Episode 160

Posted on Friday, May 20, 2022
Ubuntu get’s pwned again at Pwn2Own Vancouver 2022, plus we look at security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.

Show Notes

Overview

Ubuntu get’s pwned again at Pwn2Own Vancouver 2022, plus we look at security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.

This week in Ubuntu Security Updates

57 unique CVEs addressed

[USN-5413-1] Linux kernel vulnerabilities [01:06]

  • 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • 4.4 - 16.04 ESM GA + 14.04 ESM
  • UAF in nouveau driver when device is removed - external NVIDIA GPU? or local user unbinding the driver?
  • UAF due to race condition in network packet scheduler
  • OOB write in NFS - user who had access to an NFS mount could possibly exploit this
  • Buffer overflow in ST Micro NFC driver - failed to validate parameters from NFC device - physically approximate attacker could possibly exploit this but would need custom hw/sw
  • Similarly, Xilinx USB2 gadget driver failed to validate USB endpoints
  • ESM CAN/USB double-free

[USN-5415-1] Linux kernel vulnerabilities [02:27]

[USN-5417-1] Linux kernel vulnerabilities [03:07]

[USN-5418-1] Linux kernel vulnerabilities [03:19]

[USN-5416-1] Linux kernel (OEM) vulnerabilities [03:26]

  • 5 CVEs addressed in Focal (20.04 LTS)
  • 5.14 - 20.04 LTS OEM
  • KVM mishandled guest page table updates -> guest VM crash host OS
  • 2 similar issues in CAN bus drivers - 8 Devices USB2CAN and Microchip CAN Bus analyzer both had double-free on error paths - local attacker could crash -> DoS
  • Plus ESM CAN/USB issue from above

[USN-5419-1] Rsyslog vulnerabilities [04:26]

  • 3 CVEs addressed in Xenial ESM (16.04 ESM)
  • 2 issues in handling of various message types (AIX + Cisco log messages failed to properly validate contents and so could result in heap buffer overflow)
  • 1 in handling of plain TCP socket comms - but this module is not enabled in the default rsyslog configuration for Ubuntu

[USN-5420-1] Vorbis vulnerabilities [05:01]

[USN-5421-1] LibTIFF vulnerabilities [05:16]

[USN-5422-1] libxml2 vulnerabilities [05:32]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • UAF plus possible integer overflows -> unspec impact (but requires victim to process a multiGB XML file)

[USN-5311-2] containerd regression [06:03]

  • 1 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
  • Episode 152 - subsequent update to containerd by different team reverted the CVE fix accidentally - reinstated it

[USN-5423-1, USN-5423-2] ClamAV vulnerabilities [06:24]

[USN-5424-1] OpenLDAP vulnerability [06:53]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • SQL injection in the sql backend of slapd via an SQL statement within a LDAP query

[USN-5425-1] PCRE vulnerabilities [07:09]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • OOB read -> info leak
  • integer overflow -> buffer overflow? -> crash / code execution

[USN-5426-1] needrestart vulnerability [07:20]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • detects daemons that need to be restarted after libraries are upgraded
  • uses various regex’s to detect scripting languages - but since these were not specific enough, it could allow a user to get their own script executed in the context of the user which is running needrestart - which could be root

[USN-5427-1] Apport vulnerabilities [08:08]

  • 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Gerrit Venema reported a heap of issues in Apport - thanks to Marc Deslauriers on our team for working on these
  • Crash handler in Ubuntu - is invoked by the kernel when an application crashes to collect various data to then upload to Ubuntu developers
  • Runs as root but can be invoked as a regular user so has been a target for privesc vulns in the past
  • Has various code to drop privileges etc but these were found to be incomplete
  • Impacts of these issues range from DoS by crashing Apport through to local privesc to root

[USN-5428-1] libXrandr vulnerabilities [09:14]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • Integer overflows -> OOB write plus another different OOB write - all able to be triggered by a malicious remote X server

Goings on in Ubuntu Security Community

Ubuntu in Pwn2Own Vancouver 2022 [09:39]

Get in contact