Episode 173
Posted on Friday, Aug 19, 2022
This week we take a look at the recent announcement of .NET 6 for Ubuntu
22.04 LTS, plus we cover security updates for the Linux kernel, Booth,
WebKitGTK, Unbound and more.
Show Notes
Overview
This week we take a look at the recent announcement of .NET 6 for Ubuntu 22.04 LTS, plus we cover security updates for the Linux kernel, Booth, WebKitGTK, Unbound and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-5562-1] Linux kernel vulnerabilities [00:49]
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 20.04 LTS GA etc + 18.04 HWE etc
- 3 high priority CVEs
- 2 of these covered in last week’s episode 1 in netfilter and 1 in network packet scheduler
- New this week is a second CVE in the netfilter subsystem - affects
kernels since 4.1 - type confusion bug leading to a buffer overflow ->
code execution within the kernel and hence privilege escalation -
requires an attacker to gain
CAP_NET_ADMINwhich is privileged, but with unprivileged user-namespaces this is trivial - so can mitigate this by disabling unpriv userns - but this may then affect applications like Google Chrome and others which use this to setup their sandboxes etc
sudo sysctl kernel.unprivileged_userns_clone=0
[USN-5564-1] Linux kernel (Intel IoTG) vulnerabilities [02:32]
- 15 CVEs addressed in Jammy (22.04 LTS)
- 5.15 Intel IOTG
- https://ubuntu.com/download/iot/intel-iotg
- Atom x6000E, Pentium, Celeron N and J series processors
- Similar to above, but also includes a 4th high priority CVE in the POSIX timers subsystem - UAF which could be triggered by an unpriv user -> priv esc - since kernel 5.7 only
[USN-5566-1] Linux kernel vulnerabilities [03:08]
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 public cloud optimised kernels (IBM, GCP, AWS, GKE, Azure, Oracle) + KVM and Raspi
- All 4 high priority CVEs mentioned above
[USN-5565-1] Linux kernel vulnerabilities [03:34]
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 22.04 LTS GA + 20.04 LTS HWE
- POSIX timers, netfilter and network scheduler UAFs
[USN-5567-1] Linux kernel (OEM) vulnerabilities [03:48]
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.17 OEM 22.04 LTS, 5.14 OEM 20.04 LTS
- POSIX timers, netfilter and network scheduler UAFs
[USN-5563-1] http-parser vulnerability [04:00]
- 1 CVEs addressed in Bionic (18.04 LTS)
- HTTP parsing library written in C by Joyent (not actively maintained anymore either) - parses requests & responses without making any syscalls, memory allocations or buffering of data
- Request smuggling vuln - would allow two copies of a particular header
within a HTTP message - ie. 2
Transfer-Encoding- but would only process the first - could then allow the second to be misinterpreted by other proxies etc which could then be used for a request smuggling attack
[USN-5556-1] Booth vulnerability [05:20]
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Ignored the
authfiledirective in its config file, allowing sites / nodes which did not have the correct auth key to communicate with nodes that did - oops… - upstream refactored code previously which introduced this vuln - reverted the refactor to fix this
[USN-5568-1] WebKitGTK vulnerabilities [05:57]
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Heap buffer overflow in WebRTC, UI spoofing and OOB write - all able to be triggered by a malicious website -> RCE or other
[USN-5569-1] Unbound vulnerabilities [06:22]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Failed to properly handle delegation caching - an attacker could query unbound just at the time when the cached delegation info is about to expire - unbound then queries the upstream nameserver which could then delay its response until the cache expires in unbound - when receiving the response unbound would overwrite the now expired one - and so the attacker can continue to do this and hence keep the rogue delegation information in the unbound cache
[USN-5526-2] PyJWT regression [07:10]
- Affecting Jammy (22.04 LTS)
- [USN-5526-1] PyJWT vulnerability [08:58] - upstream patch bumped the package version to 2.4.0 and so when including this, the internal package version got bumped even though the deb package version didn’t - so would get files installed as say 2.4.0 even though the deb is 2.3.0 which could possibly cause a regression due to a change in path - fixed to revert this internal package version bump
Goings on in Ubuntu Security Community
.NET 6 now available in Ubuntu 22.04 LTS [07:45]
- https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
dotnet6package in Ubuntu contains the .NET 6 SDK - so can do .NET development on Ubuntu- In the future, Microsoft will share CVE info ahead of public releases with Ubuntu so that we can release updates for the package in Ubuntu as they become publicly known
- Also includes new ‘chiseled’ containers - ultra-slimmed down docker containers to provide just the minimum needed - think of it as the Canonical version of distroless containers.
- results in a 100MB saving in container size whilst still providing
everything that is needed
- Similar in size to Alpine containers (Chiseled Ubuntu 22.04
aspnet104MBcf.apsnet:6.0-alpine100MB) - Alpine has traditionally been praised for their minimal size, but use a
different libc (
musl) and has other differences too - So can now get the benefit of a familiar Ubuntu container environment that you know and love along with the benefits of a super small container image (including things like decreased attack surface etc)
- Similar in size to Alpine containers (Chiseled Ubuntu 22.04
- Also includes the benefit of a secure supply chain from Canonical direct
to Microsoft so that the provenance of Ubuntu-based .NET images is
known - instead of previously where these were pulled from Dockerhub
- And in the future will include signed images as well so that consumers of these images can also verify them too