Episode 192

Posted on Friday, Mar 31, 2023
Ubuntu gets pwned at Pwn2Own 2023, plus we cover security updates for vulns in GitPython, object-path, amanda, url-parse and the Linux kernel - and we mention the recording of Alex’s Everything Open 2023 presentation as well.

Show Notes

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-5968-1] GitPython vulnerability [00:46]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • RCE via a malicious URL when cloning a repo - GitPython would call git clone under the hood and pass the purported URL straight through on the command line without any validation
  • Used as a dependency for other Python-based tools etc. - in particular by Bandit, a Python security checking tool used to scan Python projects for security issues - it would be ironic if a tool used to scan for security problems could be used to leverage an attack - so I took a quick look at the source code for Bandit and it seems to only use GitPython to check whether the current directory is a git repo or not - so it would not be exploitable via this issue

[USN-5967-1] object-path vulnerabilities [02:11]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • all prototype pollution vulns - a type of injection attack that particularly applies to languages like JavaScript, where an attacker can add arbitrary properties to the shared prototypes of built-in JavaScript objects (such as Object.prototype) that are then inherited by every object the application creates - and so can change the logic of the application or potentially even lead to remote code execution (depending on how those object properties are used by the application)
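To make the mechanism concrete, here is an added example (not code from object-path or from Ubuntu) of a minimal set-a-value-at-a-dotted-path helper of the kind such libraries provide, first in a vulnerable form and then hardened, together with a function that shows the pollution reaching objects the application never touched. The names setPathUnsafe, setPathSafe and demonstratePollution, and the isAdmin property used in the demonstration, are this example's own.

```javascript
// Added example, not the object-path library's code: a dotted-path setter in
// the style of such libraries, vulnerable and hardened side by side.

// Vulnerable: walks the path creating intermediate objects with no check on the
// keys. A path starting "__proto__" (or "constructor.prototype") walks into
// Object.prototype and the final assignment lands there.
function setPathUnsafe(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys that let a path escape the target object into the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: reject those keys outright, and only descend through own
// properties so an inherited value can never redirect the write.
function setPathSafe(obj, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set forbidden key "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Applies an attacker-shaped path (as might arrive in a JSON field name) with
// the given setter and reports whether unrelated objects picked up the property.
// Cleans up afterwards so the rest of the process is unaffected.
function demonstratePollution(setter) {
  const target = {};
  const unrelated = {}; // created before the write, yet still affected if polluted
  let polluted;
  try {
    setter(target, "__proto__.isAdmin", true);
    polluted = unrelated.isAdmin === true && ({}).isAdmin === true;
  } catch (e) {
    polluted = false; // the hardened setter refuses the path
  } finally {
    delete Object.prototype.isAdmin;
  }
  return polluted;
}

module.exports = { setPathUnsafe, setPathSafe, demonstratePollution };
```

The demonstration also shows why the consequence depends on how the application uses the property: an authorisation check such as "if (user.isAdmin)" on an object that never had that field set now passes for every user.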

[USN-5942-2] Apache HTTP Server vulnerability [02:56]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • request smuggling attack against mod_proxy

[USN-5966-1, USN-5966-2] amanda vulnerabilities [03:06]

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • amanda has several suid-root binaries, each of which could be abused in a different way - one to check whether a given directory exists (an info leak), the others to get code execution - the update introduced a regression, which was then also fixed

[USN-5969-1] gif2apng vulnerabilities [04:00]

[USN-5971-1] Graphviz vulnerabilities [04:12]

[USN-5954-2] Firefox regressions [04:40]

[USN-5972-1] Thunderbird vulnerabilities [04:58]

[USN-5973-1] url-parse vulnerabilities [05:11]

[USN-5974-1] GraphicsMagick vulnerabilities [06:24]

[USN-5686-4] Git vulnerability [06:37]

[USN-5970-1] Linux kernel vulnerabilities [06:45]

[LSN-0093-1] Linux kernel vulnerability [07:15]

  • 2 CVEs addressed in all the various Livepatch supported releases (LTS and 16.04 ESM) across various different kernels
  • UAF in the TCP Upper Layer Protocol (ULP) handling and a buffer overflow in netfilter when handling VLAN headers - both could allow a local user to cause a DoS or execute code in the kernel, i.e. escalate privileges
Kernel type 22.04 20.04 18.04 16.04
aws 93.1 93.1 93.1
aws-5.15 93.1
aws-5.4 93.1
aws-hwe 93.1
azure 93.1 93.1 93.1
azure-4.15 93.1
azure-5.4 93.1
gcp 93.2 93.1 93.1
gcp-4.15 93.1
gcp-5.15 93.2
gcp-5.4 93.1
generic-4.15 93.1 93.1
generic-5.4 93.1 93.1
gke 93.2 93.1
gke-4.15 93.1
gke-5.15 93.2
gke-5.4 93.1
gkeop 93.1
gkeop-5.4 93.1
ibm 93.1 93.1
linux 93.1
lowlatency-4.15 93.1 93.1
lowlatency-5.4 93.1 93.1
oem 93.1

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

[USN-5975-1] Linux kernel vulnerabilities

[USN-5976-1] Linux kernel (OEM) vulnerabilities

[USN-5977-1] Linux kernel (OEM) vulnerabilities

[USN-5978-1] Linux kernel (OEM) vulnerabilities

[USN-5979-1] Linux kernel (HWE) vulnerabilities

[USN-5980-1] Linux kernel vulnerabilities

[USN-5981-1] Linux kernel vulnerabilities

[USN-5982-1] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community

pwn2own 2023 [08:02]

  • pwn2own - part of CanSecWest security conference in Vancouver, Canada
  • originally started as an informal event, now organised by Trend Micro's ZDI (Zero Day Initiative) and attended by many of the best offensive security research teams in the world
  • teams compete to exploit a set of announced targets across a number of categories
  • Runs over 3 days
  • Ubuntu Desktop was a target again this year, in the local user elevation of privilege category: starting from a standard unprivileged user account, escalate privileges to root - the target was the latest Ubuntu interim release, 22.10 (Kinetic)
  • competitors get 3 attempts, each with a time limit of 10 minutes, to get their exploit to work
  • From our side, we had a team of 4 engineers (Steve Beattie, John Johansen and Georgia Garcia from the Ubuntu Security team and Thadeu Cascardo from the Ubuntu Kernel team) who were on call to be shown the exploit and vulnerability and then had 30 minutes to determine whether it was already known or not
  • Day 1 saw 2 attempts
    • one unsuccessful, the other a previously known (but unpatched) vulnerability
  • Day 2 saw 1 successful attempt (incorrect pointer scaling issue)
  • Day 3 saw 3 successful attempts
    • one also previously known; the other two were a double free and a UAF
  • In total, 6 separate teams targeted Ubuntu Desktop: 5 were successful, and the sixth was not able to get their exploit to work within the allotted time limit
    • Details of all of these vulnerabilities are embargoed for now, but will become available in the future
    • Only minor details have been released publicly by ZDI at this time (i.e. incorrect pointer scaling, double free and UAF), but all are (unsurprisingly) memory-safety bugs in C code
  • Interesting to see that macOS was only targeted once (successfully), and Windows 11 twice (both successful too), yet Ubuntu had 6
  • Yet last year, there were 6 for Windows 11 and 4 for Ubuntu
  • Is Ubuntu seen as an easy target? Or are there more security researchers looking at Ubuntu compared to Windows nowadays?
  • Does the open source nature of Linux make it easier to find vulns, since the source code can easily be inspected?
  • The pace of development of the upstream kernel is quite fast, and lots of new subsystems like io_uring, plus the large attack surface exposed through unprivileged user namespaces, perhaps make Ubuntu more of an easy target
    • Part of the motivation to want to restrict access to unprivileged user namespaces in the future
  • More details to follow once vulns have been made public
  • Thanks to Steve, JJ, Georgia and Thadeu
  • Day 1 Results
  • Day 2 Results
  • Day 3 Results

Securing a distro and your own open source project - Everything Open 2023 [14:27]

  • https://youtu.be/a-_5aJIjjLQ

  • Ubuntu is one of the most popular Linux distributions and is used by millions of people all over the world. It contains software from a wide array of different upstream projects and communities across a number of different language ecosystems. Ubuntu also aims to provide the best user experience for consuming all these various pieces of software, whilst being both as secure and usable as possible.

  • The Ubuntu Security team is responsible for keeping all of this software secure and patched against known vulnerabilities, as well as proactively looking for new possible security issues, and finally for ensuring the distribution as a whole is secured through proactive hardening work. They also have a huge depth of experience in working with upstream open source projects to report, manage, patch and disclose security vulnerabilities. Find out both how they keep Ubuntu secure and how you can improve the security of your own open source project or the projects you contribute to.

Get in contact