Episode 172

Show Notes

Overview

Finally, Ubuntu 22.04.1 LTS is released and we look at how best to upgrade, plus we cover security updates for NVIDIA graphics drivers, OpenJDK, Django, libxml, the Linux kernel and more.

This week in Ubuntu Security Updates

52 unique CVEs addressed

[USN-5547-1] NVIDIA graphics drivers vulnerabilities [00:43]

• 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-31608
  • CVE-2022-31615
  • CVE-2022-31607
• Local priv-esc by user with basic capabilities (?) - likely memory corruption since apparently could also DoS, perform data tampering and info leaks
• Also NULL ptr deref in kernel driver able to be triggered from “local user with basic capabilities” -> DoS
• Also shipped a DBus configuration for the Dynamic Boost component - this is a system wide power controller which manages CPU and GPU power basd on overall system workload to get best system performance per watt - according to upstream documentation. Is only active when on AC power.
  • Is not enabled by default but shipped a DBus policy file that allowed any process to communicate with the nvidia-powerd server and hence to perform privileged actions through it

[USN-5546-1, USN-5546-2] OpenJDK vulnerabilities [03:09]

• 10 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-34169
  • CVE-2022-21549
  • CVE-2022-21541
  • CVE-2022-21540
  • CVE-2022-21496
  • CVE-2022-21476
  • CVE-2022-21443
  • CVE-2022-21434
  • CVE-2022-21426
  • CVE-2022-21449
• openjdk-8,11,17 for Ubuntu 18.04, 20.04 & 22.04 LTS
• openjdk-8 for Ubuntu 16.04 ESM
• Most interesting is “Psychic Signatures” bug - described even in the upstream advisory as an “easily exploitable vuln”, where an attacker could forge certain SSL certificates (ie ones using ECDSA signatures) and hence allow them to intercept or modify communications without being detected.
• When adding support for validating ECDSA signatures, failed to check the provided signature values were not zero - a signature consists of two values, r and s and these are used to then perform a bunch of calculations to check it is valid - this involves comparing r against r multiplied by a value derived from s - so if r and s are both zero you effectively check 0 = 0
• Affects anything which uses ECDSA signatures - including signed JWTs, SAML assertions, WedAuthn messages etc
• This only affected openjdk 15 though 18 since this code was rewritten in native Java (previously was C++ which was not vulnerable) for Java 15 - so for Ubuntu this is openjdk-17 only which is not the default JRE (openjdk-11 is)

[USN-5549-1] Django vulnerability [06:16]

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-36359
• Possible “Reflected File Download” attack - attack type first detailed at BH Euroe in 2014 - causes a web application to “virtually” download a file from a trusted domain - which then can get executed since is trusted
• Usually involves the application failing to validate input such that an attacker can craft header content to get reflected into the response body - this is then the contents for a file, as well as get some content injected in the resulting filename - and then cause the response to be downloaded which will
• In this case, if a Django application was setting the Content-Disposition header of a FileResponse object based on a filename which is derived from user input - fixed to escape the filename so can’t then inject content into the Content-Disposition header

[USN-5550-1] GnuTLS vulnerabilities [07:55]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-2509
  • CVE-2021-4209
• NULL pointer deref and double-free during verification of pkcs7 signatures -> DoS / RCE

[USN-5551-1] mod-wsgi vulnerability [08:10]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-2255
• Would pass through the X-Client-IP header to WSGI applications, even when it came from an untrusted proxy and hence could allow unintended access to services

[USN-5548-1] libxml2 vulnerability [08:32]

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2016-3709
• Possible HTML/code injection -> XSS since would fail to properly handle escape server-side includes
• Reported back in 2016 to GNOME project, was seemingly ignored until the offending commit which introduced the vuln was reverted ~2 years ago
• Later versions not affected then
• CVE only assigned a few weeks ago
• Interestingly the discussion in 2018 included a pointer to three different CVEs in other XML/HTML parsing and sanitization libraries for the same type of issue - but in this case was ignored and no CVE assigned until now

[USN-5552-1] phpLiteAdmin vulnerability [11:29]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-46709
• XSS through failure to validate the newRows parameter

[USN-5553-1] libjpeg-turbo vulnerabilities [11:42]

