Episode 120
Posted on Friday, Jun 18, 2021
In this week’s episode we look at how to get media coverage for your shiny
new vulnerability, plus we cover security updates for ExifTool,
ImageMagick, BlueZ and more.
Show Notes
Overview
In this week’s episode we look at how to get media coverage for your shiny new vulnerability, plus we cover security updates for ExifTool, ImageMagick, BlueZ and more.
This week in Ubuntu Security Updates
49 unique CVEs addressed
[USN-4986-2] rpcbind vulnerability [00:44]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Episode 119 (bionic) - memory leak on crafted requests
[USN-4986-3, USN-4986-4] rpcbind regression [01:11]
- Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Original fix missed follow-up patches to correct problems in the upstream fix - required multiple other bits to work correctly
[USN-4971-2] libwebp vulnerabilities [01:34]
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Episode 118
[USN-4987-1] ExifTool vulnerability [01:50]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Was originally reported to gitlab via hackerone as exiftool is used on image uploads to redact image metadata etc - they coordinated the fix with exiftool upstream. RCE when parsing a malicious DjVu image - uses perl to parse DjVu and in doing so it eval’s certain constructs without properly validating them
[USN-4988-1] ImageMagick vulnerabilities [03:17]
- 34 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- CVE-2021-20176
- CVE-2020-27776
- CVE-2020-27775
- CVE-2020-27774
- CVE-2020-27773
- CVE-2020-27772
- CVE-2020-27771
- CVE-2020-27770
- CVE-2020-27769
- CVE-2020-27768
- CVE-2020-27767
- CVE-2020-27766
- CVE-2020-27765
- CVE-2020-27764
- CVE-2020-27763
- CVE-2020-27762
- CVE-2020-27761
- CVE-2020-27760
- CVE-2020-27759
- CVE-2020-27758
- CVE-2020-27757
- CVE-2020-27756
- CVE-2020-27755
- CVE-2020-27754
- CVE-2020-27753
- CVE-2020-27751
- CVE-2020-27750
- CVE-2020-25676
- CVE-2020-25675
- CVE-2020-25674
- CVE-2020-25666
- CVE-2020-25665
- CVE-2020-19667
- CVE-2017-14528
- every ~30 weeks we seem to have another ImageMagick update - so that time again ;)
- DoS, RCE etc
[USN-4989-1] BlueZ vulnerabilities [03:56]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 1 bluetooth core specification issue - during pairing a nearby attacker could interpose on the pairing process and hence complete the pairing instead of the intended device
- 2 issues in bluez code itself
- double free (UAF) + OOB read
Goings on in Ubuntu Security Community
How to get media coverage for your Linux vulnerabilities [04:48]
- In Episode 119 covered an update for polkit - the following day Github published a blog post with significant details of the vuln - then we saw a heap of media coverage
- Why did this vuln get so much coverage when lots of others don’t?
- Great technical detail from a reputable and popular source (github)
- Very clearly written and easy to understand
- Is a simple logic error that can be triggered via a race-condition in a privileged daemon
- PoC can be implemented as a 1 line bash invocation so is also simple to understand
- c.f. a complicated memory corruption vuln or similar (ie no need to understand memory management, heap grooming etc etc)
- Or give it a cool name and logo
- heartbleed was one of the first to do this and this likely helped it get noticed and patched (plus fame/notoriety for the researchers)
- Since then we have seen many (shellshock, stagefright, dirty cow, spectre, meltdown, boothole etc) but not all vulns that get names/logos are created equal - impact / exploitability varies greatly - so a name and a logo doesn’t necessarily mean a vuln is critical