Episode 106

Posted on Thursday, Mar 4, 2021
This week we talk about more BootHole-like vulnerabilities in GRUB2, a Spectre exploit found in-the-wild, security updates for xterm, screen, Python, wpa_supplicant and more.

Show Notes

This week in Ubuntu Security Updates

52 unique CVEs addressed

[USN-4698-2] Dnsmasq regression [00:44]

[USN-4746-1] xterm vulnerability [01:14]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Reported by Tavis Ormandy (taviso) - crafted UTF-8 could cause a crash - related to the very similar bug in screen below

[USN-4747-1, USN-4747-2] GNU Screen vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Crash in screen from crafted UTF-8 - found by users crashing a Minecraft server with this crafted content: the server was running under screen, so the crafted chat/log content was written to the terminal and rendered by screen - screen dies, and the Minecraft server dies with it - lots of tutorials for running a Minecraft server tell you to run it under screen, so this is apparently a common setup. The general lesson is that anything rendering untrusted text (a terminal emulator or multiplexer included) is attack surface; running a service under a supervisor that only logs its output avoids exposing it this way

[USN-4748-1] Linux kernel vulnerabilities [02:54]

[USN-4749-1] Linux kernel vulnerabilities

[USN-4750-1] Linux kernel vulnerabilities

[USN-4751-1] Linux kernel vulnerabilities

[USN-4752-1] Linux kernel (OEM) vulnerabilities

[USN-4753-1] Linux kernel (OEM) vulnerability

[USN-4754-1] Python vulnerabilities [03:07]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Unsafe sprintf() call when formatting doubles into a fixed-size buffer - buffer overflow - BUT on Ubuntu, Python (like the vast majority of the archive) is compiled with FORTIFY_SOURCE - just one of various hardening features - so some buffer overflows are detected at runtime and the process is aborted, which turns this from possible code execution into a DoS
  • The test suite calls eval() on content received via HTTP - so if you ran the tests and someone could interpose on that connection, they could get RCE - untrusted input should go through a restricted parser, never eval()
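To make the FORTIFY_SOURCE point concrete, here is an added example (written for these notes, not code from the podcast or from CPython) of the pattern behind the first bug: a double formatted with %f into a fixed 256-byte buffer (here on the stack). A value like 1e300 expands to more than 300 digits, so a plain sprintf() writes well past the end of the buffer. Built with -D_FORTIFY_SOURCE=2 at -O1 or higher (which Ubuntu's gcc enables by default), that sprintf() becomes __sprintf_chk(), which knows the buffer size and aborts the process instead of completing the write; that is the downgrade from overflow to crash described above. The bounded form uses snprintf() and reports truncation to the caller. The format string, buffer size and function names are illustrative and only loosely modelled on the ctypes repr code; they are not its actual identifiers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative format, modelled on (not copied from) the repr of a ctypes
 * double argument. 256 bytes is the fixed buffer size such code used. */
#define REPR_FMT "<cparam 'd' (%f)>"
#define REPR_BUF 256

/* Bytes (excluding the NUL) that the repr of d needs. snprintf() with a
 * NULL buffer and size 0 only measures; it writes nothing. */
size_t repr_length(double d)
{
    int n = snprintf(NULL, 0, REPR_FMT, d);
    return n < 0 ? 0 : (size_t)n;
}

/* Vulnerable pattern: unbounded sprintf() into a fixed stack buffer.
 * With d = 1e300 the output is over 300 bytes and overruns buf. Under
 * _FORTIFY_SOURCE=2 the compiler routes this call to __sprintf_chk(),
 * which knows sizeof(buf) and calls abort(): a crash, not a silent
 * overwrite of the stack. Only ever call this with small values; it is
 * here to show the pattern next to the fixed version. */
void repr_unbounded(double d, char *out, size_t outlen)
{
    char buf[REPR_BUF];
    sprintf(buf, REPR_FMT, d);      /* no length argument: the bug */
    snprintf(out, outlen, "%s", buf);
}

/* Hardened form: snprintf() is told the buffer size and the caller is
 * told whether the result fit. Truncation becomes an error to handle,
 * not an out-of-bounds write. */
bool repr_bounded(double d, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, REPR_FMT, d);
    return n >= 0 && (size_t)n < buflen;
}

/* Convenience wrapper: formats into a static buffer of the same fixed
 * size and returns NULL when the repr would not have fit. */
const char *repr_or_null(double d)
{
    static char buf[REPR_BUF];
    return repr_bounded(d, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    char buf[REPR_BUF];
    printf("1.5   needs %zu bytes\n", repr_length(1.5));
    printf("1e300 needs %zu bytes\n", repr_length(1e300));
    printf("bounded 1.5:   %s -> %s\n",
           repr_bounded(1.5, buf, sizeof buf) ? "ok" : "truncated", buf);
    printf("bounded 1e300: %s\n",
           repr_bounded(1e300, buf, sizeof buf) ? "ok" : "truncated");
    return 0;
}
```

Build it twice to see the difference the hardening makes: with `gcc -O2 -D_FORTIFY_SOURCE=2` a call to repr_unbounded(1e300, ...) is stopped by glibc with its "buffer overflow detected" abort, while with `gcc -O0 -U_FORTIFY_SOURCE` the same call silently overwrites the stack. The bounded version is the one to ship; treating the truncation result as an error keeps the DoS from becoming a silent wrong answer.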

[USN-4754-2] Python regression

[USN-4754-4] Python 2.7 vulnerability

[USN-4755-1] LibTIFF vulnerabilities [04:21]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Heap buffer overflow in the tiff2pdf tool, and an integer overflow leading to a buffer overflow, both triggered by crafted TIFF file input

[USN-4737-2] Bind vulnerability [04:39]

[USN-4757-1] wpa_supplicant and hostapd vulnerability [04:53]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • When P2P is in use, a use-after-free -> crash or possible RCE by a remote attacker within local radio range

Goings on in Ubuntu Security Community

GRUB2 Secure Boot Bypass 2021 [05:31]

First Spectre Exploit discovered in the wild [09:47]

  • https://dustri.org/b/spectre-exploits-in-the-wild.html
  • Uploaded to VirusTotal last month - not the first Spectre-related artefacts to be uploaded there - back in 2018 the original PoCs and various variants thereof were uploaded, but those were all benign
  • This one is a real exploit with versions targeting Windows and Linux - the Linux variant reads /etc/shadow by default - it does this by spawning su so that the file gets paged into memory, then walking in-kernel filesystem structures through its speculative-execution read gadget to locate and dump out the file's contents
  • Was developed by Immunity as part of their CANVAS tool (https://vimeo.com/271127615)

Linux Mint to more forcefully encourage security updates be installed [12:02]

  • https://blog.linuxmint.com/?p=4037
  • Update Manager will track metrics, so it can detect cases where updates are being overlooked and then remind, or even insist, that they be applied
  • Focus is on not getting in the way and being there to help, employing smart patterns and usages, being configurable, etc.
  • Still forming strategies, but a space to watch

Get in contact