Episode 135
Posted on Friday, Oct 22, 2021
Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security
updates for Linux kernel, nginx, Ardour and strongSwan.
Show Notes
Overview
Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security updates for Linux kernel, nginx, Ardour and strongSwan.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-5091-3] Linux kernel (Azure) regression
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5092-3] Linux kernel (Azure) regression [00:50]
- 12 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- Failure to boot on large Azure instance types - caused by a patch that
got backported to the 5.14 upstream stable kernel that was purported to
head off possible future problems, but itself caused issues on say the
Standard_D48_v3instance (48 vCPUs, 192GB RAM, 1.2TB storage) - dropped that patch to resolve the issue
[USN-5109-1] nginx vulnerability [01:44]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Buffer overflow when handling files with modification dates a long time in the past - ie. 1969 or very far in the future - integer overflow in the autoindex module
[USN-5110-1] Ardour vulnerability [02:22]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- UAF in handling of crafted XML files - if using attacker provided files could DoS / RCE
[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Integer overflow when replacing certs in cache - if can send many requests with different certs can fill cache and then cause replacement of cache entries when gets full - LRU algorithm could then cause integer overflow and hence OOB write as a result
- Integer overflow in gmp plugin - crafted RSASSA-PSS signature in say a self-signed CA cert sent by an initiation
[USN-5113-1] Linux kernel vulnerabilities [04:13]
- 8 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
- 5.11 hirsute kernel (20.04 HWE)
- overlayfs perms handling issue, race condition -> OOB read in VT subsystem, integer overflow in hashtable implementation in BPF, ext4 xattrs race -> UAF, ath9k race condition -> info leak
Goings on in Ubuntu Security Community
Tianfu Cup 2021 [05:30]
- https://www.tianfucup.com/en
- 16-17th October - China’s own Pwn2Own
- Teams required to use original vulns to hack target platforms - 1.5m USD total reward
- Targets
- Docker-CE on Ubuntu 20.04 w generic kernel running a Ubuntu 20.04 desktop container with ssh access as root to the container running unprivileged w/o uidmap, volume mount and default bridge network - 60k USD price
- Ubuntu 20.04 / Centos 8 running in VMWare Workstation - unprivileged user to escalate to root - 40k USD
- Ubuntu + qemu-kvm - 20.04 desktop host, running 20.04 server in qemu - VM escape w/o sandbox escape - 60k USD, w/ sandbox escape 150k USD
- 3 5 minute attempts to run their exploits
- According to media reports - Ubuntu 20.04 root privesc - 4 times, Docker-CE and qemu VM - once
- Also iPhone 13 Pro was hacked using a no-interaction RCE attack, plus Google Chrome to get kernel privesc on Windows as well
- Also according to one media outlet “details unknown but vendors are expected to release patches in coming weeks” - so far no contact / details have been provided to us…
- Same has happened in previous years - no details get provided to vendors so issues don’t get patched - in the past, exploits which have been showcased at Tianfu have then allegedly gone on to be used in hacking campaigns by the Chinese government
- Contrast with Pwn2Own - we are invited by organisers to watch and verify attempts in real-time to help judge whether exploits used are actually unique and new, and then ZDI provide details immediately regarding the vulns along with PoCs so we can patch them ASAP