Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

December 02, 2022Episode 183
Overview
This week we look at a recent report from Elastic Security Labs on the global
Linux threat landscape, plus we look at a few of the security vulnerabilities
patched by the team in the past 7 days.
This week in Ubuntu Security Updates
81 unique CVEs addressed
[USN-5638-3] Expat vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-43680
[USN-5739-1] MariaDB vulnerabilities
36 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-32091
CVE-2022-32089
CVE-2022-32088
CVE-2022-32087
CVE-2022-32086
CVE-2022-32085
CVE-2022-32084
CVE-2022-32083
CVE-2022-32082
CVE-2022-32081
CVE-2022-27458
CVE-2022-27457
CVE-2022-27456
CVE-2022-27455
CVE-2022-27452
CVE-2022-27451
CVE-2022-27449
CVE-2022-27448
CVE-2022-27447
CVE-2022-27446
CVE-2022-27445
CVE-2022-27444
CVE-2022-27387
CVE-2022-27386
CVE-2022-27384
CVE-2022-27383
CVE-2022-27382
CVE-2022-27381
CVE-2022-27380
CVE-2022-27379
CVE-2022-27378
CVE-2022-27377
CVE-2022-27376
CVE-2022-21427
CVE-2021-46669
CVE-2018-25032
[USN-5740-1] X.Org X Server vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-3551
CVE-2022-3550
[USN-5736-1] ImageMagick vulnerabilities
17 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Kinetic (22.10)
CVE-2022-32547
CVE-2022-32546
CVE-2022-32545
CVE-2022-28463
CVE-2022-1114
CVE-2021-4219
CVE-2021-39212
CVE-2021-3574
CVE-2021-20313
CVE-2021-20312
CVE-2021-20309
CVE-2021-20246
CVE-2021-20245
CVE-2021-20244
CVE-2021-20243
CVE-2021-20241
CVE-2021-20224
[USN-5741-1] Exim vulnerability
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-3559
[USN-5742-1] JBIG-KIT vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2017-9937
[USN-5743-1] LibTIFF vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-3970
[USN-5744-1] libICE vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2017-2626
[USN-5745-1, USN-5745-2] shadow vulnerability & regression
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2013-4235
Upstream introduced a change in file-system handling in useradd that required
newer glibc - broke on older Ubuntu releases so that update has been reverted
for now on those releases - still is in place on Ubuntu 22.04 LTS / 22.10
[USN-5689-2] Perl vulnerability
1 CVEs addressed in Kinetic (22.10)
CVE-2020-16156
[USN-5746-1] HarfBuzz vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2015-9274
[USN-5747-1] Bind vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2016-6170
CVE-2016-2775
[USN-5748-1] Sysstat vulnerability
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-39377
[USN-5728-3] Linux kernel (GCP) vulnerabilities
12 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-42719
CVE-2022-40768
CVE-2022-39188
CVE-2022-3635
CVE-2022-3625
CVE-2022-3028
CVE-2022-29901
CVE-2022-2978
CVE-2022-2153
CVE-2022-20422
CVE-2022-41222
CVE-2022-42703
2 high priority vulnerabilities both found by Jann Horn (GPZ)
UAF in handling of anonymous VMA mappings
UAF in memory management subsytem handling of TLBs
both could be exploited by a local attacker to crash the kernel or get
possible code execution within the kernel and hence escalate privileges
[USN-5749-1] libsamplerate vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2017-7697
[USN-5750-1] GnuTLS vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-4209
[USN-5718-2] pixman vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-44638
Goings on in Ubuntu Security Community
A look at Elastic Security Labs Global Threat Report
https://www.elastic.co/pdf/elastic-global-threat-report-vol-1-2022.pdf
Summarises the findings of the Elastic telemetry, which incorporates data from
their various products like Endgame, Endpoint and Security solution.
54% of malware on Windows, 39% on Linux, 6% on MacOS
Of those, top 10 are:
Meterpreter, Gafgyt, Mirai, Camelot, Generic, Dofloo, BPFDoor, Ransomexx,
Neshta, Getshell
We covered BPFDoor previously
Of these 80% are trojan-based, 11% are cryptominers, 4% ransomware
Trojans commonly used to deploy stager and dropper binaries as part of
wider intrusion effort
Cryptominers generally mining Monero - mostly composed of XMRig family
Also covers details on Windows and MacOS - interestingly Windows still has
lots of CobaltStrike, Metasploit and MimiKatz which are all ostensibly
red-team tools - also see lots of keyloggers as well as credential stealers
(crypto wallets)
Mapped behaviour against MITRE ATT&CK - 34% doing defense evasion, 22%
execution, 10% credential access, 8% persistence, 7% C², 6% privesc and 4%
initial access
of this, masquerading (as another legitimate process) and system binary
proxy execution (using existing system binaries to perform malicious
actions) accounts for 72% of defense evasion techniques
Then dive into more detail on execution techniques (mostly native command and
scripting interpreters - think PowerShell, Windows Script Host etc) and
abusing Windows Management Instrumentation (WMI) - but won’t go too much into
this here as this is the Ubuntu Security Podcast, not Windows ;)
Also cover metrics from the various public clouds - AWS had 57% of detections
whilst GCP and Azure each had ~22% - why does AWS have so much more? AWS has
at least ⅓ of the global cloud market share whilst Azure has 20% and GCP only
11%
Also perhaps AWS users prefer to use Elastic?
Activities they see most in the clouds are Credential Access, Persistence,
Defense Evasion, Initial Access
58% of initial access attempts use brute-force combined with password spraying
Report then breaks down each cloud to look at the activities mostly performed in each
AWS - access token stealing is top, Azure showed a large usage of valid
account access to then attempt to retrieve other access tokens or do
phishing, whilst for Google service account abuse was the top
Perhaps is more indicative of what each cloud is used for - ie AWS general
purpose, whilst Azure is AD and managed services, and Google is service
workers
Finally, the report does a deep dive on 4 different threat samples and then
has forecasts and recommendations based on those
Of these most are windows specific, but one does predict that Linux VMs used
for backend DevOps in cloud environments will be an increased target
This is not really surprising nor novel, and most OSS devs would likely
expect this threat given the nature of modern CI/CD pipelines and the
follow-up threat to code integrity / supply chain security etc (ie if an
attacker can compromise these machines can then tamper with source code /
build artefacts etc)
As always, requires organisations to have a good security posture and practice
good security hygiene - configure for least privilege, audit what you have,
deploy defense-in-depth solutions, monitoring and logging so can help detect
and have good incident response etc
simple things too - deploy MFA, install security updates etc
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter,
...more
14min
November 25, 2022Episode 182
Overview
After a longer-than-expected break, the Ubuntu Security Podcast is back,
covering some highlights of the various security items planned during the 23.04
development cycle, our entrance into the fediverse of Mastodon, some open
positions on the team and some of the details of the various security updates
from the past week.
This week in Ubuntu Security Updates
67 unique CVEs addressed
[USN-5726-1] Firefox vulnerabilities [00:45]
19 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-45417
CVE-2022-45416
CVE-2022-45415
CVE-2022-45412
CVE-2022-45421
CVE-2022-45420
CVE-2022-45419
CVE-2022-45418
CVE-2022-40674
CVE-2022-45413
CVE-2022-45411
CVE-2022-45410
CVE-2022-45409
CVE-2022-45408
CVE-2022-45407
CVE-2022-45406
CVE-2022-45405
CVE-2022-45404
CVE-2022-45403
Firefox 107.0
apparently includes support for power profiling in Intel CPUs as part of the
developer tools
[LSN-0090-1] Linux kernel vulnerability [01:16]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-42722
CVE-2022-42721
CVE-2022-42720
CVE-2022-41674
CVE-2022-2602
CVE-2022-1015
Race condition in io_uring -> UAF (from Pwn2Own 2022)
OOB write in netfilter - requires CAP_NET_ADMIN but this can be obtained from
within an unprivileged user namespace
Another example of why the Ubuntu Security team is pushing to disable the
use of unprivileged user namespaces by arbitrary processes in future Ubuntu
releases
Livepatch version information per release
canonical-livepatch status

Kernel type
22.04
20.04
18.04

aws
90.3
90.2
—

aws-5.15
—
90.3
—

aws-5.4
—
—
90.2

azure
90.2
90.2
—

azure-5.4
—
—
90.2

gcp
90.3
90.2
—

gcp-5.15
—
90.3
—

gcp-5.4
—
—
90.2

generic-5.4
—
90.2
90.2

gke
90.3
90.2
—

gke-5.15
—
90.3
—

gke-5.4
—
—
90.2

gkeop
—
90.2
—

gkeop-5.4
—
—
90.2

ibm
90.2
90.2
—

ibm-5.4
—
—
90.2

linux
90.2
—
—

lowlatency
90.2
—
—

lowlatency-5.4
—
90.2
90.2

[USN-5727-1] Linux kernel vulnerabilities [02:31]
7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2022-40768
CVE-2022-36879
CVE-2022-3635
CVE-2022-3028
CVE-2022-2978
CVE-2022-2153
CVE-2022-20422
[USN-5728-1] Linux kernel vulnerabilities
12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-42719
CVE-2022-40768
CVE-2022-39188
CVE-2022-3635
CVE-2022-3625
CVE-2022-3028
CVE-2022-29901
CVE-2022-2978
CVE-2022-2153
CVE-2022-20422
CVE-2022-41222
CVE-2022-42703
[USN-5729-1] Linux kernel vulnerabilities
8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-40768
CVE-2022-39190
CVE-2022-3635
CVE-2022-3625
CVE-2022-3028
CVE-2022-2978
CVE-2022-2905
CVE-2022-20422
[USN-5727-2] Linux kernel (GCP) vulnerabilities
7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2022-40768
CVE-2022-36879
CVE-2022-3635
CVE-2022-3028
CVE-2022-2978
CVE-2022-2153
CVE-2022-20422
[USN-5728-2] Linux kernel vulnerabilities
12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-42719
CVE-2022-40768
CVE-2022-39188
CVE-2022-3635
CVE-2022-3625
CVE-2022-3028
CVE-2022-29901
CVE-2022-2978
CVE-2022-2153
CVE-2022-20422
CVE-2022-41222
CVE-2022-42703
[USN-5729-2] Linux kernel vulnerabilities
8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-40768
CVE-2022-39190
CVE-2022-3635
CVE-2022-3625
CVE-2022-3028
CVE-2022-2978
CVE-2022-2905
CVE-2022-20422
[USN-5730-1] WebKitGTK vulnerabilities [02:41]
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-42824
CVE-2022-42823
CVE-2022-42799
CVE-2022-32923
CVE-2022-32888
Latest upstream version 2.38.2 fixing various web-engine related
vulnerabilities
[USN-5731-1] multipath-tools vulnerabilities [03:05]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-41974
CVE-2022-41973
2 issues discovered by Qualys - one in handling of symlinks in /dev/shm and
the other around the handling of UNIX domain sockets - could be combined
together with another unspecified vulnerability in a different component
installed by default on Ubuntu Server 22.04 to achieve privilege escalation to
root - will be interesting to find out what this other vulnerability is in the
future
[USN-5638-2] Expat vulnerabilities [03:53]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-43680
CVE-2022-40674
[USN-5638-1] Expat vulnerability from Episode 179
[USN-5732-1] Unbound vulnerability [04:02]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-3204
[USN-5686-2, USN-5686-3] Git vulnerabilities
2 CVEs addressed in Xenial ESM (16.04 ESM), Kinetic (22.10)
CVE-2022-39260
CVE-2022-39253
[USN-5686-1] Git vulnerabilities from Episode 181
[USN-5733-1] FLAC vulnerabilities
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2021-0561
CVE-2020-0499
CVE-2017-6888
[USN-5658-3] DHCP vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2022-2929
CVE-2022-2928
[USN-5716-2] SQLite vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2022-35737
[USN-5734-1] FreeRDP vulnerabilities [04:15]
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
CVE-2022-39347
CVE-2022-39320
CVE-2022-39319
CVE-2022-39318
CVE-2022-39317
CVE-2022-39316
CVE-2022-39283
CVE-2022-39282
[USN-5735-1] Sysstat vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-39377
[USN-5737-1] APR-util vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2017-12618
Goings on in Ubuntu Security Community
23.04 Ubuntu Security roadmap [04:52]
Since the last podcast in Episode 181, had both the 23.04 start-of-cycle
product roadmap sprint and engineering sprints in Prague (followed by the
Ubuntu Summit)
Some of the highlights for the Ubuntu Security team’s 23.04 roadmap
Tabletop exercises
Improvements to OVAL data
Various AppArmor improvements including user namespace mediation across the
distro, plus working with upstream kernel developers on io_uring mediation
Security improvements for Ubuntu Core including better integrity
verification
Usual security and other ongoing maintenance tasks
CVE patching, MIR package reviews, Snap Store security reviews, FIPS
maintenance and more
A heap of customer specific / commercially sensitive stuff too
Will talk more about a lot of these topics in future episodes
Hiring [08:46]
Security Engineer - Ubuntu
https://canonical.com/careers/2925180
Engineer position in the security maintenance team
Linux Cryptography and Security Engineer
https://canonical.com/careers/4717512
Engineer in the security certifications team
Ubuntu Security Manager
https://canonical.com/careers/4192903
One requisition, looking to fill multiple different manager positions -
Security Maintenance, Security Certifications and Security Technologies teams
The Ubuntu Security Team is now part of the Mastodon Fediverse [10:10]
@[email protected]
With all the recent drama on twitter, decided to establish a presence on the
fosstodon.org Mastodon instance as well
Mastodon is similar to twitter but instead of being one single centralised
service, consists of multiple federated servers - so a user on one server can
follow users on other servers - but allows different communities to have their
own servers if desired
Appears to be a good alternative to Twitter
Will operate both and try to keep the two in-sync
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@[email protected], @ubuntu_sec on twitter,
...more
13min
October 21, 2022Episode 181
Overview
It’s the release of Ubuntu 22.10 Kinetic Kudu, and we give you all the details
on what’s new and improved, with a particular focus on the security features,
plus we cover a high priority vulnerability in libksba as well.
This week in Ubuntu Security Updates
39 unique CVEs addressed
[USN-5672-1] GMP vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-43618
[USN-5673-1] unzip vulnerabilities
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-0530
CVE-2022-0529
CVE-2021-4217
[USN-5674-1] XML Security Library vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2017-1000061
[USN-5675-1] Heimdal vulnerabilities
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-3116
CVE-2021-3671
CVE-2019-12098
CVE-2018-16860
[USN-5677-1] Linux kernel vulnerabilities
11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-36879
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-3176
CVE-2022-26373
CVE-2022-26365
CVE-2022-2318
CVE-2022-20369
CVE-2021-4159
[USN-5678-1] Linux kernel vulnerabilities
9 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2022-32296
CVE-2022-1012
CVE-2022-0812
[USN-5679-1] Linux kernel (HWE) vulnerabilities
9 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2022-32296
CVE-2022-1012
CVE-2022-0812
[USN-5676-1] PostgreSQL vulnerability
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-1552
[USN-5680-1] gThumb vulnerabilities
2 CVEs addressed in Focal (20.04 LTS)
CVE-2020-36427
CVE-2019-20326
[USN-5682-1] Linux kernel (AWS) vulnerabilities
11 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-36879
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-3176
CVE-2022-26373
CVE-2022-26365
CVE-2022-2318
CVE-2022-20369
CVE-2021-4159
[USN-5683-1] Linux kernel (IBM) vulnerabilities
16 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-39189
CVE-2022-36946
CVE-2022-36879
CVE-2022-34495
CVE-2022-34494
CVE-2022-33744
CVE-2022-33743
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-3176
CVE-2022-26373
CVE-2022-26365
CVE-2022-2318
CVE-2022-1882
CVE-2021-33655
[USN-5684-1] Linux kernel (Azure) vulnerabilities
9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2022-32296
CVE-2022-1012
CVE-2022-0812
[USN-5570-2] zlib vulnerability
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-37434
[USN-5685-1] FRR vulnerabilities
2 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-37035
CVE-2022-37032
[USN-5686-1] Git vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-39260
CVE-2022-39253
[USN-5687-1] Linux kernel (Azure) vulnerabilities
9 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2022-32296
CVE-2022-1012
CVE-2022-0812
[USN-5688-1] Libksba vulnerability [01:24]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-3515
libksba library used to parse and build ASN.1 objects contained within S/MIME,
X.509 certificates etc
