Episode 179

Posted on Friday, Sep 30, 2022
Finer grained control for unprivileged user namespaces is on the horizon for Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS, Squid and more.

Show Notes

This week in Ubuntu Security Updates

37 unique CVEs addressed

[USN-5626-2] Bind vulnerabilities [00:40]

[USN-5627-1] PCRE vulnerabilities [01:01]

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • 2 OOB reads with crafted regexes - possible info leak

[USN-5628-1] etcd vulnerabilities [01:19]

  • 4 CVEs addressed in Focal (20.04 LTS)
  • distributed key/value store used by kubernetes
  • all these vulns come from a security audit conducted by Trail of Bits in January of 2020.
    • performed both manual and automated review -> go-sec, errcheck, ineffassign etc
    • also fuzzed the WAL file handling (write-ahead logging - used to record transactions that have been committed but not yet applied to the main database)
  • 2 issues in WAL file handling (crash), plus one in handling of directory permissions for a directory that may already exist (info leak) and one in setup of endpoints that could allow a DoS

[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]

[USN-5633-1, USN-5635-1, USN-5640-1, USN-5644-1] Linux kernel vulnerabilities [03:09]

[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]

  • 1 CVE addressed in Jammy (22.04 LTS)
  • 5.17 OEM
  • netfilter remote DoS via crafted packet with a very short payload

[USN-5632-1] OAuthLib vulnerability [03:40]

  • 1 CVE addressed in Jammy (22.04 LTS)
  • OAuth implementation for Python3 - used by various other applications like keystone, django, duplicity
  • DoS via a malicious redirect URL specifying an IPv6 address - could trigger an exception -> application crash -> DoS

[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]

  • 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Various issues in handling of crafted JPEG/PPM files - stack buffer overflow, heap buffer overflow, NULL pointer dereference, resource consumption based DoS in cjpeg utility
    • the DoS: crafted file with a valid Targa header but incomplete data - would keep trying to read pixel data after reaching EOF
    • internally used getc(), which returns the special value EOF when the end of file is reached - this is actually -1 but requires the caller to check for this special value - if not, would interpret this as pixel data (all bits set -> 255,255,255 -> white), resulting in a JPEG file possibly thousands of times bigger than the input file
    • fixed to use existing input routines to read the data which already check for the EOF condition
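
The getc()/EOF mistake described above, as an added standalone illustration rather than libjpeg-turbo's own code: a small in-memory stream stands in for the file, one reader narrows the int returned by the getc()-style call to a byte without checking for EOF (so -1 becomes 0xFF, a fabricated white value, for every byte the header promised), and the checked reader stops at the short read instead. The sample bytes and the promised pixel count are constructed for the example.

```c
#include <stdio.h>

/* Constructed in-memory input standing in for the truncated Targa/PPM file. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_stream;

/* getc()-style reader: next byte as an int, or EOF (-1) once the data runs out. */
static int mem_getc(mem_stream *s) {
    if (s->pos >= s->len)
        return EOF;
    return s->data[s->pos++];
}

/* Vulnerable pattern: the int result is narrowed to a byte without an EOF check.
 * Past end of input, EOF (-1) becomes 0xFF, so every remaining byte the header
 * promised is fabricated as 0xFF (all bits set, i.e. a white pixel channel).
 * Always returns want: the caller never learns the input was short. */
static size_t read_pixels_unchecked(mem_stream *s, unsigned char *out, size_t want) {
    for (size_t i = 0; i < want; i++)
        out[i] = (unsigned char)mem_getc(s);
    return want;
}

/* Hardened pattern: test the int against EOF before narrowing it.
 * Returns the number of bytes actually read; less than want means truncated input. */
static size_t read_pixels_checked(mem_stream *s, unsigned char *out, size_t want) {
    for (size_t i = 0; i < want; i++) {
        int c = mem_getc(s);
        if (c == EOF)
            return i;
        out[i] = (unsigned char)c;
    }
    return want;
}

/* Constructed sample: the header promises 4 pixels x 3 bytes = 12 bytes, but only
 * 5 bytes of pixel data actually follow. */
static const unsigned char sample_pixels[] = {0x10, 0x20, 0x30, 0x40, 0x50};
#define SAMPLE_PROMISED 12

/* Number of bytes the unchecked reader fabricates as 0xFF for the sample. */
size_t unchecked_fabricated_bytes(void) {
    unsigned char out[SAMPLE_PROMISED];
    mem_stream s = {sample_pixels, sizeof sample_pixels, 0};
    size_t n = read_pixels_unchecked(&s, out, SAMPLE_PROMISED);
    size_t fabricated = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 0xFF)
            fabricated++;
    return fabricated;
}

/* Number of bytes the checked reader returns for the sample before it stops. */
size_t checked_bytes_read(void) {
    unsigned char out[SAMPLE_PROMISED];
    mem_stream s = {sample_pixels, sizeof sample_pixels, 0};
    return read_pixels_checked(&s, out, SAMPLE_PROMISED);
}

int main(void) {
    printf("unchecked: %d bytes promised, %zu fabricated as 0xFF past EOF\n",
           SAMPLE_PROMISED, unchecked_fabricated_bytes());
    printf("checked:   %zu of %d bytes read -> short read, reject the file\n",
           checked_bytes_read(), SAMPLE_PROMISED);
    return 0;
}
```

With only 12 promised bytes the blow-up is small; in cjpeg the loop ran for the full image dimensions the header declared, which is where the thousands-fold output growth came from. The checked reader shows the property the existing input routines already provided, which is why the fix simply routed the Targa reads through them.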

[USN-5629-1] Python vulnerability [05:54]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • Open redirect in http.server through a URI which has multiple / at the beginning - a URI such as //path gets treated as an absolute URI rather than a path - could then end up sending a 301 Location header with a misleading target
  • Upstream disputes this - states that it should not be used in production as it only implements basic security checks

[USN-5636-1] SoS vulnerability [06:39]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • sosreport - used to gather details of a system etc for debug/analysis
  • Redacts passwords - previously used a hardcoded list of possible things that could contain passwords - instead now looks for anything with the name password and redacts that

[USN-5637-1] libvpx vulnerability [07:45]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • OOB read -> info leak / crash

[USN-5638-1] Expat vulnerability [07:55]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • UAF with crafted XML content -> crash / RCE

[USN-5641-1] Squid vulnerabilities [08:06]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Failed to properly handle ACLs for cache manager, allowing a trusted client to read other client ids / credentials and internal network structure
  • Integer overflow -> buffer overread when using SSPI/SMB authentication helpers for NTLM authentication - since this is in handling of credentials, could allow an attacker to read decrypted user credentials or other memory regions from Squid

[USN-5642-1] WebKitGTK vulnerabilities [08:57]

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Buffer overflow when handling malicious web content -> RCE

[USN-5643-1] Ghostscript vulnerabilities [09:18]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • 2 issues in PDF file handling
    • NULL pointer dereference -> DoS
    • heap buffer overflow -> DoS / RCE

Goings on in Ubuntu Security Community

Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]

Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]

  • Often has been a source of increased attack surface for the kernel
  • Disabling of unpriv userns has often been recommended to mitigate various kernel vulns
  • This is done via sysctl in Ubuntu:
    sudo sysctl kernel.unprivileged_userns_clone=0
  • Big hammer - either on or off
  • Various applications have legitimate uses of unpriv userns
    • flatpak / bubblewrap etc
    • some of these ship a helper application which is setuid root so they can still use user namespaces but this then creates another attack surface - the setuid-root binary
    • instead it would be better to have a way to only allow particular applications to use unprivileged user namespaces and then deny it to others
    • would provide much finer grained control to this potentially risky feature
  • AppArmor developers have added support for just this
    • all unconfined applications would be denied and only confined applications which have the userns permission would be allowed
  • For now, it is planned to have this disabled by default for 22.10
    • AppArmor will have a sysctl to enable it so can be tested
    • Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
  • With any luck, 23.04 will ship with this enabled along with AppArmor confinement for things like bubblewrap etc that require this capability
  • Snaps will get it for free since they are confined by AppArmor out of the box
  • John Johansen is working with the kernel team to land this in the kernel for 22.10
  • Georgia Garcia is working on the userspace side to add support for creating policy that specifies the userns permission in apparmor package too
  • Hopefully both can land via the FeatureFreezeException (FFe) process

Ubuntu Security Podcast on break for 1 week

Get in contact