Episode 177

Show Notes

Overview

Alex talks with special guests Nishit Majithia and Matthew Ruffell about a recent systemd regression on Ubuntu 18.04 LTS plus we cover security updates for Dnsmasq, the Linux kernel, poppler, .NET 6, rust-regex and more.

This week in Ubuntu Security Updates

28 unique CVEs addressed

[USN-4976-2] Dnsmasq vulnerability [00:55]

• 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2021-3448
• [USN-4976-1] Dnsmasq vulnerability for Episode 118
• Failed to properly randomise source port (ie used a fixed port) when forwarding queries when configured to use a specific server for a given network interface - could then allow a remote attacker to more easily perform cache poisoning attacks (ie just need to guess the transmission ID once know the source port to get a forged reply accepted)
  • As I said back in Episode 118, this is very similar to the issues that were discovered back in 2008 by Dan Kaminsky - the whole reason source port randomisation was introduced as part of the DNS protocol

[USN-5602-1] Linux kernel (Raspberry Pi) vulnerabilities [02:11]

• 9 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-2959
  • CVE-2022-2873
  • CVE-2022-2503
  • CVE-2022-1973
  • CVE-2022-1943
  • CVE-2022-1852
  • CVE-2022-1729
  • CVE-2022-1012
  • CVE-2021-33061
• See [USN-5594-1, USN-5599-1] Linux kernel (+ Oracle) vulnerabilities from last week

[USN-5603-1] Linux kernel (Raspberry Pi) vulnerabilities [02:29]

• 2 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2021-33656
  • CVE-2021-33061
• See [USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities from last week

[USN-5605-1] Linux kernel (Azure CVM) vulnerabilities [02:38]

• 2 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-33656
  • CVE-2021-33061
• See [USN-5592-1, USN-5595-1, USN-5596-1, USN-5600-1] Linux kernel (+ OEM, HWE) vulnerabilities from last week

[USN-5523-2] LibTIFF vulnerabilities [02:45]

• 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-19144
  • CVE-2020-19131
  • CVE-2022-22844
  • CVE-2022-0924
  • CVE-2022-0909
  • CVE-2022-0908
  • CVE-2022-0907
• [USN-5523-1] LibTIFF vulnerabilities from Episode 169

[USN-5604-1] LibTIFF vulnerabilities [03:13]

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2022-2868
  • CVE-2022-2869
  • CVE-2022-2867

[USN-5606-1] poppler vulnerability [03:23]

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-38784
• Integer overflow in JBIG2 decoder -> heap buffer overflow via crafted PDF / JBIG2 image - very similar to CVE-2022-38171 in xpdf
  • poppler started life as a fork of code from xpdf-3.0 but now has diverged so much that in general a vuln in one cannot be assumed to exist in the other, hence the separate CVE IDs for these two vulns

[USN-5607-1] GDK-PixBuf vulnerability [04:11]

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2021-44648
• Heap buffer overflow when decoding lzw compressed stream from GIF files

[USN-5608-1] DPDK vulnerability [04:26]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-2132
• Crafted Vhost header could cause a DoS

[USN-5609-1] .NET 6 vulnerability [04:39]

• 1 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-38013
• DoS in .NET Core - “a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding”
• https://devblogs.microsoft.com/dotnet/september-2022-updates/
• Updates to latest upstream release 6.0.109

[USN-5583-2] systemd regression [05:16]

• 1 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2022-2526
• Mentioned in passing in both the last 2 weeks episodes

[USN-5610-1] rust-regex vulnerability

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-24713
• ReDoS in regex crate - already includes various mitigations against DoS via untrusted regexes (and these can be tuned by users of the crate) - however was able to be bypassed by a regex that specified an empty subexpression that should be matched up to say 294 million times - this then gets compiled but is able to evade the existing mitigations since doesn’t take any memory - but it does take a lot of CPU time
• Fixed by changing code such that it will take a fake amount of memory for each empty subexpression and therefore will trip the existing detection logic in a reasonable amount of time

[USN-5611-1] WebKitGTK vulnerability [06:53]

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-32893
• OOB write via malicious web content - Apple reported that this was being actively exploited for iOS users (Safari uses Webkit)

Goings on in Ubuntu Security Community

Discussion of the recent systemd regression in Ubuntu 18.04 LTS with Nishit Majithia and Matthew Ruffell [07:49]

• Gathered media attention
• https://thenewstack.io/ubuntu-linux-and-azure-dns-problem-gives-azure-fits/
• Matthew is from the Sustaining Engineering Team at Canonical - I talked about his blog in Analysis of the dovecat and hy4 Linux Malware - from Episode 97

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter