Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

July 21, 2023Episode 203
Overview
This week we talk about the dual use purposes of eBPF - both for security and
for exploitation, and how you can keep your systems safe, plus we cover security
updates for the Linux kernel, Ruby, SciPy, YAJL, ConnMan, curl and more.
This week in Ubuntu Security Updates
80 unique CVEs addressed
[USN-6220-1] Linux kernel vulnerabilities (00:50)
1 CVEs addressed in Lunar (23.04)
CVE-2023-35788
6.2 gcp, ibm, azure, oracle
[USN-6192-1] Linux kernel vulnerabilities for Episode 202
Off-by-one in the flower network traffic classifier
info leak via stale page table entries (INVLPG)
[USN-6234-1] Linux kernel (Xilinx ZynqMP) vulnerability (01:20)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2023-35788
5.4 Xilinux ZynqMP platform
[USN-6221-1] Linux kernel vulnerabilities (01:32)
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-3111
CVE-2023-1990
CVE-2022-29901
CVE-2022-26373
CVE-2022-1184
CVE-2021-3753
CVE-2021-20321
4.4 Xenial ESM, Trusty ESM LTS Xenial
AWS, KVM, Generic, Low latency
[USN-6222-1] Linux kernel (Xilinx ZynqMP) vulnerabilities (02:13)
31 CVEs addressed in Focal (20.04 LTS)
CVE-2023-32269
CVE-2023-32233
CVE-2023-3161
CVE-2023-31436
CVE-2023-30456
CVE-2023-2985
CVE-2023-26545
CVE-2023-2612
CVE-2023-25012
CVE-2023-2162
CVE-2023-1998
CVE-2023-1859
CVE-2023-1829
CVE-2023-1670
CVE-2023-1513
CVE-2023-1380
CVE-2023-1281
CVE-2023-1118
CVE-2023-1079
CVE-2023-1078
CVE-2023-1077
CVE-2023-1076
CVE-2023-1075
CVE-2023-1074
CVE-2023-1073
CVE-2023-0459
CVE-2023-0458
CVE-2022-4129
CVE-2022-3903
CVE-2022-3707
CVE-2022-3108
[USN-6223-1] Linux kernel (Azure CVM) vulnerabilities (02:25)
9 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35788
CVE-2023-2985
CVE-2023-25012
CVE-2023-1998
CVE-2023-1859
CVE-2023-1670
CVE-2023-1079
CVE-2023-1077
CVE-2023-1076
[USN-6224-1, USN-6228-1] Linux kernel vulnerabilities (02:36)
2 CVEs addressed in Lunar (23.04)
CVE-2023-2176
CVE-2023-2124
6.2 Oracle, Azure, GCP, IBM, Raspi, AWS, KVM, Low latency
[USN-6231-1] Linux kernel (OEM) vulnerabilities (02:53)
5 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-3212
CVE-2023-3141
CVE-2023-31084
CVE-2023-3090
CVE-2023-2124
6.1 OEM
OOB write due to uninitialized memory in packet control buffer for IP-VLAN
network driver
[USN-6235-1] Linux kernel (OEM) vulnerabilities (03:17)
8 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-35788
CVE-2023-2430
CVE-2023-2176
CVE-2023-2124
CVE-2023-1073
CVE-2023-0597
CVE-2023-0459
CVE-2022-4842
6.0 OEM
Flower, missing lock in io_uring
[USN-6192-1] Linux kernel vulnerabilities from Episode 202
[USN-6219-1] Ruby vulnerabilities (03:32)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-36617
CVE-2023-28755
ReDoS in URI parser - only one issue really but fix for first was incomplete
[USN-6216-1] lib3mf vulnerability (04:09)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2021-21772
UAF
[USN-6225-1] Knot Resolver vulnerability (04:14)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-40188
CPU-based DoS due to high algorithmic complexity - requires an authoritative
server to return large address sets - fixed by adding a limit to various lookups etc
[USN-6226-1] SciPy vulnerabilities (04:45)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-29824
CVE-2023-25399
2 issues in reference count handling - both appear to be disputed by
upstream - first, as it would only be able to triggered by first
deterministicly exhausting memory, the other since the only way to trigger it
would be to first be able to execute arbitrary Python code. Both were reported
by the same user who discovered them via static analysis
[USN-6227-1] SpiderMonkey vulnerabilities (05:47)
2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-37211
CVE-2023-37202
mozjs102 (102.13.0) - memory mishandling in JS engine
[USN-6229-1] LibTIFF vulnerabilities (06:00)
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-3316
CVE-2023-26966
CVE-2023-26965
CVE-2023-25433
2 heap buffer overflows, one OOB read, one NULL ptr deref
[USN-6230-1] PostgreSQL vulnerability (06:24)
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-2454
[USN-6104-1] PostgreSQL vulnerabilities from Episode 197
[USN-6184-2] CUPS vulnerability (06:34)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-34241
[USN-6184-1] CUPS vulnerability from Episode 201
[USN-6078-2] libwebp vulnerability (06:43)
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-1999
[USN-6078-1] libwebp vulnerability from Episode 195
[USN-6183-2] Bind vulnerability (06:46)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-2911
CVE-2023-2828
[USN-6183-1] Bind vulnerabilities from Episode 201
[USN-6233-1] YAJL vulnerabilities (06:56)
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-33460
CVE-2022-24795
CVE-2017-16516
Yet Another JSON library - used by i3, mpd, uwsgi, modsecurity, libvirt and others
Memory leak, buffer overflow on unicode parsing, integer overflow -> heap
buffer overflow when handling inputs larger than 2GB
[USN-6236-1] ConnMan vulnerabilities (07:33)
9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-28488
CVE-2022-32293
CVE-2022-32292
CVE-2022-23098
CVE-2022-23097
CVE-2022-23096
CVE-2021-26676
CVE-2021-33833
CVE-2021-26675
a number of issues in internal gdhcp client - stack buffer overflow, OOB read
(info leak) - requires an attacker to run a malicious DHCP server - think
public wifi etc
UAF in WISPR HTTP handling (MiTM)
Heap buffer overflow gweb component - RCE
2 different OOB read in DNS proxy component - crash / info leak
Also an infinite loop in DNS proxy
[USN-6237-1] curl vulnerabilities (08:45)
3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32001
CVE-2023-28322
CVE-2023-28321
Improperly matched wildcard patterns when doing certificate validation - in
particular could match a punycode-encoded IDN against an ascii wildcard of x*
as punycode names always start with xn--
Logic error where would use the read callback to ask a remote client to ask
for data to send even if the same handle had been used previously for a PUT
request - unexpected behaviour for applications using curl, so could result in
potentially sending the wrong data (info leak) or a UAF etc.
Race condition on fopen() - used to save cookies etc to files - would first
check that file is a real file before opening - local attacker could race to
say replace it with a symlink instead to then get cookies written to a
different file etc.
The dual use of eBPF as both a tool for malware and a tool for detecting malware (10:34)
Interesting write-up on the use of eBPF by malware authors for hooking into
libpam to steal credentials
https://blog.aquasec.com/detecting-ebpf-malware-with-tracee
pamspy - uses eBPF uprobes - way of hooking into userspace functions from the
kernel using user-level return probe
requires to be root in the first place to be able to create a uretprobe
through /sys/kernel/debug/tracing/uprobe_events but once done, allows to then
have a BPF program executed every time the specified function within a
specified library / binary is executed - so by hooking libpam can then log the
credentials used by any user when logging in / authenticating for sudo etc.
More traditional approach would have been to use say LD_PRELOAD to hook into
the functions - but this requires that binaries get executed with this
environment set so is harder to achieve
But uretprobes have their own problems - implementation is based on
breakpoints so potentially be detected by the program which is being traced by
examining its own code (.text section) to look for breakpoint opcode (0xCC) or
it could look for the special memory mapping [uprobes] in /proc/self/maps
https://blog.quarkslab.com/defeating-ebpf-uprobe-monitoring.html
Potentially more easy to find that they are being used on a system as well by
just looking at the contents of /sys/kernel/debug/tracing/uprobe_events -
which lists all the uretprobes currently in use on the system
Interesting to see that (not surprisingly) each new technology can be used in
multiple ways - BPF+uprobes is a great way to do tracing of userspace code for
developers / sysadmins etc when debugging - but is also a great way for
malware authors to do the same
Also interesting to see the aquasec team mention the use of eBPF for system
monitoring / instrumentation to detect malware - ie. using an eBPF program to
detect malicious use of eBPF
but perhaps the best solution is to disable the use of eBPF by unprivileged
/ untrusted users and use seccomp or similar (via systemd units) to restrict
the use of eBPF to only those applications which really need it
then the only way for malware to use eBPF would be to compromise something
which already has access to eBPF - ie. the kernel itself or a privileged
process - ie. reducing the attack surface
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
18min
July 07, 2023Episode 202
Overview
We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover
vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen,
containerd and more.
This week in Ubuntu Security Updates
50 unique CVEs addressed
[USN-6190-1] AccountsService vulnerability (00:47)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-3297
Mentioned in passing last week - reported to us by Kevin Backhouse from the
Github Security Lab team
DBus service that provides APIs to add, delete or modify system accounts - ie
create a new user etc
Originally developed by GNOME - used by gnome-control-center etc
Also allows to configure language / locale settings etc
In Ubuntu, we carry a custom patch which is used to synchronise the language
and locale from accountsservice to the local users ~/.pam_environment file
which is used to configure various per-user session environment variables -
this way no matter how you log in to a Ubuntu system, the locale etc that you
configured via g-c-c etc gets used
Turned out there was a number of cases of UAF due to logic errors in the
original patch - so an unprivileged user could trigger this and crash the
accounts-daemon which runs as root
[USN-6191-1] Linux kernel regression (02:44)
Affecting Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
Spurious warning message would be printed via the IPv6 subsystem
[USN-6192-1] Linux kernel vulnerabilities (03:10)
2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-2430
CVE-2023-35788
Off-by-one in the flower network traffic classifier - flow based traffic
control filter - allows to define a “flow” by a set of key/value pairs
(ie. src MAC address, port number or various other types) - could be leveraged
for DoS or potential code execution - PoC posted publicly but even then was
stated that it doesn’t even crash the kernel, however gdb can be used to
detect the OOB write
Mishandling of locking in the io_uring subsystem - local attacker could use
this to trigger a deadlock and hence a DoS
Possible info leak via stale page table entries - when KPTI was introduced in
the wake of Meltdown, to minimise the cost of flushing page table on every
entry/exit to/from kernel space, PCIDs are a hardware feature that was
introduced in more recent Intel processors to try and minimise this cost by
only flushing on exit back to userspace - this is done by issuing the INVLPG
instruction - but it was found that on certain hardware platforms this did not
actually flush the global TLB contrary to expectation - and so could leak
kernel memory back to userspace
[USN-6193-1] Linux kernel vulnerabilities
1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
CVE-2023-35788
TC flower + INVLPG
[USN-6194-1] Linux kernel (OEM) vulnerabilities (06:04)
3 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-2176
CVE-2023-2430
CVE-2023-35788
io_uring and TC flower plus OOB read in InfiniBand RDMA driver - DoS / info
leak
[USN-6195-1] Vim vulnerabilities (06:26)
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-0696
CVE-2022-0407
CVE-2022-0393
CVE-2022-0158
CVE-2022-0156
CVE-2022-0128
More vim fuzzing results - OOB read, UAF, heap buffer overflow, NULL pointer
dereference etc.
[USN-6196-1] ReportLab vulnerability (06:47)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-33733
Python library for producing PDFs - often used to convert HTML to PDF etc
Bypass of validation originally put in place for a previous CVE-2019-17626
(see [USN-4273-1] ReportLab vulnerability in Episode 62)
That vuln was RCE since reportlab would call the python eval() function
directly on value obtained from an XML document
To fix that, introduced a complex validation scheme so they could still use
eval() without having to remove this functionality - new update disables this
by default and instead only allows a much limited subset of colors to be
parsed
[USN-6197-1] OpenLDAP vulnerability (08:48)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-2953
NULL pointer deref in certain circumstances if failed to allocate memory
during various string handling operations - unlikely to be able to be
triggered easily (would first need a memory leak bug or similar…)
[USN-6198-1] GNU Screen vulnerability (09:25)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-24626
screen provides an API to allow the processes under its controlled to be say
killed from another session - but would fail to check if the specified PID was
actually owned by the calling user - so if screen was setuid, would allow a
local user to send a SIGHUP to any other process on the system
In Ubuntu screen is not setuid so this was not a real issue
[USN-6199-1] PHP vulnerability (10:35)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-3247
When generating a nonce for use in HTTP Digest during SOAP authentication,
wouldn’t actually check the return value from the call to generate random data
for the nonce - as such, the nonce would be whatever was previously in the
stack memory - so could leak info from the stack, or this could be say all
zeros which would defeat the purpose of the nonce
[USN-6200-1] ImageMagick vulnerabilities (11:27)
20 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-34151
CVE-2023-3195
CVE-2023-1289
CVE-2023-3428
CVE-2023-1906
CVE-2021-3610
CVE-2022-32547
CVE-2022-32546
CVE-2022-32545
CVE-2022-28463
CVE-2021-39212
CVE-2021-20313
CVE-2021-20312
CVE-2021-20246
CVE-2021-20309
CVE-2021-20244
CVE-2021-20243
CVE-2021-20241
CVE-2021-20224
CVE-2020-29599
Time for another frequent mention in the podcast - ImageMagick (seems to come
up every 10 episodes or so)
Huge range of CVEs fixed across the various releases with some dating back to
2020
OOB read, stack bufffer overflow, NULL ptr deref, lots of heap buffer overflows
Since 20.04, ImageMagick is now in universe, so for 20.04 LTS this update is
available via Ubuntu Pro
[USN-6201-1] Firefox vulnerabilities (12:27)
13 CVEs addressed in Focal (20.04 LTS)
CVE-2023-37208
CVE-2023-37206
CVE-2023-37204
CVE-2023-37203
CVE-2023-3482
CVE-2023-37212
CVE-2023-37211
CVE-2023-37210
CVE-2023-37209
CVE-2023-37207
CVE-2023-37205
CVE-2023-37202
CVE-2023-37201
115.0
Usual web browser issues (DoS, domain bypass, RCE etc) - but also bypass of
cookie storage protections, possible spoofing attack via fullscreen
notifications and others
[USN-6202-1] containerd vulnerabilities (13:09)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-25173
CVE-2023-25153
DoS when importing an OCI image with a really large manifest or image layout
file - would try and read the whole JSON file into memory - could cause
containerd to crash by running out of memory - limited to 20MBs
[USN-6203-1] Django vulnerability (13:55)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-36053
ReDoS in EmailValidator and URLValidator classes when parsing really long
strings - fixed by rejecting anything longer than some hardcoded constants
(2KB for URL, 320 chars for email as per RFC x3696)
Goings on in Ubuntu Security Community
AppArmor 4.0-alpha1 in progress (14:44)
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-alpha1
“Bridge” between 3.0 style policy and new 4.0 policy
New profile flags
unconfined, debug
New mediation types
Fine grained POSIX message queues
User namespaces
io_uring
Minor changes
Ability to filter the output of aa-status
Inclusion of a new utility called aa-load which can load pre-compiled /
cached binary policies without the use of apparmor_parser
Ability to run and compile policies as an unprivileged user (still need to
be root to actually load the policy into the kernel)
AppArmor kernel fixes for Linux 6.5 (20:42)
https://lore.kernel.org/all/[email protected]/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
22min
June 30, 2023Episode 201
Overview
This week we look at the top 25 most dangerous vulnerability types, as well as
the announcement of the program for LSS EU, and we cover security updates for
Bind, the Linux kernel, CUPS, etcd and more.
This week in Ubuntu Security Updates
36 unique CVEs addressed
[USN-6183-1] Bind vulnerabilities (00:53)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2911
CVE-2023-2828
Two DoS issues - when bind was configured as a recursive resolver, possible to
cause the configured cache size to be exceeded by a remote attacker by
performing queries in a particular manner (as this would then evade the normal
cache cleaning algorithm) - DoS due to excessive memory usage -> OOM killer
etc
The other was due to a recursive algorithm that could be triggered in a
pathological way when particular configuration options were used - eventually
would exhaust the available stack space -> killed by stack protections -> DoS
[USN-6185-1] Linux kernel vulnerabilities (01:52)
8 CVEs addressed in Focal (20.04 LTS)
CVE-2023-2985
CVE-2023-25012
CVE-2023-1998
CVE-2023-1859
CVE-2023-1670
CVE-2023-1079
CVE-2023-1077
CVE-2023-1076
5.4 - IBM, GCP, GKEOP, raspi2, Azure, AWS, Bluefield, KVM, Oracle
type confusion in real-time scheduler -> DoS
few different UAF in various USB device drivers (and even PCMCIA) - could all
be triggered by a local attacker with physical access
UAF in HFS+ file-system + Xen 9P file-system protocol impl
[USN-6187-1] Linux kernel (IBM) vulnerabilities (02:49)
9 CVEs addressed in Kinetic (22.10)
CVE-2023-2985
CVE-2023-25012
CVE-2023-1998
CVE-2023-1859
CVE-2023-1670
CVE-2023-1079
CVE-2023-1077
CVE-2023-1076
CVE-2022-4269
5.19 IBM
All of the above plus a possible deadlock in the network traffic control
subsystem that could be triggered by a local attacker -> DoS
[USN-6186-1] Linux kernel vulnerabilities (03:06)
20 CVEs addressed in Lunar (23.04)
CVE-2023-33288
CVE-2023-33203
CVE-2023-30772
CVE-2023-28866
CVE-2023-28466
CVE-2023-2612
CVE-2023-2235
CVE-2023-2194
CVE-2023-1990
CVE-2023-1989
CVE-2023-1859
CVE-2023-1855
CVE-2023-1670
CVE-2023-1611
CVE-2023-1583
CVE-2022-4269
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
All interesting CVEs discussed previously - [USN-6130-1] Linux kernel vulnerabilities in Episode 198
netfilter race condition able to be triggered by a local attacker -> UAF -> DoS/RCE
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
KVM mishandling of control registers for nested guest VMs
OOB write in network queuing scheduler - able to be triggered though an
unprivileged user namespace (again)
[USN-6184-1] CUPS vulnerability (03:55)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-34241
UAF since would log details of a connection after closing the connection (and
hence freeing the memory associated with the connection) - since was in the
logging code, would only happen if the log level was set to warn or higher -
could then either cause a crash (SEGV etc) or could potentially end up logging
sensitive info if that was then present in that memory location
[USN-6188-1] OpenSSL vulnerability (04:43)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-2650
[USN-6119-1] OpenSSL vulnerabilities from Episode 197
CPU-based DoS when parsing crafted ASN.1 object identifiers
[USN-6161-2] .NET regression (05:02)
5 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-33128
CVE-2023-32032
CVE-2023-29337
CVE-2023-29331
CVE-2023-24936
[USN-6161-1] .NET vulnerabilities from Episode 199
New upstream point release to address a regression in the previous release -
would fail to import PKCS12 blobs where the private keys were protected by a
null password (apparently this was non-deterministic which sounds like it was
due to an uninitialised local variable…?)
[USN-6189-1] etcd vulnerability (05:55)
1 CVEs addressed in Kinetic (22.10), Lunar (23.04)
CVE-2021-28235
Leaked credentials into the debug log which could then be accessed by a remote
attacker via the debug API endpoint
Goings on in Ubuntu Security Community
MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses published (06:20)

Rank
ID
Name
Score
CVEs in KEV

1
CWE-787
Out-of-bounds Write
63.72
70

2
CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
45.54
4

3
CWE-89
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
34.27
6

4
CWE-416
Use After Free
16.71
44

5
CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
15.65
23

6
CWE-20
Improper Input Validation
15.50
35

7
CWE-125
Out-of-bounds Read
14.60
2

8
CWE-22
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
14.11
16

9
CWE-352
Cross-Site Request Forgery (CSRF)
11.73
0

10
CWE-434
Unrestricted Upload of File with Dangerous Type
10.41
5

11
CWE-862
Missing Authorization
6.90
0

12
CWE-476
NULL Pointer Dereference
6.59
0

13
CWE-287
Improper Authentication
6.39
10

14
CWE-190
Integer Overflow or Wraparound
5.89
4

15
CWE-502
Deserialization of Untrusted Data
5.56
14

16
CWE-77
Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
4.95
4

17
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
4.75
7

18
CWE-798
Use of Hard-coded Credentials
4.57
2

19
CWE-918
Server-Side Request Forgery (SSRF)
4.56
16

20
CWE-306
Missing Authentication for Critical Function
3.78
8

21
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
3.53
8

22
CWE-269
Improper Privilege Management
3.31
5

23
CWE-94
Improper Control of Generation of Code (‘Code Injection’)
3.30
6

24
CWE-863
Incorrect Authorization
3.16
0

25
CWE-276
Incorrect Default Permissions
3.16
0
https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
MITRE (operates the US Homeland Security Systems Engineering and Development
Institute) released the 2023 CWE Top 25 Most Dangerous Software Weaknesses
Calculated by analysing the previous 2 years worth of public vulnerability
data from NVD for their various root-causes and ranking those
Also incorporates updates weakness data for the CVEs that form CISA’s (US
Cybersecurity & Infrastructure Security Agency) known exploited
vulnerabilities catalog (KEV)
root-causes - CWE - common weakness enumeration - list of software and
hardware weakness types
Looked at CVEs published in 2021 and 2022 and used those where the CWEs could
be mapped to the simplified collection of 130 weakness types which are the
most common set
Each CVE published by NVD has associated CWEs that identify the root-case for
the vulnerability - these are generally chosen by the CNA who assigns the CVE
(as they are most familiar with the product and vulnerability in question) or
by an NVD analyst - multiple CWEs can be assigned for a CVE since they can
often be part of chain
Score was calculated as the frequency of the CWE compared to other CWEs in the
dataset, multiplied by the average CVSS score for all CVEs that had the CWE
Have spoken in the past about perceived inaccuracies in CVSS scores and how
they are not necessarily a good fit for determining the risk of a given
CVE - but in this case, using them as the basis for this calculation is
perhaps not awful as they are the only real objective measure of the
potential severity of a CVE - and this is a noisy measure anyway
Looking at the top 10, OOB writes come in way at the top with a score of 63.7,
then XSS (45.5), SQLi (34.3) after which follows a long tail of CWEs with
scores in the teens - UAF (16.7), OS Command Injection (15.6), Improper Input
Validation (15.5), OOB Read (14.6), Path Traversal (14.11), CSRF (11.73) and
finally Unrestricted Upload of File with Dangerous Type (10.4)
Interesting to see the top 3 have a much higher score (all over 34) where as
the rest are half this - below 16
They also quote the number of CVEs that featured in the KEV list (known
exploited vulns) - OOB W (70) yet XSS (4) + SQLi (6) - so just because there
are more of a given type of vuln, doesn’t mean that they get exploited more -
e.g. OOB reads are #7 yet only 2 in the list of KEV, and CSRF #9 yet none in
the KEV list
What does this mean for Ubuntu Security? Ultimately it is interesting and
seems to back up our more traditional approach to CVE priority assignment
compared to trying to use CVSS as a priority (again this is a severity score
but doesn’t really indicate risk, which is what our traditional priority score
is based on) - but perhaps is more interesting from an industry point of
view - memory corruption vulns (OOB Writes) still most prevalent and
impactful - static / dynamic analysis still very important to try and find
these - but ultimately the move to memory safe languages (Rust, Go etc) is
where we will finally see a shift away from this dominance
Even then, will still be security bugs (XSS + SQLi, OS Command Injection,
Improper Input Validation, Path Traveral, CSRF etc)
Linux Security Summit EU Schedule Published (17:16)
https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/
20-21 September - in Bilbao Spain alongside the Open Source Summit
Still chance to get Early Bird Registration (closes 6th July)
BPF, exploit detection, estimating security risk of a given OSS project,
OP-TEE (ARM Trust-Zone) usage, novel project using CHERI hardware architecture
to protect security sensitive parts of the kernel, using TPM for per-process
secret storage, secure boot, LSM Updates + LandLock and some more
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
21min
June 23, 2023Episode 200
Overview
For our 200th episode, we discuss the impact of Red Hat’s decision to stop
publicly releasing the RHEL source code, plus we cover security updates for
libX11, GNU SASL, QEMU, VLC, pngcheck, the Linux kernel and a whole lot more.
This week in Ubuntu Security Updates
73 unique CVEs addressed
[USN-6163-1] pano13 vulnerabilities (01:08)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2021-33293
CVE-2021-20307
use by hugin-tools for stitching together photos into a panorama
format-string vuln in PTcrop utility which could be abused to execute arbitrary code etc
OOB read (looks more like a NULL ptr deref from the upstream patch…) when
parsing TIFF images
[USN-6168-1, USN-6168-2] libx11 vulnerability (01:55)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-3138
libx11 mishandled various Request, Event and Error IDs - these IDs get used as
indexes into various arrays and so can be used to trigger OOB writes up -
these IDs get supplied back from the X server to the X client - if were
tricked into connecting to a malicious X server, could then either crash X
client -> DoS or get code execution - in general, it is highly unlikely to be
tricked into connecting to a malicious X server due to the nature of the X
protocol (as the X server usually runs on the local machine)
[USN-6169-1] GNU SASL vulnerability (03:22)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2469
library and CLI application for the Simple Authentication and Security Layer
(SASL) framework - used by network servers like IMAP/XMPP etc and to
authenticate clients etc
e.g. mutt and neomutt both use this
Possible OOB read on server side if client provides crafted auth data -> DoS /
info leak against the server
[USN-6155-2] Requests vulnerability (04:02)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-32681
[USN-6155-1] Requests vulnerability from Episode 199
[USN-6166-2] libcap2 vulnerability (04:21)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-2603
[USN-6166-1] libcap2 vulnerabilities from Episode 199
[USN-6083-2] cups-filters vulnerability (04:30)
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-24805
[USN-6083-1] cups-filters vulnerability from Episode 196
[USN-6156-2] SSSD regression (04:40)
Affecting Focal (20.04 LTS)
[USN-6156-1] SSSD vulnerability from Episode 199
possible issue if were to install only some of the newer binary packages from
the previous security update - fixed by adding more specific dependency info
in the package metadata but ideally users should just run apt upgrade or use
unattended-upgrades to install security updates as this will upgrade all
installed binary packages to all the newer versions, and not say just apt install sssd which would only pull in some of the binary packages
[USN-6167-1] QEMU vulnerabilities (05:31)
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-0330
CVE-2022-4172
CVE-2022-4144
CVE-2022-1050
All various memory management issues in different guest drivers, which could
allow a malicious guest to cause QEMU on the host to crash - not really
surprising as the boundary between unprivileged and privileged components is
the literal attack surface in this case and so is where security issues of
this nature will likely be found
[USN-6176-1] PyPDF2 vulnerability (05:57)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-24859
Library for handling PDF files
Possible infinite loop if input PDF was malformed and finished without
containing an expected terminating element - would just keep trying to read
even though there was nothing more to read
[USN-6170-1] Podman vulnerabilities (06:26)
Affecting Jammy (22.04 LTS)
When using podman play kube to create containers / pods / volumes based on a
k8s yaml, it would always pull in the k8s.gcr.io/pause image - this is not
necessary and it not necessarily maintained and so could present a security
issue as a result
[USN-6177-1, USN-6179-1] Jettison vulnerabilities (07:01)
4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-45693
CVE-2022-45685
CVE-2022-40150
CVE-2022-40149
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1436
Java library for converting between XML and JSON
3 different stack overflows due to recursive parsing implementation for JSON -
so could simply create a JSON structure that had a very deeply nested object
to trigger this - plus an associated memory leak -> OOM - fixed by counting
number of recursions and bailing if get too deep
[USN-6178-1] SVG++ library vulnerabilities (07:37)
2 CVEs addressed in Bionic ESM (18.04 ESM), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2021-44960
CVE-2019-6246
Possible OOB reads - one in demo code only - not much of a security impact -
still assigned CVSS 6.5 for NULL ptr deref in demo code - shows the limits of
CVSS as a metric - Daniel Stenberg (curl maintainer) has a good discussion of
this on his blog -
https://daniel.haxx.se/blog/2023/03/06/nvd-makes-up-vulnerability-severity-levels/
https://daniel.haxx.se/blog/2023/06/12/nvd-damage-continued/
I even wrote something about this a few years ago -
https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation -
there is more to CVEs than just their CVSS score - also CVSS 4 will help a bit
but will still not capture enough nuance, and even if it does, it still won’t
stop the problem of CVEs being misclassified due to a lack of deep
understanding by whoever assigns the CVSS score (and in fact this may be made
worse by CVSS 4 since it contains more attributes used to compute a score)
[USN-6180-1] VLC media player vulnerabilities (09:58)
7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-41325
CVE-2021-25804
CVE-2021-25803
CVE-2021-25802
CVE-2021-25801
CVE-2020-13428
CVE-2019-19721
OOB reads / write when handling various image or video files -> DoS / RCE
[USN-5948-2] Werkzeug vulnerabilities (10:16)
2 CVEs addressed in Lunar (23.04)
CVE-2023-25577
CVE-2023-23934
various utilities for WSGI applications in python
one issue in cookie parsing which could allow a remote attacker to shadow
other cookies, another CPU-based DoS via unlimited number of multipart form
data parts - since each consumes only a small number of bytes but takes a
reasonable amount of CPU time to parse (and also consumes RAM too)
[USN-6143-3] Firefox regressions (11:09)
4 CVEs addressed in Focal (20.04 LTS)
CVE-2023-34415
CVE-2023-34417
CVE-2023-34416
CVE-2023-34414
114.0.2 - Upstream regressions in native messaging handlers and some possible crashes as well
[USN-6181-1] Ruby vulnerabilities (11:24)
3 CVEs addressed in Kinetic (22.10), Lunar (23.04)
CVE-2023-28756
CVE-2023-28755
CVE-2021-33621
2 different ReDoS, 1 issue in handling of responses in the cgi gem could allow
an attacker to modify the response that would then be received by the user via
a HTTP response splitting attack
[USN-6182-1] pngcheck vulnerabilities (11:51)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-35511
CVE-2020-27818
Used to verify the integrity of PNG and associated files (used by the
forensics-extra package which contains various forensics and ethical hacking
tools etc)
Ironically this contained a buffer overflow which could be triggered on a
crafted file
[USN-6171-1] Linux kernel vulnerabilities (12:29)
9 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-2985
CVE-2023-25012
CVE-2023-1998
CVE-2023-1859
CVE-2023-1670
CVE-2023-1079
CVE-2023-1077
CVE-2023-1076
CVE-2022-4269
5.19
22.10 - generic, AWS, Azure. GCP, KVM, Oracle, Raspi, Lowlatency
22.04 - HWE
Various issues allowing local user to trigger deadlock, OOPS (crash), or read
kernel memory (info leak) - none appear to be exploitable remotely
[USN-6172-1] Linux kernel vulnerabilities (13:02)
8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-2985
CVE-2023-25012
CVE-2023-1998
CVE-2023-1859
CVE-2023-1670
CVE-2023-1079
CVE-2023-1077
CVE-2023-1076
5.15
22.04 generic, GCP, GKE, Raspi, AWS, Azure, Oracle, KVM, lowlatency etc
5.4
20.04 generic, GCP, GKE, Raspi, AWS, Azure, Oracle, KVM, lowlatency etc
Similar set of issues as above
[USN-6173-1] Linux kernel (OEM) vulnerabilities (13:32)
7 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-32254
CVE-2023-32250
CVE-2023-2269
CVE-2023-2156
CVE-2023-2002
CVE-2023-1380
CVE-2023-31436
6.1 OEM
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
requires an attacker to create a malicious USB device and insert that into
your machine to be able to trigger (shout out to USBGuard)
OOB write in network queuing scheduler
able to be triggered though an unprivileged user namespace (again)
[USN-6130-1] Linux kernel vulnerabilities from Episode 198
[USN-6174-1] Linux kernel (OEM) vulnerabilities
3 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-26606
CVE-2023-1073
CVE-2023-0459
5.17 OEM
[USN-6175-1] Linux kernel vulnerabilities (14:11)
20 CVEs addressed in Lunar (23.04)
CVE-2023-33288
CVE-2023-33203
CVE-2023-30772
CVE-2023-28866
CVE-2023-28466
CVE-2023-2612
CVE-2023-2235
CVE-2023-2194
CVE-2023-1990
CVE-2023-1989
CVE-2023-1859
CVE-2023-1855
CVE-2023-1670
CVE-2023-1611
CVE-2023-1583
CVE-2022-4269
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
6.2 GA (everything)
[USN-6130-1] Linux kernel vulnerabilities from Episode 198
[LSN-0095-1] Linux kernel vulnerability (14:25)
6 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-32233
CVE-2023-31436
CVE-2023-2612
CVE-2023-1872
CVE-2023-1380
CVE-2023-0386

Kernel type
22.04
20.04
18.04

aws
95.4
95.4
—

aws-5.15
—
95.4
—

aws-5.4
—
—
95.4

azure
95.4
95.4
—

azure-5.4
—
—
95.4

gcp
95.4
95.4
—

gcp-5.15
—
95.4
—

gcp-5.4
—
—
95.4

generic-5.4
—
95.4
95.4

gke
95.4
95.4
—

gke-5.15
—
95.4
—

gke-5.4
—
—
95.4

gkeop
—
95.4
—

gkeop-5.4
—
—
95.4

ibm
95.4
95.4
—

ibm-5.4
—
—
95.4

linux
95.4
—
—

lowlatency
95.1
—
—

lowlatency-5.4
—
95.4
95.4

To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
Goings on in Linux Security Community
Red Hat to stop publicly releasing source code for RHEL (14:59)
https://www.redhat.com/en/blog/furthering-evolution-centos-stream
Previously would release sources for RHEL to git.centos.org - the repo which
was used for the previous CentOS Linux - a freely available repackaging of
RHEL, more like a downstream - was discontinued at the end of 2021 in favour
of CentOS Stream which is positioned more as an upstream of RHEL now.
By pushing these sources public, allowed others to inspect their work, but
also to create competitor products based off that work - AlmaLinux / Rocky
etc - both of which aim to be community versions of RHEL, bug-for-bug
compatible etc
https://almalinux.org/blog/impact-of-rhel-changes/
https://rockylinux.org/news/2023-06-22-press-release/
This change first occurred last week, noticed by the AlmaLinux developers -
RHEL then released the public statement above
Red Hat say CentOS Stream will now be the only public repo for RHEL-related
source code - but this does not necessarily contain all the patches and
updates that end up in the various RHEL packages
AlmaLinux plans to then use CentOS Stream to base their security updates
off - as this is still public
Rocky Linux is not so open about how they plan to deal with this - also
looks like they will use CentOS Stream as their upstream - but will this
then be bug-for-bug compatible with RHEL as they claim?
Red Hat also say the sources for RHEL will be available to customers and
partners via their usual customer portal - however the standard RHEL license
agreement prohibits these from being used to develop competitor products etc
Doesn’t have a huge impact on Ubuntu as in general we take our patches direct
from the upstream projects - and when we have to backport these to older
versions, they are not necessarily the same version as used in RHEL anyway so
we don’t often use patches from RHEL
Will be interesting to see what impact this does have on AlmaLinux and Rocky
Linux
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
20min
June 16, 2023Episode 199
Overview
For our 199th episode Andrei looks at Fuzzing Configurations of Program Options
plus we discuss Google’s findings on the io_uring kernel subsystem and we look
at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib
and more.
This week in Ubuntu Security Updates
53 unique CVEs addressed
[USN-6145-1] Sysstat vulnerabilities (00:55)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-33204
CVE-2022-39377
system performance tools - integer overflow leading to possible buffer
overflow - original fix was incomplete so a second CVE was issued
[USN-6146-1] Netatalk vulnerabilities (01:22)
9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439
Implementation of the Apple Filing Protocol - allows a Ubuntu server to share
files with macOS clients - similar to Samba for Windows
Lots of different buffer overflows - some / most disclosed via ZDI
Almost all due to missing length checks on the input data - some OOB write,
others OOB read - sadly there is no AppArmor profile for netatalk but it would
be interesting to try and create one
[USN-6147-1] SpiderMonkey vulnerability (02:21)
1 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-34416
Latest release of mozjs-102.12.0 (Mozilla’s SpiderMonkey JS engine)
Used by gnome-shell etc
Upstream mozilla describes this issue as ‘memory safety bugs’
[USN-6149-1] Linux kernel vulnerabilities (02:52)
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-28328
CVE-2023-1073
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
4.4 based kernel (Xenial GA kernel)
All interesting CVEs discussed last week - [USN-6130-1] Linux kernel vulnerabilities in Episode 198
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
KVM mishandling of control registers for nested guest VMs
OOB write in network queuing scheduler - able to be triggered though an
unprivileged user namespace (again)
race condition -> UAF -> privesc in netfilter
[USN-6150-1, USN-6162-1] Linux kernel vulnerabilities (03:55)
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-2612
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
5.15 Raspi + Intel-IoTG 22.04 LTS,
5.4 Raspi + Intel-IoTG 20.04 LTS
[USN-6151-1] Linux kernel (Xilinx ZynqMP) vulnerabilities (04:13)
4 CVEs addressed in Focal (20.04 LTS)
CVE-2023-23559
CVE-2022-4382
CVE-2022-2196
CVE-2021-3669
5.4
[USN-6152-1] Linux kernel (GKE) regression (04:21)
Affecting Focal (20.04 LTS), Jammy (22.04 LTS)
5.15 - NFS cache issue causing a severe degradation in performance under
certain conditions
[USN-6153-1] Jupyter Core vulnerability (04:42)
1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-39286
Executed untrusted files from current working directory - possible RCE - would
unconditionally prepend the current working dir to the search path
[USN-6154-1] Vim vulnerabilities (04:58)
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2610
CVE-2023-2609
CVE-2023-2426
Moar vim CVEs
Seems we talk about vim every month or so lately
Only a few CVEs per year until 2021 - then 20, 113 for 2022, so far only 15
for 2023 - is this the sign that the rate of vim CVEs are decreasing?

Figure 1: Vulnerabilities by year in vim from https://www.cvedetails.com/product/14270/VIM-VIM.html?vendor_id=8218

[USN-6155-1] Requests vulnerability (05:56)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32681
Python requests library - leaked Proxy-Authorization headers to the
destination server when redirected by a HTTPS endpoint
[USN-6156-1] SSSD vulnerability (06:11)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2022-4254
Failed to sanitise certificate attributes before issuing an LDAP search -
ie. a certificate may contain parenthesis in say the Subject DN field - this
would then be used directly in the query and would be interpreted as
parameters in the LDAP query - could then allow a malicious client to provide
a crafted certificate which performs arbitrary LDAP queries etc - such that
when used in conjunction with FreeIPA they could elevate their privileges
[USN-6148-1] SNI Proxy vulnerability (06:54)
1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-25076
Buffer overflow when handling a crafted HTTP packet that specifies an IPv6
address longer than the maximum possible - since parses it into a fixed size
buffer
[USN-6157-1] GlusterFS vulnerability
1 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-26253
Stack buffer overread - generally protected by stack protector on Ubuntu -
crash -> DoS
[USN-6143-2] Firefox regressions (07:25)
4 CVEs addressed in Focal (20.04 LTS)
CVE-2023-34415
CVE-2023-34417
CVE-2023-34416
CVE-2023-34414
114.0.1 - crash on startup if on disk metadata is corrupted / invalid - fixed
to just indicate an error occurred and continue without the data
[USN-6158-1] Node Fetch vulnerability (07:45)
1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2022-0235
If redirected to another site, would leak the cookie of the originating site
to the other - violation of same origin policy
[USN-6159-1] Tornado vulnerability (07:59)
1 CVEs addressed in Xenial ESM (16.04 ESM), Lunar (23.04)
CVE-2023-28370
Open redirect - allows an attacker to craft a URL to a site that when visited
will redirect the user to a different arbitrary site - can then be used to
phish the user
[USN-6160-1] GNU binutils vulnerability (08:27)
1 CVEs addressed in Focal (20.04 LTS)
CVE-2021-45078
Heap based buffer overflow when reading certain debugging information - could
then possibly get code execution - requires the user to run objdump or similar
on an attacker controlled binary - in general binutils is expected to only be
run on trusted inputs - so if you are using objdump etc for reverse
engineering arbitrary binaries, should do this in an isolated environment - VM
[USN-6161-1] .NET vulnerabilities (09:02)
5 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-33128
CVE-2023-32032
CVE-2023-29337
CVE-2023-29331
CVE-2023-24936
Latest .NET point releases from Microsoft for .NET 6 and 7 fixing various
issues in the language runtime (not a lot of details provided by MS on these)
[USN-6164-1] c-ares vulnerabilities (09:24)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32067
CVE-2023-31130
library for async DNS lookups - used by apt-cacher-ng, frr, wireshark, sssd
and more
Buffer underflow when looking up crafted IPv6 addresses - appears to be able
to be tricked into writing infront of an allocated buffer - memory corruption
-> DoS / RCE
DoS via an attacker forging a zero length UDP packet in response to a query -
then cause the resolver to shutdown the “connection” as it sees a 0 byte
read - however that code path assumes the transport protocol is TCP - this is
not a valid assumption for UDP as UDP is connectionless
[USN-6165-1] GLib vulnerabilities (11:07)
7 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-32665
CVE-2023-32643
CVE-2023-32636
CVE-2023-32611
CVE-2023-29499
CVE-2023-25180
CVE-2023-24593
Various issues in the handling of GVariants - looks like someone has been
fuzzing glib - GVariant used for on-the-wire encoding of parameters in DBus
etc - similar to protobuf’s etc
[USN-6166-1] libcap2 vulnerabilities (11:35)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2603
CVE-2023-2602
DoS via a memory leak through thread creation plus an integer overflow when
handling really large strings
Goings on in Ubuntu Security Community
Google disables io_uring in ChromeOS and their production servers (12:00)
https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Google runs kCTF as part of the vuln rewards program, offering a bug-bounty /
monetary rewards for researchers who find exploitable bugs in Google
Kubernetes Engine (GKE) or the underlying Linux kernel
Has paid out $1.8m USD - 60% of submissions exploited io_uring - with around
$1m USD rewarded for io_uring submissions alone - and io_uring was used in all
submissions which bypassed their mitigations
followed by net and then fs subsystems
clearly is a target rich environment
As such, disabled io_uring in ChromeOS (was originally enabled back in
November 2022 to increase performance of their arcvm which is used to run
Android apps on ChromeOS) but then now disabled 4 months later in Feb this
year
Use seccomp-bpf to block access to io_uring to Android applications and in the
future will also use SELinux to restrict access even further to only select
system processes
Will likely disable it also on GKE AutoPilot - where Google manages the config
of your GKE Kubernetes cluster
And have disabled io_uring on their production servers
Essentially due to the newness of io_uring and ongoing development of features
for it, it presents too much of a risk for use by untrusted applications etc
Andrei discusses Fuzzing Configurations of Program Options (15:06)
https://doi.org/10.1145/3580597
https://google.github.io/fuzzbench/
https://github.com/google/AFL
https://github.com/AFLplusplus/AFLplusplus
https://llvm.org/docs/CommandGuide/llvm-cov.html
https://github.com/google/AFL/tree/master/experimental/argv_fuzzing
https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/argv_fuzzing
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
28min
June 09, 2023Episode 198
Overview
This week we investigate the mystery of failing GPG signatures for the 16.04 ISO
images, plus we look at security updates for CUPS, Avahi, the Linux kernel, FRR,
Go and more.
This week in Ubuntu Security Updates
58 unique CVEs addressed
[USN-6128-1, USN-6128-2] CUPS vulnerability (00:56)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32324
Heap buffer overflow when printing debug messages - apparently requires
cupsd.conf to have LogLevel as debug which is not usually the case
[USN-6129-1] Avahi vulnerability (01:39)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1981
DoS -> if called with an unknown service name, would result in a NULL pointer
dereference and crash - found via dfuzzer - a fuzzer for D-Bus services
[USN-6130-1] Linux kernel vulnerabilities (02:23)
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
4.15 GA for 18.04 ESM (generic, virtual, lowlatency, KVM, AWS, Snapdragon, Azure, GCP, Oracle)
HWE + GCP, Azure, GKE, AWS etc for 16.04 ESM
Azure for 14.04 ESM
race condition -> UAF -> privesc in netfilter
[USN-6122-1] Linux kernel (OEM) vulnerabilities from Episode 197
KVM mishandling of control registers for nested guest VMs
[USN-6123-1] Linux kernel (OEM) vulnerabilities from Episode 197
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver -
requires an attacker to create a malicious USB device and insert that into
your machine to be able to trigger (shout out to USBGuard)
OOB write in network queuing scheduler - able to be triggered though an
unprivileged user namespace (again)
[USN-6127-1] Linux kernel vulnerabilities (04:41)
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-2612
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
5.15
22.10 GA (virtual, raspi, generic, aws, lowlatency, ibm, azure, gcp, oracle, kvm, aws)
22.04 HWE (ditto)
20.04 HWE (ditto + OEMs)
Same as above plus a race condition in shiftfs -> kernel deadlock -> DoS
[USN-6135-1] Linux kernel (Azure CVM) vulnerabilities (05:06)
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-2612
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
5.15 Azure FDE (22.04, 20.04)
[USN-6131-1] Linux kernel vulnerabilities (05:18)
5 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-2612
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
5.4 GA 20.04, HWE 18.04
[USN-6132-1] Linux kernel vulnerabilities (05:30)
13 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2612
CVE-2023-2162
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
CVE-2023-1380
CVE-2023-30456
CVE-2023-31436
CVE-2023-32233
5.4 (20.04 bluefield, 18.04 AWS)
[USN-6133-1] Linux kernel (Intel IoTG) vulnerabilities (05:42)
12 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-20938
CVE-2023-1872
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
CVE-2022-27672
CVE-2023-1829
5.15 Intel IoTG
[USN-6134-1] Linux kernel (Intel IoTG) vulnerabilities
24 CVEs addressed in Focal (20.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-26545
CVE-2023-2162
CVE-2023-21102
CVE-2023-20938
CVE-2023-1872
CVE-2023-1652
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-1074
CVE-2023-1073
CVE-2023-0459
CVE-2023-0458
CVE-2023-0394
CVE-2022-4842
CVE-2022-47929
CVE-2022-4129
CVE-2022-3707
CVE-2022-27672
CVE-2023-0386
CVE-2023-1281
CVE-2023-1829
5.15 Intel IoTG as well
[USN-6112-2] Perl vulnerability (05:54)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-31484
[USN-6112-1] Perl vulnerability from Episode 197
failed to properly validate TLS certs when using CPAN and HTTP::Tiny
[USN-6136-1] FRR vulnerabilities (06:19)
2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-31490
CVE-2023-31489
Implements BGP, OSPF, RIP, IS-IS, PIM and more - successor to Quagga
Two issues in BGP handling - both OOB reads due to failing to use the right
lengths when reading packet structures, implemented in C
[USN-6137-1] LibRaw vulnerabilities (06:43)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1729
CVE-2021-32142
Heap buffer overflow and stack buffer overflow (mitigated by stack protector
etc)
[USN-6138-1] libssh vulnerabilities (07:01)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2283
CVE-2023-1667
NULL ptr deref during re-keying - already authenticated user could trigger a DoS
Possible for a client to avoid having its signature fully verified IF during
the verification process there is insufficient memory - fails, leaves in error
state that then falls though to an OK state
[USN-6139-1] Python vulnerability (07:37)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-24329
[USN-5960-1] Python vulnerability from Episode 191 - original upstream fix was
incomplete
[USN-6140-1] Go vulnerabilities (07:57)
8 CVEs addressed in Kinetic (22.10), Lunar (23.04)
CVE-2023-29400
CVE-2023-24540
CVE-2023-24539
CVE-2023-24538
CVE-2022-41725
CVE-2023-24537
CVE-2023-24534
CVE-2022-41724
Various content injection issues in JS, CSS and HTML template handling due to
failing to properly parse various delimiting elements (like backtick ` for JS
etc)
Also two DoS since could trigger a panic due to mishandling of memory
[USN-6141-1] xfce4-settings vulnerability (08:31)
1 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-45062
MIME helper failed to properly parse input - is called via xdg-open - so could
call xdg-open with crafted input that would then get passed through to
whatever application (like say the browser / file manager etc) and hence could
run these other applications with arbitrary arguments - e.g. could embed a
link in a PDF and when the user clicks this can then get say the browser to be
launched with arbitrary arguments
e.g. could set the --remote-allow-origins flag to specify an attacker
controlled domain which is then allowed to connect to the local debugging port
and hence execute arbitrary JS on any other domain - steal creds etc
[USN-6142-1] nghttp2 vulnerability (10:16)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
CVE-2020-11080
C library for HTTP/2
Overly large SETTINGS frames would cause a CPU-based DoS - mitigated by
setting a max limit for these frame types and rejecting if too large
[USN-6143-1] Firefox vulnerabilities (10:50)
4 CVEs addressed in Focal (20.04 LTS)
CVE-2023-34415
CVE-2023-34417
CVE-2023-34416
CVE-2023-34414
114.0 release
[USN-6144-1] LibreOffice vulnerabilities (10:59)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-2255
CVE-2023-0950
Array index underflow in handling of crafted formulas in Calc - memory corruption -> RCE
Failed to prompt user before loading a document into an IFrame - document can then contain other elements like JS etc that get executed
[USN-6028-2] libxml2 vulnerabilities (11:35)
3 CVEs addressed in Lunar (23.04)
CVE-2023-29469
CVE-2023-28484
CVE-2022-2309
2 different NULL ptr deref, possible double free
DoS / RCE via crafted XML documents
Goings on in Ubuntu Security Community
Recent report of invalid GPG signatures on 16.04 ISOs (12:04)
https://discourse.ubuntu.com/t/is-ubuntu-vulnerable-to-fake-keys/21997/4
User reported that the SHA256SUMS file for 16.04 ISOs on
old-releases.ubuntu.com failed to validate
Sounds scary - has the server been hacked and the ISOs (and hence SHA256SUMS
file) been tampered with?
We don’t sign the ISOs directly - instead (like apt) we take a hash of the ISO
file and then sign the file containing that list of hashes - for performance
