Episode 121

Show Notes

Overview

Ubuntu One opens up two-factor authentication for all, plus we cover security updates for Nettle, libxml2, GRUB2, the Linux kernel and more.

This week in Ubuntu Security Updates

73 unique CVEs addressed

[USN-4989-2] BlueZ vulnerabilities [00:57]

• 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2020-27153
  • CVE-2020-26558
• Episode 120 - bluetooth spec issue around pairing takeover plus a possible double-free in gattool that is likely quite hard to exploit due to time window race between the two free() calls

[USN-4990-1] Nettle vulnerabilities [01:27]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2018-16869
  • CVE-2021-3580
• Low level crypto library used by lots of packages - chrony, dnsmasq, lighttpd, qemu, squid, supertuxkart
• Last covered just a few weeks ago in Episode 112 - is someone taking a closer look at this library?
• Bleichenbacher type side-channel base on a padding oracle attack in endian conversion of RSA decrypted PKCS#1 v1.5 data - requires to run a process on the same physical core as the victim - but could then allow the plaintext to be extracted
• RSA algo possible crash which is able to be triggered on decryption of manipulated ciphertext
• Changes required for both of these are too intrusive to backport for the older releases (e.g. 16.04 ESM) so suggest to upgrade to a newer Ubuntu release if you are using nettle on these older releases and are concerned about possible attacks

[USN-4991-1] libxml2 vulnerabilities [03:08]

• 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-3541
  • CVE-2021-3537
  • CVE-2021-3518
  • CVE-2021-3516
  • CVE-2021-3517
  • CVE-2020-24977
  • CVE-2019-20388
  • CVE-2017-8872
• Crafted XML could possibly trigger crash -> DoS or RCE

[USN-4992-1] GRUB 2 vulnerabilities [03:33]

• 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-20233
  • CVE-2021-20225
  • CVE-2020-27779
  • CVE-2020-27749
  • CVE-2020-25632
  • CVE-2020-14372
• Episode 106 - BootHole 2021 updates published to the security pocket
• Vulns included the ability to load ACPI tables, UAF in rmmod, buffer overflow in command-line parser, cutmem command boot locking bypass, heap buffer overflow in option parser and menu rendering OOB write -> RCE —>@@ all could lead to a bypass of secure boot protections
• Includes one grub - ie. same grub efi binary used across all recent Ubuntu releases
• https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021

[USN-4993-1] Dovecot vulnerabilities [05:13]

• 2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-33515
  • CVE-2021-29157
• STARTTLS plaintext command injection vuln via SMTP, plus if a local attacker could write files to the disk, they could supply their own keys to validate their own supplied JSON Web Token and hence login as any other user and then access their emails if using OAUTH2

[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]

• 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-30641
  • CVE-2021-26691
  • CVE-2021-26690
  • CVE-2020-35452
  • CVE-2020-13950
• Various DoS issues where under certain configurations an attacker could issue particular requests and trigger various crashes in Apache

[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]

• 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2021-3605
  • CVE-2021-3598
  • CVE-2021-26260
  • CVE-2021-23215
  • CVE-2021-20296
• Usual mix of issues for a library which is written in memory unsafe language and handling complex image formats etc
• Courtesy of OSS-Fuzz

[USN-4995-1] Thunderbird vulnerabilities [06:48]

• 20 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • CVE-2021-29957
  • CVE-2021-29956
  • CVE-2021-29949
  • CVE-2021-29948
  • CVE-2021-24002
  • CVE-2021-23995
  • CVE-2021-23993
  • CVE-2021-23992
  • CVE-2021-23991
  • CVE-2021-23984
  • CVE-2021-29967
  • CVE-2021-29946
  • CVE-2021-29945
  • CVE-2021-23999
  • CVE-2021-23998
  • CVE-2021-23994
  • CVE-2021-23987
  • CVE-2021-23982
  • CVE-2021-23981
  • CVE-2021-23961
• 78.11.0 - usual mix of untrusted content/web framework issues inherited from Firefox, plus fixes for OpenPGP key handling, message signature TOCTTOU-type condition due to writing out signatures to disk that then could be replaced before being verified, UX issue in display of inline signed/encrypted messages with additional unprotected parts

