Show Notes
Overview
Ubuntu 20.04.4 LTS is released, plus we talk about Google Project Zero’s
metrics report as well as security updates for the Linux kernel, expat,
c3p0, Cyrus SASL and more.
This week in Ubuntu Security Updates
62 unique CVEs addressed
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Focal (20.04 LTS)
- Episode 149
[USN-5294-1, USN-5294-2] Linux kernel vulnerabilities [01:38]
- 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 - focal GA + clouds
- Usual sorts of issues - double-free (UAF) in packet network protocol, OOB
R/W in USB Gadget, race condition in Unix domain sockets - UAF, XFS info
leak, NFC race -> UAF, Intel GPU TLB flush missing - DoS/RCE, VMWare vGPU
missing cleanup on errors - stale entries in fd table - info leak /
privesc
[USN-5295-1, USN-5295-2] Linux kernel (HWE) vulnerabilities [02:57]
- 5 CVEs addressed in Impish (21.10), Focal (20.04 LTS)
- 5.13 - impish GA + focal HWE
[USN-5297-1] Linux kernel (GKE) vulnerabilities [03:17]
- 7 CVEs addressed in Focal (20.04 LTS)
- 5.4 gke specific kernel - focal + bionic
[USN-5298-1] Linux kernel vulnerabilities [03:29]
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- 4.15 bionic GA + xenial HWE + trusty azure
[USN-5299-1] Linux kernel vulnerabilities [03:46]
- 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 - xenial GA + trusty ESM
[USN-5302-1] Linux kernel (OEM) vulnerabilities [03:57]
- 6 CVEs addressed in Focal (20.04 LTS)
- 5.14 - focal OEM
[USN-5288-1] Expat vulnerabilities [04:12]
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- XML parser written in C - used by a huge number of other applications
from audacity, avahi, ceph, dbus, gdb, git, fontconfig, python, mesa,
squid and a lot more
- 2 possible RCE vulns - possible to inject content into XML namespace
tags, and failure to validate encoding e.g. for UTF-8 in particular
contexts
- critical severity according to upstream, since if expat passes malformed
data back to the application, that could result in memory corruption etc. ->
RCE (thanks to upstream for the heads-up on the possible impact of
these)
- Plus a bunch of DoS and other less severe bugs fixed too (stack
exhaustion, integer overflows when multi-gigabyte input is parsed etc)
[USN-5293-1] c3p0 vulnerability [05:41]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- JDBC connection pooling library
- billion laughs attack (aka XML bomb) when parsing XML config, via
recursive XML entity expansion - have one entity defined as 10 copies of the
previous entity, then do this 10 times -> 1 billion copies of the
original entity -> memory exhaustion
- "billion laughs" comes from the original PoC, which used an entity called
lol, with lol9 defined as 10 copies of lol8, which was defined as 10 copies of
lol7, etc…
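The expansion arithmetic above is easy to check before a parser ever sees the document. The following is an added example (not code from the podcast, from c3p0 or from any XML library): it reads the `<!ENTITY name "value">` declarations in the internal DTD subset, computes the fully expanded length of each entity with memoisation (so the cost grows with the size of the DTD, not with the size of the expanded output), and rejects the document if the expanded body would exceed a limit. The `nested_dtd` helper constructs test input in the lol/lol1/…/lolN layout described above; `levels=9, fanout=10` is the classic case. Only the quoted-literal internal entity syntax the attack uses is handled; external and parameter entities are ignored on purpose.

```python
"""Static pre-check for XML entity-expansion bombs (billion laughs).

Added example; not part of the podcast, c3p0 or any XML library.
"""
import re

# <!ENTITY name "value"> or <!ENTITY name 'value'> (internal general entities only)
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%&;]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
# A general-entity reference such as &lol3; or &amp;
ENTITY_REF = re.compile(r"&([^\s&;]+);")
# Predefined entities expand to a single character
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def split_document(doc):
    """Return (entities, body): internal entity declarations and the text after the DTD."""
    start = doc.find("<!DOCTYPE")
    if start == -1:
        return {}, doc
    lbr = doc.find("[", start)
    end = doc.find("]>", start)
    if lbr == -1 or end == -1 or lbr > end:   # DOCTYPE without an internal subset
        return {}, doc
    subset = doc[lbr:end]
    entities = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                for m in ENTITY_DECL.finditer(subset)}
    return entities, doc[end + 2:]


def expanded_length(text, entities, cache, stack=()):
    """Length of `text` once every entity reference in it is fully expanded.

    `cache` memoises the expanded length of each declared entity, which is what
    keeps a 10**9-copy bomb cheap to evaluate. A cycle in the declarations is a
    DTD error, so it raises rather than recursing forever.
    """
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos                 # literal text before the reference
        pos = m.end()
        name = m.group(1)
        if name in PREDEFINED or name.startswith("#"):
            total += 1                           # &amp;, &#x41; ... -> one character
        elif name in entities:
            if name not in cache:
                if name in stack:
                    raise ValueError(f"recursive entity: {name}")
                cache[name] = expanded_length(entities[name], entities, cache,
                                              stack + (name,))
            total += cache[name]
        else:
            total += len(m.group(0))             # undeclared: a parser would reject it
    return total + len(text) - pos               # trailing literal text


def check_document(doc, limit=10 * 1024 * 1024):
    """Return (accepted, expanded_body_length) for a 10 MiB default limit."""
    entities, body = split_document(doc)
    body_len = expanded_length(body, entities, {})
    return body_len <= limit, body_len


def nested_dtd(levels, fanout, base="lol"):
    """Constructed test input in the billion-laughs layout: each entity is
    `fanout` copies of the previous one, `levels` deep."""
    decls = [f'<!ENTITY {base} "{base}">']
    for i in range(1, levels + 1):
        prev = base if i == 1 else f"{base}{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY {base}{i} "{refs}">')
    top = f"{base}{levels}" if levels else base
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&{top};</lolz>")


if __name__ == "__main__":
    small = nested_dtd(3, 10)       # 10**3 copies of "lol"
    classic = nested_dtd(9, 10)     # 10**9 copies of "lol", ~3 GB if expanded
    for name, doc in (("3 levels", small), ("9 levels", classic)):
        ok, size = check_document(doc)
        print(f"{name}: expanded body {size:,} chars -> {'accept' if ok else 'REJECT'}")
```

The check runs on the raw bytes of the document, so it fits in front of any parser (c3p0's config loader included) without depending on that parser's own entity limits. The real fix is to disable DTD processing or entity expansion in the parser itself; a pre-check like this is a cheap second line of defence and a useful log signal.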
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- SASL implementation for Cyrus IMAP server, used also by exim, ldap-utils,
mutt, php, postfix and others
- SQL plugin failed to properly validate input - SQL injection
[USN-5300-1] PHP vulnerabilities [07:23]
- 6 CVEs addressed in Xenial ESM (16.04 ESM)
- php 7 - 4 different DoS vulns, 1 memory corruption - crash/RCE and one
info leak
GPZ report on vulnerability metrics [07:48]
- https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html
- Looks at vulns which GPZ has reported between Jan 2019 - Dec 2021 and how
fast they get patched
- 376 vulns
- 351 (93%) fixed, 14 (4%) wontfix, 11 (3%) unfixed
- 96 (26%) Microsoft, 85 (23%) Apple, 60 (16%) Google
- Strict 90-day deadline to fix and ship (with additional 14-day grace
period)
- When looking at vulns, group by Vendor - Apple, MS, Google, Linux
(kernel), Adobe, Mozilla, Samsung, Oracle and Others
- Others: includes both vendors: Apache, AWS, Canonical, Intel, Qualcomm,
RedHat etc, but also individual OSS projects: c-ares, git, glibc,
gnupg, libseccomp, systemd and more
- Time-to-patch:
- Linux - 25 days on average
- Google + Others - 44 days
- Mozilla - 61
- Adobe - 65
- Apple - 69
- Microsoft - 83
- Oracle - 109
- Looking by year shows most vendors have gotten faster over time - but
in particular Linux and Others are twice as fast in 2021 cf. 2019
- Good news for Ubuntu users as these encompass the Linux relevant vulns
- Also look into stats on phones - comparing iOS, Android (Samsung), Android
(Google) - and all have a TTP of ~70 days
- Then also dig into specifics of timelines for OSS projects, focusing on
browsers since can break down the process into 2 discrete steps:
- time from report to a public patch being available
- time from public patch to release
- And compare these across Chrome, WebKit and Firefox
- Chrome is fastest overall at 30 days total, Firefox 38 days, WebKit 73
- When looking at the two steps:
- Chrome has a very short initial patch time - 5 days - but both WebKit
and Firefox are respectable with 12 and 17 days respectively
- But the release cycle of WebKit is so long (61 days) compared to Chrome
(25) and Firefox (21) that this significantly delays the time to
fixes being available to users
- Also puts them at more risk, since once a patch is publicly
available, it is usually not too hard to engineer a PoC for motivated
researchers, so they then have 2 months to use this on average before
it is patched
- WebKit is used for all web rendering on iOS so iPhone users are then
vulnerable for quite a while no matter what browser they use -
hopefully Apple get faster at doing WebKit releases
- Compared to Firefox and Chrome - both 4 week cycle now
- It is not enough to develop fixes - you actually have to get them into
the hands of users to protect them
Ubuntu 20.04.4 LTS Released [15:27]
The Ubuntu team is pleased to announce the release of Ubuntu 20.04.4 LTS
(Long-Term Support) for its Desktop, Server, and Cloud products, as well
as other flavours of Ubuntu with long-term support.
Like previous LTS series, 20.04.4 includes hardware enablement stacks
for use on newer hardware. This support is offered on all architectures.
Ubuntu Server defaults to installing the GA kernel; however you may
select the HWE kernel from the installer bootloader.
As usual, this point release includes many updates, and updated
installation media has been provided so that fewer updates will need to
be downloaded after installation. These include security updates and
corrections for other high-impact bugs, with a focus on maintaining
stability and compatibility with Ubuntu 20.04 LTS.
Kubuntu 20.04.4 LTS, Ubuntu Budgie 20.04.4 LTS, Ubuntu MATE 20.04.4 LTS,
Lubuntu 20.04.4 LTS, Ubuntu Kylin 20.04.4 LTS, Ubuntu Studio 20.04.4 LTS,
and Xubuntu 20.04.4 LTS are also now available. More details can be found
in their individual release notes:
https://wiki.ubuntu.com/FocalFossa/ReleaseNotes#Official_flavours
Maintenance updates will be provided for 5 years for Ubuntu Desktop,
Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. All the remaining
flavours will be supported for 3 years. Additional security support is
available with ESM (Extended Security Maintenance).