So in this case, it would appear that the SHA256SUMS file has been modified
and so does not validate properly
One other thing to note, this report was made in a follow-up comment to an
older thread where someone mentioned that they are able to upload arbitrary
keys to the ubuntu keyserver that mimic the archive / CD image signing keys
etc - this is the nature of key servers - anyone can upload any key with any
arbitrary identifiers - but since keys are generated from randomness, it is
theoretically impossible to generate a key with the same underlying
cryptographic fingerprint (even if it has the same name / email address
associated with it)
Always important to make sure you use the right keys - as identified by their
fingerprint - these are listed on the wiki
https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
These keys are also contained on all Ubuntu installs within the
/usr/share/keyrings/ubuntu-archive-keyring.gpg file from the ubuntu-keyring
package
Able to easily verify this behaviour locally:
wget -q https://old-releases.ubuntu.com/releases/xenial/SHA256SUMS{,.gpg}
gpg --verify --no-default-keyring --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --verbose SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg: using DSA key 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg: using RSA key D94AA3F0EFE21092
gpg: using pgp trust model
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) " [unknown]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
So far so scary - it really does look like the SHA256SUMS file was modified
But if we look closer, we can see GPG says the signature was made on 28th
February 2019 - this corresponds with the 16.04.6 point release - yet the most
recent point release was 16.04.7 from 13th August 2020 for BootHole (Alex and
Joe take an in-depth and behind-the-scenes look at BootHole / GRUB from
Episode 84) - so it appears that perhaps the various signature files were
not regenerated when the 16.04.7 point release was made (yet the various SUMS
files were)
Marc went asking around, vorlon from Foundations confirmed this was the case
Simply had to run the script to resign this and push it to the server - now
all is good as can be seen below
gpg: Signature made Fri 09 Jun 2023 00:38:30 ACST
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: using pgp trust model
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
Thanks to the anonymous user in the Ubuntu Discourse for bringing this to our
attention
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
18min
June 02, 2023Episode 197
Overview
The venerable Ubuntu 18.04 LTS release has transitioned into ESM, plus we look
at Till Kamppeter’s excellent guide on how to set up your GitHub projects to
receive private vulnerability reports, and we cover the week in security updates
including PostgreSQL, Jhead, the Linux kernel, Linux PTP, snapd and a whole lot
more.
This week in Ubuntu Security Updates
56 unique CVEs addressed
[USN-6104-1] PostgreSQL vulnerabilities (00:55)
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2455
CVE-2023-2454
Two issues, both requiring to be an authenticated user. One in mishandling of
CREATE privileges - could then allow an auth user to execute arbitrary code as
a the bootstrap supervisor - the other in row security properties which could
allow to bypass policies and get read/write contrary to security policy.
[USN-6105-1] ca-certificates update (01:32)
Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
Updates to the latest upstream 2.60 release from Mozilla, adds a bunch of new
CAs plus removes some that had either expired or that were now not used
anymore
[USN-6106-1] calamares-settings-ubuntu vulnerability (02:08)
Affecting Jammy (22.04 LTS)
When installing Lubuntu, it would allow to create the first user with an empty
password. Lubuntu uses it’s own installer called Calamares - so this issue
only affects Lubuntu, not regular Ubuntu or other Ubuntu flavors.
[USN-6100-1] HTML::StripScripts vulnerability (02:58)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-24038
REDoS when parsing HTML with “certain style attributes”
[USN-6108-1] Jhead vulnerabilities (03:18)
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-41751
CVE-2021-34055
[USN-6098-1] Jhead vulnerabilities in last week’s episode
Code-exec - place OS commands into a JPEG filename and then using
jhead to rotate the file
Buffer overflow when writing Exif data
[USN-6110-1] Jhead vulnerabilities
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2021-28277
CVE-2021-28275
CVE-2021-3496
Stack buffer overflow, heap buffer overflow and OOB read - DoS / code exec
[USN-6113-1] Jhead vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2018-6612
Heap buffer OOB read -> DoS
[USN-6054-2] Django vulnerability (04:17)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2023-31047
[USN-6054-1] Django vulnerability in Episode 194
[USN-6109-1, USN-6118-1] Linux kernel (Raspberry Pi + Oracle) vulnerabilities (04:29)
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
5.4 raspi + oracle on both 20.04 + 18.04
Most issues covered on previous episodes
[USN-6122-1] Linux kernel (OEM) vulnerabilities (04:49)
2 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-2612
CVE-2023-32233
6.1 OEM 22.04 LTS
Race condition in netfilter able to be triggered by a local user -> UAF
requires CAP_NET_ADMIN but can get this in an unprivileged user namespace ∴
can be triggered OOTB by an unpriv user on Ubuntu
PoC was published for this last week - caused a bunch of folks to get
anxious but since can be mitigated by disabling unprivileged user namespaces
perhaps it was not worth all the hype? Also kernel updates take a while to
prepare and test etc so it is not easy to just drop everything and crank a
new kernel - so in general this would only occur for remotely exploitable
issues
[USN-6123-1] Linux kernel (OEM) vulnerabilities (06:48)
5 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-26606
CVE-2023-2612
CVE-2023-1670
CVE-2023-30456
CVE-2023-32233
6.0 OEM
Netfilter issue above, plus mishandling of control registers in nested KVM
VMs - could allow an guest VM to crash the VM host
[USN-6124-1] Linux kernel (OEM) vulnerabilities (07:10)
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-2612
CVE-2023-1670
CVE-2022-4139
CVE-2022-3586
CVE-2023-30456
CVE-2023-32233
5.17 OEM
Mostly same issues as above
[USN-6097-1] Linux PTP vulnerability (07:20)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3570
Precision time protocol implementation - allows to synchronise time between
servers to sub-microsecond accuracy - more accurate than NTP - uses a
leader/follower architecture - leader would be synchronised with high accuracy
via say a GPS then distributes this to other machines via PTP
Failed to check length of received packet properly (but only for forwarded
packets) - results in a OOB R/W - so could either be an info leak or possible
RCE
[USN-6005-2] Sudo vulnerabilities (08:49)
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-28487
CVE-2023-28486
[USN-6005-1] Sudo vulnerabilities in Episode 193
[USN-6111-1] Flask vulnerability (09:02)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-30861
Possibly sends a response intended for one client to a different client due to
mishandling of the Vary:Cookie header - requires the use of a caching proxy
and other conditions though so may not be a widespread issue
[USN-6112-1] Perl vulnerability (09:35)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-31484
Failed to properly validate TLS certs when using CPAN with <:Tiny> to
download modules over HTTPS - failed to set ssl_Verify - parameter to
<:Tiny>
Seems the upstream HTTP::Tiny dev’s thinks it would be discriminatory to
enable SSL verification by default as that would make applications etc that
use self-signed certs or community-driven CAs like CAcert.org fail - but this
seems pretty outdated since with Let’s Encrypt etc nowadays there is easy
access to trusted certs for anyone - and so this just does a disservice to all
applications that use <:Tiny> making them potentially insecure
out-of-the-box
Won’t be surprised to see other similar vulns in the future as a result of
this foot-gun
[USN-6114-1] nth-check vulnerability (11:32)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3803
Node.js module for parsing and compiling CSS nth-checks (used in CSS 3
nth-child() and nth-last-of-type() functions) - can pass it a string and it
will compile that to an optimised function for calling by other code
REDoS
[USN-6116-1] hawk vulnerability (12:11)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-29167
Node.js HTTP Holder-of-key authentication scheme - a HTTP authentication
scheme that is similar to the regular HTTP Digest scheme - developed by Mozilla
REDoS
[USN-6115-1] TeX Live vulnerability (12:47)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32700
Shell command execution in luatex if run against an untrusted document since
could access the io stream used by the underlying lua engine and inject
contents into it which would then be executed
[USN-6119-1] OpenSSL vulnerabilities (13:20)
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1255
CVE-2023-2650
CPU-based DoS when processing crafted ASN.1 object identifiers - requires to
have an object ID which itself is tens to hundreds of KBs - OpenSSL 3 has a
limit of 100KB on the peer cert chain which limits the ability to craft such
long IDs and have them be processed by OpenSSL
An aarch64 specific issue - AES-XTS decryption algorithm would possibly read
past the end of the input buffer -> OOB read -> possible DoS but only if the
ciphertext is a certain size relative to the block size
[USN-6120-1] SpiderMonkey vulnerabilities (14:25)
9 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32215
CVE-2023-32211
CVE-2023-29550
CVE-2023-29548
CVE-2023-29536
CVE-2023-29535
CVE-2023-25751
CVE-2023-25739
CVE-2023-25735
mozjs 102.11 release - JS engine shipped in Firefox so has a lot of overlap
with CVEs in firefox etc.
thanks to the Jeremy Bicha on the Ubuntu Desktop team for preparing these
updates
[USN-6121-1] Nanopb vulnerabilities (14:45)
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-21401
CVE-2020-26243
Implementation of Protocol Buffers but with small code size - designed for embedded systems etc
Memory leak on parsing of crafted messages plus an invalid free() or realloc()
on crafted messages - both only really an issue if parsing untrusted content
[USN-6117-1] Apache Batik vulnerabilities (15:16)
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-42890
CVE-2022-41704
CVE-2022-40146
CVE-2022-38648
CVE-2022-38398
CVE-2020-11987
CVE-2019-17566
Java SVG library
4 different XSRF issues
1 SSRF issue on handling of URLs in Jar’s - could allow to access local files
on the server
2 different issues that could allow untrusted Java code embedded in an SVG to
be executed
[USN-6125-1] snapd vulnerability (15:48)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1523
Very similar to a recent issue (CVE-2023-28100) in flatpak - seccomp sandbox failed to block
the TIOCLINUX ioctl() request - could allow a snap to inject contents into the
controlling terminal when run on a virtual console - this would then be
executed when the snap finished running -> code exec outside the snap sandbox
Now simply blocks TIOCLINUX as it already did for TIOCSTI in the past
Very similar to historic TIOCSTI CVEs such as CVE-2016-9016 in firejail,
CVE-2016-10124 in lxc, CVE-2017-5226 in bubblewrap, CVE-2019-10063 in flatpak
[USN-6126-1] libvirt vulnerabilities (17:44)
2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2700
CVE-2022-0897
race condition within the nwfilter driver - allows a local unprivileged user
to race against the driver and corrupt the list of network filters and trigger
a crash in the libvirt daemon
memory leak when reading SR-IOV PCI device capabilities
Goings on in Ubuntu Security Community
Ubuntu 18.04 has now entered ESM (18:21)
https://www.omgubuntu.co.uk/2023/05/ubuntu-18-04-general-support-ends-enable-esm-to-stay-protected
OpenPrinting tutorial on handling security bugs via GitHub (19:40)
https://openprinting.github.io/OpenPrinting-News-May-2023/#handling-reported-security-bugs-with-github
Last week we talked about a vulnerability in the cups-filter package
Discusses the difficulty in handling security issues in open source projects,
where all the development is usually done in the open, how do you privately
report and collaborate on a security issue?
GitHub offers the ability to report security vulnerabilities privately
Not enabled by default since it requires some configuration on the part of the
maintainer to configure the templates etc that get sent out - also needs the
organisation that owns the repo to enable this as well
GitHub offer some great guidance on the best ways to do this
Usual workflow is to submit a report privately and then can create a temporary
private fork in which to develop the fix
Read Till’s blog post as that contains a great walk-through on how to enable
this
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
24min
May 26, 2023Episode 196
Overview
