Episode 196

Show Notes

Overview

This week we look at some recent security developments from PyPI, the Linux Security Summit North America and the pending transition of Ubuntu 18.04 to ESM, plus we cover security updates for cups-filter, the Linux kernel, Git, runC, ncurses, cloud-init and more.

This week in Ubuntu Security Updates

83 unique CVEs addressed

[USN-6083-1] cups-filters vulnerability (01:03)

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-24805
Legacy BEH (Backend Error Handler) allows to create a network accessible printer - allowed to do pretty easy RCE since used system() to run a command which contained various values that can be controlled by the attacker
Fixed by upstream to use fork() and execve() plus some other smaller changes to perform sanitisation of the input

[USN-6084-1] Linux kernel vulnerabilities (01:45)

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 18.04 GCP + Oracle, 16.04 Oracle

[USN-6085-1] Linux kernel (Raspberry Pi) vulnerabilities (02:00)

10 CVEs addressed in Jammy (22.04 LTS)
5.15 Raspi kernel
Various UAFs in different drivers and subsystems, possible speculative execution attack against AMD x86-64 processors with SMT enabled, a few type confusion bugs leading to OOB reads etc

[USN-6090-1] Linux kernel vulnerabilities (02:26)

10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
Same set of vulns as above
5.15 22.04 GKE, GCP; 20.04 GKE, GCP, Oracle

[USN-6089-1] Linux kernel (OEM) vulnerability (02:45)

1 CVEs addressed in Jammy (22.04 LTS)
- CVE-2022-4139
6.0 OEM
i915 failed to flush GPU TLB in some cases -> DoS / RCE

[USN-6091-1] Linux kernel vulnerabilities (03:09)

25 CVEs addressed in Kinetic (22.10)
5.19 IBM + Oracle
Lots of the previously mentioned issues and more - same kinds of issues though (race conditions, UAFs, OOB writes etc in various drivers / subsystems)

[USN-6096-1] Linux kernel vulnerabilities (03:34)

25 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
22.10 GCP, 22.04 HWE
Same as above

[USN-6092-1] Linux kernel (Azure) vulnerabilities (03:45)

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 Azure on both 18.04, 16.04 ESM + 14.04 ESM

[USN-6093-1] Linux kernel (BlueField) vulnerabilities (03:54)

9 CVEs addressed in Focal (20.04 LTS)
5.4
NVIDIA BlueField platform

[USN-6094-1] Linux kernel vulnerabilities (04:02)

8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 20.04 / 18.04 HWE on all generic, Azure, GKE, IBM, OEM, AWS, KVM, Low latency etc

[USN-6095-1] Linux kernel vulnerabilities (04:29)

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 18.04 snapdragon + raspi2; 16.04 HWE etc

[USN-6050-2] Git vulnerabilities (04:50)

2 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2023-29007
- CVE-2023-25652
RCE via a crafted .gitmodules file with submodule URLs longer than 1024 chars - could inject arbitrary config into the users git config - eg. could configure the pager or editor etc to run some arbitrary command
Local file overwrite via crafted input to git apply --reject

[USN-6088-1] runC vulnerabilities (05:39)

3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
Vuln where the cgroup hierarchy of the host may be exposed within the container and be writable - could possibly use this to privesc
Regression from a previous vuln fix in CVE-2019-19921 (see [USN-4297-1] runC vulnerabilities in Episode 66)
Possible to bypass AppArmor (or SELinux) restrictions on runc if a container

[USN-6088-2] runC vulnerabilities (06:26)

6 CVEs addressed in Xenial ESM (16.04 ESM)

[USN-6086-1] minimatch vulnerability (06:31)

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2022-3517
ReDoS against nodejs package

[USN-6087-1] Ruby vulnerabilities (06:39)

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2023-28756
- CVE-2023-28755
Speaking of ReDoS - two in ruby - mentioned previously in [USN-6055-2] Ruby regression Episode 194 - has been fixed properly now without introducing the previous regression

[USN-5900-2] tar vulnerability (07:03)

1 CVEs addressed in Lunar (23.04)
- CVE-2022-48303
[USN-5900-1] tar vulnerability from Episode 189

[USN-5996-2] Libloius vulnerabilities (07:17)

3 CVEs addressed in Lunar (23.04)
Braille translation library
3 different buffer overflows

[USN-6099-1] ncurses vulnerabilities (07:27)

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
Most interesting vuln here was possible memory corruption via malformed terminfo database which can be set via TERMINFO of though ~/.terminfo - will get used by a setuid binary as well - turns out though that ncurses has a build-time configuration option to disable the use of custom terminfo/termcap when running - fixed this by enabling that

[USN-6073-6, USN-6073-7, USN-6073-8, USN-6073-9] Cinder, Glance store, Nova, os-brick regressions (08:34)

Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
[USN-6073-1, USN-6073-2, USN-6073-3, USN-6073-4] Cinder, Glance Store, Nova, os-brick vulnerability from Episode 195

[USN-5725-2] Go vulnerability (08:50)

1 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2020-16845

[USN-6042-2] Cloud-init regression (08:55)

Affecting Focal (20.04 LTS)
Published an update to cloud-init a few weeks ago - this was due to a vuln where credentials may get accidentally logged to the cloud-init log file - this was a newer version of cloud-init and it relied on a feature in the netplan package that was not published to the security pocket - easy fix would be to publish this version of netplan to -security but this is not in the spirit of the pocket - so instead cloud-init was updated to include a fallback to ensure routes were appropriately retained

[USN-6098-1] Jhead vulnerabilities (09:48)

8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
EXIF JPEG header manipulation tool written in C
Heap buffer overflows, NULL ptr derefs, OOB reads etc

[USN-6102-1] xmldom vulnerabilities (10:12)

3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
NodeJS javascript DOMParser and XMLSerializer
Logic error where failed to preserve identifiers or namespaces when parsing malicious documents
Prototype pollution
Parses documents with multiple top-level elements and combines all their elements

[USN-6101-1] GNU binutils vulnerabilities (10:50)

6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
Assembler, linker and other utils for handling binary files
Generally not expected to be fed untrusted input, but notheless
- various buffer overflows (read and write) - DoS / RCE

[USN-6074-3] Firefox regressions (11:38)

11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
113.0.2

[USN-6103-1] JSON Schema vulnerability (11:50)

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2021-3918
NodeJS package for JSON document manipulation - prototype pollution vuln
- [USN-5967-1] object-path vulnerabilities from Episode 192

Goings on in Ubuntu Security Community

Removing PGP from PyPI
- will no longer support new PGP signatures for PyPI packages in response to a recent public blog post detailing an audit of the PGP ecosystem with PyPI
  - most devs not uploading PGP signatures and of those that were, 30% were not available on major public keyservers and of those that were nearly half were not able to be meaningfully verified - some had expired, others had no binding signature to be able to verify them
PyPI was subpoenaed
- Ordered by DOJ to provide details on 5 PyPI usernames, including names, addresses, connection records, payment details, which packages and IP logs etc
- Provided these details after consulting with their lawyers
- Includes the specific attributes which were provided including the database queries used to lookup those records
- likely in response to recent security issues like typosquatting of popular packages with credential stealers and other malware embedded - over the past weekend, account sign-up and package uploads were blocked due to an overwhelming large number of malicious users and projects being created which the admins could not keep up with
Securing PyPI accounts via Two-Factor Authentication
- Every account that maintains a project / organisation will be required to enable 2FA by the end of this year
  - supports both TOTP and WebAuthN
- Already announced this for most critical projects last year where they gave away Google Titan security keys to those projects and mandated them to use 2FA

LSS NA 2023 (16:11)

Attended by John Johansen and Mark Esler from the Ubuntu Security Team
John presented in the LSM Maintainers Panel with Mickaël Salaün, Casey Schaufler, Mimi Zohar & moderated by Paul Moore
All presentations now online: https://www.youtube.com/playlist?list=PLbzoR-pLrL6q4vmwFP7-ZZ1LJc5mA3Hqu
Lots of interesting bits like:
- systemd and TPM2
- Verifiable End to End Secure OCI Native Machines
- Progress on Bounds Checking in C and the Linux Kernel
  - for more great content with Kees check out Seth and John talk Linux Kernel Security with Kees Cook from Episode 145
- Building the Largest Working Set of Apparmor Profiles
- Controlling Script Execution

Announcement of 18.04 LTS going into ESM on 31 May 2023 (18:55)

https://lists.ubuntu.com/archives/ubuntu-security-announce/2023-May/007371.html
18.04 LTS released on 26 April 2018
https://canonical.com/blog/18-04-end-of-standard-support