Crafted lease file could trigger an OOB read - could be triggered against
both dhclient and dhcpd - DoS. In case of dhcpd could also cause that
lease to be deleted (and the one that follows it in the lease database).
ISC claim impact is LESS if using compiler hardening
(stack-protector-strong) - since in this case it will trigger an abort - but
if not used it will keep running…
DNS rebinding attack - able to be exploited by a remote web server -
tricks the local web browser into triggering actions against local UPnP
services that use the gupnp library, as it would not check that the Host
header specified the expected IP address. Could then be used for data
exfil / tampering etc.
Can be mitigated against by using a DNS resolver that prevents DNS
rebinding
Google’s image format to replace both jpg/png and be faster (like the vp8
video codec, using predictive encoding - uses neighbouring pixels to
predict values in a block and then encodes only the difference)
ipaddress library in the python stdlib mishandled leading zero characters
in octets of an IP address - could allow bypass of access controls that
are based on IP addresses. Now treats leading zeros as invalid input
(before would try and treat them as octal… but could end up confused as
a result)
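As an added illustration (not code from the show notes or from CPython), a strict IPv4 parser that refuses leading-zero octets before any allowlist decision is made, alongside a helper showing how the C inet_aton() parser reads the same literal; is_allowed, inet_aton_view and the allowlist values are constructed for this example.

```python
import ipaddress
import re
import socket

# Strict dotted-quad octet: a lone "0" or a number with no leading zero.
_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def parse_strict_ipv4(text):
    """Parse an IPv4 literal, rejecting leading zeros whatever the Python version.

    Fixed ipaddress releases raise ValueError for "010.0.0.1" themselves; this
    wrapper makes the same decision on older interpreters so access-control code
    never depends on the stdlib version it happens to run under.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted octets: %r" % text)
    for octet in parts:
        if not _OCTET.match(octet) or int(octet) > 255:
            raise ValueError("ambiguous or out-of-range octet %r in %r" % (octet, text))
    return ipaddress.IPv4Address(text)


def inet_aton_view(text):
    """Show how the C inet_aton() parser reads the string (leading zero = octal)."""
    return socket.inet_ntoa(socket.inet_aton(text))


def is_allowed(client_ip, allowlist):
    """True only if client_ip parses strictly and lies inside an allowed network."""
    try:
        addr = parse_strict_ipv4(client_ip)
    except ValueError:
        return False  # ambiguous literals are denied, never reinterpreted
    return any(addr in ipaddress.IPv4Network(net) for net in allowlist)


if __name__ == "__main__":
    # Constructed sample: an internal allowlist and a literal with a leading zero.
    nets = ["10.0.0.0/8"]
    print(is_allowed("10.0.0.1", nets))   # True
    print(is_allowed("010.0.0.1", nets))  # False: rejected as ambiguous
    print(inet_aton_view("010.0.0.1"))    # 8.0.0.1: the C parser reads 010 as octal
```

The two parsers disagree on the same bytes, which is exactly the gap an IP-based access check must close by refusing the ambiguous form.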
Reported by Akamai (uses Lasso in their Enterprise Application Access
product) - and coordinated between affected distros and vendors etc
Could allow unauthenticated access to applications that use SAMLv2
(Security Assertion Markup Language v2) for authentication
If a SAML response contained both a signed and valid assertion, plus
additional unsigned assertions appended to this, these unsigned assertions
would be treated as valid as well.
So could allow an authenticated user to take their own signed SAML
assertion and append assertions for other users to the end to then
impersonate those other users.
Failed to properly randomise the source port (ie used a fixed port) when
forwarding queries when configured to use a specific server for a given
network interface - could then allow a remote attacker to more easily
perform cache poisoning attacks (ie once the source port is known, only the
transaction ID needs to be guessed to get a forged reply accepted)
Very similar to the issues that were discovered back in 2008 by Dan
Kaminsky - the whole reason source port randomisation was introduced as
part of the DNS protocol
Goings on in Ubuntu Security Community
Ubuntu user’s DMCA violation [09:58]
Last week it was reported that a user downloading the Ubuntu 20.04.2 iso via
bittorrent received a DMCA violation notice from their ISP (Comcast)
Clearly absurd given Ubuntu is free (beer & freedom/libre)
Also the hash of the iso in question was legit too
Sent by “OpSec Online Antipiracy” not Canonical
OpSec responded saying their notice sending program was “spoofed” by
unknown parties across multiple streaming platforms
Not clear then if the user spoofed it directly or if someone else spoofed
the notice and sent it to the user…
Still being investigated by OpSec apparently - our legal team is also
looking into it as well
Not the first time this sort of thing has happened - back in 2016
Paramount Pictures used the DMCA to send a takedown request to Google to
remove a search result linking to the Ubuntu 12.04.2 alternate ISO at
extratorrent.cc - this was listed as apparently being a link to the
Transformers: Age of Extinction movie…
Google did follow through on this - likely an automated system due to
the sheer volume of such requests they get per day (3 million p/d
pirate URLs to be removed from search results)