Episode 147
Posted on Friday, Feb 4, 2022
We’re back after a few weeks off to cover the launch of the Ubuntu Security
Guide for DISA-STIG, plus we detail the latest vulnerabilities and updates
for lxml, PolicyKit, the Linux Kernel, systemd, Samba and more.
Show Notes
Overview
We’re back after a few weeks off to cover the launch of the Ubuntu Security Guide for DISA-STIG, plus we detail the latest vulnerabilities and updates for lxml, PolicyKit, the Linux Kernel, systemd, Samba and more.
This week in Ubuntu Security Updates
100 unique CVEs addressed
[USN-5225-1] lxml vulnerability [00:57]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Python bindings for venerable libxml2 + libxslt - used by many other python packages for parsing XML etc
- HTML cleaner module - designed to clean up HTML by removing embedded scripts, special tags, CSS style annotations and more.
- Would allow crafted scripts to bypass the filter - same for SVG which could embed scripts via data URIs - code execution as a result -> RCE
[USN-5210-2] Linux kernel regression [02:03]
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Episode 136 - [USN-5210-1] - caused boot failure on machines that had AMD Secure Encrypted Virtualisation enabled
[USN-5223-1] Apache Log4j 1.2 vulnerability [02:21]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- JMS Appender module in Log4j 1.2 - requires the attacker to be able to first modify the Log4j config - but can then get code execution - similar to the original Log4Shell CVE-2021-44228 but not as severe
[USN-5224-2] Ghostscript vulnerabilities [02:57]
- 2 CVEs addressed in Xenial ESM (16.04 ESM)
- Episode 146
[USN-5227-1, USN-5227-2] Pillow vulnerabilities [03:06]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Various DoS / possible RCE via crafted image files
[USN-5229-1] Firefox vulnerabilities [03:27]
- 13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- 96.0
- Usual mix of web issues with standard consequences -> DoS / spoof browser UI, bypass security / content restrictions, info leak, RCE
[USN-5233-1, USN-5233-2] ClamAV vulnerability [03:59]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- OOB read when using the
CL_SCAN_GENERAL_COLLECT_METADATAoption and handling OOXML files - remote attacker could supply an input file which could trigger this -> crash
[USN-5235-1] Ruby vulnerabilities [04:24]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
[USN-5234-1] Byobu vulnerability [04:25]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- Apport hook for Byobu would upload the local
.screenrcfile which could possibly contain private info
[USN-5240-1] Linux kernel vulnerability [05:09]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Integer underflow -> OOB write when parsing file system properties - possible code execution -> requires root privileges to trigger BUT can also be done from a user namespace - ie where a local user can masquerade as root
[LSN-0084-1] Linux kernel vulnerability
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Livepatch for the above issue
[USN-5242-1] Open vSwitch vulnerability [06:16]
- 1 CVEs addressed in Impish (21.10)
- Memory leak when handling fragmented packets - only affects most recent versions of Open vSwitch so LTS releases etc not affected
[USN-5243-1, USN-5243-2] AIDE vulnerability [06:34]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Advanced Intrusion Detection Environment
- checks integrity of files - common security tool
- Heap buffer overflow when performing various base64 operations, as done when handling XFS extended attributes or tmpfs ACLs - local privesc
[USN-5246-1] Thunderbird vulnerabilities [07:21]
- 26 CVEs addressed in Impish (21.10)
- CVE-2021-43546
- CVE-2021-4126
- CVE-2021-44538
- CVE-2021-43528
- CVE-2022-22751
- CVE-2022-22748
- CVE-2022-22747
- CVE-2022-22745
- CVE-2022-22743
- CVE-2022-22742
- CVE-2022-22741
- CVE-2022-22740
- CVE-2022-22739
- CVE-2022-22738
- CVE-2022-22737
- CVE-2021-43656
- CVE-2021-43545
- CVE-2021-43543
- CVE-2021-43542
- CVE-2021-43541
- CVE-2021-43539
- CVE-2021-43538
- CVE-2021-43537
- CVE-2021-43536
- CVE-2021-4140
- CVE-2021-4129
- 91.5
- Usual web framework issues plus some TB specific ones
- JS interpreter was enabled in composition window - so if an attacker could exploit some other vuln to then be able to inject content into the composition window could get code execution
- Buffer overflow in Matrix chat client lib
- Mishandling of PGP/MIME - would only look at signature on inner signed message even if was contained in another signed message - so would show whole message as valid
[USN-5248-1] Thunderbird vulnerabilities
