Episode 164

Posted on Friday, Jun 17, 2022
More Intel CPU issues, including Hertzbleed and MMIO stale data, plus we cover security vulnerabilities and updates for ca-certificates, Varnish Cache, FFmpeg, Firefox, PHP and more.

Show Notes


This week in Ubuntu Security Updates

64 unique CVEs addressed

[USN-5473-1] ca-certificates update [00:41]

  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
  • Updates to the latest 2.50 version of the Mozilla CA bundle - in particular this removes a number of expired certificates plus an old (but still valid) GeoTrust certificate and others, and also adds some new CA certificates from GlobalTrust, Certum and GlobalSign

[USN-5396-2] Ghostscript vulnerability [01:30]

[USN-5474-1] Varnish Cache vulnerabilities [01:41]

  • 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Thanks to Luís Infante da Câmara for preparing, testing and providing the debdiffs for these updates
  • Possible HTTP/1 and HTTP/2 request smuggling attacks
  • DoS via triggering an assertion failure
  • Pointer from one client reused for the next if both share the same connection - can expose information from the old client to the new one

[USN-5472-1] FFmpeg vulnerabilities [02:30]

[USN-5475-1] Firefox vulnerabilities [03:04]

[USN-5476-1] Liblouis vulnerabilities [03:54]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Braille translation library + utils
  • Buffer overflow -> crash -> DoS
  • OOB write -> crash -> DoS / RCE

[USN-5359-2] rsync vulnerability [04:27]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • Covered in Episode 156 (zlib memory corruption issue when compressing input data)

[USN-5477-1] ncurses vulnerabilities [04:54]

[USN-5478-1] util-linux vulnerability [05:28]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • Memory leak in libblkid when parsing a crafted MSDOS partition table

[USN-5479-1] PHP vulnerabilities [05:40]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Both issues are in the handling of crafted inputs by database drivers - one for PostgreSQL and one for MySQL
    • Uninitialised variable in the pgsql driver -> use-after-free in a certain error scenario -> RCE
    • Buffer overflow in the password handler for mysqlnd (native driver) - a rogue MySQL server could trigger this to get RCE

Goings on in Ubuntu Security Community

News on latest Intel security issues [06:33]

  • Hertzbleed & MMIO stale data both disclosed this week
  • Hertzbleed - interesting new crypto side-channel attack demonstrated against SIKE (Supersingular Isogeny Key Encapsulation - post-quantum key encapsulation mechanism)
    • Turns a frequency side-channel into a timing side-channel, so that code which was previously assumed to be constant-time can still leak information about the key: the attacker mounts a chosen-ciphertext attack from a client, observes the timing of the server's responses and infers the secret key from them
    • Acknowledged by both Intel and AMD, but likely all modern processors which employ dynamic voltage and frequency scaling (DVFS) are affected
    • Intel have released guidance for how to harden crypto implementations against this attack
    • No changes/fixes for this in the kernel, microcode, toolchain etc. - instead it will be up to individual libraries to assess whether they may be affected and then refactor accordingly
  • MMIO stale-data
    • Vulnerabilities in memory-mapped I/O - generally only applicable to virtualisation, when untrusted guests have access to MMIO
      • Not transient execution attacks themselves, but since these vulns allow stale data to persist, that data can then be inferred via a transient execution attack (TEA; think Spectre etc.)
    • Consists of a series of different issues for various microarchitectural buffers / registers where stale data is left behind after being copied / moved - it can then be sampled via a TEA to infer the value
    • different processor models have different microarchitectural buffers so some may or may not be affected
    • 3 separate vulns (CVEs) identified based on the microarchitectural buffer affected and the technique used to read from it
    • Fixes required in both kernel and intel-microcode packages
      • Kernels will have already been released by the time you hear this
      • Microcode is currently being released via the -updates pocket of the archive - it will then be published to -security once fully phased out to all users
        • Likely early on Monday next week
  • More details in next week’s episode
