Episode 147

Posted on Friday, Feb 4, 2022
We’re back after a few weeks off to cover the launch of the Ubuntu Security Guide for DISA-STIG, plus we detail the latest vulnerabilities and updates for lxml, PolicyKit, the Linux Kernel, systemd, Samba and more.

Show Notes

This week in Ubuntu Security Updates

100 unique CVEs addressed

[USN-5225-1] lxml vulnerability [00:57]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Python bindings for the venerable libxml2 + libxslt - used by many other Python packages for parsing XML etc.
  • HTML cleaner module - designed to clean up HTML by removing embedded scripts, special tags, CSS style annotations and more.
  • Crafted scripts could bypass the filter - same for SVG, which could embed scripts via data URIs - code execution as a result -> RCE

[USN-5210-2] Linux kernel regression [02:03]

[USN-5223-1] Apache Log4j 1.2 vulnerability [02:21]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • JMS Appender module in Log4j 1.2 - requires the attacker to be able to first modify the Log4j config - but can then get code execution - similar to the original Log4Shell CVE-2021-44228 but not as severe

[USN-5224-2] Ghostscript vulnerabilities [02:57]

[USN-5227-1, USN-5227-2] Pillow vulnerabilities [03:06]

[USN-5229-1] Firefox vulnerabilities [03:27]

[USN-5233-1, USN-5233-2] ClamAV vulnerability [03:59]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • OOB read when using the CL_SCAN_GENERAL_COLLECT_METADATA option and handling OOXML files - a remote attacker could supply an input file which triggers this -> crash

[USN-5235-1] Ruby vulnerabilities [04:24]

[USN-5234-1] Byobu vulnerability [04:25]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • The Apport hook for Byobu would upload the local .screenrc file, which could possibly contain private info

[USN-5240-1] Linux kernel vulnerability [05:09]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Integer underflow -> OOB write when parsing file system properties - possible code execution -> requires root privileges to trigger BUT can also be done from a user namespace - i.e. where a local user can masquerade as root

[LSN-0084-1] Linux kernel vulnerability

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Livepatch for the above issue

[USN-5242-1] Open vSwitch vulnerability [06:16]

  • 1 CVE addressed in Impish (21.10)
  • Memory leak when handling fragmented packets - only affects the most recent versions of Open vSwitch, so LTS releases etc. are not affected

[USN-5243-1, USN-5243-2] AIDE vulnerability [06:34]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Advanced Intrusion Detection Environment
    • checks integrity of files - common security tool
  • Heap buffer overflow when performing various base64 operations, as done when handling XFS extended attributes or tmpfs ACLs - local privesc

[USN-5246-1] Thunderbird vulnerabilities [07:21]

[USN-5248-1] Thunderbird vulnerabilities

[USN-5249-1] USBView vulnerability [08:52]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Failed to properly configure PolicyKit to enforce proper restrictions - could allow a local user to execute arbitrary code by causing USBView to load other modules
  • Future versions of USBView won’t run as root

[USN-5250-1] strongSwan vulnerability [09:59]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

[USN-5252-1, USN-5252-2] PolicyKit vulnerability [10:06]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Mishandling of argv in pkexec
  • Normally, when an application runs, it gets given argv + argc - argv[0] is the name of the application and the arguments follow that - BUT this is only a convention - a caller can fork/exec another binary and specify a NULL argv
  • pkexec in that case would then try to parse arguments outside of the valid argv array - generally env follows argv in memory - so it would process env as argv
  • since pkexec is setuid root, glibc sanitises env - BUT pkexec modifies its own argv when processing arguments - so it ends up modifying env - with a crafted env input one can trick pkexec into modifying its own env to then inject, say, a malicious LD_PRELOAD value and cause arbitrary code to be executed as root
  • Great find by Qualys
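The argv handling described above, as an added illustration that is not polkit's own code: an option scan that assumes argv[0] exists steps past the NULL terminator into envp[0] when argc is 0, shown beside the bounds-checked form that rejects an empty argv. The fake_stack array is a constructed stand-in for the kernel's argv/envp layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a new process's string area: argv[0..argc-1], NULL, envp[0..], NULL.
 * Here argv is empty (argc == 0), so index 0 is the terminator and index 1 is envp[0]. */
static char env0[] = "PATH=/tmp/constructed";   /* constructed sample env */
static char env1[] = "HOME=/root";
static char *fake_stack[] = { NULL, env0, env1, NULL };
#define FAKE_ARGC 0

/* A normal invocation, used to show the hardened scan still finds the target. */
static char a0[] = "pkexec", a1[] = "-q", a2[] = "id";
static char *normal_argv[] = { a0, a1, a2, NULL };

/* Vulnerable pattern: skips argv[0] unconditionally and never bounds n by argc,
 * so with argc == 0 the first element it inspects is really envp[0]. */
const char *vulnerable_target(int argc, char **argv)
{
    int n = 1;
    (void)argc;                           /* argc is ignored: the root of the bug */
    while (argv[n] != NULL && argv[n][0] == '-')
        n++;                              /* skip leading options */
    return argv[n];                       /* out of the argv array when argc == 0 */
}

/* Hardened pattern (the shape of the upstream fix): refuse an argv with no argv[0]
 * and bound every index by argc, so the scan can never leave the array. */
const char *hardened_target(int argc, char **argv)
{
    int n;
    if (argc < 1)
        return NULL;                      /* no argv[0]: reject instead of reading past it */
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            return argv[n];
    return NULL;                          /* options only: no target program */
}

int main(void)
{
    const char *v = vulnerable_target(FAKE_ARGC, fake_stack);
    const char *h = hardened_target(FAKE_ARGC, fake_stack);
    printf("vulnerable scan with empty argv returned: %s\n", v ? v : "(null)");
    printf("hardened scan with empty argv returned:   %s\n", h ? h : "(null)");
    return 0;
}
```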

[USN-5226-1] systemd vulnerability [13:50]

  • 1 CVE addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • Uncontrolled recursion in systemd-tmpfiles - a local user could create a deeply nested directory structure and cause systemd-tmpfiles to overflow its own stack by recursively calling the same function over and over again -> crash -> DoS

[USN-5193-2] X.Org X Server vulnerabilities [14:58]

[USN-5247-1] Vim vulnerabilities [15:07]

[USN-5254-1] shadow vulnerabilities [15:54]

[USN-5255-1] WebKitGTK vulnerabilities [16:03]

[USN-5257-1] ldns vulnerabilities [16:18]

[USN-5260-1, USN-5260-2] Samba vulnerabilities [16:19]

  • 3 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
  • 1 CVE addressed in Bionic (18.04 LTS)
  • Most interesting vuln:
    • Heap OOB read/write in the VFS fruit module - code exec
    • Used to provide enhanced compatibility with Apple SMB clients and others
    • Not enabled by default but likely enabled in a bunch of different envs
    • Occurs when parsing extattr metadata - requires a user to be able to modify a file's xattrs, but this is common in lots of envs

[USN-5259-1] Cron vulnerabilities [17:01]

Goings on in Ubuntu Security Community

Ubuntu Security Guide tooling released for DISA-STIG compliance [17:11]

  • DISA-STIG is a U.S. Department of Defense security configuration standard consisting of configuration guidelines for hardening systems to improve a system’s security posture.

  • It can be seen as a checklist for securing protocols, services, or servers to improve the overall security by reducing the attack surface.

  • The Ubuntu Security Guide (USG) brings simplicity by integrating the experience of several teams working on compliance. It enables the audit, fixing, and customisation of a system while enabling a system-wide configuration for compliance, making management by diverse people in a DevOps team significantly easier.

  • The DISA-STIG automated configuration tooling for Ubuntu 20.04 LTS is available with Ubuntu Advantage subscriptions and Ubuntu Pro, alongside additional open source security and support services.

  • https://ubuntu.com/blog/ubuntu-introduces-the-ubuntu-security-guide-to-ease-disa-stig-compliance

  • https://ubuntu.com/advantage