[USN-4997-1] Linux kernel vulnerabilities [08:22]

• 17 CVEs addressed in Hirsute (21.04)
  • CVE-2021-3543
  • CVE-2021-3506
  • CVE-2021-33034
  • CVE-2021-32399
  • CVE-2021-31829
  • CVE-2021-31440
  • CVE-2021-23134
  • CVE-2021-23133
  • CVE-2020-26147
  • CVE-2020-26145
  • CVE-2020-26141
  • CVE-2020-26139
  • CVE-2020-24588
  • CVE-2020-24587
  • CVE-2020-24586
  • CVE-2021-33200
  • CVE-2021-3609
• 5.11
• Basically the same set of fixes for all kernels, including a couple quite interesting ones:
  • eBPF verifier bypass provides OOB write primitive, could allow a local attacker to perform code execution in the kernel -> privesc
  • Race condition in CAN BCM networking protocol -> various UAFs -> code execution as well
• Plus others -> Wifi FragAttack fixes, other eBPF verifier fixes, SCTP race condition -> UAF etc

[USN-4999-1] Linux kernel vulnerabilities [09:51]

• 17 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2021-31829
  • CVE-2021-31440
  • CVE-2021-29155
  • CVE-2021-23133
  • CVE-2020-26147
  • CVE-2020-26145
  • CVE-2020-26141
  • CVE-2020-26139
  • CVE-2020-25673
  • CVE-2020-25672
  • CVE-2020-25671
  • CVE-2020-25670
  • CVE-2020-24588
  • CVE-2020-24587
  • CVE-2020-24586
  • CVE-2021-33200
  • CVE-2021-3609
• 5.8 (groovy, focal hwe)

[USN-5000-1] Linux kernel vulnerabilities [10:08]

• 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-3506
  • CVE-2021-33034
  • CVE-2021-32399
  • CVE-2021-31829
  • CVE-2021-23134
  • CVE-2021-23133
  • CVE-2020-26147
  • CVE-2020-26145
  • CVE-2020-26141
  • CVE-2020-26139
  • CVE-2020-24588
  • CVE-2020-24587
  • CVE-2020-24586
  • CVE-2021-33200
  • CVE-2021-3609
• 5.4 (focal, bionic hwe)

[USN-5001-1] Linux kernel (OEM) vulnerabilities

• 15 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-3543
  • CVE-2021-3506
  • CVE-2021-33034
  • CVE-2021-32399
  • CVE-2021-31440
  • CVE-2021-23134
  • CVE-2021-23133
  • CVE-2020-26147
  • CVE-2020-26145
  • CVE-2020-26141
  • CVE-2020-26139
  • CVE-2020-24588
  • CVE-2020-24587
  • CVE-2020-24586
  • CVE-2021-3609
• 5.10

[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]

• 1 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2021-3609
• 5.3
• CAN BCM

[USN-5003-1] Linux kernel vulnerabilities [10:35]

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2021-23133
  • CVE-2021-3600
  • CVE-2021-3609
• 4.15 (bionic, xenial esm hwe, trusty esm azure)
• CAN BCM and eBPF verifier OOB write

Goings on in Ubuntu Security Community

2FA coming to Ubuntu One [11:04]

• https://ubuntu.com/blog/two-factor-authentication-coming-to-ubuntu-one
• Used for access to discourse.ubuntu.com, Launchpad, ubuntuforums, publishers on the Snap Store etc
• Allows to use a phone / desktop TOTP app as second factor, or Yubikey TOTP etc
• Has actually been supported since 2014 but only available to a beta testing group plus for all Canonical employees, due to challenges in account recovery
  • Since Ubuntu One purposefully doesn’t store any real identifying information (name, email, username) we can’t easily verify account holders if they lose the 2FA device
  • The intent is to be robust even in the event that a users email address is compromised
• Now have a comprehensive code recovery experience including printable backup codes and mechanisms in place to encourage users to exercise backup codes so that users can feel confident in using these if they need to (ie where did I put my backup codes again..?)

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter