Episode 150

Posted on Friday, Feb 25, 2022
Ubuntu 20.04.4 LTS is released, plus we talk about Google Project Zero’s metrics report as well as security updates for the Linux kernel, expat, c3p0, Cyrus SASL and more.

Show Notes

Overview

Ubuntu 20.04.4 LTS is released, plus we talk about Google Project Zero’s metrics report as well as security updates for the Linux kernel, expat, c3p0, Cyrus SASL and more.

This week in Ubuntu Security Updates

62 unique CVEs addressed

[USN-5292-2, USN-5292-3] snapd vulnerabilities [00:44]

[USN-5294-1, USN-5294-2] Linux kernel vulnerabilities [01:38]

[USN-5295-1, USN-5295-2] Linux kernel (HWE) vulnerabilities [02:57]

[USN-5297-1] Linux kernel (GKE) vulnerabilities [03:17]

[USN-5298-1] Linux kernel vulnerabilities [03:29]

[USN-5299-1] Linux kernel vulnerabilities [03:46]

[USN-5302-1] Linux kernel (OEM) vulnerabilities [03:57]

[USN-5288-1] Expat vulnerabilities [04:12]

  • 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • XML parser written in C - used by a huge number of other applications from audacity, avahi, ceph, dbus, gdb, git, fontconfig, python, mesa, squid and a lot more
  • 2 possible RCE vulns - one allows injecting content into XML namespace tags, the other is a failure to validate encoding (e.g. UTF-8) in particular contexts
    • critical severity according to upstream, since if expat passes malformed data back to the application this could result in memory corruption etc -> RCE (thanks to upstream for the heads-up on the possible impact of these)
    • Plus a bunch of DoS and other less severe bugs fixed too (stack exhaustion, integer overflows when multi-gigabyte input is parsed etc)

[USN-5293-1] c3p0 vulnerability [05:41]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • JDBC connection pooling library
  • billion laughs attack (aka XML bomb) when parsing XML config, via recursive XML entity expansion - define one entity as 10 copies of the previous entity, repeat this 10 levels deep, and a single reference expands to 1 billion copies of the original entity - memory exhaustion
  • the name billion laughs comes from the original PoC, which used an entity called lol, with lol9 defined as 10 copies of lol8, which was defined as 10 copies of lol7 etc…
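The check below is an added example, not code from c3p0 or from Ubuntu's update: it shows how a defender can compute the size an XML document would reach after entity expansion without ever building that text, and refuse to parse when the amplification is absurd. It generalises the case in the notes (10 copies, 10 levels) to any depth and fan-out, also rejects recursive entity definitions, and uses a constructed benign config to show that a small, legitimate entity still passes. The names (`expansion_sizes`, `safe_parse`, the `lol` entities) and the 1,000,000-character limit are assumptions chosen for this illustration; the regex pre-scan is a heuristic and the real parser still does the authoritative well-formedness check.

```python
import re
import xml.etree.ElementTree as ET

# Internal general entity declarations (<!ENTITY name "text"> or '...') and references
# to them (&name;). Parameter entities (<!ENTITY % ...>) and external entities
# (SYSTEM/PUBLIC) do not match this pattern and are deliberately ignored here.
ENTITY_DECL = re.compile(r"<!ENTITY\s+([\w.\-]+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&([\w.\-]+);")


def split_doctype(xml_text):
    """Return (internal_subset, body): the text between the DOCTYPE's '[' and ']>', and the rest."""
    start = xml_text.find("<!DOCTYPE")
    if start < 0:
        return "", xml_text
    open_br = xml_text.find("[", start)
    close = xml_text.find("]>", start)
    if open_br < 0 or close < 0:
        return "", xml_text  # DOCTYPE without an internal subset: nothing can be declared
    return xml_text[open_br + 1:close], xml_text[close + 2:]


def internal_entities(xml_text):
    """Map each internal general entity declared in the DOCTYPE to its replacement text."""
    subset, _ = split_doctype(xml_text)
    entities = {}
    for m in ENTITY_DECL.finditer(subset):
        name, dq, sq = m.groups()
        entities.setdefault(name, dq if dq is not None else sq)  # first declaration wins
    return entities


def expansion_sizes(entities):
    """Length of every entity's fully expanded text, computed arithmetically rather than
    by expanding it. Raises ValueError on a recursive (self-referencing) definition."""
    sizes = {}

    def size(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError("recursive entity reference: %s" % " -> ".join(stack + (name,)))
        total = len(entities[name])
        for m in ENTITY_REF.finditer(entities[name]):
            ref = m.group(1)
            if ref in entities:  # '&ref;' is replaced by ref's expansion
                total += size(ref, stack + (name,)) - len(m.group(0))
        sizes[name] = total
        return total

    for name in entities:
        size(name, ())
    return sizes


def expanded_document_size(xml_text):
    """Characters the document body would occupy once every entity reference is expanded."""
    entities = internal_entities(xml_text)
    sizes = expansion_sizes(entities)
    _, body = split_doctype(xml_text)
    total = len(body)
    for m in ENTITY_REF.finditer(body):
        if m.group(1) in entities:
            total += sizes[m.group(1)] - len(m.group(0))
    return total


def safe_parse(xml_text, max_expanded=1_000_000):
    """Parse only if expansion stays under max_expanded characters (assumed limit)."""
    size = expanded_document_size(xml_text)  # raises ValueError on recursive entities
    if size > max_expanded:
        raise ValueError("entity expansion would produce %d chars (limit %d)" % (size, max_expanded))
    return ET.fromstring(xml_text)


def is_expansion_safe(xml_text, max_expanded=1_000_000):
    """True when the document can be parsed under the limit; False for bombs and cycles."""
    try:
        return expanded_document_size(xml_text) <= max_expanded
    except ValueError:
        return False


def make_billion_laughs(depth=9, fanout=10):
    """Constructed payload of the shape the notes describe: each entity is `fanout`
    copies of the previous one, so with the defaults lol9 expands to 10**9 copies of "lol"."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        name = "lol%d" % i
        decls.append('<!ENTITY %s "%s">' % (name, ("&%s;" % prev) * fanout))
        prev = name
    return ('<?xml version="1.0"?>\n<!DOCTYPE config [\n%s\n]>\n<config>&%s;</config>\n'
            % ("\n".join(decls), prev))


# Constructed benign config: one small entity, the legitimate use of the feature.
BENIGN_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY host "db.example.internal"> ]>
<config><url>jdbc:host=&host;</url></config>
"""

if __name__ == "__main__":
    bomb = make_billion_laughs()
    print(expansion_sizes(internal_entities(bomb))["lol9"])  # 3000000000
    print(is_expansion_safe(bomb), is_expansion_safe(BENIGN_CONFIG))  # False True
```

The arithmetic is the whole point: `lol1` is 10 references to a 3-character entity, so it expands to 30 characters, and each level multiplies by 10, so `lol9` reaches 3 × 10⁹ characters from a document of a few hundred bytes. Treat this pre-scan as defence in depth: recent libexpat releases (2.4.0 onwards) also carry built-in amplification limits, and the simplest fix for a config parser that never needs DTDs is to disallow them entirely.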

[USN-5301-1, USN-5301-2] Cyrus SASL vulnerability [06:44]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • SASL implementation for Cyrus IMAP server, used also by exim, ldap-utils, mutt, php, postfix and others
  • SQL plugin failed to properly validate input, leading to SQL injection
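The bug class in the Cyrus SASL SQL plugin is worth seeing side by side with its standard fix. The following is an added example in Python with an in-memory sqlite database, not the plugin's C code nor the patch shipped in the USN: `lookup_vulnerable` pastes a peer-supplied username into the statement text, while `lookup_hardened` binds it as a parameter so that it is always treated as data. The table, column names and the two constructed accounts are assumptions for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for the plugin's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn, username):
    """The flawed pattern: untrusted input becomes part of the SQL text, so a quote
    character in the username changes the meaning of the WHERE clause."""
    sql = "SELECT secret FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, username):
    """The fix: a bound parameter is never interpreted as SQL syntax, whatever it contains."""
    row = conn.execute("SELECT secret FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR username='alice"  # constructed input containing a quote character
    print(lookup_vulnerable(conn, crafted))  # alice-secret: the clause was rewritten
    print(lookup_hardened(conn, crafted))    # None: no such user exists
```

Note that both functions behave identically for a well-formed username such as `bob`; the difference only appears on input the author did not anticipate, which is exactly why "validate input" on its own is a weaker fix than parameterised statements.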

[USN-5300-1] PHP vulnerabilities [07:23]

Goings on in Ubuntu Security Community

GPZ report on vulnerability metrics [07:48]

  • https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html
  • Looks at vulns which GPZ has reported between Jan 2019 - Dec 2021 and how fast they get patched
  • 376 vulns
    • 351 (93%) fixed, 14 (4%) wontfix, 11 (3%) unfixed
    • 96 (26%) Microsoft, 85 (23%) Apple, 60 (16%) Google
  • Strict 90-day deadline to fix and ship (with additional 14-day grace period)
  • When looking at vulns, group by Vendor - Apple, MS, Google, Linux (kernel), Adobe, Mozilla, Samsung, Oracle and Others
    • Others: includes both vendors: Apache, AWS, Canonical, Intel, Qualcomm, RedHat etc, but also individual OSS projects: c-ares, git, glibc, gnupg, libseccomp, systemd and more
  • Time-to-patch:
    • Linux - 25 days on average
    • Google + Others - 44 days
    • Mozilla - 61
    • Adobe - 65
    • Apple - 69
    • Microsoft - 83
    • Oracle - 109
  • Looking at it by year shows most vendors have gotten faster over time - in particular Linux and Others are twice as fast in 2021 compared to 2019
    • Good news for Ubuntu users as these encompass the Linux relevant vulns
  • Also looks at stats for phones - comparing iOS, Android (Samsung) and Android (Google) - all have a TTP of ~70 days
  • Then also digs into the specifics of timelines for OSS projects, focusing on browsers since the process can be broken down into 2 discrete steps:
    • time from report to a public patch being available
    • time from public patch to release
  • And compare these across Chrome, WebKit and Firefox
    • Chrome is fastest overall at 30 days total, Firefox 38 days, WebKit 73
    • When looking at the two steps:
      • Chrome has a very short initial patch time - 5 days - but both WebKit and Firefox are respectable with 12 and 17 days respectively
      • But the release cycle of WebKit is so long (61 days) compared to Chrome (25) and Firefox (21) that this significantly delays the time to fixes being available to users
      • It also puts users at more risk, since once a patch is publicly available it is usually not too hard for motivated researchers to engineer a PoC from it, so on average they then have 2 months to use it before the fix reaches users
      • WebKit is used for all web rendering on iOS, so iPhone users are vulnerable for quite a while no matter which browser they use - hopefully Apple get faster at doing WebKit releases
      • Compared to Firefox and Chrome - both on a 4 week cycle now
      • It is not enough to develop fixes - you actually have to get them into the hands of users to protect them

Ubuntu 20.04.4 LTS Released [15:27]

The Ubuntu team is pleased to announce the release of Ubuntu 20.04.4 LTS (Long-Term Support) for its Desktop, Server, and Cloud products, as well as other flavours of Ubuntu with long-term support.

Like previous LTS series, 20.04.4 includes hardware enablement stacks for use on newer hardware. This support is offered on all architectures.

Ubuntu Server defaults to installing the GA kernel; however you may select the HWE kernel from the installer bootloader.

As usual, this point release includes many updates, and updated installation media has been provided so that fewer updates will need to be downloaded after installation. These include security updates and corrections for other high-impact bugs, with a focus on maintaining stability and compatibility with Ubuntu 20.04 LTS.

Kubuntu 20.04.4 LTS, Ubuntu Budgie 20.04.4 LTS, Ubuntu MATE 20.04.4 LTS, Lubuntu 20.04.4 LTS, Ubuntu Kylin 20.04.4 LTS, Ubuntu Studio 20.04.4 LTS, and Xubuntu 20.04.4 LTS are also now available. More details can be found in their individual release notes:

https://wiki.ubuntu.com/FocalFossa/ReleaseNotes#Official_flavours

Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. All the remaining flavours will be supported for 3 years. Additional security support is available with ESM (Extended Security Maintenance).