ASN.1 supports various encoding formats - BER, DER (basic and distinguised
encoding rules respectively)
Both use a tag-length-value scheme to encode objects
When copying these objects around, would copy both a header as well as the
object itself - if an object was really large, the sum of the header size plus
the object would overflow - allowing a size check to be bypassed (since when
overflowing wraps around to be a small sized integer)
Integer overflow leading to a buffer overflow
Considered a severe bug by upstream
in Ubuntu is used by gpgsm (used to handled SMIME signed data) and dirmngr -
responsible for parsing and loading CRLS and verifying certs used by TLS
Goings on in Ubuntu Security Community
Ubuntu 22.10 Kinetic Kudu release [04:02]
https://ubuntu.com/blog/canonical-releases-ubuntu-22-10-kinetic-kudu
kernel 5.19
security wise
Faster RNG (entropy extraction switched from SHA1 to BLAKE2)
Support for Intel Trust Domain Extensions (TDX)
successor to SGX, builds on lessons learned
virtualisation based confidential computing environment
equivalent to an SGX enclave
uses a new processor mode called SEAM
allows to deploy legacy applications without having to adapt them a
different programming model as was done for SGX
AppArmor support for posix-mq and unprivileged user namespace mediation
idea is that only applications which are running under an AppArmor profile
with permission to user userns will be able to - unconfined will not -
this kernel configuration is disabled by default but can be enabled via a
sysctl:
then unconfined applications will not be able to use them
helps limit an attack surface for exploits - 4 out of 5 pwn2own exploits
against Ubuntu this year used unprivileged userns as part of their attack
chain
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
Desktop
pipewire is now default instead of pulseaudio - improved bluetooth handling
GNOME 43 - gedit replaced by gnome-text-editor, gnome-terminal still there
but likely will be new gnome-console in 23.04
LibreOffice 7.4
FF 106/ TB 102
Updated bluez, CUPS, network-manager, Mesa 22 etc
Server
socket-activated SSH daemon to reduce memory footprint inside containers etc
improved support for integration with Windows Server w/ LDAP channel binding and LDAP signing in cyrus-sasl2
bind9 support for remote TLS verification in both named and dig to allow to implement strict and mutual TLS authentication
updated containerd, runc, docker.io
updated qemu - improved emulation of RISC-V, s390x
updated libvirt - ppc64 Power10 processor support
For developers:
debuginfod
updated gcc, Go, Ruby and Rust toolchains
Canonical Product Roadmap + Engineering Sprints + Ubuntu Summit [12:32]
No podcast for the next 3 weeks
Thanks and farewell to Shaun Murphy [13:45]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
15min
October 14, 2022Episode 180
Overview
Ubuntu Pro beta is announced and we cover all the details with Lech Sandecki and
Eduardo Barretto, plus we cover security updates for DHCP, kitty, Thunderbird,
LibreOffice, the Linux kernel, .NET 6 and more.
This week in Ubuntu Security Updates
49 unique CVEs addressed
[USN-5658-1] DHCP vulnerabilities [00:53]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2929
CVE-2022-2928
2 different DoS against ISC DHCP server
a client could send a lease query to the server
which would fail to properly decrement a reference count and hence eventually
could overflow the reference counter -> abort -> DoS
memory leak could be triggered by a client sending a crafted DHCP packet
with a FQDN label longer than 64 bytes - eventually would run out of memory
-> crash -> DoS
[USN-5659-1] kitty vulnerabilities [01:45]
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-41322
CVE-2020-35605
Cross-platform, fast, feature-rich, GPU based terminal
Includes support for image display, but if it failed to read an image file
then would display an error message containing the file name - as such, could
craft the name of the filename to then inject terminal control characters and
hence arbitrary input into the shell itself and hence execute arbitrary
code
Also supports showing desktop notifications via OSC escape codes - ie. a shell
script or even a file could output these and kitty would interpret that to
show a desktop notification. Also includes support for actions on
notifications through a named notification id. However, would also fail to
sanitize these ids, again allowing terminal control characters to be injected
and hence arbitrary code to be executed if the user were to then click on a
notification popup
requires an attacker can get the user to display arbitrary content, and then
for the user to click the notification
[USN-5657-1] Graphite2 vulnerability [03:16]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2018-7999
NULL pointer deref via crafted ttf
[USN-5663-1] Thunderbird vulnerabilities [03:27]
12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-36059
CVE-2022-3033
CVE-2022-3034
CVE-2022-3032
CVE-2022-38478
CVE-2022-38477
CVE-2022-38476
CVE-2022-38473
CVE-2022-38472
CVE-2022-36319
CVE-2022-36318
CVE-2022-2505
102.2.2
DoS against the inbuilt Matrix client
2 different methods to cause TB to make a network request when an email was
opened - both via html within an iframe - allows sender to track whether the
email was opened etc
Various web framework issues via rendering untrusted content - DoS, mount
pointer and addressbar spoofing, RCE etc
[USN-5371-3] nginx vulnerability [04:22]
3 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-3618
CVE-2020-36309
CVE-2020-11724
HTTP request smuggling, first covered back in [USN-5371-1] nginx vulnerabilities in Episode 157
[USN-5666-1] OpenSSH vulnerability [04:35]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-41617
Failed to properly drop permissions when executing helper commands for
AuthorizedKeysCommand and AuthorizedPrincipalsCommand and so would run these
with group membership of the sshd process itself (even if configured to run as
a different user)
As such is a form of privilege escalation - low impact since is a non-default
configuration
[USN-5665-1] PCRE vulnerabilities [05:19]
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2017-7186
CVE-2017-6004
2 different OOB read via crafted regexs -> DoS
[USN-5661-1] LibreOffice vulnerabilities [05:31]
3 CVEs addressed in Focal (20.04 LTS)
CVE-2022-26307
CVE-2022-26306
CVE-2022-26305
Document macros have been a common attack vector for Microsoft Office
To mitigate this, can configure to only execute macros which have a trusted
signature
Failed to properly validate these (would only verify that the certificate for
the signature had the same serial number and issuer string of the trusted
certificate) - instead has to actually compare the hash of the certificate
itself as well
Also has its own password database for storing authentication info for various
web connections
A couple issues existing when encrypting the master key which result in it
being much easier to crack the encryption via a brute force attack than should
otherwise be - a local attacker with access to a user’s LibreOffice config
(and hence PW DB) could potentially get access to their credentials as used by
LO
[USN-5660-1] Linux kernel (GCP) vulnerabilities [07:02]
6 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-36946
CVE-2022-2503
CVE-2022-1729
CVE-2022-32296
CVE-2022-1012
CVE-2021-33655
5.4 GCP on Ubuntu 18.04 LTS
Most of these have seen in previous weeks - framebuffer driver OOB when
changing font/screen sizes -> DoS/codeexec, perf race-condition -> UAF ->
DoS/codeexec, netfilter remote DoS via crafted packet causing truncation below
packet header size, lack of good enough IP source port randomisation allows a
malicious TCP server to identify a host by the chosen source port, dm-verity
DoS/code execution by bypassing LoadPin restrictions to load untrusted kernel
modules / firmware (but requires root privileges in the first place)
x*** [USN-5667-1] Linux kernel vulnerabilities [08:01]
5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-39189
CVE-2022-36879
CVE-2022-3176
CVE-2022-26373
CVE-2022-1882
5.15 22.04 GA / 20.04 HWE - generic/clouds/lowlatency/raspi etc
race condition -> UAF in internal pipe impl -> DoS/codeexec
speculative execution vuln - Enhanced Indirect Branch Restricted Speculation
(eIBRS) on some processors did not properly handle RET instructions in some
cases - local attacker could read sensitive info as a result
io_uring UAF
netlink xfrm ref counting bug -> underflow -> OOPS -> DoS
Unpriv guest user can compromise guest kernel since KVM failed to properly
handle TLB flushing in some cases
[USN-5668-1] Linux kernel vulnerabilities [09:07]
11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-36879
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-3176
CVE-2022-26373
CVE-2022-26365
CVE-2022-2318
CVE-2022-20369
CVE-2021-4159
5.4 20.04 GA / 18.04 HWE
More of the same
[USN-5669-1, USN-5669-2] Linux kernel vulnerabilities [09:18]
9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2022-33744
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2022-32296
CVE-2022-1012
CVE-2022-0812
4.15 18.04 GA / 16.04 ESM HWE
[USN-5670-1] .NET 6 vulnerability [09:27]
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-41032
Patch Tuesday!
EoP via NuGet Client to allow a local attacker to get code execution
[USN-5671-1] AdvanceCOMP vulnerabilities [09:44]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2019-8383
CVE-2019-8379
recompression utils
NULL ptr deref + heap buffer overflow could be triggered by opening a crafted
files
Goings on in Ubuntu Security Community
Ubuntu Pro Beta overview with Lech Sandecki and Eduardo Barretto [10:08]
Hinted at briefly back in Preparing for the release of Ubuntu Pro [09:44]
https://ubuntu.com/blog/ubuntu-pro-beta-release
https://ubuntu.com/pro
https://youtu.be/tHXL2_QTRwo
We want your feedback:
https://discourse.ubuntu.com/c/ubuntu-pro/116
Lech is hosting a webinar on 25th October 2022 16:00 UTC (5pm UK time, 12pm EDT)
https://ubuntu.com/engage/introduction-to-ubuntu-pro
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
36min
September 30, 2022Episode 179
Overview
Finer grained control for unprivileged user namespaces is on the horizon for
Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS,
Squid and more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-5626-2] Bind vulnerabilities [00:40]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-38177
CVE-2022-2795
[USN-5626-1] Bind vulnerabilities from Episode 178
[USN-5627-1] PCRE vulnerabilities [01:01]
2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-1587
CVE-2022-1586
2 OOB read with crafted regexes - possible info leak
[USN-5628-1] etcd vulnerabilities [01:19]
4 CVEs addressed in Focal (20.04 LTS)
CVE-2020-15114
CVE-2020-15113
CVE-2020-15112
CVE-2020-15106
distributed key/value store used by kubernetes
all these vulns come from a security audit conducted by Trail of Bits in January of 2020.
performed both manual and automated review -> go-sec, errcheck, ineffassign etc
also fuzzed the WAL file handling (write-ahead logging - used to record
transactions that have been committed but not yet applied to the main
database)
2 issues in WAL file handling (crash), plus one in handling of directory
permissions for a directory that may already exist (info leak) and one in
setup of endpoints that could allow a DoS
[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-36946
CVE-2022-2503
CVE-2022-1729
CVE-2022-32296
CVE-2022-1012
CVE-2021-33655
5.4 Raspi HWE 18.04 LTS / Azure CVM 20.04 LTS
Same set of vulnerabilities covered in last weeks episode - [USN-5622-1] Linux kernel vulnerabilities
[USN-5633-1, USN-5635-1, USN-5640-1, USN-5644-1] Linux kernel vulnerabilities [03:09]
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-36946
CVE-2022-34495
CVE-2022-34494
CVE-2022-33744
CVE-2022-33743
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2021-33655
5.15 Raspi + GKE/GCP + Oracle + GCP (20.04)
[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-36946
5.17 OEM
netfilter remote DoS via crafted packet with a very short payload
[USN-5632-1] OAuthLib vulnerability [03:40]
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-36087
OAuth implementation for Python3 - used by various other applications like
keystone, django, duplicity
DoS via a malicious redirect URL specifying an IPv6 address - could trigger an
exception -> application crash -> DoS
[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-46822
CVE-2020-35538
CVE-2020-17541
CVE-2018-11813
Various issues in handling of crafted JPEG/PPM files - stack buffer overflow,
heap buffer overflow, NULL pointer dereference, resource consumption based DoS
in cjpeg utility - crafted file with a valid Targa header but incomplete
data - would keep trying pixel after reaching EOF - internally used getc()
which returns the special value EOF when the end of file is reached - this is
actually -1 but requires the caller to check for this special value - if not,
would interpret this as pixel data (all bits set -> 255,255,255 -> white)
resulting in JPEG file that was possibly thousands of times bigger than the
input file - fixed to use existing input routines to read the data which
already check for EOF condition
[USN-5629-1] Python vulnerability [05:54]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-28861
Open redirect in http.server through a URI which has multiple / at the
beginning - a URI such as //path gets treated as an absolute URI rather than a
path - could then end up sending a 301 location header with a misleading target
Upstream dispute this - state that it should not be used in production as it
only implements basic security checks
[USN-5636-1] SoS vulnerability [06:39]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2806
sosreport - used to gather details of a system etc for debug/analysis
Redacts passwords - previously used a hardcoded list of possible things that
could contain passwords - instead now looks for anything with the name
password and redacts that
[USN-5637-1] libvpx vulnerability [07:45]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2020-0034
OOB read -> info leak / crash
[USN-5638-1] Expat vulnerability [07:55]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-40674
UAF with crafted XML content -> crash / RCE
[USN-5641-1] Squid vulnerabilities [08:06]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-41318
CVE-2022-41317
Failed to properly handle ACLs for cache manager, allowing a trusted client to
read other client ids / credentials and internal network structure
Integer overflow -> buffer overread when using SSPI/SMB authentication helpers
for NTLM authentication - since this is in handling of credentials, could
allow an attacker to read decrypted user credentials or other memory regions
from Squid
[USN-5642-1] WebKitGTK vulnerabilities [08:57]
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-32886
Buffer overflow when handling malicious web content -> RCE
[USN-5643-1] Ghostscript vulnerabilities [09:18]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2085
CVE-2020-27792
2 issues in PDF file handling
NULL pointer dereference -> DoS
heap buffer overflow -> DoS / RCE
Goings on in Ubuntu Security Community
Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]
https://lists.ubuntu.com/archives/ubuntu-announce/2022-September/000284.html
Includes details on how to upgrade - as per when we covered the Ubuntu 22.04.1
release - if you do want to upgrade to the beta, and you are using 22.04
desktop, then first log out, switch to a virtual console (Ctrl-Alt-F2) and run
it from there as less chance that it takes down your whole graphical session
and hence the upgrade process partway through
Will cover in more detail when the final release comes out in a few weeks
Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]
Often has been a source of increased attack surface for the kernel
Disabling of unpriv userns has often been recommended to mitigate various
kernel vulns
This is done via sysctl in Ubuntu:
sudo sysctl kernel.unprivileged_userns_clone=0
Big hammer - either on or off
Various applications have legitimate uses of unpriv userns
flatpak / bubblewrap etc
some of these ship a helper application which is setuid root so they can
still use user namespaces but this then creates another attack surface - the
setuid-root binary
instead it would be better to have a way to only allow particular
applications to use unprivileged user namespaces and then deny it to others
would provide much finer grained control to this potentially risky feature
AppArmor developers have added support for just this
all unconfined applications would be denied and only confined applications
which have the userns permission would be allowed
For now, it is planned to have this disabled by default for 22.10
AppArmor will have a sysctl to enable it so can be tested
Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
With any luck, 23.04 will ship with this enabled along with AppArmor
confinement for things like bubblewrap etc that require this capability
Snaps will get it for free since they are confined by AppArmor out of the box
John Johansen is working with the kernel team to land this in the kernel for 22.10
Georgia Garcia is working on the userspace side to add support for creating
policy that specifies the userns permission in apparmor package too
Hopefully can all land both via the FeatureFreezeException (FFe) process
Ubuntu Security Podcast on break for 1 week
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
17min
September 23, 2022Episode 178
Overview
You can’t test your way out of security vulnerabilities (at least when writing
your code in C), plus we cover security updates for Intel Microcode, vim,
Wayland, the Linux kernel, SQLite and more.
This week in Ubuntu Security Updates
68 unique CVEs addressed
[USN-5606-2] poppler regression [00:45]
Affecting Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5606-1] poppler vulnerability from Episode 177 - integer overflow in
JBIG2 decoder
When backporting the series of patches, missed one that updated the
CMakeLists.txt to ensure a new header file that was added as part of the
security update is actually installed by the libpoppler-dev package - without
this if installed the update and then tried to recompile something locally it
would fail
[USN-5612-1] Intel Microcode vulnerability [01:29]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-21233
Latest upstream Intel Microcode release (IPU 2022.2) - only security relevant
for SGX
[USN-5613-1, USN-5613-2] Vim vulnerabilities [01:54]
7 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-1621
CVE-2022-1620
CVE-2022-1619
CVE-2022-1616
CVE-2022-1420
CVE-2022-1154
CVE-2022-0943
Various buffer overflows and the like that could be triggered when editing
crafted files - have said in the past that vim is fast becoming one of the
most security-patched packages in Ubuntu - all driven by their bug-bounty
https://huntr.dev/repos/vim/vim/
[USN-5614-1] Wayland vulnerability [02:17]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2021-3782
Reference count overflow - used a 32-bit int to count the number of
references - but on a 64-bit machine it is quite possible that a malicious
client could allocate a huge amount of buffers to overflow and then possibly
get a UAF - highly unlikely to be able to exploit in practice since would also
need a large number of connections to the compositor as well - fixed by
limiting the max number of objects that can be allocated
[USN-5615-1] SQLite vulnerabilities [03:01]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2021-20223
CVE-2020-35527
CVE-2020-35525
NULL ptr deref, OOB read, unicode parsing issue - disputed by upstream as an
actual vuln
Has such a large amount of tests - https://www.sqlite.org/testing.html
for 151 KSLOC has 92,038 KSLOC of tests -> 608 times as much code in tests
that the actual library itself
4 different test harnesses, 100% branch coverage, OOM tests, I/O error
tests, fuzz tests, boundary conditions, regression tests, valgrind, UB etc
yet still has new vulns discovered every now and then
you can’t test your way out of security issues - at least when you write
your code in C which has just too many different operations that have UB
you can perhaps do it via formal methods (seL4 etc) but is very expensive..
$200-400/LoC
eg. to formally prove SQLite would then cost ~$18.4M-$36.8M
use rust?
would hopefully help at least for the first 2 issues - can still have
logic flaws and hence security vulns (eg. failing to properly validate a
TLS cert or similar)
[USN-5616-1] Linux kernel (Intel IoTG) vulnerabilities [06:00]
10 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-2959
CVE-2022-2873
CVE-2022-2503
CVE-2022-1973
CVE-2022-1943
CVE-2022-1852
CVE-2022-1729
CVE-2022-32296
CVE-2022-1012
CVE-2021-33061
5.15
Some of these have covered previously
Intel 10GbE PCI Express driver, IP source port randomisation failure, perf
UAF, KVM NULL ptr deref, various file-system OOB R/W etc
[USN-5621-1] Linux kernel vulnerabilities [06:32]
2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 GA 18.04 LTS, HWE 16.04 ESM
CVE-2022-36946
CVE-2021-33655
console framebuffer and netfilter OOB writes covered in previous episodes
[USN-5622-1] Linux kernel vulnerabilities [06:57]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-36946
CVE-2022-2503
CVE-2022-1729
CVE-2022-32296
CVE-2022-1012
CVE-2021-33655
5.4 GA 20.04 LTS / HWE 18.04 LTS
x*** [USN-5624-1] Linux kernel vulnerabilities [07:05]
11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-36946
CVE-2022-34495
CVE-2022-34494
CVE-2022-33744
CVE-2022-33743
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
CVE-2022-2318
CVE-2021-33655
5.15 GA 22.04 LTS / Azure 20.04 LTS
[USN-5623-1] Linux kernel (HWE) vulnerabilities [07:12]
21 CVEs addressed in Focal (20.04 LTS)
CVE-2022-36946
CVE-2022-34495
CVE-2022-34494
CVE-2022-33744
CVE-2022-33743
CVE-2022-33742
CVE-2022-33741
CVE-2022-33740
CVE-2022-2959
CVE-2022-2873
CVE-2022-26365
CVE-2022-2503
CVE-2022-2318
CVE-2022-1973
CVE-2022-1943
CVE-2022-1852
CVE-2022-1729
CVE-2022-32296
CVE-2022-1012
CVE-2021-33655
CVE-2021-33061
5.15 20.04 HWE
all the vulns mentioned earlier plus a bunch in Xen (kernel side) - impact
ranges from crashing guest and exposing its memory to DoS services on the host
[USN-5617-1] Xen vulnerabilities [07:45]
20 CVEs addressed in Focal (20.04 LTS)
CVE-2020-25604
CVE-2020-25603
CVE-2020-25602
CVE-2020-25601
CVE-2020-25600
CVE-2020-25599
CVE-2020-25597
CVE-2020-25596
CVE-2020-25595
CVE-2020-15567
CVE-2020-15566
CVE-2020-15565
CVE-2020-15564
CVE-2020-15563
CVE-2020-11743
CVE-2020-11742
CVE-2020-11741
CVE-2020-11740
CVE-2020-11739
CVE-2020-0543
Community contributed update for xen - almost wins the award for the most CVEs
patched in a single update for this week
Most issues allow a malicious guest to attack the host -> DoS, privesc,
code-exec etc
[USN-5619-1] LibTIFF vulnerabilities [08:17]
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2058
CVE-2022-2057
CVE-2022-2056
CVE-2022-1355
CVE-2022-1354
CVE-2020-19144
CVE-2020-19131
Another package vying for most security updates recently
Usual memory corruption issues when handling crafted files - stack / heap
buffer overflows etc
[USN-5618-1] Ghostscript vulnerability [08:49]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2020-27792
Heap buffer overflow when parsing a crafted PDF
[USN-5626-1] Bind vulnerabilities [08:58]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-38178
CVE-2022-38177
CVE-2022-3080
CVE-2022-2906
CVE-2022-2881
CVE-2022-2795
Memory leaks when handling certain crypto algorithms with DNSSEC,
resource-based DoS, buffer over-read -> info leak / crash, assertion-based
crash via crafted query
[USN-5625-1] Mako vulnerability [09:22]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-40023
ReDoS via crafted content
Goings on in Ubuntu Security Community
Preparing for the release of Ubuntu Pro [09:44]
Team has worked on this for the last few years - finally will see the light of
day in the coming week or two - more details to come
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
11min
September 16, 2022Episode 177
Overview
Alex talks with special guests Nishit Majithia and Matthew Ruffell about a
recent systemd regression on Ubuntu 18.04 LTS plus we cover security updates for
Dnsmasq, the Linux kernel, poppler, .NET 6, rust-regex and more.
This week in Ubuntu Security Updates
28 unique CVEs addressed
[USN-4976-2] Dnsmasq vulnerability [00:55]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2021-3448
[USN-4976-1] Dnsmasq vulnerability for Episode 118
Failed to properly randomise source port (ie used a fixed port) when
forwarding queries when configured to use a specific server for a given
network interface - could then allow a remote attacker to more easily
perform cache poisoning attacks (ie just need to guess the transmission
ID once know the source port to get a forged reply accepted)
As I said back in Episode 118, this is very similar to the issues that were
discovered back in 2008 by Dan Kaminsky - the whole reason source port
randomisation was introduced as part of the DNS protocol
[USN-5602-1] Linux kernel (Raspberry Pi) vulnerabilities [02:11]
9 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-2959
CVE-2022-2873
CVE-2022-2503
