Episode 179
Posted on Friday, Sep 30, 2022
Finer grained control for unprivileged user namespaces is on the horizon for
Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS,
Squid and more.
Show Notes
Overview
Finer grained control for unprivileged user namespaces is on the horizon for Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS, Squid and more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-5626-2] Bind vulnerabilities [00:40]
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- [USN-5626-1] Bind vulnerabilities from Episode 178
[USN-5627-1] PCRE vulnerabilities [01:01]
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 2 OOB read with crafted regexes - possible info leak
[USN-5628-1] etcd vulnerabilities [01:19]
- 4 CVEs addressed in Focal (20.04 LTS)
- distributed key/value store used by kubernetes
- all these vulns come from a security audit conducted by Trail of Bits in January of 2020.
- performed both manual and automated review -> go-sec, errcheck, ineffassign etc
- also fuzzed the WAL file handling (write-ahead logging - used to record transactions that have been committed but not yet applied to the main database)
- 2 issues in WAL file handling (crash), plus one in handling of directory permissions for a directory that may already exist (info leak) and one in setup of endpoints that could allow a DoS
[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 Raspi HWE 18.04 LTS / Azure CVM 20.04 LTS
- Same set of vulnerabilities covered in last weeks episode - [USN-5622-1] Linux kernel vulnerabilities
[USN-5633-1, USN-5635-1, USN-5640-1, USN-5644-1] Linux kernel vulnerabilities [03:09]
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 Raspi + GKE/GCP + Oracle + GCP (20.04)
[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]
- 1 CVEs addressed in Jammy (22.04 LTS)
- 5.17 OEM
- netfilter remote DoS via crafted packet with a very short payload
[USN-5632-1] OAuthLib vulnerability [03:40]
- 1 CVEs addressed in Jammy (22.04 LTS)
- OAuth implementation for Python3 - used by various other applications like keystone, django, duplicity
- DoS via a malicious redirect URL specifying an IPv6 address - could trigger an exception -> application crash -> DoS
[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Various issues in handling of crafted JPEG/PPM files - stack buffer overflow,
heap buffer overflow, NULL pointer dereference, resource consumption based DoS
in
cjpegutility - crafted file with a valid Targa header but incomplete data - would keep trying pixel after reaching EOF - internally usedgetc()which returns the special valueEOFwhen the end of file is reached - this is actually-1but requires the caller to check for this special value - if not, would interpret this as pixel data (all bits set -> 255,255,255 -> white) resulting in JPEG file that was possibly thousands of times bigger than the input file - fixed to use existing input routines to read the data which already check forEOFcondition
[USN-5629-1] Python vulnerability [05:54]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- Open redirect in
http.serverthrough a URI which has multiple/at the beginning - a URI such as//pathgets treated as an absolute URI rather than a path - could then end up sending a301location header with a misleading target - Upstream dispute this - state that it should not be used in production as it only implements basic security checks
[USN-5636-1] SoS vulnerability [06:39]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
sosreport- used to gather details of a system etc for debug/analysis- Redacts passwords - previously used a hardcoded list of possible things that could contain passwords - instead now looks for anything with the name password and redacts that
[USN-5637-1] libvpx vulnerability [07:45]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- OOB read -> info leak / crash
[USN-5638-1] Expat vulnerability [07:55]
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- UAF with crafted XML content -> crash / RCE
[USN-5641-1] Squid vulnerabilities [08:06]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Failed to properly handle ACLs for cache manager, allowing a trusted client to read other client ids / credentials and internal network structure
- Integer overflow -> buffer overread when using SSPI/SMB authentication helpers for NTLM authentication - since this is in handling of credentials, could allow an attacker to read decrypted user credentials or other memory regions from Squid
[USN-5642-1] WebKitGTK vulnerabilities [08:57]
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Buffer overflow when handling malicious web content -> RCE
[USN-5643-1] Ghostscript vulnerabilities [09:18]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- 2 issues in PDF file handling
- NULL pointer dereference -> DoS
- heap buffer overflow -> DoS / RCE
Goings on in Ubuntu Security Community
Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]
- https://lists.ubuntu.com/archives/ubuntu-announce/2022-September/000284.html
- Includes details on how to upgrade - as per when we covered the Ubuntu 22.04.1 release - if you do want to upgrade to the beta, and you are using 22.04 desktop, then first log out, switch to a virtual console (Ctrl-Alt-F2) and run it from there as less chance that it takes down your whole graphical session and hence the upgrade process partway through
- Will cover in more detail when the final release comes out in a few weeks
Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]
- Often has been a source of increased attack surface for the kernel
- Disabling of unpriv userns has often been recommended to mitigate various kernel vulns
- This is done via sysctl in Ubuntu:
sudo sysctl kernel.unprivileged_userns_clone=0
- Big hammer - either on or off
- Various applications have legitimate uses of unpriv userns
- flatpak / bubblewrap etc
- some of these ship a helper application which is setuid root so they can still use user namespaces but this then creates another attack surface - the setuid-root binary
- instead it would be better to have a way to only allow particular applications to use unprivileged user namespaces and then deny it to others
- would provide much finer grained control to this potentially risky feature
- AppArmor developers have added support for just this
- all unconfined applications would be denied and only confined applications which have the userns permission would be allowed
- For now, it is planned to have this disabled by default for 22.10
- AppArmor will have a sysctl to enable it so can be tested
- Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
- With any luck, 23.04 will ship with this enabled along with AppArmor confinement for things like bubblewrap etc that require this capability
- Snaps will get it for free since they are confined by AppArmor out of the box
- John Johansen is working with the kernel team to land this in the kernel for 22.10
- Georgia Garcia is working on the userspace side to add support for creating
policy that specifies the userns permission in
apparmorpackage too - Hopefully can all land both via the FeatureFreezeException (FFe) process