This week we look at some recent security developments from PyPI, the Linux
Security Summit North America and the pending transition of Ubuntu 18.04 to ESM,
plus we cover security updates for cups-filter, the Linux kernel, Git, runC,
ncurses, cloud-init and more.
This week in Ubuntu Security Updates
83 unique CVEs addressed
[USN-6083-1] cups-filters vulnerability (01:03)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-24805
Legacy BEH (Backend Error Handler) allows to create a network accessible
printer - allowed to do pretty easy RCE since used system() to run a command
which contained various values that can be controlled by the attacker
Fixed by upstream to use fork() and execve() plus some other smaller changes
to perform sanitisation of the input
[USN-6084-1] Linux kernel vulnerabilities (01:45)
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-1513
CVE-2023-0459
4.15 18.04 GCP + Oracle, 16.04 Oracle
[USN-6085-1] Linux kernel (Raspberry Pi) vulnerabilities (02:00)
10 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-20938
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
CVE-2022-27672
5.15 Raspi kernel
Various UAFs in different drivers and subsystems, possible speculative
execution attack against AMD x86-64 processors with SMT enabled, a few type
confusion bugs leading to OOB reads etc
[USN-6090-1] Linux kernel vulnerabilities (02:26)
10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-20938
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
CVE-2022-27672
Same set of vulns as above
5.15 22.04 GKE, GCP; 20.04 GKE, GCP, Oracle
[USN-6089-1] Linux kernel (OEM) vulnerability (02:45)
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-4139
6.0 OEM
i915 failed to flush GPU TLB in some cases -> DoS / RCE
[USN-6091-1] Linux kernel vulnerabilities (03:09)
25 CVEs addressed in Kinetic (22.10)
CVE-2023-1118
CVE-2023-32269
CVE-2023-26544
CVE-2023-23455
CVE-2023-23454
CVE-2023-2162
CVE-2023-21106
CVE-2023-21102
CVE-2023-1652
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-1074
CVE-2023-1073
CVE-2023-0459
CVE-2023-0458
CVE-2023-0394
CVE-2023-0210
CVE-2022-48424
CVE-2022-48423
CVE-2022-4842
CVE-2022-4129
CVE-2022-3707
CVE-2022-36280
CVE-2022-27672
5.19 IBM + Oracle
Lots of the previously mentioned issues and more - same kinds of issues though
(race conditions, UAFs, OOB writes etc in various drivers / subsystems)
[USN-6096-1] Linux kernel vulnerabilities (03:34)
25 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-1118
CVE-2023-32269
CVE-2023-26544
CVE-2023-23455
CVE-2023-23454
CVE-2023-2162
CVE-2023-21106
CVE-2023-21102
CVE-2023-1652
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-1074
CVE-2023-1073
CVE-2023-0459
CVE-2023-0458
CVE-2023-0394
CVE-2023-0210
CVE-2022-48424
CVE-2022-48423
CVE-2022-4842
CVE-2022-4129
CVE-2022-3707
CVE-2022-36280
CVE-2022-27672
22.10 GCP, 22.04 HWE
Same as above
[USN-6092-1] Linux kernel (Azure) vulnerabilities (03:45)
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-1513
CVE-2023-0459
4.15 Azure on both 18.04, 16.04 ESM + 14.04 ESM
[USN-6093-1] Linux kernel (BlueField) vulnerabilities (03:54)
9 CVEs addressed in Focal (20.04 LTS)
CVE-2023-26545
CVE-2023-1074
CVE-2023-1073
CVE-2023-0458
CVE-2022-4129
CVE-2022-3903
CVE-2022-3108
CVE-2023-1281
CVE-2023-1829
5.4
NVIDIA BlueField platform
[USN-6094-1] Linux kernel vulnerabilities (04:02)
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
5.4 20.04 / 18.04 HWE on all generic, Azure, GKE, IBM, OEM, AWS, KVM, Low
latency etc
[USN-6095-1] Linux kernel vulnerabilities (04:29)
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-1513
CVE-2023-0459
4.15 18.04 snapdragon + raspi2; 16.04 HWE etc
[USN-6050-2] Git vulnerabilities (04:50)
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-29007
CVE-2023-25652
RCE via a crafted .gitmodules file with submodule URLs longer than 1024
chars - could inject arbitrary config into the users git config - eg. could
configure the pager or editor etc to run some arbitrary command
Local file overwrite via crafted input to git apply --reject
[USN-6088-1] runC vulnerabilities (05:39)
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-28642
CVE-2023-27561
CVE-2023-25809
Vuln where the cgroup hierarchy of the host may be exposed within the
container and be writable - could possibly use this to privesc
Regression from a previous vuln fix in CVE-2019-19921 (see [USN-4297-1] runC vulnerabilities in Episode 66)
Possible to bypass AppArmor (or SELinux) restrictions on runc if a container
[USN-6088-2] runC vulnerabilities (06:26)
6 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-28642
CVE-2023-27561
CVE-2023-25809
CVE-2022-29162
CVE-2021-43784
CVE-2019-19921
[USN-6086-1] minimatch vulnerability (06:31)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-3517
ReDoS against nodejs package
[USN-6087-1] Ruby vulnerabilities (06:39)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-28756
CVE-2023-28755
Speaking of ReDoS - two in ruby - mentioned previously in
[USN-6055-2] Ruby regression Episode 194 - has been
fixed properly now without introducing the previous regression
[USN-5900-2] tar vulnerability (07:03)
1 CVEs addressed in Lunar (23.04)
CVE-2022-48303
[USN-5900-1] tar vulnerability from Episode 189
[USN-5996-2] Libloius vulnerabilities (07:17)
3 CVEs addressed in Lunar (23.04)
CVE-2023-26769
CVE-2023-26768
CVE-2023-26767
Braille translation library
3 different buffer overflows
[USN-6099-1] ncurses vulnerabilities (07:27)
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-29491
CVE-2022-29458
CVE-2021-39537
CVE-2019-17595
CVE-2019-17594
Most interesting vuln here was possible memory corruption via malformed
terminfo database which can be set via TERMINFO of though ~/.terminfo - will
get used by a setuid binary as well - turns out though that ncurses has a
build-time configuration option to disable the use of custom terminfo/termcap
when running - fixed this by enabling that
[USN-6073-6, USN-6073-7, USN-6073-8, USN-6073-9] Cinder, Glance store, Nova, os-brick regressions (08:34)
Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability from Episode 195
[USN-5725-2] Go vulnerability (08:50)
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2020-16845
[USN-6042-2] Cloud-init regression (08:55)
Affecting Focal (20.04 LTS)
Published an update to cloud-init a few weeks ago - this was due to a vuln
where credentials may get accidentally logged to the cloud-init log file -
this was a newer version of cloud-init and it relied on a feature in the
netplan package that was not published to the security pocket - easy fix would
be to publish this version of netplan to -security but this is not in the
spirit of the pocket - so instead cloud-init was updated to include a fallback
to ensure routes were appropriately retained
[USN-6098-1] Jhead vulnerabilities (09:48)
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-28278
CVE-2021-28276
CVE-2020-26208
CVE-2020-6625
CVE-2020-6624
CVE-2019-1010302
CVE-2019-1010301
CVE-2019-19035
EXIF JPEG header manipulation tool written in C
Heap buffer overflows, NULL ptr derefs, OOB reads etc
[USN-6102-1] xmldom vulnerabilities (10:12)
3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-39353
CVE-2022-37616
CVE-2021-21366
NodeJS javascript DOMParser and XMLSerializer
Logic error where failed to preserve identifiers or namespaces when parsing
malicious documents
Prototype pollution
Parses documents with multiple top-level elements and combines all their
elements
[USN-6101-1] GNU binutils vulnerabilities (10:50)
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-25588
CVE-2023-25586
CVE-2023-25585
CVE-2023-25584
CVE-2023-1972
CVE-2023-1579
Assembler, linker and other utils for handling binary files
Generally not expected to be fed untrusted input, but notheless
various buffer overflows (read and write) - DoS / RCE
[USN-6074-3] Firefox regressions (11:38)
11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-32209
CVE-2023-32208
CVE-2023-32206
CVE-2023-32216
CVE-2023-32215
CVE-2023-32213
CVE-2023-32212
CVE-2023-32211
CVE-2023-32210
CVE-2023-32207
CVE-2023-32205
113.0.2
[USN-6103-1] JSON Schema vulnerability (11:50)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-3918
NodeJS package for JSON document manipulation - prototype pollution vuln
[USN-5967-1] object-path vulnerabilities from Episode 192
Goings on in Ubuntu Security Community
Security related announcements from PyPI (12:21)
Removing PGP from PyPI
will no longer support new PGP signatures for PyPI packages in response to a
recent public blog post detailing an audit of the PGP ecosystem with PyPI
most devs not uploading PGP signatures and of those that were, 30% were
not available on major public keyservers and of those that were nearly
half were not able to be meaningfully verified - some had expired,
others had no binding signature to be able to verify them
PyPI was subpoenaed
Ordered by DOJ to provide details on 5 PyPI usernames, including names,
addresses, connection records, payment details, which packages and IP logs
etc
Provided these details after consulting with their lawyers
Includes the specific attributes which were provided including the database
queries used to lookup those records
likely in response to recent security issues like typosquatting of popular
packages with credential stealers and other malware embedded - over the past
weekend, account sign-up and package uploads were blocked due to an
overwhelming large number of malicious users and projects being created
which the admins could not keep up with
Securing PyPI accounts via Two-Factor Authentication
Every account that maintains a project / organisation will be required to
enable 2FA by the end of this year
supports both TOTP and WebAuthN
Already announced this for most critical projects last year where they gave
away Google Titan security keys to those projects and mandated them to use
2FA
LSS NA 2023 (16:11)
Attended by John Johansen and Mark Esler from the Ubuntu Security Team
John presented in the LSM Maintainers Panel with Mickaël Salaün, Casey
Schaufler, Mimi Zohar & moderated by Paul Moore
All presentations now online: https://www.youtube.com/playlist?list=PLbzoR-pLrL6q4vmwFP7-ZZ1LJc5mA3Hqu
Lots of interesting bits like:
systemd and TPM2
Verifiable End to End Secure OCI Native Machines
Progress on Bounds Checking in C and the Linux Kernel
for more great content with Kees check out Seth and John talk Linux Kernel Security with Kees Cook from Episode 145
Building the Largest Working Set of Apparmor Profiles
Controlling Script Execution
Announcement of 18.04 LTS going into ESM on 31 May 2023 (18:55)
https://lists.ubuntu.com/archives/ubuntu-security-announce/2023-May/007371.html
18.04 LTS released on 26 April 2018
https://canonical.com/blog/18-04-end-of-standard-support
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
21min
May 19, 2023Episode 195
Overview
Alex and Camila discuss security update management strategies after a recent
outage at Datadog was attributed to a security update for systemd on Ubuntu,
plus we look at security vulnerabilities in the Linux kernel, OpenStack,
Synapse, OpenJDK and more.
This week in Ubuntu Security Updates
66 unique CVEs addressed
[USN-6069-1] Linux kernel (Raspberry Pi) vulnerability (01:01)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-1829
5.4 raspi in 20.04 / 18.04 HWE
[USN-6058-1] Linux kernel vulnerability from Episode 194
UAF in Traffic-Control Index (TCINDEX) filter from April this year - fix
simply removes this classifier from the kernel
[USN-6070-1] Linux kernel vulnerabilities (01:37)
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-1872
CVE-2023-1829
5.15 raspi in 22.04, Azure FDE in 20.04
TCINDEX UAF plus UAF in io_uring
[USN-6071-1] Linux kernel (OEM) vulnerabilities (01:58)
12 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-26545
CVE-2023-23455
CVE-2023-1859
CVE-2022-4662
CVE-2022-4095
CVE-2022-40307
CVE-2022-3586
CVE-2022-3303
CVE-2022-2590
CVE-2023-0386
CVE-2023-0468
CVE-2023-1829
5.17
UAFs in TCINDEX, io_uring, logic issue in OverlayFS
([USN-6057-1] Linux kernel
(Intel IoTG) vulnerabilities from Episode 194), race-condition in handling
of handling of copy-on-write read-only shared memory mappings - unpriv user
could then get write on these read-only mappings -> privesc
[USN-6072-1] Linux kernel (OEM) vulnerabilities (02:31)
6 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-26545
CVE-2023-23455
CVE-2023-1859
CVE-2023-0386
CVE-2023-0468
CVE-2023-1829
6.0
UAFs in TCINDEX, io_uring, logic issue in OverlayFS
[USN-6079-1] Linux kernel vulnerabilities (02:49)
25 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-1118
CVE-2023-32269
CVE-2023-26544
CVE-2023-23455
CVE-2023-23454
CVE-2023-2162
CVE-2023-21106
CVE-2023-21102
CVE-2023-1652
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-1074
CVE-2023-1073
CVE-2023-0459
CVE-2023-0458
CVE-2023-0394
CVE-2023-0210
CVE-2022-48424
CVE-2022-48423
CVE-2022-4842
CVE-2022-4129
CVE-2022-3707
CVE-2022-36280
CVE-2022-27672
5.19 22.10 / 22.04 Azure
[USN-6080-1] Linux kernel vulnerabilities (02:55)
10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-20938
CVE-2023-1513
CVE-2023-1078
CVE-2023-1075
CVE-2023-0459
CVE-2022-3707
CVE-2022-27672
5.15 22.04 / 20.04 HWE
[USN-6081-1] Linux kernel vulnerabilities (03:02)
5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-1118
CVE-2023-32269
CVE-2023-2162
CVE-2023-1513
CVE-2023-0459
4.15 18.04 GA / 16.04 AWS (Ubuntu Pro)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability (03:14)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2088
Inconsistency between Cinder (block storage service of OpenStack) and Nova
(compute / virtual server provisioning) could result in storage volumes being
attached to the wrong compute instances - would happen when trying to detach a
volume from an instance
Lots of interacting components, all need a consistent view of the system etc
[USN-6073-5] Nova regression
Affecting Focal (20.04 LTS)
Above update meant that in some circumstances Nova would be unable to detach
volumes from instances
[USN-6074-1] Firefox vulnerabilities (04:15)
11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-32209
CVE-2023-32208
CVE-2023-32206
CVE-2023-32216
CVE-2023-32215
CVE-2023-32213
CVE-2023-32212
CVE-2023-32211
CVE-2023-32210
CVE-2023-32207
CVE-2023-32205
113.0
[USN-6074-2] Firefox regressions (04:27)
11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-32209
CVE-2023-32208
CVE-2023-32206
CVE-2023-32216
CVE-2023-32215
CVE-2023-32213
CVE-2023-32212
CVE-2023-32211
CVE-2023-32210
CVE-2023-32207
CVE-2023-32205
113.0.1 from upstream
[USN-6075-1] Thunderbird vulnerabilities (04:36)
7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-32206
CVE-2023-32215
CVE-2023-32213
CVE-2023-32212
CVE-2023-32211
CVE-2023-32207
CVE-2023-32205
102.11.0
[USN-6060-3] MySQL regression (05:02)
Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
[USN-6060-1, USN-6060-2] MySQL vulnerabilities from Episode 194
Latest upstream release 8.0.33 introduced a regression on 32-bit ARM (armhf) -
would crash on startup - to fix, reverted an upstream commit which was
introduced to help with performance of atomic operations
[USN-6076-1] Synapse vulnerabilities (05:39)
7 CVEs addressed in Bionic (18.04 LTS)
CVE-2018-16515
CVE-2019-5885
CVE-2018-12423
CVE-2019-11842
CVE-2018-10657
CVE-2018-12291
CVE-2019-18835
Matrix homeserver
Various issues - signature checking on APIs, failure to properly apply event
visibility rules, DoS - exploited in the wild, insufficient randomness when
generating random IDs made them guessable, ability for unauthorised users to
hijack rooms, more predictable randomness which could allow remote attackers
to impersonate users, event spoofing due to improper signature validation -
some of these require to be the admin of a room or to have a malicious server
etc - but since Matrix is federated, this is not so implausible
[USN-6078-1] libwebp vulnerability (06:38)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-1999
Double free when handling crafted content
[USN-6077-1] OpenJDK vulnerabilities (06:45)
7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-21968
CVE-2023-21967
CVE-2023-21954
CVE-2023-21939
CVE-2023-21938
CVE-2023-21937
CVE-2023-21930
Latest upstream point releases
Most Ubuntu releases support more then 1 version of OpenJDK - this update is
for OpenJDK versions 20, 17, 11 and 8 across the various Ubuntu releases
[USN-6082-1] EventSource vulnerability (07:02)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-1650
EventSource client for NodeJS - info leak - could leak cookies and
authorisation headers to third party applications - but should have been
sanitising headers to avoid this as per same-origin-policy
Goings on in Ubuntu Security Community
Datadog outage and management of security updates (07:32)
https://newsletter.pragmaticengineer.com/p/inside-the-datadog-outage
Alex and Camila discuss a recent outage at Datadog on their Ubuntu systems
that was triggered by a security update for systemd and the pros and cons of
automatic security updates plus other approaches which can be taken to allow
updates to be applied in a more controlled manner
https://ubuntu.com/blog/3-ways-to-apply-security-patches-in-linux
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
27min
May 11, 2023Episode 194
Overview
The team are back from Prague and bring with them a new segment, drilling into
recent academic research in the cybersecurity space - for this inaugural segment
new team member Andrei looks at modelling of attacks against network intrusion
detections systems, plus we cover the week in security updates looking at
vulnerabilities in Django, Ruby, Linux kernel, Erlang, OpenStack and more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-6054-1] Django vulnerability (00:55)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-31047
Django supports file uploading via various form constructs - it then performs
validation on the file
Was possible to upload multiple files via the form by attacking more than one
HTML attribute to the form - in this case though only the last file would be
validated - and so other files would escape validation
Fixed to have Django raise an error in the case that an application tries to
use these forms for multiple files and adds a new option to restore the old
behaviour if really desired - AND it adds support for validating all files in
this case.
[USN-6055-1] Ruby vulnerabilities (02:11)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-28756
CVE-2023-28755
Two ReDoS issues - ability to cause a CPU-based DoS through crafted input that
is then validated by a regex which takes an inordinate amount of time to run
one in URI parsing and the other in Time parsing
[USN-6055-2] Ruby regression (03:11)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-28755
The URI parser regex fix caused a regression and so was reverted - is still
under investigation and hope to fix it again in a future update
[USN-6056-1] Linux kernel (OEM) vulnerability (03:13)
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-1859
UAF in Xen Plan 9 file system protocol -> DoS / info leak
[USN-6057-1] Linux kernel (Intel IoTG) vulnerabilities (03:31)
10 CVEs addressed in Jammy (22.04 LTS)
CVE-2023-26545
CVE-2023-1652
CVE-2023-1074
CVE-2023-1073
CVE-2023-0394
CVE-2022-4842
CVE-2022-47929
CVE-2022-4129
CVE-2023-0386
CVE-2023-1281
OverlayFS is a union file-system, allowing one FS to be stacked on top of
another - often used for things like schroots where you want to have the
pristine source and then a working session chroot where you can make changes
and then finally dispose of the whole thing back to the original
Interaction with setuid binaries and the nosuid mount option - nosuid means
the suid bit is ignored - in this case, if had setup an overlay with the
base file-system mounted nosuid, then in some cases it would be possible to
copy up an suid binary as an unprivileged user and have it retain the suid
bit - and then the user could just execute it to gain root privileges
UAF in Traffic-Control Index (TCINDEX) filter - found in March this year
[USN-6058-1] Linux kernel vulnerability (05:45)
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2023-1829
Another UAF in Traffic-Control Index (TCINDEX) filter from April this year -
seems upstream is sick of these UAFs in TCINDEX so their fix simply removes
this classifier from the kernel and hence so does ours - in general we try not
to introduce breaking changes but in this case prefer to stay consistent with
upstream - also upstream say this does not have many known users anyway
[USN-6059-1] Erlang vulnerability (06:23)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-37026
Failed to properly maintain state during TLS handshake when validating client
certificate - basically a malicious client could send the certificate and then
simply omit the TLS handshake message which tells the server to validate the
cert and the server state would then show the cert had been validated
Note only affects Erlang applications that use client certificates for
authentication (ie. the '{verify, verify_peer}' SSL option)
Still planning to try and update erlang in bionic (18.04 LTS) but backport is
more complicated
[USN-6060-1, USN-6060-2] MySQL vulnerabilities (07:40)
20 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-21982
CVE-2023-21980
CVE-2023-21977
CVE-2023-21976
CVE-2023-21972
CVE-2023-21966
CVE-2023-21962
CVE-2023-21955
CVE-2023-21953
CVE-2023-21947
CVE-2023-21946
CVE-2023-21945
CVE-2023-21940
CVE-2023-21935
CVE-2023-21933
CVE-2023-21929
CVE-2023-21920
CVE-2023-21919
CVE-2023-21912
CVE-2023-21911
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2023-21980
CVE-2023-21912
Latest upstream releases
8.0.33 for 20.04 LTS, 22.04 LTS, 22.10, and Lunar (23.04)
5.7.42 for 16.04 ESM and 18.04 LTS
As is the latest upstream point release, also includes bug fixes and possibly
new features / incompatible changes - full list of details from upstream:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-42.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-33.html
[USN-6061-1] WebKitGTK vulnerabilities (08:14)
6 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-28205
CVE-2023-27954
CVE-2023-27932
CVE-2023-25358
CVE-2022-32885
CVE-2022-0108
Various UAFs plus ability to track users across origins or bypass same origin
policy
[USN-6062-1] FreeType vulnerability (08:38)
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-2004
Integer overflow when parsing a malformed font - DoS / RCE (particurly with
the advent of web fonts)
[USN-6063-1] Ceph vulnerabilities (09:03)
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-3854
CVE-2022-3650
CVE-2022-0670
CVE-2021-3979
backport of:
17.2.5 for 22.10, 22.04 LTS
15.2.17 for 20.04 LTS
12.2.13 for 18.04 LTS
[USN-6066-1] OpenStack Heat vulnerability (09:29)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2023-1625
Orchestration Service for OpenStack - info leak via API
[USN-6067-1] OpenStack Neutron vulnerabilities (09:39)
5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-3277
CVE-2021-40797
CVE-2021-40085
CVE-2021-38598
CVE-2021-20267
Virtual Network Service
[USN-6068-1] Open vSwitch vulnerability (09:45)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2023-1668
Failed to properly handle IP packets which specified a protocol of 0 (used in
IPv6 to specify hop-by-hop options) - if a packet with protocol 0 was
encountered, OVS would install a dataflow path for both kernel and userspace
which would match on ALL IP protocols for this flow - so this would then
possibly match against other IP packets and so cause them to be handled
incorrectly (possibly allowing when should have been denied etc)
[USN-6065-1] css-what vulnerabilities (10:43)
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-21222
CVE-2021-33587
CSS selector parser for NodeJS
Two ReDoS issues
[USN-6064-1] SQL parse vulnerability (11:00)
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
CVE-2023-30608
Another ReDoS
Goings on in Ubuntu Security Community
Ubuntu 23.10 release cycle opens (11:41)
The Ubuntu Security is back from Prague (Engineering Sprint) - spent the week
diving deep into various aspects like what kinds of tooling and processes we
want to try and improve across the team, talking about the culture and history
of the team to make sure we maintain our great culture as the team grows.
Even discussing mundane stuff like how to refer to and name security updates
which go into Ubuntu Pro vs the regular Ubuntu Archive - making sure it is
clear to consumers of our USNs etc what is where, plus the various policies
around updated for Ubuntu Pro
Sessions devoted to snaps and how to do appropriate security reviews for them
plus how to coordinate better with the snapd team
Even looking at tech debt within our team and our tooling and how we can try
and tackle some of that
As for more concrete plans for the security team during 23.10
continue the work to use AppArmor to enable tighter controls over
unprivileged user namespaces within Ubuntu
various improvements to our OVAL feeds to make them more useful to users and
customers alike
utilising the Canonical Hardware Certifications Lab for testing of security
updates for packages that require particular hardware (think things like
intel-microcode, nvme-cli, various graphics drivers etc)
Improvements to AppArmor for more fine-grained network mediation and
io_uring
More work on supporting various confidential computing use-cases (for an
introduction to these types of topics see
https://ubuntu.com/engage/introduction-to-confidential-computing-webinar)
Usual work on FIPS / CIS / DISA-STIG updates plus usual security maintenance
Academic paper review with Andrei Iosif (14:40)
New segment to dig into the details of various interesting cybersecurity
research papers
Andrei joined the team just over 1 month ago - previously was Tech Lead at a
SecOps startup developing open source tools for automating various
cybersecurity solutions - brings a wide range of great experience to our team
Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems
Looks at what the study was about (developing a model for attacks against
Network Intrusion Detection Systems, with a particular focus on IDSs that are
based on AI/ML approaches)
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter
...more
25min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.