CVE-2022-1973
CVE-2022-1943
CVE-2022-1852
CVE-2022-1729
CVE-2022-1012
CVE-2021-33061
See [USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities from last week
[USN-5603-1] Linux kernel (Raspberry Pi) vulnerabilities [02:29]
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2021-33656
CVE-2021-33061
See [USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities from last week
[USN-5605-1] Linux kernel (Azure CVM) vulnerabilities [02:38]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-33656
CVE-2021-33061
See [USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities from last week
[USN-5523-2] LibTIFF vulnerabilities [02:45]
7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-19144
CVE-2020-19131
CVE-2022-22844
CVE-2022-0924
CVE-2022-0909
CVE-2022-0908
CVE-2022-0907
[USN-5523-1] LibTIFF vulnerabilities from Episode 169
[USN-5604-1] LibTIFF vulnerabilities [03:13]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-2868
CVE-2022-2869
CVE-2022-2867
[USN-5606-1] poppler vulnerability [03:23]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-38784
Integer overflow in JBIG2 decoder -> heap buffer overflow via crafted PDF /
JBIG2 image - very similar to CVE-2022-38171 in xpdf
poppler started life as a fork of code from xpdf-3.0 but now has diverged so
much that in general a vuln in one cannot be assumed to exist in the other,
hence the separate CVE IDs for these two vulns
[USN-5607-1] GDK-PixBuf vulnerability [04:11]
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2021-44648
Heap buffer overflow when decoding lzw compressed stream from GIF files
[USN-5608-1] DPDK vulnerability [04:26]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2132
Crafted Vhost header could cause a DoS
[USN-5609-1] .NET 6 vulnerability [04:39]
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-38013
DoS in .NET Core - “a malicious client could cause a stack overflow which may
result in a denial of service attack when an attacker sends a customized
payload that is parsed during model binding”
https://devblogs.microsoft.com/dotnet/september-2022-updates/
Updates to latest upstream release 6.0.109
[USN-5583-2] systemd regression [05:16]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-2526
Mentioned in passing in both the last 2 weeks episodes
[USN-5610-1] rust-regex vulnerability
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-24713
ReDoS in regex crate - already includes various mitigations against DoS via
untrusted regexes (and these can be tuned by users of the crate) - however was
able to be bypassed by a regex that specified an empty subexpression that
should be matched up to say 294 million times - this then gets compiled but is
able to evade the existing mitigations since doesn’t take any memory - but it
does take a lot of CPU time
Fixed by changing code such that it will take a fake amount of memory for each
empty subexpression and therefore will trip the existing detection logic in a
reasonable amount of time
[USN-5611-1] WebKitGTK vulnerability [06:53]
1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-32893
OOB write via malicious web content - Apple reported that this was being
actively exploited for iOS users (Safari uses Webkit)
Goings on in Ubuntu Security Community
Discussion of the recent systemd regression in Ubuntu 18.04 LTS with Nishit Majithia and Matthew Ruffell [07:49]
Gathered media attention
https://thenewstack.io/ubuntu-linux-and-azure-dns-problem-gives-azure-fits/
Matthew is from the Sustaining Engineering Team at Canonical - I talked about
his blog in Analysis of the dovecat and hy4 Linux Malware - from Episode 97
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
32min
September 09, 2022Episode 176
Overview
On this week’s episode we dive into the Shikitega Linux malware report from AT&T
Alien Labs, plus we cover security updates for the Linux kernel, curl and
Zstandard as well as some open positions on the team. Join us!
This week in Ubuntu Security Updates
13 unique CVEs addressed
[USN-5591-1, USN-5591-2, USN-5591-3, USN-5591-4, USN-5597-1, USN-5598-1] Linux kernel (+ HWE, AWS, Oracle) vulnerability [00:47]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2021-33656
OOB write in virtual terminal driver when changing VGA console fonts - covered
back in USN-5580-1 - Linux kernel (AWS) vulnerabilities - in Episode 175
[USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities [01:04]
2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2021-33656
CVE-2021-33061
OOB write in virtual terminal driver when changing VGA console fonts
Improper control flow mgmt in Intel 10GbE PCIe driver - local DoS
[USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities [01:28]
9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2959
CVE-2022-2873
CVE-2022-2503
CVE-2022-1973
CVE-2022-1943
CVE-2022-1852
CVE-2022-1729
CVE-2022-1012
CVE-2021-33061
Above issues plus:
NULL pointer deref in KVM on host if a VM tried to execute an illegal instruction
OOB write in UDF file-system driver
UAF in NFTS under certain error conditions
OOB write in Intel SMBus host controller driver
Race condition in handling of pipe buffers -> OOB
[USN-5587-1] curl vulnerability [02:12]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-35252
Cookies generally contain NAME=VALUE pairs using ASCII chars for both
ASCII character set contains usual A-Za-z0-9 and punctuation (space, “!#&)
plus a bunch of control codes - NUL, BEL, LF, CR, HT (\t) and more
These have a byte value below 32
curl since 4.9 would accept cookies with control codes
As with cookies, these get sent back to the server on subsequent requests
Over time web servers have started rejecting cookies with control codes and
returning a HTTP 400 response code (Bad Request)
As such, a malicious “sister site” could return a cookie with control codes
inside it, this then would get sent by curl to other sites in the same domain,
which would then reject the request and effectively DoS the user
Fixed to have curl validate and then reject such cookies in the first place
[USN-5593-1] Zstandard vulnerability [04:34]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2019-11922
Originally discussed all the way back in Episode 44 - [USN-4108-1] Zstandard
vulnerability
Race condition when using single-pass compression, might allow attacker
to get OOB write IF the caller had provided a smaller output buffer than
the recommended size
So likely won’t affect all packages which use zstd (there are many) -
should always follow best practice
Goings on in Ubuntu Security Community
AT&T Alien Labs teardown of Shikitega Linux malware [05:40]
https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
Targets endpoints and IoT devices running Linux
Uses multiple different binaries to achieve its purpose - each does one task
of the process
Uses various components of Metasploit along the way
Framework containing various exploits plus different tools to help develop
exploits as well as scan environments etc
Initial dropper is a very small binary that is encoded using one of the
standard Metasploit encoders to help it evade detection from AV scanners etc
Decodes basic shellcode to open a socket to the C2 server and downloads
additional shellcode to run plus the mettle interpreter so that it can make
use of off-the-shelf components from Metasploit in further stages
Also downloads the next stage dropper
This again is encoded the same as the first component - contained within is
shellcode to spawn a shell via /bin/sh - from this shell it then attempts to
run commands to exploit two known privesc vulns - CVE-2021-4034
([USN-5252-1, USN-5252-2] PolicyKit vulnerability from Episode 147) and
CVE-2021-3493 ([USN-4916-2] Linux kernel vulnerability in Episode 113)
Once has gained root privileges via these vulns, with then move on to achieve
persistence and execute the primary payload - cryptominer
Persistence is achieved simply by using cron to download the cryptominer from
C2 on boot - and then another cron job to execute the cryptominer - and this
is done for both the standard user and root
As such the only traces left on the machine at reboot is the crontabs
cryptominer is the XMRig and is configured to mine Monero
C2 is seemingly fronted by cloudflare and cloudfront
No details provided on initial compromise but is good to see details on the
privesc vulns - both of these were patched in Ubuntu quite a while ago - and
we released a Livepatch for the kernel privesc too - shows the value in such
services - can still stay protected against the kind of vulnerabilities that
attackers are actually exploiting without the need to reboot
Shows the increasing prevalence of Linux malware (and the resulting interest
in it from organisations like AT&T) but also the value in ensuring systems are
kept updated
systemd/open-vm-tools regression for Ubuntu 18.04 LTS [10:56]
Had mentioned last week that I would likely cover this - is still a
work-in-progress so hopefully next week 🤞
Hiring [11:30]
https://canonical.com/careers/engineering?search=security
Security Certifications Product Manager
Home based, EMEA
Security Engineer - Ubuntu
Home based, worldwide
Ubuntu Security Manager
Home based, worldwide
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
September 02, 2022Episode 175
Overview
An increased rate of CVEs in curl is a good thing, and we’ll tell you why, plus
we cover security updates for the Linux kernel, Firefox, Schroot, systemd and
more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-5474-2] Varnish Cache regression [00:43]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-11653
USN-5474-1 from Episode 164
incomplete fix in original update - required additional patches from
upstream - thanks to community member who reported this and provided the
associated debdiff to fix it
[USN-5572-2, USN-5579-1] Linux kernel vulnerabilities [01:27]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
4.4 AWS 14.04 ESM + 4.4 generic etc 16.04 ESM + 14.04 ESM
3 issues in Xen PV drivers - all memory management issues
See USN-5572-1 from Episode 174
[USN-5580-1] Linux kernel (AWS) vulnerabilities [01:54]
4 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-36946
CVE-2022-20368
CVE-2021-33656
CVE-2021-33655
4.4 AWS 16.04 ESM
One of these is an OOB write in the framebuffer driver - covered previously in
USN-5577-1 in Episode 174
Others:
OOB write in virtual terminal driver when changing VGA console fonts
OOB read in Packet network protocol -> info leak
Assertion failure (-> kernel panic) in netfilter when handling rules which
truncate packets below their header size -> remote DoS
[USN-5582-1] Linux kernel (Azure CVM) vulnerabilities [02:42]
11 CVEs addressed in Focal (20.04 LTS)
CVE-2022-28893
CVE-2022-1975
CVE-2022-1974
CVE-2022-1734
CVE-2022-1679
CVE-2022-1652
CVE-2022-1048
CVE-2022-0494
CVE-2022-2586
CVE-2022-2588
CVE-2022-34918
Azure Confidential Virtual Machines - implements FDE so that contents is
protected from VM host
5.4 kernel
3 high priority vulns that allow a local unpriv user to privesc - first
covered back in USN-5557-1 in Episode 172 - all in netfilter / network packet
scheduler subsystems
[USN-5588-1] Linux kernel vulnerability [03:43]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2022-2588
3.13 GA
[USN-5589-1] Linux kernel vulnerabilities [03:56]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-33656
CVE-2021-33061
5.4 GA/OEM/Raspi/lowlatency
OOB write in virtual terminal driver mentioned earlier
Improper control flow mgmt in Intel 10GbE PCIe driver - local DoS
[USN-5590-1] Linux kernel (OEM) vulnerability [04:24]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2022-36946
5.14 OEM
Assertion failure on netfilter rules that truncate packets below their header
size mentioned earlier
[USN-5578-2] Open VM Tools vulnerability [04:34]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-31676
Privesc within guest - USN-5578-1 from Episode 174
[USN-5581-1] Firefox vulnerabilities [04:57]
5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-38478
CVE-2022-38477
CVE-2022-38475
CVE-2022-38473
CVE-2022-38472
104.0 - usual mix of browser security issues - DoS, chrome UI spoofing, bypass
security restrictions, RCE via malicious web content
[USN-5584-1] Schroot vulnerability [05:25]
1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2787
Not a tool that is normally used by most users / customers - BUT is used by
many Ubuntu developers - interesting avenue for a supply chain attack perhaps?
DoS via crafted schroot names - one user could launch a schroot with a crafted
name that would then result in schroot corrupting its internal state and then
stopping it from launching any more schroot sessions for any other users on
the machine
[USN-5586-1] SDL vulnerability [07:05]
1 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-34568
UAF in handling of crafted video content on X11
[USN-5583-1] systemd vulnerability [07:14]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2022-2526
Possible UAF when handling crafted DNS requests -> crash / RCE
Ask me about this one next week 😉
[USN-5585-1] Jupyter Notebook vulnerabilities [07:44]
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-29238
CVE-2022-24758
CVE-2020-26215
CVE-2019-9644
CVE-2019-10856
CVE-2019-10255
CVE-2018-21030
CVE-2018-19351
Another community contributed update - fixes various issues such as XSS, open
redirect, info leak etc
Goings on in Ubuntu Security Community
Increased CVE activity in curl [08:09]
https://daniel.haxx.se/blog/2022/08/22/increased-cve-activity-in-curl/
Daniel Stenberg (curl maintainer) put a poll on twitter asking if folks had
noticed an increased rate in CVEs for curl in the last year
~45% - yes - and it’s good
~2% - yes - and it’s bad
~40% - no
~12% - I don’t understand the question
This can be seen easily on the curl dashboard https://curl.se/dashboard.html
in particular on https://curl.se/dashboard1.html#vulns-per-year
We can see the same results from the Ubuntu CVE Tracker via jq and gnuplot
(plus curl itself to fetch the data in the first place):
#!/bin/bash
for d in $(curl -s "https://ubuntu.com/security/cves.json?order=newest&package=curl&limit=100" | jq -r ".cves[].published"); do
date +%s -d "$d";
done > curlhist
#!/usr/bin/gnuplot
binwidth = 60*60*24*365 # ~30days in seconds
bin(x,width)=width*floor(x/width) + width/2.0
set xdata time
set datafile missing NaN
set boxwidth binwidth
set xtics format "%Y" time rotate
set style fill solid 0.5 # fill style
set title 'Frequency of curl CVEs in the Ubuntu CVE Tracker by year'
plot 'curlhist' using (bin($1,binwidth)):(1.0) \
smooth freq with boxes notitle
curl CVE frequency has increased in recent years
however is still less than what it was back in 2016
Daniel explains how for each CVE wounds his pride that he didn’t find it in
the first place (or actually not introduce it) - but overall it is good they
are being looked for and found and fixed
curl has a bug bounty - and this works as a good incentive
has paid out over $40kUSD since it started
This year though the 15 reports came from just 4 people
and 60% came from a single individual
shows that to do this kind of work you need to have a deep, intimate
knowledge of the code - can’t just drive by and find bugs - need to spend a
lot of time getting to know the code and protocols etc well to be able to
find these sorts of issues
indicates that curl is a high quality project since it is hard to find
security issues
long lived codebase that has been well studied and improved over the years
Speaking of being long-lived - Daniel also then looks at the average lifetime
of each CVE in curl - like the Linux kernel, curl developers go back and try
find out what commit introduced a particular vulnerability - they can then
compare the time from when that original commit was introduced to when the
commit which fixes the bug was made
On average, for all CVEs - 2,867 days - 7 years 10 months
For those in the past 12 months - 3,245 days - almost 9 years
I mentioned the Linux kernel - Kees Cook (ex Ubuntu Security) has done similar
analysis using the data we collect in the Ubuntu CVE Tracker over the years
and found that for kernel vulnerabilities the average lifetime is 5.5 years
In general, curl has had a steady rate of development of around 1300 commits
per year since 2007
So on average the same amount of code churn is happening still (although this
doesn’t tell us if say the same amount of new code is being written each
year - perhaps this is more refactoring / cleanups over time?)
but if we assume it is the same amount of new code being written each year,
but since the CVE lifetime is growing over time, then more CVEs are being
found in the older code than newer code - and as such the quality of the
code seems to be improving over time
we can clean a bunch of info from the dashboard:
test cases - these are growing linearly over time
number of CI jobs - also growing linearly over time
both indicate an increase in tooling to improve quality over time
Final thought: whilst on the surface the idea that curl has got more CVEs
recently sounds bad, this is actually a good thing - it means these long lived
vulnerabilties are being found and fixed - this is a good thing - and the bug
bounty provides a good incentive to first encourage vulns to be looked for and
found and then to make sure they get reported and hence fixed (and not say
hoarded or sold to third parties etc)
Great graph showing the rate of vulns introduced over time and vulns being fixed over time
Shows vulns get introduced linearly but they are getting fixed
exponentially - so over time the number of latent vulns in the curl codebase
is decreasing - and this is definitely a good thing
Also shows the benefit of having a bug bounty - if you want vulns to get
found and fixed you need to create an environment that encourages that - and
what is more motivating than cold hard cash?
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
August 26, 2022Episode 174
Overview
This week we cover the debate around the decision in Ubuntu 22.10 to disable
presenting platform security assessments to end users via GNOME, plus we look at
security updates for zlib, PostgreSQL, the Linux kernel, Exim and more.
This week in Ubuntu Security Updates
12 unique CVEs addressed
[USN-5570-1, USN-5573-1] zlib and rsync vulnerability [00:43]
1 CVEs addressed for zlib in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
1 CVEs addressed for rsync in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-37434
Heap-buffer over-read via crafted gzip header - requires an application to
call the inflateGetHeader() function so not everything that uses zlib would be
affected - impact is DoS via crash
Also turns out the original fix introduced a regression upstream so required a
couple different patches to fix this
thankfully by the time we got around to patching this the regression had
already been identified and fixed upstream but some other distros who were
quicker off-the-mark were affected by the regression
Also affects rsync in older Ubuntu releases since it contains a vendored copy
of zlib - but on newer releases rsync uses the system install zlib and so once
that is patched then rsync is also effectively patched too
[USN-5571-1] PostgreSQL vulnerability [02:12]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-2625
Allowed possible code execution as the postgres superuser via various
extensions - some of these are bundled with postgres itself and some may come
from external sources - was fixed however in the core postgres server so no
need to modify/fix other extensions to remediate this vuln - just need to
update to this new patched version
[USN-5572-1] Linux kernel (AWS) vulnerabilities [02:45]
3 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2022-33741
CVE-2022-33740
CVE-2022-26365
4.4 16.04 ESM AWS
3 issues all in Xen paravirtualisation handling - 1 in virtual block driver
and another in the PV frontend - both of which failed to properly initialise
memory - could then allow a local attacker to see guest memory contents
Third one - memory mgmt issue in PV frontend which could end up sharing
unrelated data when communicating with various backends - could then possibly
lead to a crash of the guest or info leak of guest memory etc
[USN-5577-1] Linux kernel (OEM) vulnerabilities [03:38]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2021-33655
CVE-2021-33061
5.14 OEM kernels
Intel 10GbE PCI Express driver - insufficient control flow management -> local
DoS
Framebuffer driver failed to verify size limits when changing font / screen
sizes -> OOB write -> DoS/codeexec->privesc
[USN-5574-1] Exim vulnerability [04:11]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-37452
Single-byte heap buffer overflow when doing a host name lookup under certain
configurations - failed to account for terminating NUL byte and so could
overwrite this and hence leave a string without a trailing NUL - run of end of
string -> subsequent further buffer overflow
https://github.com/ivd38/exim_overflow
Requires to have set a custom configuration where the value of one config
items references the global variable sender_host_name so unlikely to affect
most installations
[USN-5575-1, USN-5575-2] Libxslt vulnerabilities [05:06]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2021-30560
CVE-2019-5815
originally reported against blink (chromium browser engine) - heap corruption
via crafted HTML
plus type confusion bug when handling crafted XML -> heap buffer overflow as
well
[USN-5576-1] Twisted vulnerability [05:41]
1 CVEs addressed in Jammy (22.04 LTS)
CVE-2022-24801
HTTP desync - form of HTTP request smuggling
parsed various HTTP requests more leniently than permitted by RFC 7230 - can
then allow requests which should have been blocked and hence lead to desync if
requests pass though multiple parsers -> request smuggling -> access to
privileged endpoints etc
[USN-5578-1] Open VM Tools vulnerability [06:23]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
CVE-2022-31676
VMWare OpenVM Tools - failed to properly check access controls on certain
requests - could then allow a local user who has non-admin access to a guest
VM to escalate privileges and gain root within the VM
Goings on in Ubuntu Security Community
Ubuntu 22.10 To Disable GNOME 43’s ‘Device Security’ Panel [07:09]
https://www.omgubuntu.co.uk/2022/08/ubuntu-22-10-device-security-panel-disabled
GNOME 43 (Ubuntu 22.10 / Kinetic Kudu) has as new Device Security Panel in
GNOME Control Center / Settings
Shows an assessment of the security of the hardware platform
HSI security levels for the host
https://fwupd.github.io/libfwupdplugin/hsi.html
Designed to raise awareness of platform security issues to put pressure on
vendors to build and provide security configurations OOTB
LVFS analyses firmware binaries to determine how they then affect the security
of hardware platforms
fwupd then assesses the hardware platform settings in conjuction with the
details from LVFS for the firmware of the machine and the results can be
viewed in g-c-c
Includes details like:
Whether SPI memory regions are defined and locked by the BIOS
TPM 2.0 presence
UEFI platform key
IOMMU
Intel BootGuard
Ability to accurately reconstruct the PCR0 value from the TPM event log
Intel CET (Episode 79 - Joe discusses Intel CET with John Johansen (aka JJ))
Unfortunately for most of these options, there is not a lot a user can do to
easily increase their security / get to a higher level of conformance
So showing this could just alarm users when there is no good action they can
take to remediate it
especially from the GUI - some of this could be done at a more low-level
but this has the chance of breaking things
e.g. could try and potentially recompile everything with CET enabled (this
is already done in Ubuntu for the vast majority of packages but not for
the kernel - still waiting on Intel to upstream patches required to make
this work)
but if you do this there is a good chance you could break your install if
you don’t get it right
Ideally if GNOME wants to display security information to the user,
especially if they want to try and increase security awareness etc, this
needs to be actionable - and be actionable from the same place as the info
is displayed - ie in g-c-c itself
and if g-c-c is going to then trigger steps to try and make things more
secure for the user this needs to be super robust to make sure we still
don’t brick machines etc
so overall, for Ubuntu the desktop and security teams feel this is not ready
to be included for Ubuntu 22.10 in such a prominent way
users can already get the same info via fwupd already (even in Ubuntu 22.04 LTS)
fwupdmgr security
interesting to note this shows a message:
The HSI specification is not yet complete. To ignore this warning, use --force
so even fwupd developers realise this is perhaps still not ready for prime
time
So the question then as LVFS/fwupd developer Richard Hughes put it:
“I suppose that not knowing is more secure?”
And as I responded in the LP bug - at this stage yes, since currently it
would just create alarm with no easy actions for a user to take to remediate
it - since then there is a risk of DoS by say enabling secure boot when
unknowingly using unsigned drivers etc
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
17min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.