Episode 109

Posted on Friday, Mar 26, 2021
This week we look at security updates for containerd, Ruby, the Linux kernel, Pygments and more, plus we cover some open positions within the team as well.

Show Notes

Overview

This week we look at security updates for containerd, Ruby, the Linux kernel, Pygments and more, plus we cover some open positions within the team as well.

This week in Ubuntu Security Updates

28 unique CVEs addressed

[USN-4881-1] containerd vulnerability [00:38]

  • 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • When using the containerd CRI implementation (kubernetes container runtime interface) - would share environment variables etc between containers that shared the same image - so could allow an inadvertent info leak from one container to another - race condition so would be less likely to occur if not launching containers in rapid succession which share the same image

[USN-4882-1] Ruby vulnerabilities [01:27]

  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Crafted JSON could result in RCE - could create a malicious object within the interpreter
  • Possible info leak via unintialised memory across socket operations - heap info leak so could expose sensitive data from the interpreter
  • Failure to validate xfer encoding header - could bypass reverse proxy and so be vulnerable to HTTP request smuggling attacks

[USN-4883-1] Linux kernel vulnerabilities [02:32]

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
  • 4.15 kernel for bionic + 4.4 kernel for xenial
  • 3 iSCSI issues, most important was heap overflow that could be exploited by a local attacker -> code-exec as root
    • Other 2 are info leak via kernel pointers being disclosed to userspace and a OOB read -> crash or possible infoleak

[USN-4884-1] Linux kernel (OEM) vulnerabilities [03:13]

[USN-4885-1] Pygments vulnerability [03:36]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • infinite loop -> CPU based DoS when parsing crafted Standard ML files - input file containing just ‘exception’ would be enough to trigger this

[USN-4886-1] Privoxy vulnerabilities [04:18]

[USN-4887-1] Linux kernel vulnerabilities [05:03]

  • 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • BPF verifier failed to properly handle mod32 destination register truncation when source register was known to be 0 -> could be turned into an arbitrary memory read -> info-leak - and can’t rule out arbitrary memory write -> RCE
  • Spectre mitigations for BPF were found to be insufficient - could allow an attacker to read entirety of kernel memory via speculative execution attack through BPF
  • iSCSI issues discussed earlier too

Goings on in Ubuntu Security Community

Hiring [07:04]

AppArmor Security Engineer

Ubuntu Security Engineer

Security Engineer - Ubuntu

Get in contact