• 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2020-17541
  • CVE-2020-14152
  • CVE-2018-14498
  • CVE-2018-11813
• Various memory corruption issues -> heap and stack buffer overflows
• Logic issue and a failure to limit overall memory consumption during decompression leading to very large memory usage -> DoS

[USN-5554-1] GDK-PixBuf vulnerability [12:06]

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-46829
• Heap buffer overflow for crafted animated GIFs -> code execution particularly on 32-bit platforms

[USN-5555-1] GStreamer Good Plugins vulnerabilities [12:29]

• 7 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2022-2122
  • CVE-2022-1925
  • CVE-2022-1924
  • CVE-2022-1923
  • CVE-2022-1922
  • CVE-2022-1921
  • CVE-2022-1920
• Various integer overflows etc leading to heap buffer overflows in various video codec handlers -> DoS / RCE

[USN-5558-1] libcdio vulnerabilities [13:00]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2017-18199
  • CVE-2017-18198
• Audio CD read/control library
• 2 different memory management issues when handling crafted ISO files - heap buffer over-read and NULL pointer dereference -> DoS

[USN-5557-1] Linux kernel vulnerabilities [13:44]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2022-2586
  • CVE-2022-2588
• 4.4
• UAF in Network package scheduler - could create a route filter which when removed would still be referred to by other data structures and then allow a user to trigger access to this -> DoS / RCE
• Similarly in netfilter, could have one nft object be referred to by an nft set in another table -> UAF

[USN-5560-1, USN-5560-2] Linux kernel vulnerabilities [14:37]

• 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2022-34918
  • CVE-2022-33981
  • CVE-2022-1975
  • CVE-2022-1974
  • CVE-2022-1734
  • CVE-2022-1729
  • CVE-2022-1679
  • CVE-2022-1652
  • CVE-2022-1195
  • CVE-2022-1048
  • CVE-2022-0494
  • CVE-2022-2586
  • CVE-2022-2588
• 4.15 GA for 18.04 LTS, HWE etc for 16.04 ESM, Azure for 14.04 ESM
• Various vulns plus the 2 network related UAFs above

[USN-5561-1] GNOME Web vulnerabilities [14:58]

• 4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-29536
  • CVE-2021-45087
  • CVE-2021-45086
  • CVE-2021-45085
• Epiphany web browser
• 3 different XSS issues, 1 buffer overflow via a very long page title -> gets ellipsised but UTF-8 length of ellipsis is not properly counted so then overflows bounds -> DoS/RCE

[USN-5559-1] Moment.js vulnerabilities [15:40]

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-31129
  • CVE-2022-24785
• Date handling library for nodejs applications
• Path traversal vuln since could end up using a user provided locale string to switch the locale which would then result in reading arbitrary local files
• Quadratic complexity algorithm due to use of regexps to parse strings to dates - in particular rfc2822 formats which are tried by default - ReDoS -> very large input could result in significant CPU-based DoS

Goings on in Ubuntu Security Community

Ubuntu 22.04.1 LTS released [16:43]

• https://lists.ubuntu.com/archives/ubuntu-announce/2022-August/000282.html
• https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668
• https://www.youtube.com/watch?v=REdxblQpsDE
• Includes all the various bug and security fixes that have gone into the 22.04 LTS release so far - if you are already running 22.04 LTS you don’t have to do anything to get this- just make sure you have been installing updates 😉
• The full list of changes targeted for this release can be found at https://discourse.ubuntu.com/t/jammy-jellyfish-point-release-changes/29835
• Now is when users of 20.04 LTS desktop will start being prompted to upgrade to 22.04 - I definitely recommend to upgrade, and to make the process as smooth as possible, do it from a virtual terminal
  • This is the standard interface used for Ubuntu Server - full-screen terminal running directly on a console - no graphical environment
  • as such, has a lot less processes and infrastructure running and so there is less chance that something may crash during the upgrade process - since libraries get swapped out from underneath various running processes etc
• Log out of your graphical session, then when at the GDM Greeter / user chooser log in screen hit CTRL + ALT + F2
• You will then be presented with a console prompt - log in with your username and password, then you can start the upgrade process by running

sudo do-release-upgrade

• This is the same way this is done for Ubuntu Server

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter