Episode 173

Posted on Friday, Aug 19, 2022
This week we take a look at the recent announcement of .NET 6 for Ubuntu 22.04 LTS, plus we cover security updates for the Linux kernel, Booth, WebKitGTK, Unbound and more.

Show Notes

Overview

This week we take a look at the recent announcement of .NET 6 for Ubuntu 22.04 LTS, plus we cover security updates for the Linux kernel, Booth, WebKitGTK, Unbound and more.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-5562-1] Linux kernel vulnerabilities [00:49]

  • 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 5.4 20.04 LTS GA etc + 18.04 HWE etc
  • 3 high priority CVEs
    • 2 of these covered in last week’s episode 1 in netfilter and 1 in network packet scheduler
    • New this week is a second CVE in the netfilter subsystem - affects kernels since 4.1 - type confusion bug leading to a buffer overflow -> code execution within the kernel and hence privilege escalation - requires an attacker to gain CAP_NET_ADMIN which is privileged, but with unprivileged user-namespaces this is trivial - so can mitigate this by disabling unpriv userns - but this may then affect applications like Google Chrome and others which use this to setup their sandboxes etc
sudo sysctl kernel.unprivileged_userns_clone=0

[USN-5564-1] Linux kernel (Intel IoTG) vulnerabilities [02:32]

[USN-5566-1] Linux kernel vulnerabilities [03:08]

[USN-5565-1] Linux kernel vulnerabilities [03:34]

[USN-5567-1] Linux kernel (OEM) vulnerabilities [03:48]

[USN-5563-1] http-parser vulnerability [04:00]

  • 1 CVEs addressed in Bionic (18.04 LTS)
  • HTTP parsing library written in C by Joyent (not actively maintained anymore either) - parses requests & responses without making any syscalls, memory allocations or buffering of data
  • Request smuggling vuln - would allow two copies of a particular header within a HTTP message - ie. 2 Transfer-Encoding - but would only process the first - could then allow the second to be misinterpreted by other proxies etc which could then be used for a request smuggling attack

[USN-5556-1] Booth vulnerability [05:20]

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Ignored the authfile directive in its config file, allowing sites / nodes which did not have the correct auth key to communicate with nodes that did - oops… - upstream refactored code previously which introduced this vuln - reverted the refactor to fix this

[USN-5568-1] WebKitGTK vulnerabilities [05:57]

  • 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Heap buffer overflow in WebRTC, UI spoofing and OOB write - all able to be triggered by a malicious website -> RCE or other

[USN-5569-1] Unbound vulnerabilities [06:22]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Failed to properly handle delegation caching - an attacker could query unbound just at the time when the cached delegation info is about to expire - unbound then queries the upstream nameserver which could then delay its response until the cache expires in unbound - when receiving the response unbound would overwrite the now expired one - and so the attacker can continue to do this and hence keep the rogue delegation information in the unbound cache

[USN-5526-2] PyJWT regression [07:10]

  • Affecting Jammy (22.04 LTS)
  • [USN-5526-1] PyJWT vulnerability [08:58]​ - upstream patch bumped the package version to 2.4.0 and so when including this, the internal package version got bumped even though the deb package version didn’t - so would get files installed as say 2.4.0 even though the deb is 2.3.0 which could possibly cause a regression due to a change in path - fixed to revert this internal package version bump

Goings on in Ubuntu Security Community

.NET 6 now available in Ubuntu 22.04 LTS [07:45]

  • https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
  • dotnet6 package in Ubuntu contains the .NET 6 SDK - so can do .NET development on Ubuntu
  • In the future, Microsoft will share CVE info ahead of public releases with Ubuntu so that we can release updates for the package in Ubuntu as they become publicly known
  • Also includes new ‘chiseled’ containers - ultra-slimmed down docker containers to provide just the minimum needed - think of it as the Canonical version of distroless containers.
  • results in a 100MB saving in container size whilst still providing everything that is needed
    • Similar in size to Alpine containers (Chiseled Ubuntu 22.04 aspnet 104MB cf. apsnet:6.0-alpine 100MB)
    • Alpine has traditionally been praised for their minimal size, but use a different libc (musl) and has other differences too
    • So can now get the benefit of a familiar Ubuntu container environment that you know and love along with the benefits of a super small container image (including things like decreased attack surface etc)
  • Also includes the benefit of a secure supply chain from Canonical direct to Microsoft so that the provenance of Ubuntu-based .NET images is known - instead of previously where these were pulled from Dockerhub
    • And in the future will include signed images as well so that consumers of these images can also verify them too

Get in contact