Episode 136

Posted on Friday, Nov 5, 2021
The road to Ubuntu 22.04 LTS begins so we look at some of its planned features plus we cover security updates for the Linux kernel, Mailman, Apport, PHP, Bind and more.

Show Notes

Overview

The road to Ubuntu 22.04 LTS begins so we look at some of its planned features plus we cover security updates for the Linux kernel, Mailman, Apport, PHP, Bind and more.

This week in Ubuntu Security Updates

92 unique CVEs addressed

[USN-5114-1] Linux kernel vulnerabilities [01:15]

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • 4.15 + HWE on ESM
  • Race in ath9k -> could fail to properly encrypt traffic -> info leak
  • KVM shadow pages perms -> local user DoS
  • ext4 race in xattr handling - local DoS / priv-esc
  • 6pack driver validation failure -> DoS / code-exec

[USN-5115-1] Linux kernel (OEM) vulnerabilities [02:19]

[USN-5116-1, USN-5116-2] Linux kernel vulnerabilities [02:55]

  • 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 5.4 + KVM + bionic HWE + clouds (AWS, Azure, GCP, GKE, IBM, Oracle + RPi)
  • Race in ath9k -> could fail to properly encrypt traffic -> info leak
  • KVM shadow pages perms -> local user DoS
  • ext4 race in xattr handling - local DoS / priv-esc
  • 6pack driver validation failure -> DoS / code-exec
  • overlayfs + xilinx

[USN-5117-1] Linux kernel (OEM) vulnerabilities [03:29]

[USN-5120-1] Linux kernel (Azure) vulnerabilities [03:40]

[USN-5119-1] libcaca vulnerabilities [03:53]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • text mode graphics handling library
  • 2 buffer overflows -> crash / code exec in handling of TGA images and when exporting to troff format

[USN-5121-1, USN-5121-2] Mailman vulnerabilities [04:24]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), 5 CVEs addressed in Focal (20.04 LTS)
  • 2 different CSRF issues in Mailman - in the first, CSRF tokens were not properly associated with accounts - could be used to take over another account
  • In the second, the generated CSRF tokens are derived from the admin password - a remote attacker could use them to help brute-force the admin pw
  • In both cases the attacker needs to already be an existing list member and be logged in to mount the attacks
  • For Focal the update also included a couple of medium-priority vulns (which don’t affect older versions):
    • Possible arbitrary content injection in 2 different ways: content provided by an attacker as POST parameters to form-handling scripts gets incorporated into the page shown to a user
    • So could allow an attacker to, say, inject a URL to be displayed on a legitimate Mailman admin page, which an unsuspecting user may then follow thinking it is trusted
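The two token weaknesses described above, contrasted with a design that binds each token to an account and keys it with a random server secret, as an added example (illustrative code, not Mailman's; the session id, account names and server key are constructed):

```python
"""Added example (illustrative, not Mailman's code): a CSRF token scheme that
avoids both flaws in the notes, by binding each token to the account whose
form it protects and by keying it with a random server secret instead of
anything derived from the admin password."""
import hashlib
import hmac
import secrets

# Random per-deployment key generated at startup (constructed here). Tokens
# are a function of this key, never of a password, so a collection of tokens
# gives nothing to brute-force the admin password against.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id: str, account: str) -> str:
    """Token for one session acting on one specific account's forms."""
    msg = f"{session_id}\x00{account}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def verify_token(token: str, session_id: str, account: str) -> bool:
    """Recompute for the account the POST actually targets, so a token issued
    for a different account cannot match; compare in constant time."""
    return hmac.compare_digest(token, issue_token(session_id, account))

def issue_unbound_token(session_id: str) -> str:
    """Flawed variant for contrast: valid for the whole session and carrying
    no information about which account's form it was issued for."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def verify_unbound(token: str, session_id: str, target_account: str) -> bool:
    """The target account is never checked: the shape of the first issue."""
    return hmac.compare_digest(token, issue_unbound_token(session_id))

def demo() -> dict:
    sid = "sess-7f3a"  # constructed session id of a logged-in list member
    unbound = issue_unbound_token(sid)  # obtained from the member's own page
    bound = issue_token(sid, "member@example.org")
    return {
        # flawed: accepted when submitted against another account's form
        "unbound_accepted_for_other": verify_unbound(unbound, sid, "other@example.org"),
        # hardened: valid only for the account it was issued for
        "bound_own": verify_token(bound, sid, "member@example.org"),
        "bound_other": verify_token(bound, sid, "other@example.org"),
    }
```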

[USN-5122-1, USN-5122-2] Apport vulnerability [05:41]

  • Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Could trick Apport into writing core files into arbitrary directories - these could then, say, be interpreted by other root-level applications to escalate privileges
  • Changed Apport to write core files to the known location /var/lib/apport/coredump

[USN-5123-1, USN-5123-2] MySQL vulnerabilities [06:25]

[USN-5124-1] GNU binutils vulnerabilities [06:53]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 2 issues in libbfd (binary file descriptor) - can be triggered by crafted files
    • UAF when using the hash table implementation
    • excessive memory allocation - crash

[USN-5009-2] libslirp vulnerabilities [07:30]

[USN-5125-1] PHP vulnerability [07:41]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Root code exec in PHP-FPM - it uses a privileged root-level master process and unprivileged child worker processes, but a child could access memory shared with the parent and cause it to do an OOB read/write -> code execution in the parent -> priv-esc

[USN-5126-1, USN-5126-2] Bind vulnerability [08:33]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Possible cache poisoning could lead to DoS via excessive entries in the cache, causing slow lookup performance

[USN-5127-1] WebKitGTK vulnerabilities [08:55]

  • 3 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Usual web engine vulns - plus one in the bubblewrap launcher which allows a limited sandbox bypass - could trick host processes into believing a sandboxed process was not sandboxed and hence could potentially escalate privs

[USN-5128-1] Ceph vulnerabilities [09:35]

Goings on in Ubuntu Security Community

22.04 LTS development cycle begins [09:46]

  • Will include all the features from the various interim releases since the last 20.04 LTS plus some more
  • Since it is an LTS, this cycle is mostly to be spent making things as solid and stable as possible, but a few new features are planned:
    • nftables support
      • firewalling on Linux has 2 components - a kernel-space mechanism and userspace tooling to control it
      • traditionally the kernel supported iptables (aka xtables - ip-, ip6-, arp- and ebtables)
      • nftables was introduced into the kernel in 3.13 as a new mechanism for network packet classification and handling - aka firewalling etc
      • so the kernel has 2 mechanisms - xtables and nftables
      • userspace then has 2 primary tools for handling these - iptables for xtables and the nftables package (nft) for nftables
      • the iptables userspace tooling added an nft backend so existing iptables rules and users would be switched to it automatically - Ubuntu already switched to the nft backend in 21.04
      • now want to support the nftables userspace package as a first-class way of managing nftables
      • also look at implementing an nftables backend in ufw so it can drive nftables directly rather than via iptables
    • Improvements to OVAL data
      • Improved information around ESM products etc
    • Improved handling of pivot_root in AppArmor
      • Upstream issue https://gitlab.com/apparmor/apparmor/-/issues/113
      • once a pivot_root occurs, AppArmor loses track of the original paths, so if a root-level process is granted pivot_root permission it can move around inside its own mount namespace and escape the AppArmor policy
      • AppArmor needs to track the root before and after the pivot and allow policy to be specified for both pre- and post-pivot paths
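An audit of the two-mechanism split described in the nftables item above, as an added example (not from the podcast or Ubuntu's tooling); it assumes the `iptables`, `iptables-legacy` and `nft` commands and uses constructed sample output when they are not installed:

```python
"""Added example (not from the podcast or Ubuntu's tooling): check which
backend the iptables command uses and whether rules are loaded through both
kernel mechanisms (xtables and nftables), a state in which neither tool's
listing shows the whole firewall."""
import re
import shutil
import subprocess

def backend_from_version(version_line: str) -> str:
    """Classify `iptables -V` output such as 'iptables v1.8.7 (nf_tables)'."""
    m = re.search(r"\((nf_tables|legacy)\)", version_line)
    return m.group(1) if m else "unknown"

def count_xtables_rules(listing: str) -> int:
    """Rules in `iptables-legacy -S` output; -P (policy) lines are not rules."""
    return sum(1 for ln in listing.splitlines() if ln.startswith("-A "))

def count_nft_tables(ruleset: str) -> int:
    """Top-level tables in `nft list ruleset` output (prints nothing if none)."""
    return len(re.findall(r"^table\s", ruleset, re.MULTILINE))

def assess(version_line: str, legacy_listing: str, nft_ruleset: str) -> str:
    """'nf_tables' or 'legacy' when one mechanism carries the rules; 'mixed'
    when the other mechanism also holds rules the default tool will not list."""
    backend = backend_from_version(version_line)
    if backend == "nf_tables" and count_xtables_rules(legacy_listing):
        return "mixed"
    if backend == "legacy" and count_nft_tables(nft_ruleset):
        return "mixed"
    return backend

def run(*cmd: str) -> str:
    """Output of an installed tool (listings need root), else empty string."""
    if shutil.which(cmd[0]) is None:
        return ""
    res = subprocess.run(cmd, capture_output=True, text=True)
    return res.stdout if res.returncode == 0 else ""

# Constructed sample: iptables is on the nft backend (Ubuntu 21.04 onwards),
# but an older tool has inserted a rule through iptables-legacy.
SAMPLE_VERSION = "iptables v1.8.7 (nf_tables)"
SAMPLE_LEGACY = ("-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
                 "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n")
SAMPLE_NFT = "table ip filter {\n\tchain INPUT {\n\t\ttype filter hook input priority filter; policy accept;\n\t}\n}\n"

if __name__ == "__main__":
    if shutil.which("iptables"):  # live host
        print(assess(run("iptables", "-V"), run("iptables-legacy", "-S"),
                     run("nft", "list", "ruleset")))
    else:  # offline: the constructed sample reports "mixed"
        print(assess(SAMPLE_VERSION, SAMPLE_LEGACY, SAMPLE_NFT))
```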

Hiring [14:46]

Security - Product Manager

  • HOME BASED - EMEA (Europe, Middle East, Africa)
  • Role includes:
    • guiding the evolution of security offerings from Canonical and Ubuntu
    • driving compliance and certification of Ubuntu
    • engaging with the open source security community
    • telling the story of Canonical’s work to deliver secure platforms
  • https://canonical.com/careers/2278145/security-product-manager-remote

Get in contact