Show Notes
Overview
Ubuntu gets pwned at Pwn2Own 2023, plus we cover security updates for vulns in
GitPython, object-path, amanda, url-parse and the Linux kernel - and we mention
the recording of Alex’s Everything Open 2023 presentation as well.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-5968-1] GitPython vulnerability [00:46]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- RCE via a malicious URL when cloning a repo - GitPython would call git clone
under the hood and pass the purported URL in without any validation
- Used as a dependency for other Python-based tools etc - in particular by
Bandit, a Python security checking tool used to scan Python projects for
security issues - would be ironic if a tool used to scan for security problems
could be used to leverage an attack - so I took a quick look at the source
code for Bandit and it seems to only use GitPython to check if the current
directory is a git repo or not - so would not be able to be exploited by this
issue
[USN-5967-1] object-path vulnerabilities [02:11]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- all prototype pollution vulns - a type of injection attack that particularly
applies to languages like JavaScript, where an attacker can add arbitrary
properties to global / default JavaScript objects (such as Object.prototype)
that are then inherited by user-defined objects - and so can result in the
ability to change the logic of the application or potentially even get remote
code execution (depending on how those object properties are used by the
application)
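To make the mechanism concrete, here is an added example (not code from the podcast or from the object-path project) of a dotted-path setter in the style of a library like object-path, first written naively and then hardened; the `pollutes` helper is a constructed probe that checks whether an unrelated object starts inheriting an injected property.

```javascript
// Naive path setter: walks or creates nested objects for "a.b.c" with no key
// checks, so a path beginning with "__proto__" walks straight into
// Object.prototype and writes a property every object in the process inherits.
function setPathNaive(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys through which a path can climb into the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened path setter: refuses those keys outright and only descends into
// own, plain-object properties, so the walk can never leave `obj` itself.
function setPathSafe(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing unsafe key: ${k}`);
    if (i === keys.length - 1) {
      cur[k] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  return obj;
}

// Constructed probe: feed an attacker-style path to a setter and report whether
// a fresh, unrelated object now inherits the injected `isAdmin` flag.
function pollutes(setter) {
  const probe = {};
  try {
    setter({}, "__proto__.isAdmin", true);
  } catch (e) {
    return false; // hardened setter rejects the path before writing anything
  }
  const leaked = probe.isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so later code is unaffected
  return leaked;
}
```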
[USN-5942-2] Apache HTTP Server vulnerability [02:56]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- request smuggling attack against mod_proxy
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- amanda has several suid-root binaries - each was able to be abused in a
different way - one to see if a given directory existed or not (info leak),
and the others to get code execution etc - update introduced a regression
which was then also fixed
[USN-5969-1] gif2apng vulnerabilities [04:00]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5971-1] Graphviz vulnerabilities [04:12]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 different NULL ptr derefs, 1 buffer overflow -> DoS / RCE
[USN-5954-2] Firefox regressions [04:40]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 111.0.1 - fixes a couple of regressions on macOS and Windows apparently
[USN-5972-1] Thunderbird vulnerabilities [04:58]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- 102.9.0
[USN-5973-1] url-parse vulnerabilities [05:11]
- 8 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- Node.js module for parsing URLs - even such a seemingly simple task as
parsing URLs can have various vulnerabilities
- DoS, SSRF, open redirect, or bypass of various other authorisation checks
- upstream project now recommends using the URL interface from Node.js and the
various browsers for "better security and accuracy"
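The recommendation above is easiest to appreciate with a worked comparison, added here and not taken from the podcast or the url-parse project: a hand-rolled hostname check used for a redirect/SSRF allowlist, beside the same check done with the WHATWG `URL` interface. The allowlist and the inputs are constructed for the example.

```javascript
// Constructed allowlist of hosts a redirect or server-side fetch may target.
const ALLOWED_HOSTS = new Set(["good.example", "www.good.example"]);

// Naive: a regex that "looks right" but lets a backslash sit inside the
// userinfo part, so it reports a host a browser will never navigate to.
function hostNaive(input) {
  const m = /^https?:\/\/(?:[^@/]*@)?([^/?#:]+)/i.exec(input);
  return m ? m[1].toLowerCase() : null;
}

// Hardened: let the WHATWG parser decide where the authority ends (for
// http(s) a backslash ends it, just as it does in browsers), require an
// http(s) scheme, and return the normalised hostname.
function hostSafe(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null; // unparsable input is rejected rather than guessed at
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname;
}

// Allowlist decision using whichever host extractor is supplied.
function isAllowed(hostFn, input) {
  const h = hostFn(input);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// Constructed input: the regex sees "evil.example\" as userinfo and
// "good.example" as the host, but a browser goes to evil.example.
const CONFUSING = "https://evil.example\\@good.example/login";
```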
[USN-5974-1] GraphicsMagick vulnerabilities [06:24]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5686-4] Git vulnerability [06:37]
[USN-5970-1] Linux kernel vulnerabilities [06:45]
- 9 CVEs addressed in Kinetic (22.10)
[LSN-0093-1] Linux kernel vulnerability [07:15]
- 2 CVEs addressed in all the various Livepatch supported releases (LTS and
16.04 ESM) across various different kernels
- UAF in Upper Level Protocol and buffer overflow in netfilter when handling
VLAN headers - both could allow a local user to cause a DoS or execute code in
the kernel -> EoP
Kernel type | 22.04 | 20.04 | 18.04 | 16.04
--- | --- | --- | --- | ---
aws | 93.1 | 93.1 | 93.1 | —
aws-5.15 | — | 93.1 | — | —
aws-5.4 | — | — | 93.1 | —
aws-hwe | — | — | — | 93.1
azure | 93.1 | 93.1 | — | 93.1
azure-4.15 | — | — | 93.1 | —
azure-5.4 | — | — | 93.1 | —
gcp | 93.2 | 93.1 | — | 93.1
gcp-4.15 | — | — | 93.1 | —
gcp-5.15 | — | 93.2 | — | —
gcp-5.4 | — | — | 93.1 | —
generic-4.15 | — | — | 93.1 | 93.1
generic-5.4 | — | 93.1 | 93.1 | —
gke | 93.2 | 93.1 | — | —
gke-4.15 | — | — | 93.1 | —
gke-5.15 | — | 93.2 | — | —
gke-5.4 | — | — | 93.1 | —
gkeop | — | 93.1 | — | —
gkeop-5.4 | — | — | 93.1 | —
ibm | 93.1 | 93.1 | — | —
linux | 93.1 | — | — | —
lowlatency-4.15 | — | — | 93.1 | 93.1
lowlatency-5.4 | — | 93.1 | 93.1 | —
oem | — | — | 93.1 | —
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
[USN-5975-1] Linux kernel vulnerabilities
- 31 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5976-1] Linux kernel (OEM) vulnerabilities
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5977-1] Linux kernel (OEM) vulnerabilities
- 3 CVEs addressed in Jammy (22.04 LTS)
[USN-5978-1] Linux kernel (OEM) vulnerabilities
- 12 CVEs addressed in Jammy (22.04 LTS)
[USN-5979-1] Linux kernel (HWE) vulnerabilities
- 9 CVEs addressed in Jammy (22.04 LTS)
[USN-5980-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-5981-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5982-1] Linux kernel vulnerabilities
- 15 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
pwn2own 2023 [08:02]
- pwn2own - part of CanSecWest security conference in Vancouver, Canada
- originally started as an informal event, now is organised by Trend’s ZDI and
is attended by many of the best offensive security research teams in the world
- compete to hack various known targets under various categories
- Runs over 3 days
- Ubuntu Desktop was a target again this year, in particular in the local user
elevation of privilege category - standard unprivileged user account which can
be used to escalate privileges to root - targeting the latest Ubuntu interim
release 22.10 (Kinetic)
- competitors get 3 attempts, each with a time limit of 10 minutes to get their
exploit to work
- From our side, we had a team of 4 engineers (Steve Beattie, John Johansen and
Georgia Garcia from the Ubuntu Security team and Thadeu Cascardo from the
Ubuntu Kernel team) who were on call to be shown the exploit and vulnerability
and within 30 minutes would have to determine if it was already known or not
- Day 1 saw 2 attempts
- one unsuccessful, the other was a previously known (but unpatched) vuln
- Day 2 saw 1 successful attempt (incorrect pointer scaling issue)
- Day 3 saw 3 successful attempts
- one also previously known, the other two were a double free and a UAF
- In total, 6 separate teams targeted Ubuntu Desktop, 5 were successful, and the
other was not able to get their exploit to work in the allotted time limit
- Details surrounding all of these vulnerabilities are embargoed for now, but
will become available in the future
- Only minor details have been released publicly by ZDI at this time (ie
incorrect pointer scaling, double free and UAF) but all (unsurprisingly)
related to the memory unsafety of C
- Interesting to see that macOS was only targeted once (successful), and Windows
11 twice (both successful too) yet Ubuntu had 6
- Yet last year, there were 6 for Windows 11, and 4 for Ubuntu
- Is Ubuntu seen as an easy target? Or are there more security researchers
looking at Ubuntu compared to Windows nowadays?
- Does the open source nature of Linux make it easier to find vulns since the
source code is easily able to be inspected?
- Pace of development of the upstream kernel is quite fast, lots of new
subsystems like io_uring and large attack surfaces through unprivileged user
namespaces perhaps make Ubuntu more of an easy target
- Part of the motivation to want to restrict access to unprivileged user
namespaces in the future
- More details to follow once vulns have been made public
- Thanks to Steve, JJ, Georgia and Thadeu
- Day 1 Results
- Day 2 Results
- Day 3 Results
Securing a distro and your own open source project - Everything Open 2023 [14:27]
- https://youtu.be/a-_5aJIjjLQ
- Ubuntu is one of the most popular Linux distributions and is used by millions
of people all over the world. It contains software from a wide array of
different upstream projects and communities across a number of different
language ecosystems. Ubuntu also aims to provide the best user experience for
consuming all these various pieces of software, whilst being both as secure
and usable as possible.
- The Ubuntu Security team is responsible for keeping all of this software
secure and patched against known vulnerabilities, as well as proactively
looking for new possible security issues, and finally for ensuring the
distribution as a whole is secured through proactive hardening work. They also
have a huge depth of experience in working with upstream open source projects
to report, manage, patch and disclose security vulnerabilities. Find out both
how they keep Ubuntu secure and how you can improve the security of your own
open source project or the projects you contribute to.