Episode 196

Posted on Friday, May 26, 2023
This week we look at some recent security developments from PyPI, the Linux Security Summit North America and the pending transition of Ubuntu 18.04 to ESM, plus we cover security updates for cups-filter, the Linux kernel, Git, runC, ncurses, cloud-init and more.

Show Notes

This week in Ubuntu Security Updates

83 unique CVEs addressed

[USN-6083-1] cups-filters vulnerability (01:03)

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • The legacy BEH (Backend Error Handler) backend allows creating a network-accessible printer - this allowed fairly easy RCE, since it used system() to run a command line that contained various values controllable by the attacker
  • Fixed upstream by switching to fork() and execve(), plus some other smaller changes to sanitise the input
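An added illustration of the two patterns contrasted above (constructed for these notes, not cups-filters code): the vulnerable shape pastes an attacker-influenced value into a system() command line, while the hardened shape passes it as one argv element through fork() and execve(). The ':' builtin and the tiny "count my arguments" sh script stand in for the real backend.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Turn a wait()-style status into the child's exit code, or -1 if the
 * child did not exit normally. */
static int exit_code(int status) {
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* VULNERABLE shape: the value is pasted into a command string and handed
 * to system(), so /bin/sh parses it and any ';', '|' or '$(...)' inside
 * the value becomes shell syntax. (':' stands in for the real backend.) */
int run_via_system(const char *value) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, ": %s", value);
    int status = system(cmd);
    return status == -1 ? -1 : exit_code(status);
}

/* HARDENED shape (what the upstream fix moves to): fork() + execve() with
 * an argv array. The kernel hands every element to the child verbatim and
 * no shell ever tokenises it. The child is a tiny sh script that exits 0
 * only if it received exactly one positional argument, so the caller can
 * observe that the value arrived whole. */
int run_via_execve(const char *value) {
    char *const argv[] = { "/bin/sh", "-c", "[ \"$#\" -eq 1 ]", "sh",
                           (char *)value, NULL };
    char *const envp[] = { NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, envp);
        _exit(127);                 /* only reached if execve() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_code(status);
}

int main(void) {
    const char *hostile = "x; exit 3";   /* constructed, deliberately benign */
    printf("system(): %d  execve(): %d\n",
           run_via_system(hostile), run_via_execve(hostile));
    return 0;
}
```

With the constructed value the system() path returns 3 (the injected "exit 3" ran as a separate command) while the execve() path returns 0 (the child saw one literal argument).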

[USN-6084-1] Linux kernel vulnerabilities (01:45)

[USN-6085-1] Linux kernel (Raspberry Pi) vulnerabilities (02:00)

[USN-6090-1] Linux kernel vulnerabilities (02:26)

[USN-6089-1] Linux kernel (OEM) vulnerability (02:45)

  • 1 CVE addressed in Jammy (22.04 LTS)
  • 6.0 OEM
  • The i915 driver failed to flush the GPU TLB in some cases -> DoS / RCE

[USN-6091-1] Linux kernel vulnerabilities (03:09)

[USN-6096-1] Linux kernel vulnerabilities (03:34)

[USN-6092-1] Linux kernel (Azure) vulnerabilities (03:45)

[USN-6093-1] Linux kernel (BlueField) vulnerabilities (03:54)

[USN-6094-1] Linux kernel vulnerabilities (04:02)

[USN-6095-1] Linux kernel vulnerabilities (04:29)

[USN-6050-2] Git vulnerabilities (04:50)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • RCE via a crafted .gitmodules file with submodule URLs longer than 1024 chars - could inject arbitrary config into the user's git config - e.g. could configure the pager or editor etc. to run some arbitrary command
  • Local file overwrite via crafted input to git apply --reject
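An added defender-side check (not git's own parser) that a CI job could run over a repository's .gitmodules before the submodules are touched: it counts url values longer than the 1024-byte threshold mentioned above. URL_LIMIT, count_oversized_urls and the sample text are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define URL_LIMIT 1024   /* length threshold described in the advisory */

/* Scan the text of a .gitmodules file line by line and return how many
 * "url = ..." values are longer than URL_LIMIT bytes. */
int count_oversized_urls(const char *text) {
    int hits = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *end = line + len;
        const char *p = line;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (strncmp(p, "url", 3) == 0) {
            p += 3;
            while (p < end && isspace((unsigned char)*p)) p++;
            if (p < end && *p == '=') {
                p++;
                while (p < end && isspace((unsigned char)*p)) p++;
                if ((size_t)(end - p) > URL_LIMIT) hits++;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return hits;
}

/* Constructed sample: one well-formed entry plus one whose url value is
 * padded past URL_LIMIT. Returns the hit count for that sample (1). */
int oversized_sample_hits(void) {
    static char buf[2048];
    int n = snprintf(buf, sizeof buf,
        "[submodule \"ok\"]\n\tpath = ok\n\turl = https://example.invalid/ok.git\n"
        "[submodule \"bad\"]\n\tpath = bad\n\turl = https://example.invalid/");
    memset(buf + n, 'a', 1100);      /* pad the second url to > 1024 bytes */
    buf[n + 1100] = '\n';
    buf[n + 1101] = '\0';
    return count_oversized_urls(buf);
}

int main(void) {
    printf("oversized urls in sample: %d\n", oversized_sample_hits());
    return 0;
}
```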

[USN-6088-1] runC vulnerabilities (05:39)

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Vuln where the cgroup hierarchy of the host may be exposed within the container and be writable - could possibly be used for privesc
  • Regression from a previous vuln fix in CVE-2019-19921 (see [USN-4297-1] runC vulnerabilities in Episode 66)
  • Possible to bypass AppArmor (or SELinux) restrictions on runc if a container

[USN-6088-2] runC vulnerabilities (06:26)

[USN-6086-1] minimatch vulnerability (06:31)

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • ReDoS in this Node.js package

[USN-6087-1] Ruby vulnerabilities (06:39)

[USN-5900-2] tar vulnerability (07:03)

[USN-5996-2] Liblouis vulnerabilities (07:17)

[USN-6099-1] ncurses vulnerabilities (07:27)

  • 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Most interesting vuln here was possible memory corruption via a malformed terminfo database, which can be set via TERMINFO or through ~/.terminfo - this will get used by a setuid binary as well - turns out though that ncurses has a build-time configuration option to disable the use of custom terminfo/termcap when running - fixed by enabling that option

[USN-6073-6, USN-6073-7, USN-6073-8, USN-6073-9] Cinder, Glance store, Nova, os-brick regressions (08:34)

[USN-5725-2] Go vulnerability (08:50)

[USN-6042-2] Cloud-init regression (08:55)

  • Affecting Focal (20.04 LTS)
  • Published an update to cloud-init a few weeks ago for a vuln where credentials may get accidentally logged to the cloud-init log file - this was a newer version of cloud-init and it relied on a feature in the netplan package that was not published to the security pocket - the easy fix would be to publish this version of netplan to -security, but this is not in the spirit of the pocket - so instead cloud-init was updated to include a fallback to ensure routes were appropriately retained

[USN-6098-1] Jhead vulnerabilities (09:48)

[USN-6102-1] xmldom vulnerabilities (10:12)

  • 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Node.js JavaScript DOMParser and XMLSerializer
  • Logic error where it failed to preserve identifiers or namespaces when parsing malicious documents
  • Prototype pollution
  • Parses documents with multiple top-level elements and combines all their elements

[USN-6101-1] GNU binutils vulnerabilities (10:50)

  • 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Assembler, linker and other utils for handling binary files
  • Generally not expected to be fed untrusted input, but nonetheless
    • various buffer overflows (read and write) - DoS / RCE

[USN-6074-3] Firefox regressions (11:38)

[USN-6103-1] JSON Schema vulnerability (11:50)

Goings on in Ubuntu Security Community

  • Removing PGP from PyPI

    • PyPI will no longer support new PGP signatures for packages, in response to a recent public blog post detailing an audit of the PGP ecosystem on PyPI
      • most devs were not uploading PGP signatures; of those that were, 30% were not available on major public keyservers, and of those that were, nearly half could not be meaningfully verified - some had expired, others had no binding signature to verify them with
  • PyPI was subpoenaed

    • Ordered by the DOJ to provide details on 5 PyPI usernames, including names, addresses, connection records, payment details, which packages they maintain, IP logs, etc.
    • Provided these details after consulting with their lawyers
    • Includes the specific attributes that were provided, including the database queries used to look up those records
    • Likely in response to recent security issues like typosquatting of popular packages with credential stealers and other malware embedded - over the past weekend, account sign-up and package uploads were blocked due to an overwhelmingly large number of malicious users and projects being created, which the admins could not keep up with
  • Securing PyPI accounts via Two-Factor Authentication

    • Every account that maintains a project / organisation will be required to enable 2FA by the end of this year
      • supports both TOTP and WebAuthn
    • Already announced this for the most critical projects last year, where they gave away Google Titan security keys to those projects and mandated 2FA for them

LSS NA 2023 (16:11)

Announcement of 18.04 LTS going into ESM on 31 May 2023 (18:55)