- 45 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2021-43546
- CVE-2021-4126
- CVE-2021-44538
- CVE-2021-43528
- CVE-2021-38502
- CVE-2022-22751
- CVE-2022-22748
- CVE-2022-22747
- CVE-2022-22745
- CVE-2022-22743
- CVE-2022-22742
- CVE-2022-22741
- CVE-2022-22740
- CVE-2022-22739
- CVE-2022-22738
- CVE-2022-22737
- CVE-2021-43656
- CVE-2021-43545
- CVE-2021-43543
- CVE-2021-43542
- CVE-2021-43541
- CVE-2021-43539
- CVE-2021-43538
- CVE-2021-43537
- CVE-2021-43536
- CVE-2021-43535
- CVE-2021-43534
- CVE-2021-38509
- CVE-2021-38508
- CVE-2021-38507
- CVE-2021-38506
- CVE-2021-38504
- CVE-2021-38503
- CVE-2021-38501
- CVE-2021-38500
- CVE-2021-38498
- CVE-2021-38497
- CVE-2021-38496
- CVE-2021-38495
- CVE-2021-29991
- CVE-2021-29987
- CVE-2021-29982
- CVE-2021-29981
- CVE-2021-4140
- CVE-2021-4129
[USN-5249-1] USBView vulnerability [08:52]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Failed to properly configure policykit to enforce proper restrictions - could allow a local user to execute arbitrary code by causing USBView to load other modules
- Future versions of USBView won’t run as root
[USN-5250-1] strongSwan vulnerability [09:59]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
[USN-5252-1, USN-5252-2] PolicyKit vulnerability [10:06]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Mishandling of argv in pkexec
- Normally, when an application runs, gets given argv + argc - argv[0] is the name of the application and arguments follow that - BUT this is only a convention - can fork/exec another binary and specify NULL argv
- pkexec in that case would then try and parse arguments outside of the valid argv array - generally env follows argv - so would process env as argv
- since pkexec is setuid root glibc sanitises env - BUT pkexec modifies
it’s own argv when processing arguments - so ends up modifying env - with
a crafted env input can trick pkexec to modify it’s own env to then
inject say a malicious
LD_PRELOADvalue to cause arbitrary code to be executed as root - Great find by Qualys
[USN-5226-1] systemd vulnerability [13:50]
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Uncontrolled recursion in systemd-tmpfiles - local user could create a deeply nested directory structure, cause systemd-tmpfiles to overflow it’s own stack by recursively calling the same function over and over again -> crash -> DoS
[USN-5193-2] X.Org X Server vulnerabilities [14:58]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Episode 142
[USN-5247-1] Vim vulnerabilities [15:07]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Various memory corruption vulns when handling different files - DoS / code execution
- All found by fuzzing vim with ASan - participates in bug bounty - want some bug cash?
[USN-5254-1] shadow vulnerabilities [15:54]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5255-1] WebKitGTK vulnerabilities [16:03]
- 7 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
[USN-5257-1] ldns vulnerabilities [16:18]
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
[USN-5260-1, USN-5260-2] Samba vulnerabilities [16:19]
- 3 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
- 1 CVEs addressed in Bionic (18.04 LTS)
- Most interesting vuln:
- Heap OOB read/write in VFS fruit module - codeexec
- Used to provide enhanced compatibility with Apple SMB clients and others
- Not enabled by default but likely enabled in a bunch of different envs
- Occurs when parsing extattr metadata - requires a user to be able to modify a files xattrs but this is common in lots of envs
[USN-5259-1] Cron vulnerabilities [17:01]
- 4 CVEs addressed in Xenial ESM (16.04 ESM)
Goings on in Ubuntu Security Community
Ubuntu Security Guide tooling released for DISA-STIG compliance [17:11]
-
DISA-STIG is a U.S. Department of Defense security configuration standard consisting of configuration guidelines for hardening systems to improve a system’s security posture.
-
It can be seen as a checklist for securing protocols, services, or servers to improve the overall security by reducing the attack surface.
-
The Ubuntu Security Guide (USG) brings simplicity by integrating the experience of several teams working on compliance. It enables the audit, fixing, and customisation of a system while enabling a system-wide configuration for compliance, making management by diverse people in a DevOps team significantly easier.
-
The DISA-STIG automated configuration tooling for Ubuntu 20.04 LTS is available with Ubuntu Advantage subscriptions and Ubuntu Pro, alongside additional open source security and support services.
-
https://ubuntu.com/blog/ubuntu-introduces-the-ubuntu-security-guide-to-ease-disa-stig-compliance