionally offered FDE via LUKS on-top of LVM since 6.06 - back
then it was via an alternate install image but in 12.10 got integrated into
the main install image
Uses a passphrase which is manually typed in at boot to unlock the disk
Not very useful in environments which don’t have a user to do this -
ie. servers or IoT etc
Demand for an ability to have FDE without having to enter a passphrase -
particularly for IoT - so that if a device is stolen and the disk is removed
it cannot be compromised
Windows has long supported this via BitLocker - uses a hardware component
called the Trusted Platform Module (TPM) to essentially store an encryption
key which is only made available if the machine is booting the expected
operating system under the expected BIOS etc
As I said earlier, this is a feature that has high demand in the IoT space, so
back in 2019 work was started to design and implement a similar solution for
Ubuntu Core
Debuted in Ubuntu Core 20 and has seen ongoing development through Ubuntu Core
22 and more since
To ensure that the expected + trusted BIOS and OS is running, use the TPM to
essentially store a chain of hashes of each component in the boot chain -
ie. BIOS, bootloader (shim + grub), kernel (including the kernel command-line)
and initrd etc
When the TPM is asked to unlock the encryption key, it will check that the
system is in the expected state by looking at the chain of hashes to make sure
they match the one that was used when the key was locked into the TPM in the
first place. If this is as expected, it will unlock the key, but if not
(ie. the system is booting some other OS or the disk is running on some other
machine etc) then the state won’t match the disk won’t be able to be unlocked
This has traditionally been quite hard to do on traditional Ubuntu and general
Linux systems since things like the initrd are composed on the local machine
(see update-initramfs) - and so they can’t easily be signed and verified by
such a system.
But Ubuntu Core is a different beast, not subject to these same constraints -
built on snaps for more specialised use-cases - so for Ubuntu Core 20 the
kernel snap was updated to use unified kernel images which contain both the
kernel and initrd (plus some other components) into a single UEFI binary -
this allows them to be signed like existing kernel EFI binaries and hence
verified during the boot process and measured by the TPM to support this
use-case. Similarly, the gadget snap contains the bootloader and UEFI
configuration etc - so this can also be measured and verified at boot to
ensure the system is in the required state (ie. UEFI Secure Boot is enabled
etc).
Unlike Ubuntu Core, traditional or classic Ubuntu however uses debs for the
kernel and shim etc, and so is not easily amenable to this same solution -
also as mentioned above, components like the initrd and bootloader
configuration are generated locally and so can’t easily be signed and hence
verified at boot
As such, to support this same use-case on traditional Ubuntu, the snap-based
approach was reused - in this model, instead of deb packages providing kernel
and shim + grub etc, snaps are used. As such, snapd is then also used to
manage the TPM as described above - ie. calculate the expected hashes when a
new kernel / bootloader is installed and re-seal the encryption key based on
this
This is then all provided via a new experimental option in the installer:
Can list the recovery key once booted via:
snap recovery --show-keys
Otherwise is intended to function like a regular Ubuntu install - but like
BitLocker on Windows, you won’t have to enter a passphrase on boot but you
still get full disk encryption - and the kernel and bootloader are delivered
as snaps:
Now you may ask, how is this different than existing solutions like Clevis?
Clevis only verifies the bootloader and kernel and hence can be bypassed
reasonably easily - in fact there was a recent blog from Pulse Security
describing this kind of thing
https://pulsesecurity.co.nz/advisories/tpm-luks-bypass
In this case, the systemd emergency.service unit is still enabled which
allows the usual boot checks to be bypassed
Chris considered this in the original design for Ubuntu Core and so this is
disabled
Crucially, when using something like Clevis, the initrd is not verified, so
an attacker can just replace the initrd with one of their own choosing to
subvert the usual trusted boot process as well
Interestingly the folks from Linux Matters were recently talking about
TPM-backed FDE - mentioned systemd-cryptenroll - this can provide a more
comprehensive solution since you can choose to have it verify more of the
boot components BUT it still requires a lot of manual work to get running
and won’t be as comprehensive in the end - also won’t necessarily
auto-update when new kernels are installed etc
Intended to be a holistic solution the provides robust protection against
various online and offline attacks, whilst providing strong guarantees that
things like Secure Boot is not bypassed and that the key from the TPM can’t be
easily sniffed from the bus etc.
Thanks again to Chris for leading this work
Try it out, provide feedback
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
25min
September 01, 2023Episode 207
Overview
This week we cover reports of “fake” CVEs and their impact on the FOSS security
ecosystem, plus we look at security updates for PHP, Fast DDS, JOSE for C/C++,
the Linux kernel, AMD Microcode and more.
This week in Ubuntu Security Updates
83 unique CVEs addressed
[USN-6305-1] PHP vulnerabilities (00:53)
2 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-3824
CVE-2023-3823
One interesting issue in the handling of XML - PHP uses the libxml library for
XML handling which maintains global state for things like whether XML external
entities should be loaded. However PHP also uses ImageMagick for image
handling, which also uses libxml (for say SVG parsing etc). As such,
ImageMagick may end up configuring XML EE to be enabled, which then in turn
enables it for all of PHP and so allows XML EE attacks - which can then be
used to read and disclose the contents of local files.
Fixed by making PHPs use of libxml set a local context which explicitly
turns off XML EE handling rather than relying on the global context
Stack buffer overflow when reading dirents from PHAR archives
[USN-6306-1] Fast DDS vulnerabilities (02:28)
7 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-39949
CVE-2023-39948
CVE-2023-39947
CVE-2023-39946
CVE-2023-39945
CVE-2023-39534
CVE-2021-38425
C++ implementation of DDS standard - pub-sub model for connecting software
components, used in various contexts like Adaptive AUTOSAR in the automotive
industry and others
DoS via traffic flood - fixed by implementing an exponential backoff for
authentication requests
various other DoS through different assertion failures, unhandled exceptions
and a couple heap buffer overflows for good measure too
[USN-6307-1] JOSE for C/C++ vulnerability (03:33)
1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-37464
C library implementation of Javascript Object Signing and Encryption (JOSE)
standard
AES/GCM decryption would used the tag length value from the Authentication Tag
provided in the JWE header rather than the fixed length of 16 as
specified. Attacker could then provide a crafted JWE header with a shorter
authentication tag to trigger a buffer overflow on the receiver -> crash ->
DoS / info leak
[USN-6308-1] Libqb vulnerability (04:25)
1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-39976
tooling for generating man pages from Doxygen XML files
heap buffer overflow via an overly long input line when outputting certain log
messages
[USN-6309-1] Linux kernel vulnerabilities (04:48)
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3567
CVE-2023-31084
CVE-2023-2985
CVE-2023-2269
4.4 GA in 16.04, HWE in 14.04
Mentioned some of these last week in [USN-6285-1] Linux kernel (OEM) vulnerabilities
deadlocks in device mapper and DVB Core drivers; UAFs in HFS+ file-system
impl, virtual terminal drivers and netfilter network packet classifier; OOB
write in QFS network scheduler
DoS via CPU deadlock or crash; possible code execution for the UAFs / OOB
write
[USN-6311-1] Linux kernel vulnerabilities (06:07)
24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-35829
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-33288
CVE-2023-33203
CVE-2023-3268
CVE-2023-32248
CVE-2023-3141
CVE-2023-30772
CVE-2023-28466
CVE-2023-23004
CVE-2023-2269
CVE-2023-2235
CVE-2023-2194
CVE-2023-2163
CVE-2023-2124
CVE-2023-2002
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0597
CVE-2022-48502
CVE-2022-4269
5.15 kernel variants for GCP and GKE
[USN-6312-1] Linux kernel vulnerabilities (06:22)
16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-33203
CVE-2023-3141
CVE-2023-3111
CVE-2023-30772
CVE-2023-28466
CVE-2023-2194
CVE-2023-2124
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0590
CVE-2022-4269
CVE-2022-27672
CVE-2022-1184
CVE-2022-0168
CVE-2020-36691
5.4 for GKE on 20.04 and IBM on 18.04
[USN-6314-1] Linux kernel vulnerabilities (06:33)
16 CVEs addressed in Focal (20.04 LTS)
CVE-2023-33203
CVE-2023-3141
CVE-2023-3111
CVE-2023-30772
CVE-2023-28466
CVE-2023-2194
CVE-2023-2124
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0590
CVE-2022-4269
CVE-2022-27672
CVE-2022-1184
CVE-2022-0168
CVE-2020-36691
5.4 for IBM and BlueField (NVIDIA DPU family using ARM CPU cores from Mellanox
(now owned by NVIDIA))
[USN-6315-1] Linux kernel vulnerabilities (06:58)
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-21400
CVE-2023-20593
CVE-2022-40982
5.15 GA (GKE, NVIDIA, IBM, GCP, KVM, Oracle, AWS, LowLatency) for 22.04 and
HWE for 20.04 + some OEM specific kernels too
Zenbleed ([USN-6244-1] AMD Microcode vulnerability from Episode 204) and
Gather Data Sampling ([USN-6286-1] Intel Microcode vulnerabilities from
Episode 205)
Previously released microcode updates, now also shipping associated kernel
fixes - for Zenbleed this enables a workaround if the microcode is not
available (since for some CPUs this is only available as a BIOS update, not
via microcode in Ubuntu), whilst for GDS this simply provides kernel support
to help identify if the mitigation is in place or not - if no microcode is
available, can disable AVX entirely by setting clearcpuid=avx on the kernel
command-line (but this will have a decent performance impact)
[USN-6316-1] Linux kernel (OEM) vulnerabilities (09:02)
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-20593
CVE-2022-40982
6.1 OEM on 22.04
[USN-6317-1] Linux kernel vulnerabilities (09:10)
5 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-3776
CVE-2023-3611
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
5.4 GA for 20.04 / HWE for 18.04
[USN-6318-1] Linux kernel vulnerabilities (09:20)
10 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-4015
CVE-2023-4004
CVE-2023-3995
CVE-2023-3777
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-20593
CVE-2022-40982
6.2 23.04 GA, HWE for 22.04
[USN-6310-1] json-c vulnerability (09:41)
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2021-32292
stack buffer overread on crafted input - interestingly the CVE says that it
can allow code execution but that is the first time I have heard an OOB read
can allow code execution
[USN-6313-1] FAAD2 vulnerabilities (10:08)
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2021-32276
CVE-2023-38858
CVE-2023-38857
CVE-2021-32278
CVE-2021-32277
CVE-2021-32274
CVE-2021-32273
CVE-2021-32272
audio decoding library
various heap and stack buffer overflows plus a NULL ptr deref for good measure
[USN-6319-1] AMD Microcode vulnerability (10:33)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-20569
“INCEPTION” / “RAS Poisoning” - similar to the original SpectreV2 vulns -
another variant of a speculative execution attack using the branch prediction
buffer to cause an incorrectly speculated return to be executed which can then
be inferred from a cache timing attack to read kernel memory
[USN-6320-1] Firefox vulnerabilities (11:13)
11 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4580
CVE-2023-4579
CVE-2023-4577
CVE-2023-4585
CVE-2023-4584
CVE-2023-4583
CVE-2023-4581
CVE-2023-4578
CVE-2023-4575
CVE-2023-4574
CVE-2023-4573
117.0
[USN-6263-2] OpenJDK regression (11:24)
7 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-25193
CVE-2023-22049
CVE-2023-22045
CVE-2023-22044
CVE-2023-22041
CVE-2023-22036
CVE-2023-22006
[USN-6263-1] OpenJDK vulnerabilities from Episode 204
Upstream regression in handling of JAR files made with older versions of Ant
etc - would fail to be decompressed
Goings on in Ubuntu Security Community
Reports of “Fake” CVEs being assigned by MITRE (12:07)
https://riskybiznews.substack.com/p/open-source-projects-plagued-by-fake-cves
Dan Lorenc from Chainguard posted about a heap of CVEs assigned just over 1
week ago (22nd August 2023) against a heap of open source projects - cURL,
PostgreSQL, Python, nasm, ImageMagick and a heap more
Each refers to either a bug report or patch sent to the upstream project that
mentions a fix for seemingly real vulnerability (“buffer overflow”, “use after
free” etc)
But for most of these, the upstream project never agreed that these were valid
vulnerabilities, and some have come out to expressly disavow them - PostgreSQL
on CVE-2020-21469 and cURL on CVE-2020-19909
PostgreSQL issue is a DoS via sending a repeated SIGHUP to the server
BUT you need to have local access with priviliges to send SIGHUP - ie be
root - and have access to the PostgreSQL superuser etc
which if you do, you can do a lot more damage - ie. this is not a
vulnerability - there is no privilege boundary being crossed etc
cURL is an integer overflow in the --retry-delay command-line option - where
if you specify a really large value of seconds, cURL will multiply this by
1000 to convert it to ms and hence overflow
BUT this is not used for memory calculations etc - is just used for a
retry delay - ie. it will only wait for say a few seconds rather than the
billion odd seconds originally specified - again, there is no security
impact here
Dan posited that these were likely just scraped automatically and CVEs filed
But who filed the CVEs?
all show as assigned by MITRE - and anyone can request a CVE from MITRE as
they are the CNA of last resort - https://cveform.mitre.org/
BUT like all CNAs, they should be checking validating the information before
assigning a CVE
MITRE even rejected the request by Daniel Stenberg (@bagder) (cURL
maintainer) to reject the CVE
clearly something is breaking down here
Not only does this create a heap of work for the upstream projects (as
mentioned by Risky Biz) but for all the downstreams like Ubuntu and other
distros
We have to triage these CVEs against the packages in Ubuntu and determine
whether the require immediate fixing etc - this takes time for everyone
involved
RiskyBiz calls these “Fake” CVEs - but they are not fake in the traditional
sense - ie. they are not fradualent, they have been issued by the official
custodians of CVEs - MITRE - but it is just that they are not actual
vulnerabilities
Is this just taking the Linux kernel mantra of security problems are just bugs
(and hence to get kernel security fixes you need to get all kernel bug fixes
as you won’t know which are the real vulns) to the opposite extreme - all bugs
are security bugs and hence should get CVEs?
Will have to wait and see how this plays out but if consumers can’t trust CVEs
that will likely put the whole system in jeopardy since whilst CVEs have many
shortcomings, they are the global defacto for vulnerability tracking
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
23min
August 25, 2023Episode 206
Overview
This week we talk about HTTP Content-Length handling, intricacies of group
management in container environments and making sure you check your return codes
while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call
out for input on using open source tools to secure your SDLC.
This week in Ubuntu Security Updates
69 unique CVEs addressed
[USN-6294-1, USN-6294-2] HAProxy vulnerability (01:00)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-40225
Would forward requests with empty Content-Length headers even when there was
content in the request (which violates
RFC 9110 - HTTP Semantics) - this
RFC explicitly says:
If the message is forwarded by a downstream intermediary, a Content-Length
field value that is inconsistent with the received message framing might cause
a security failure due to request smuggling or response splitting. As a result,
a sender MUST NOT forward a message with a Content-Length header field value
that is known to be incorrect.
As such, downstream HTTP/1 servers behind HAProxy may interpret the payload in
the request as an extra request and hence this can be used for request
smuggling as warned by the RFC
[USN-6295-1] Podman vulnerability (02:34)
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-2989
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
interaction between supplemental groups, negative group permissions and setgid
binaries
supplemental groups - each user generally has a group specific to their user
(so-called primary group for that user), but can also belong to other
supplemental groups:
ubuntu@ubuntu:~$ groups
ubuntu sudo
negative group permissions - not used often but allows to say that a certain
group of users should not be able to access something - ie. denylisting
setgid binary - like a setuid binary - no matter what group that executes the
binary, the binary runs as the primary group of the binary
so could a user could create a binary, make it set-group for one of their
supplemental groups and then drop their primary group, run it and use that to
access such a resource that has been denied access to their primary group?
no, since on login, primary group gets added to the list of supplemental
groups which can’t be modified by a user themself - this has been the
standard behaviour in UNIX since 1994 in BSD 4.4 and hence Linux has always
worked this way too
However, podman is a container manager though and it manages groups within the
container - and it failed to do this duplication of the primary group into the
supplemental group and so would allow exactly this attack
it wasn’t only podman that was affected - also buildah, cri-o and moby
(ie. docker.io in Ubuntu)
[USN-6296-1] PostgreSQL vulnerabilities (06:44)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-39418
CVE-2023-39417
Latest upstream point releases, so contains both security fixes and other bug
fixes
[USN-6298-1] ZZIPlib vulnerabilities (07:04)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-18442
CVE-2018-7727
Provides the ability to read into a zip archive, as well as the ability to
overlay a zip archive with an existing file system
Used by applications like mpd, milkytracker and texlive (LaTeX etc)
Two different DoS
infinite loop -> CPU based DoS
memory leak -> resource based DoS
both require to parse an attacker provided ZIP archive
[USN-6297-1] Ghostscript vulnerability (07:50)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38559
Buffer overflow when generating a PDF file for a DEVN device - DEVN is an
abbreviation for DeviceN which is a type of colour space - ie a way of
specifying different colour levels across a set of channels - ie. encoding
colour information for a printer etc
Needs an attacker to provide a crafted input file though…
[USN-6299-1] poppler vulnerabilities (08:40)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-36024
CVE-2020-36023
someone has been fuzzing poppler - in particular the pdftops binary
stack overflow and NULL ptr deref when handling crafted input PDFs -> crash -> DoS
[USN-6300-1] Linux kernel vulnerabilities (09:18)
24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-35829
CVE-2023-35828
CVE-2023-35824
CVE-2023-35823
CVE-2023-33288
CVE-2023-33203
CVE-2023-3268
CVE-2023-32248
CVE-2023-3141
CVE-2023-30772
CVE-2023-28466
CVE-2023-23004
CVE-2023-2269
CVE-2023-2235
CVE-2023-2194
CVE-2023-2163
CVE-2023-2124
CVE-2023-2002
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0597
CVE-2022-48502
CVE-2022-4269
5.15 GA, AWS, GCP, IBM, Intel-IoTG, KVM, Low latency, NVIDIA, Raspi etc
Have mentioned some of these previously - issues across various drivers and subsystems
Lots of UAFs, a few OOB / NULL ptr deref, memory leak (DoS), OOB read /
write as well
[USN-6301-1] Linux kernel vulnerabilities (10:07)
16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-33203
CVE-2023-3141
CVE-2023-3111
CVE-2023-30772
CVE-2023-28466
CVE-2023-2194
CVE-2023-2124
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0590
CVE-2022-4269
CVE-2022-27672
CVE-2022-1184
CVE-2022-0168
CVE-2020-36691
5.4 Xilinx ZynqMP on 20.04 (Hi Portia!)
HWE / OEM etc on 18.04 ESM
Very similar sorts of issues as above
[USN-6267-3] Firefox regressions (10:44)
12 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4050
CVE-2023-4046
CVE-2023-4045
CVE-2023-4058
CVE-2023-4057
CVE-2023-4056
CVE-2023-4055
CVE-2023-4053
CVE-2023-4051
CVE-2023-4049
CVE-2023-4048
CVE-2023-4047
Second lot of regressions in the upstream 116 release - now at 116.0.3
often these regressions are for Windows users etc but this time we have one
for Linux - in particular screensharing on Wayland was broken since would
fail to properly negotiate framerate in webrtc with Pipewire
[USN-6302-1] Vim vulnerabilities (11:22)
15 CVEs addressed in Trusty ESM (14.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-3153
CVE-2022-3099
CVE-2022-3037
CVE-2022-3016
CVE-2022-2874
CVE-2022-2816
CVE-2022-2598
CVE-2022-3134
CVE-2022-2982
CVE-2022-2889
CVE-2022-2862
CVE-2022-2819
CVE-2022-2817
CVE-2022-2580
CVE-2022-2522
More vim - is now the 8th most mentioned package in this podcast (only behind
Linux kernel, Firefox, Thunderbird, PHP, MySQL, WebkitGTK)
[USN-6303-1, USN-6303-2] ClamAV vulnerability (11:50)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-20197
Infinite loop in the HFS+ parser -> DoS of entire ClamAV
[USN-6304-1] Inetutils vulnerabilities (12:14)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-40303
CVE-2022-39028
Provides various utilities for different network services - ie. clients /
servers for ftp, telnet, and talk
NULL ptr deref in telnetd - not super interesting - if running telnetd you
probably have bigger problems
Failed to check return values of the various setuid()=/=setgid() system calls
used in ftpd/rshd/rlogin etc
daemon runs as root and uses these calls to drop privileges to the user who
is logging in - if these fail, then users session will still be running as
root - easy privesc (although not really able to be controlled by the remote
attacker to induce this error to occur)
Goings on in Ubuntu Security Community
Brainstorming for a software security workshop (13:53)
https://discourse.ubuntu.com/t/brainstorming-for-a-software-security-workshop/37991/1
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
16min
August 18, 2023Episode 205
Overview
We’re back after unexpectedly going AWOL last week to bring you the latest in
Ubuntu Security including the recently announced Downfall and GameOver(lay)
vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and
we detail plans for using AppArmor to restrict the use of unprivileged user
namespaces as an attack vector in future Ubuntu releases.
This week in Ubuntu Security Updates
143 unique CVEs addressed
[USN-6268-1, USN-6269-1] GStreamer Base and Good Plugins vulnerabilities (01:07)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-37328
CVE-2023-37327
Both CVEs discovered by an independent security researcher and reported via
ZDI (ZDI-CAN-20775, ZDI-CAN-20994)
Used by the built-in Videos app (aka totem) which can play streaming videos
(even has a default plugin providing integration with Apple Video Trailers and
others) - so could possibly be used for remote exploitation
Integer overflow -> buffer overflow -> RCE in FLAC audio decoder
Buffer overflow in PGS subtitle handler - failed to validate length before
copying -> heap buffer overflow -> RCE
[USN-6270-1] Vim vulnerabilities (02:49)
11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2287
CVE-2022-2286
CVE-2022-2285
CVE-2022-2289
CVE-2022-2284
CVE-2022-2264
CVE-2022-2257
CVE-2022-2231
CVE-2022-2210
CVE-2022-2208
CVE-2022-2182
Latest round of vim vulns - all via the bug bounty program and from just 3
researchers - would be interesting to know what kind of bounties are payed out
for these “vulns” since most require the user to run vim with a crafted set of
commands against a crafted input file - if you can get someone to do that, you
can probably just write arbitrary shell code for them to execute as well…
[USN-6271-1] MaraDNS vulnerabilities (03:55)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-31137
CVE-2022-30256
[USN-6272-1] OpenJDK 20 vulnerabilities
7 CVEs addressed in Lunar (23.04)
CVE-2023-25193
CVE-2023-22049
CVE-2023-22045
CVE-2023-22044
CVE-2023-22041
CVE-2023-22036
CVE-2023-22006
20.0.2
[USN-5064-3] GNU cpio vulnerability (04:08)
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-38185
[USN-5064-1] GNU cpio vulnerability from Episode 130 - integer overflow ->
heap buffer overflow if using untrusted pattern files
[USN-6275-1] Cargo vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-38497
[USN-6273-1] poppler vulnerabilities
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-34872
CVE-2022-27337
[USN-6274-1] XMLTooling vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-36661
[USN-6276-1] unixODBC vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2018-7409
[USN-6267-2] Firefox regressions
12 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4050
CVE-2023-4046
CVE-2023-4045
CVE-2023-4058
CVE-2023-4057
CVE-2023-4056
CVE-2023-4055
CVE-2023-4053
CVE-2023-4051
CVE-2023-4049
CVE-2023-4048
CVE-2023-4047
[USN-6277-1, USN-6277-2] Dompdf vulnerabilities
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2400
CVE-2021-3838
CVE-2014-5013
CVE-2014-5012
CVE-2014-5011
[USN-6278-1, USN-6278-2] .NET vulnerabilities (04:41)
3 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38180
CVE-2023-38178
CVE-2023-35390
[USN-6279-1] OpenSSH update (04:53)
Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
Possible info leak during algorithm negotiation - related to CVE-2020-14145 -
which is a low priority vulnerability where it is possible for a person in the
middle to determine if a client already has knowledge of the server’s host
key. This could be used to then attack clients which do not have this
knowledge (since they then will be prompted to accept and trust the host key
which is offered on first connection) and offer them an attacker chosen host
key to cause them to authenticate to a host controlled by the attacker and
therefore intercept their connection etc
There is a partial mitigation in the form of a client change so that if the
client does already have the server’s host key, it will still preserve the
original algorithm ordering sent to the server and so not leak this
information.
This is not a complete fix for this issue since it only mitigates some of the
use-cases of the original vuln.
[USN-4336-3] GNU binutils vulnerabilities
6 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2018-6323
CVE-2017-9756
CVE-2017-9750
CVE-2017-9748
CVE-2017-9747
CVE-2017-9742
[USN-6243-2] Graphite-Web regression
4 CVEs addressed in Bionic ESM (18.04 ESM)
CVE-2022-4730
CVE-2022-4729
CVE-2022-4728
CVE-2017-18638
[USN-6281-1] Velocity Engine vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-13936
[USN-6282-1] Velocity Tools vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-13959
[USN-6283-1] Linux kernel vulnerabilities (07:34)
13 CVEs addressed in Lunar (23.04)
CVE-2023-35829
CVE-2023-35828
CVE-2023-35826
CVE-2023-35824
CVE-2023-35823
CVE-2023-3317
CVE-2023-3312
CVE-2023-3268
CVE-2023-32254
CVE-2023-32248
CVE-2023-3141
CVE-2023-2269
CVE-2023-2002
[USN-6284-1] Linux kernel vulnerabilities
16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-33203
CVE-2023-3141
CVE-2023-3111
CVE-2023-30772
CVE-2023-28466
CVE-2023-2194
CVE-2023-2124
CVE-2023-1990
CVE-2023-1855
CVE-2023-1611
CVE-2023-0590
CVE-2022-4269
CVE-2022-27672
CVE-2022-1184
CVE-2022-0168
CVE-2020-36691
[USN-6285-1] Linux kernel (OEM) vulnerabilities (07:50)
14 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-3863
CVE-2023-38432
CVE-2023-38430
CVE-2023-3776
CVE-2023-3611
CVE-2023-3610
CVE-2023-3609
CVE-2023-35001
CVE-2023-3390
CVE-2023-32629
CVE-2023-31248
CVE-2023-2898
CVE-2023-2640
CVE-2022-48502
6.1 kernel
8 different high priority vulns - most mentioned previously - does include
“GameOver(lay)” which we haven’t covered yet - reported by WizResearch and is
specific to Ubuntu kernels
OverlayFS is a union filesystem which allows multiple filesystems to be
mounted at the same time, and presents a single unified view of the
filesystems. In 2018 we introduced some changes to OverlayFS as SAUCE patches
to handle extended attributes in overlayfs. Then in 2020 we backported commits
to fix CVE-2021-3493 - in the process this also added support for extended
attributes in OverlayFS so now there were two code paths, each using different
implementations for extended attributes. One was protected against the vuln in
CVE-2021-3493 whilst the other was not.
This vulnerability is exploiting that same vulnerability in the unprotected
implementation.
In this case, the vulnerability is in the handling of extended attributes in
OverlayFS - the vulnerability is that it is possible to create a file with
extended attributes which are not visible to the user, and then mount that
file in a way which allows the extended attributes to be visible to the user
this is done by mounting the file with the nosuid option, and then
remounting it with suid option. This allows the user to then execute arbitrary
code as root. NOTE: requires the user to have the ability to have
CAP_SYS_ADMIN but this is easy with unprivileged user namespaces.
Even more reason to keep pursuing the effort to restrict the use of
unprivileged user namespaces in upcoming Ubuntu 23.10
[USN-6286-1] Intel Microcode vulnerabilities (10:59)
3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-23908
CVE-2022-41804
CVE-2022-40982
Gather data sampling (aka “Downfall”) - another microarchitectural CPU
vulnerability - the last one we saw was Zenbleed from Episode 103 in AMD Zen2 CPUs
This time in Intel hardware (6th to 11th generation) CPUs
Presented at BlackHat just over 1 week ago -
https://www.blackhat.com/us-23/briefings/schedule/#single-instruction-multiple-data-leaks-in-cutting-edge-cpus-aka-downfall-31490
Similar to Zenbleed in a way, since both are related to the SIMD instruction
set (single instruction, multiple data) - these instructions are used to
perform the same operation on multiple data elements simultaneously
(e.g. adding two vectors of 4 32-bit integers together) which is very useful
for things like video encoding/decoding, image processing, etc.
As the name, Gather data sampling suggests, the fault in this case is in the
SIMD Gather instruction which is used to load data into a vector register from
a memory location specified by an index vector register. Essentially this
allows the efficient loading of data which is scattered across memory into a
single register to then perform further operations on, and is useful in many
applications. The vulnerability is that under speculative execution, the data
which is loaded could be stale and come from an address which is not
accessible to the current process, and the data could be used in further
operations which could then leak the contents of that inaccessible memory -
e.g. stealing cryptographic keys from another process.
The fix in this case was a microcode update, which stops the CPU from
speculatively executing the Gather instruction, and instead waits for the data
to be available before executing the instruction. This results in a
performance hit, which was measured at up to 50% in a small number of
use-cases (whilst in others it is negligible).
Perhaps the most interesting part of this vulnerability is the timeline - it
was reported to Intel on 24th August 2022 yet only fixed publicly on 8th
August 2023 - basically meaning it took a year for Intel to fix this
issue.
Associated with the microcode update is a kernel patch - this allows the
microcode fix to be reverted at boot by a new kernel command line option:
gather_data_sampling=off - this is useful for those who want to avoid the
performance hit, and are willing to accept the risk of the vulnerability.
Ubuntu kernels have not yet been updated with this fix but that should arrive
within the next week (ie. week of 21st August)
[USN-6280-1] PyPDF2 vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-36810
[USN-6287-1] Go yaml vulnerabilities
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2022-3064
CVE-2021-4235
[USN-4897-2] Pygments vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-20270
CVE-2021-27291
[USN-4897-1] Pygments vulnerability from Episode 110 - ReDoS
[USN-6288-1] MySQL vulnerabilities
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-22058
CVE-2023-22057
CVE-2023-22056
CVE-2023-22054
CVE-2023-22053
CVE-2023-22048
CVE-2023-22046
CVE-2023-22038
CVE-2023-22033
CVE-2023-22008
CVE-2023-22005
[USN-6289-1] WebKitGTK vulnerabilities
9 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38611
CVE-2023-38600
CVE-2023-38599
CVE-2023-38597
CVE-2023-38595
CVE-2023-38594
CVE-2023-38592
CVE-2023-38572
CVE-2023-38133
[USN-6290-1] LibTIFF vulnerabilities
10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38289
CVE-2023-38288
CVE-2023-26965
CVE-2023-26966
CVE-2023-25433
CVE-2023-3618
CVE-2023-3316
CVE-2023-2908
CVE-2023-2731
CVE-2022-48281
[USN-6291-1] GStreamer vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2017-5838
[USN-6292-1] Ceph vulnerability
1 CVEs addressed in Lunar (23.04)
CVE-2022-3650
[USN-6293-1] OpenStack Heat vulnerability
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-1625
Goings on in Ubuntu Security Community
Ubuntu 22.04.3 LTS Released (15:47)
https://lists.ubuntu.com/archives/ubuntu-announce/2023-August/000294.html
Ubuntu 22.10 (Kinetic Kudu) End of Life (16:32)
https://lists.ubuntu.com/archives/ubuntu-announce/2023-July/000293.html
Unprivileged user namespace restrictions via AppArmor in Ubuntu (17:00)
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
21min
August 04, 2023Episode 204
Overview
This week we look at the recent Zenbleed vulnerability affecting some AMD
processors, plus we cover security updates for the Linux kernel, a high
profile OpenSSH vulnerability and finally Andrei is back with a deep dive into
recent academic research around how to safeguard machine learning systems when
used across distributed deployments.
This fortnight in Ubuntu Security Updates
123 unique CVEs addressed
[USN-6238-1] Samba vulnerabilities [01:15]
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-34968
CVE-2023-34967
CVE-2023-34966
CVE-2023-3347
CVE-2022-2127
Possible attacker-in-the-middle attack when configured to do SMB2 packet
signing (as it was not properly enforced), couple issues in the Spotlight
protocol implementation (used to enable MacOS clients to search the Samba
share via Finder) - DoS via a possible infinite loop when processing RPC
packets which specified 0 elements in an array-like structure, plus info leak
where full server-side path of resources would be returned in results
[USN-6237-2] curl regression
3 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-32001
CVE-2023-28322
CVE-2023-28321
[USN-6239-1] ECDSA Util vulnerability [02:13]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-24884
Very similar to “Psychic Signatures” vuln in Java (OpenJDK) -
[USN-5546-1, USN-5546-2] OpenJDK vulnerabilities
from Episode 172 - basically would fail to first check if the provided
exponents in the signature were zero - since if they are, then an all-zero
signature would be considered as valid - so could easily forge a signature
[USN-6232-1] wkhtmltopdf vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-21365
[USN-6241-1] OpenStack vulnerability
1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-2088
[USN-6240-1] FRR vulnerability
1 CVEs addressed in Lunar (23.04)
CVE-2023-3748
[USN-6242-1, USN-6242-2] OpenSSH vulnerability [03:08]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38408
Result of an incomplete fix for historical vulnerability CVE-2016-10009 in
PKCS#11 module in ssh-agent
Vuln is hence very similar to that, ie. if you chose to forward the ssh-agent
socket to a remote machine, then the remote machine could cause your local
ssh-agent to execute arbitrary code - it does this by causing the PKCS#11
module in ssh-agent to load an attacker controlled library from /usr/lib on
your local machine
On the surface, it would appear that it would require a malicious library to
be on your machine in this privileged location - BUT there are a bunch of
seemingly innocuous libraries in say standard Ubuntu that can be abused to
cause malicious actions and get arbitrary code execution. This is exactly
what Qualys did to demonstrate the impact of this vuln -
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
very clever use of various pieces of surprising behaviour from various
libraries (such as the ability to make the stack executable or register
signal handlers just by dlopen()‘ing a module) - chain these together to
then get code execution
It does though require you to use ssh-agent forwarding - this is generally
discouraged, and instead you should probably use an jump host - this is even
mentioned in the man page for ssh
Fixed by making module loading more defensive (ie that they contain the
expected symbols and if not abort etc)
[USN-6243-1] Graphite-Web vulnerabilities
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-4730
CVE-2022-4729
CVE-2022-4728
CVE-2017-18638
[USN-6203-2] Django vulnerability
1 CVEs addressed in Bionic ESM (18.04 ESM)
CVE-2023-36053
[USN-6129-2] Avahi vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-1981
[USN-6244-1] AMD Microcode vulnerability [05:57]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-20593
Zenbleed - Tavis Ormandy (GPZ) discovered new hardware vuln via fuzzing of the
ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
Only specific to AMD’s Zen2 family of processors and is related to speculative
execution - but unlike Spectre etc, speculative execution is not used as the
attack primitive - instead for Zenbleed, the processor fails to properly clean
up state after speculatively executing a particular vector register
instruction - which then allows an attacker thread / process to read this data
from the vector register - all comes about because these registers are not
like the normal physical registers in the CPU, but instead are shared as a
“Register File” - this sharing means that when one instruction gets
speculatively executed, but which turns out to not actually be needed, it
fails to properly clean up - and then leaks this data via the shared register
file which can be read by another process which is executing at the same time
Tavis also released a handy PoC - requires the use of specific assembly
language intructions and so it is not clear if this could be exploited
remotely say via JS running a web-browser - but it definitely can be exploited
by local users to spy on all other processes in the system (that use vector
registers), including root / VMs etc
What kinds of things use these vector registers? Turns out is is many, since
glibc implements functions like strlen() using them - and this is a very
common operation in all kinds of code
So basically anyone with local unprivileged code-access on an affected system
could snoop on passwords etc
AMD released a microcode update to fix this - but only for server-oriented
EPYC line of processors (code named “Rome”) - so in that case all you need to
do is install this microcode update and reboot and you are good.
But that still leaves a lot of other platforms without an official fix -
according to their advisory they will release BIOS firmware updates for other
affected processors later in the year
You can however set a so-called “chicken bit” in the processor which (as far
as I can tell) instructs it to not execute this particular instruction
out-of-order (ie not speculatively execute it) - AMD haven’t actually said
what this does but that is the assumption. As such, this does have an effect
on performance, although it is not clear how much.
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
Kernel developers have then developed a patch to automatically enable this
chicken-bit if the associated microcode update is not present - for Ubuntu we
plan to include this fix in the next round of kernel security updates, due on
21st August
[LSN-0096-1] Linux kernel vulnerability [11:47]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-35001
CVE-2023-31436
CVE-2023-31248
CVE-2023-30456
CVE-2023-1380
OOB write in netfilter -> crash / code-exec - plus a UAF in netfilter as
well - both require CAP_NET_ADMIN to exploit - but can get this in an
unprivileged user namespace -> privesc
Plus a bunch of vulns covered in previous episodes
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
KVM mishandling of control registers for nested guest VMs
OOB write in network queuing scheduler - also able to be triggered though an
unprivileged user namespace

Kernel type
22.04
20.04
18.04
16.04
14.04

aws
—
96.2
—
96.2
—

aws-hwe
—
—
—
96.2
—

azure
96.3
96.2
—
96.2
—

azure-5.4
—
—
96.2
—
—

gcp
96.3
96.2
—
96.2
—

gcp-4.15
—
—
96.2
—
—

gcp-5.15
—
96.3
—
—
—

gcp-5.4
—
—
96.2
—
—

generic-4.15
—
—
96.2
96.2
—

generic-4.4
—
—
—
96.2
96.2

generic-5.15
—
96.3
—
—
—

generic-5.4
—
96.2
96.2
—
—

gke
96.3
96.2
—
—
—

gke-5.15
—
96.3
—
—
—

gke-5.4
—
—
96.2
—
—

gkeop
—
96.2
—
—
—

gkeop-5.4
—
—
96.2
—
—

ibm
96.3
96.2
—
—
—

ibm-5.4
—
—
96.2
—
—

linux
96.3
—
—
—
—

lowlatency-4.15
—
—
96.2
96.2
—

lowlatency-4.4
—
—
—
96.2
96.2

lowlatency-5.15
—
96.3
—
—
—

lowlatency-5.4
—
96.2
96.2
—
—

[USN-6246-1] Linux kernel vulnerabilities
6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-35001
CVE-2023-3439
CVE-2023-3390
CVE-2023-3389
CVE-2023-31248
CVE-2023-3090
[USN-6247-1] Linux kernel (OEM) vulnerabilities
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35001
CVE-2023-31248
CVE-2023-2860
CVE-2022-47929
CVE-2022-3635
CVE-2022-2663
[USN-6248-1] Linux kernel (OEM) vulnerabilities
7 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35001
CVE-2023-3389
CVE-2023-32629
CVE-2023-31248
CVE-2023-2640
CVE-2023-21106
CVE-2022-47929
[USN-6249-1] Linux kernel (OEM) vulnerabilities
2 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-3389
CVE-2023-3269
[USN-6250-1] Linux kernel vulnerabilities
8 CVEs addressed in Lunar (23.04)
CVE-2023-35001
CVE-2023-3390
CVE-2023-3389
CVE-2023-3269
CVE-2023-32629
CVE-2023-31248
CVE-2023-3090
CVE-2023-2640
[USN-6251-1] Linux kernel vulnerabilities
4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-35001
CVE-2023-3390
CVE-2023-32629
CVE-2023-3090
[USN-6252-1] Linux kernel vulnerabilities
13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-35001
CVE-2023-3390
CVE-2023-3268
CVE-2023-3141
CVE-2023-3111
CVE-2023-3090
CVE-2023-2124
CVE-2023-1990
CVE-2023-1859
CVE-2023-1670
CVE-2023-1611
CVE-2022-3303
CVE-2022-1184
[USN-6254-1] Linux kernel vulnerabilities
12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-35001
CVE-2023-3390
CVE-2023-3268
CVE-2023-3161
CVE-2023-3159
CVE-2023-3141
CVE-2023-3090
CVE-2023-2513
CVE-2023-2162
CVE-2023-2124
CVE-2023-1611
CVE-2023-0458
[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities
6 CVEs addressed in Focal (20.04 LTS)
CVE-2023-35001
CVE-2023-3439
CVE-2023-3390
CVE-2023-3389
CVE-2023-31248
CVE-2023-3090
[USN-6256-1] Linux kernel (IoT) vulnerabilities
32 CVEs addressed in Focal (20.04 LTS)
CVE-2023-35788
CVE-2023-32269
CVE-2023-32233
CVE-2023-3161
CVE-2023-31436
CVE-2023-30456
CVE-2023-2985
CVE-2023-26545
CVE-2023-2612
CVE-2023-25012
CVE-2023-2162
CVE-2023-1998
CVE-2023-1859
CVE-2023-1829
CVE-2023-1670
CVE-2023-1513
CVE-2023-1380
CVE-2023-1281
CVE-2023-1118
CVE-2023-1079
CVE-2023-1078
CVE-2023-1077
CVE-2023-1076
CVE-2023-1075
CVE-2023-1074
CVE-2023-1073
CVE-2023-0459
CVE-2023-0458
CVE-2022-4129
CVE-2022-3903
CVE-2022-3707
CVE-2022-3108
[USN-6260-1] Linux kernel vulnerabilities
9 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35001
CVE-2023-3390
CVE-2023-3389
CVE-2023-32629
CVE-2023-3141
CVE-2023-31248
CVE-2023-3090
CVE-2023-2640
CVE-2022-48502
[USN-6261-1] Linux kernel (IoT) vulnerabilities
4 CVEs addressed in Focal (20.04 LTS)
CVE-2023-35001
CVE-2023-3390
CVE-2023-32629
CVE-2023-3090
[USN-6245-1] Trove vulnerabilities
Affecting Jammy (22.04 LTS)
[USN-5807-3] libXpm vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2022-46285
[USN-6253-1] libvirt vulnerability
1 CVEs addressed in Lunar (23.04)
CVE-2023-3750
[USN-6257-1] Open VM Tools vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-20867
[USN-6258-1] LLVM Toolchain vulnerabilities
4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-29933
CVE-2023-29939
CVE-2023-29934
CVE-2023-29932
[USN-5193-3] X.Org X Server vulnerabilities
3 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-4011
CVE-2021-4009
CVE-2021-4008
[USN-6259-1] Open-iSCSI vulnerabilities
3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-17437
CVE-2020-13988
CVE-2020-13987
[USN-6262-1] Wireshark vulnerabilities
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-25863
CVE-2020-25862
CVE-2020-17498
CVE-2020-15466
CVE-2020-13164
[USN-6265-1] RabbitMQ vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2017-4966
[USN-6264-1] WebKitGTK vulnerabilities
6 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-37450
CVE-2023-32439
CVE-2023-32435
CVE-2023-32393
CVE-2023-32373
CVE-2023-28204
[USN-6263-1] OpenJDK vulnerabilities
7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-25193
CVE-2023-22049
CVE-2023-22045
CVE-2023-22044
CVE-2023-22041
CVE-2023-22036
CVE-2023-22006
[USN-6266-1] librsvg vulnerability [13:55]
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-38633
Directory traversal vuln - arbitrary file read by using a specially crafted
include element that specifies say - simple PoC provided by
the upstream reporter
[USN-6267-1] Firefox vulnerabilities [14:47]
12 CVEs addressed in Focal (20.04 LTS)
CVE-2023-4050
CVE-2023-4046
CVE-2023-4045
CVE-2023-4058
CVE-2023-4057
CVE-2023-4056
CVE-2023-4055
CVE-2023-4053
CVE-2023-4051
CVE-2023-4049
CVE-2023-4048
CVE-2023-4047
116.0
Goings on in Ubuntu Security Community
Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]
https://arxiv.org/abs/2101.02281
https://www.usenix.org/system/files/sec22-nguyen.pdf
https://www.youtube.com/watch?v=nMrte2S9U68
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
29min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.