Episode 188

Posted on Friday, Feb 24, 2023
This week the common theme is vulnerabilities in setuid-root binaries and their use of environment variables, so we take a look at a great blog post from the Trail of Bits team about one such example in the venerable chfn plus we look at some security vulnerabilities in, and updates for the Linux kernel, Go Text, the X Server and more, and finally we cover the recent announcement of Ubuntu 22.04.2 LTS.

Show Notes

This week in Ubuntu Security Updates

75 unique CVEs addressed

[USN-5872-1] NSS vulnerabilities [00:57]

[USN-5874-1] Linux kernel vulnerabilities

[USN-5877-1] Linux kernel (GKE) vulnerabilities [01:06]

[USN-5875-1] Linux kernel (GKE) vulnerabilities [03:20]

[USN-5876-1] Linux kernel vulnerabilities

[USN-5878-1] Linux kernel (Azure) vulnerabilities

[USN-5879-1] Linux kernel (HWE) vulnerabilities

[USN-5873-1] Go Text vulnerabilities [03:54]

  • 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Go library for text processing, in particular handling of Unicode
  • CPU-based DoS - possible infinite loop on crafted content
  • Various runtime DoS issues - crafted content could trigger a panic and hence crash the application - this library is often used for parsing HTTP headers
  • One of the few cases of a USN where we list the -dev package as the affected package - a quirk of the way Go packages are packaged in Debian and hence Ubuntu - since Go binaries are generally statically compiled, other packages build against the -dev package and get statically linked with its code - so the security team then has to rebuild all the other packages in the archive that use this -dev package

[USN-5880-1] Firefox vulnerabilities [07:15]

[USN-5881-1] Chromium vulnerabilities

[USN-5778-2] X.Org X Server vulnerabilities [08:15]

[USN-5807-2] libXpm vulnerabilities [09:01]

  • 3 CVEs addressed in Xenial ESM (16.04 ESM)
  • X11 pixmap handling library
  • 2 CPU-based DoS (infinite loop) issues plus one in the handling of compressed files - libXpm would call out to external binaries to decompress these - so if a malicious user could influence the PATH environment variable they could get it to execute their own binaries instead - particularly an issue if a setuid() binary uses libXpm - and this is exactly the risk mentioned in the glibc manual in its tips for writing setuid programs

Goings on in Ubuntu Security Community

Readline crime: exploiting a SUID logic bug [10:06]

  • Trail of Bits blog has a great writeup of a bug they discovered in chfn as implemented by the util-linux package - it used the readline library (the input-handling library used by many CLI applications) - as a result, it could be abused to read the contents of a root-owned SSH private key
  • Great dive into the complexities and dangers of using third party libraries in privileged components
  • Inspired by a previous finding from Qualys, they started out looking for setuid binaries that used environment variables as part of their operation - since an unprivileged user can set that env var and then run the setuid binary, which then runs as root - if its behaviour can be influenced by the value of that env var, it can possibly be pushed further to cause other effects as root (EoP?)
  • Found that the chfn binary (which is used to set info about the current user in /etc/shadow) would use the readline library just to read input from the user - by default readline will parse its configuration from the file named by the INPUTRC environment variable
  • When it encounters an invalid config, it will helpfully print out the lines of the configuration file which are invalid
  • So to get it to dump the contents of some other root-owned file, you can just set INPUTRC to point to that file and execute chfn, which will then go and parse it - however, the file first has to appear close to the format which is expected - and it just so happens that SSH private keys fit this bill
  • One thing to note - it only affected Arch Linux since on most distros chfn comes from the standalone passwd package, not util-linux - and the chfn from passwd doesn't use readline
  • Looking for environment variable use (and setuid binaries) is one of the explicit things the security team does when auditing packages as part of the MIR security review process
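The two stories above (libXpm trusting PATH to find its decompressor, and readline in chfn trusting INPUTRC) share one root cause: a library linked into a setuid-root process reads the caller's environment as if it were trustworthy. The block below is an added example, not code from the podcast, util-linux, readline or libXpm; it shows the environment hygiene a setuid program can perform before calling into any such library. The names INPUTRC and PATH come from the show notes; the remaining deny-listed names, the SAFE_PATH value and the function names are assumptions made for the example.

```c
/* Added example (not from util-linux, readline or libXpm): environment
 * hygiene for a setuid-root program, performed before any third-party
 * library gets a chance to read the caller's environment. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Environment variables an unprivileged caller controls and that libraries
 * linked into a privileged process may honour. INPUTRC and PATH are the
 * two cases from the show notes; the rest are assumed common knobs. */
static const char *const unsafe_vars[] = {
    "INPUTRC",          /* readline reads its config from here: the chfn bug */
    "PATH",             /* decides which external helper gets executed (libXpm) */
    "LD_PRELOAD",       /* ld.so already drops these for setuid; belt and braces */
    "LD_LIBRARY_PATH",
    "IFS",              /* shell field splitting if a helper goes via system() */
    NULL
};

/* Fixed PATH used instead of whatever the caller supplied (assumed value). */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Returns 1 if name is on the deny list above, 0 otherwise. */
int is_unsafe_var(const char *name)
{
    for (size_t i = 0; unsafe_vars[i] != NULL; i++)
        if (strcmp(name, unsafe_vars[i]) == 0)
            return 1;
    return 0;
}

/* Strip every deny-listed variable and pin PATH to SAFE_PATH.
 * Must run before any library (readline included) initialises itself,
 * because readline parses INPUTRC the first time it is called.
 * Returns how many variables were removed. */
int sanitize_environment(void)
{
    int removed = 0;
    for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
        if (getenv(unsafe_vars[i]) != NULL) {
            unsetenv(unsafe_vars[i]);
            removed++;
        }
    }
    setenv("PATH", SAFE_PATH, 1);
    return removed;
}

/* getenv() replacement for code that genuinely needs a caller-supplied
 * value: returns nothing while running with elevated privileges. Same idea
 * as glibc's secure_getenv(), written portably here for the example. */
const char *privileged_getenv(const char *name)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return NULL;
    return getenv(name);
}

int main(void)
{
    int n = sanitize_environment();
    printf("removed %d caller-controlled variable(s); PATH=%s\n", n, getenv("PATH"));
    /* Only now is it reasonably safe to call into readline, libXpm and friends. */
    return 0;
}
```

The deny list is deliberately explicit rather than a blanket clearenv(): a setuid tool usually still needs a few variables (LANG, TERM) to behave, and an allow list of those is the stricter alternative when the program can enumerate them. Note that the kernel/loader protections for setuid programs (AT_SECURE, which makes ld.so ignore LD_PRELOAD and friends) do nothing for variables that a library reads itself with plain getenv(), which is exactly why INPUTRC reached readline in chfn; libraries should use secure_getenv() where it exists, and programs should not assume they do.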

Ubuntu 22.04.2 LTS released [14:55]

  • Delayed by 2 weeks - is finally here!
  • Includes various fixes rolled into the 22.04 LTS release - if you are already running 22.04 LTS with updates enabled you will already have it
    • Ubuntu Pro is now integrated within gnome-initial-setup - previously this was only Livepatch, but can now enable any of the Ubuntu Pro offerings as soon as you log in for the first time.
    • After logging in you can enrol the machine in Ubuntu Pro directly from the initial setup wizard and choose which elements - esm-infra / esm-apps / livepatch and even FIPS and USG (Ubuntu Security Guide for CIS and DISA-STIG compliance and auditing)
    • Uses the HWE kernel - 5.19 (from 22.10 - kinetic)
    • Kernel, shim etc. are now signed by a new signing key since the old one has been deny-listed in the latest shim due to having signed a version of grub2 which is now known to have various vulnerabilities that could enable a local attacker to bypass Secure Boot restrictions (Boot Hole v3 v4?)
    • Plus a heap of other changes
    • Complete list can be found on the Ubuntu Discourse

Get in contact