Episode 114

Show Notes

Overview

This week we look at the response from the Linux Technical Advisory Board to the UMN Linux kernel incident, plus we cover the 21Nails Exim vulnerabilities as well as updates for Bind, Samba, OpenVPN and more.

This week in Ubuntu Security Updates

40 unique CVEs addressed

[USN-4928-1] GStreamer Good Plugins vulnerabilities [00:40]

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-3498
  • CVE-2021-3497
• UAF or heap corruption when handling crafted Matroska files - crash / RCE

[USN-4929-1] Bind vulnerabilities [01:18]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-25216
  • CVE-2021-25215
  • CVE-2021-25214
• 2 possible crasher bugs (failed assertions) -> DoS, 1 buffer over-read or possible overflow -> crash / RCE

[USN-4930-1] Samba vulnerability [02:08]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-20254
• Failed to properly handle negative idmap cache entries - could then end up with incorrect group entries and as such could possibly allow a user to access / modify files they should not have access to

[USN-4931-1] Samba vulnerabilities [02:51]

• 4 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2021-20254
  • CVE-2020-14383
  • CVE-2020-14323
  • CVE-2020-14318
• negative idmap cache entries issue plus some older vulns (Episode 95)

[LSN-0076-1] Linux kernel vulnerability [03:03]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-29154
  • CVE-2021-3493
• 2 local user privesc vulns fixed:
  • BPF JIT branch displacement issue (Episode 112)
  • Overlayfs / file system capabilities interaction

[USN-4918-3] ClamAV regression [03:52]

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-1405
  • CVE-2021-1404
  • CVE-2021-1252
• Previous clamav update (back in April ) introduced a regression where clamdscan would crash if called with –multiscan and –fdpass AND you had an ExcludePath configured in the configuration - backported the upstream commit from the development branch to fix this

[USN-4932-1] Django vulnerability [04:30]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-31542
• Directory traversal via uploaded files with crafted names

[USN-4933-1] OpenVPN vulnerabilities [04:47]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2020-15078
  • CVE-2020-11810
• Race condition in handling of data packets could allow an attacker to inject a packet using a victim’s peer-id before the crypto channel is properly initialised - could cause the victim’s connection to be dropped (DoS) but doesn’t appear to expose any sensitive info etc
• Attackers could possibly bypass auth on control channel and hence leak info

[USN-4934-1] Exim vulnerabilities [05:39]

• 21 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-27216
  • CVE-2020-28026
  • CVE-2020-28025
  • CVE-2020-28024
  • CVE-2020-28023
  • CVE-2020-28022
  • CVE-2020-28021
  • CVE-2020-28020
  • CVE-2020-28019
  • CVE-2020-28018
  • CVE-2020-28017
  • CVE-2020-28016
  • CVE-2020-28015
  • CVE-2020-28014
  • CVE-2020-28013
  • CVE-2020-28012
  • CVE-2020-28011
  • CVE-2020-28010
  • CVE-2020-28009
  • CVE-2020-28008
  • CVE-2020-28007
• Qualsys - 21Nails - various vulns which could be chained together to get full remote unauthenticated RCE and root privesc
  • Full write-up
• Possibly 60% of internet mail servers run exim and 4 million are publicly accessible
• Previously has been a target of Sandworm
• In the process of preparing the updates for 16.04 / 14.04 ESM - expect to be available in the next day or 2 so most likely will already be out by the time you are listening to this

[USN-4935-1] NVIDIA graphics drivers vulnerabilities [07:58]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-1077
  • CVE-2021-1076
• Not much detail from NVIDIA
  • improper access control -> DoS, infoleak or data corruption -> privesc etc
  • incorrect use of reference counting -> DoS (crash?) (UAF?)

Goings on in Ubuntu Security Community

Linux Technical Advisory Board response to UMN incident [08:56]

• Covered in Episode 113
• https://lore.kernel.org/lkml/202105051005.49BFABCE@keescook/
• Kees Cook (previously inaugural Tech Lead of Ubuntu Security Team) posted to LKML the Tab’s report (various folks from across the Linux Kernel community, including from Red Hat, Google, Canonical and others)
• Detailed timeline of events, identification of the “hypocrite” commits in question
• Recommendations going forward
  • UMN must improve quality of their submissions since even for a lot of what were good-faith patches, they actually had issues and either didn’t fix the purported issue or tried to fix a non-issue
  • TAB will create a best-practices document for all research groups when working with the kernel or other open source projects

Hiring [11:36]

AppArmor Security Engineer

• https://canonical.com/careers/2114847/apparmor-security-engineer-remote

Linux Cryptography and Security Engineer

• https://canonical.com/careers/2612092/linux-cryptography-and-security-engineer-remote

Security Engineer - Ubuntu

• https://canonical.com/careers/2925180/security-engineer-ubuntu-remote

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter