Episode 105

Show Notes

Overview

This week we discuss security updates in Linux Mint, Google funding Linux kernel security development and details for security updates in BIND, OpenSSL, Jackson, OpenLDAP and more.

This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-4737-1] Bind vulnerability [00:45]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-8625
• If using GSS-TSIG could be vulnerable to a DoS or possible RCE - this option is not enabled by default BUT is often used when bind is integrated with Samba or with a AD-DC. In Ubuntu we confine BIND with an AppArmor profile by default isolates BIND quite tightly so helps to mitigate any affect a possible RCE attack could have.
  • Was interesting to see upstream released 2 advisories that some of their upstream version updates (e.g. 9.16.12) for this caused some regressions as this included some new as well features - and they specifically ended up recommended downstreams ship the prior version (9.16.11) with just the fix for this backported - this is what we do in Ubuntu precisely for this reason, to minimise the chance of introducing regressions in our security updates by only backporting the patch for the particularly vulnerability

[USN-4738-1] OpenSSL vulnerabilities [02:13]

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-23841
  • CVE-2021-23840
• NULL ptr deref when parsing malicious issuer fields in X509 certificates - crash, DoS
• Possible buffer overflow if some library functions were used in an unlikely manner - had to specify an input length that was close to the bounds of an integer size of the platform - so only if calling with a buffer of INT_MAX or similar could this be an issue

[USN-4745-1] OpenSSL vulnerabilities [02:56]

• 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
  • CVE-2021-23841
  • CVE-2020-1971
• NULL ptr deref above plus separate NULL pointer deref in handling of EDIPartyNames as discussed in Episode 100

[USN-4739-1] WebKitGTK vulnerability [03:25]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-13558
• UAF in audio handling - specially crafted webpage could cause an RCE on local machine

[USN-4741-1] Jackson vulnerabilities [03:40]

• 3 CVEs addressed in Xenial (16.04 LTS)
  • CVE-2019-10172
  • CVE-2017-7525
  • CVE-2017-15095
• JSON processor for Java - allows to map JSON to Java objects
• Flaws in (de)serialization could expose various classes to being mapped to the resulting input and hence allow a remote code execution attack - fix is to deny various classes being mapped as a result
• Also fixed an XML external entity issue that could also result in RCE

[USN-4740-1] Apache Shiro vulnerabilities [04:20]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-1957
  • CVE-2020-11989
• 2 different possible authentication bypass issues when using with Spring dynamic controllers

[USN-4742-1] Django vulnerability [04:33]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-23336
• Possible web-cache poisoning attack - due to difference in handling of requests between the proxy and the server - malicious requests can be cached as they look like safe ones due to difference in interpretation

[USN-4743-1] GDK-PixBuf vulnerability [05:06]

• 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-20240
• Integer underflow in GIF loader - code execution?

[USN-4744-1] OpenLDAP vulnerability [05:27]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-27212
• Assertion failure could be triggered by crafted timestamp content -> crash, DoS

[USN-4467-3] QEMU regression [05:46]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-13754
• In patching previous vulnerabilities in QEMU, we backported various patches but missed some related to riscv emulation so would cause a possible crash in this case - fixed to add missing patches to resolve this crash issue

Goings on in Ubuntu Security Community

Linux Mint users being slow with security updates, running old versions [06:33]

• https://www.zdnet.com/article/top-linux-distro-tells-users-stop-using-out-of-date-versions-update-your-software-now/
• https://www.theregister.com/2021/02/23/linux_mint_team_berates_users/
• https://blog.linuxmint.com/?p=4030
• Blog post from lead developer Clem (Clement Lefebvre) discussing how Linux Mint users seem to not be installing updates
• Linux Mint is a Ubuntu derivative - uses the Ubuntu archives plus some of their own repos - so in general all security updates for Ubuntu get propagated to Linux Mint - cf. relationship between Ubuntu and Debian.
• Interesting history in regards to security
  • In Febrary 2016, website was hacked and the link to the installer ISO was modified to point to a malicious one with a backdoor - https://blog.linuxmint.com/?p=2994
  • Recommend to turn of UEFI Secure Boot since their shim is not signed by Microsoft
  • Update Manager would offer security updates but would rate them in supposed terms of safety - so would in essence deter users from installing some security updates - and also would not select to install some updates which they deemed as more risky - but how did they assign this safety level? Based more on if a component was critical to boot (kernel/firmware would get rated as more risky) than anything to do with the actual update itself. So was intended to help guide users BUT created a system where users believed they were “safer” in terms of stability, but in fact were less safe in terms of security.
  • This created an impression that Linux Mint either blocked security updates or actively discouraged users from installing them - https://distrowatch.com/weekly.php?issue=20170320#myth
  • These levels were removed in the 19.2 release but it seems users are still wary
• 30% of users apply updates in less than a week (based on recent Firefox update)
• 30% of users are still running 17.x - EOLd in April 2019 - (based on Ubuntu 14.04)
• So it is not really surprising given their past history that their userbase is wary of security updates and are perhaps putting themselves at risk as a result by delaying installing security updates
• But good to see they are now actively encouraging users to install security updates
• Use of timeshift is interesting as a mitigation against possible issues with security updates
• Also was interesting to see they published an emergency update just for Firefox for the 17.x release to upgrade this from 66.0 to 78 ESR - so this gives some protection but perhaps again lessens the incentive for these users to upgrade to a newer supported release of Linux Mint

Google funds Linux kernel developers to work exclusively on security [14:20]

• https://www.linuxfoundation.org/en/press-release/google-funds-linux-kernel-developers-to-focus-exclusively-on-security/
• Gustavo Silva and Nathan Chancellor
• Chancellor - Triaging and fixing bugs found via Clang/LLVM, CI systems
  • Already leading a lot of the upstream ClangBuiltLinux work
• Silva - KSPP related work on eliminating bug classes - VLAs etc

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter