Episode 197

Show Notes

Overview

The venerable Ubuntu 18.04 LTS release has transitioned into ESM, plus we look at Till Kamppeter’s excellent guide on how to set up your GitHub projects to receive private vulnerability reports, and we cover the week in security updates including PostgreSQL, Jhead, the Linux kernel, Linux PTP, snapd and a whole lot more.

This week in Ubuntu Security Updates

56 unique CVEs addressed

[USN-6104-1] PostgreSQL vulnerabilities (00:55)

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-2455
  • CVE-2023-2454
• Two issues, both requiring to be an authenticated user. One in mishandling of CREATE privileges - could then allow an auth user to execute arbitrary code as a the bootstrap supervisor - the other in row security properties which could allow to bypass policies and get read/write contrary to security policy.

[USN-6105-1] ca-certificates update (01:32)

• Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
• Updates to the latest upstream 2.60 release from Mozilla, adds a bunch of new CAs plus removes some that had either expired or that were now not used anymore

[USN-6106-1] calamares-settings-ubuntu vulnerability (02:08)

• Affecting Jammy (22.04 LTS)
• When installing Lubuntu, it would allow to create the first user with an empty password. Lubuntu uses it’s own installer called Calamares - so this issue only affects Lubuntu, not regular Ubuntu or other Ubuntu flavors.

[USN-6100-1] HTML::StripScripts vulnerability (02:58)

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2023-24038
• REDoS when parsing HTML with “certain style attributes”

[USN-6108-1] Jhead vulnerabilities (03:18)

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2022-41751
  • CVE-2021-34055
• [USN-6098-1] Jhead vulnerabilities in last week’s episode
• Code-exec - place OS commands into a JPEG filename and then using jhead to rotate the file
• Buffer overflow when writing Exif data

[USN-6110-1] Jhead vulnerabilities

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2021-28277
  • CVE-2021-28275
  • CVE-2021-3496
• Stack buffer overflow, heap buffer overflow and OOB read - DoS / code exec

[USN-6113-1] Jhead vulnerability

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2018-6612
• Heap buffer OOB read -> DoS

[USN-6054-2] Django vulnerability (04:17)

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • CVE-2023-31047
• [USN-6054-1] Django vulnerability in Episode 194

[USN-6109-1, USN-6118-1] Linux kernel (Raspberry Pi + Oracle) vulnerabilities (04:29)

• 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2023-1118
  • CVE-2023-32269
  • CVE-2023-2162
  • CVE-2023-1513
  • CVE-2023-1078
  • CVE-2023-1075
  • CVE-2023-0459
  • CVE-2022-3707
• 5.4 raspi + oracle on both 20.04 + 18.04
• Most issues covered on previous episodes

[USN-6122-1] Linux kernel (OEM) vulnerabilities (04:49)

• 2 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-2612
  • CVE-2023-32233
• 6.1 OEM 22.04 LTS
• Race condition in netfilter able to be triggered by a local user -> UAF
  • requires CAP_NET_ADMIN but can get this in an unprivileged user namespace ∴ can be triggered OOTB by an unpriv user on Ubuntu
  • PoC was published for this last week - caused a bunch of folks to get anxious but since can be mitigated by disabling unprivileged user namespaces perhaps it was not worth all the hype? Also kernel updates take a while to prepare and test etc so it is not easy to just drop everything and crank a new kernel - so in general this would only occur for remotely exploitable issues

[USN-6123-1] Linux kernel (OEM) vulnerabilities (06:48)

• 5 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-26606
  • CVE-2023-2612
  • CVE-2023-1670
  • CVE-2023-30456
  • CVE-2023-32233
• 6.0 OEM
• Netfilter issue above, plus mishandling of control registers in nested KVM VMs - could allow an guest VM to crash the VM host

[USN-6124-1] Linux kernel (OEM) vulnerabilities (07:10)

• 6 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2023-2612
  • CVE-2023-1670
  • CVE-2022-4139
  • CVE-2022-3586
  • CVE-2023-30456
  • CVE-2023-32233
• 5.17 OEM
• Mostly same issues as above

[USN-6097-1] Linux PTP vulnerability (07:20)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-3570
• Precision time protocol implementation - allows to synchronise time between servers to sub-microsecond accuracy - more accurate than NTP - uses a leader/follower architecture - leader would be synchronised with high accuracy via say a GPS then distributes this to other machines via PTP
• Failed to check length of received packet properly (but only for forwarded packets) - results in a OOB R/W - so could either be an info leak or possible RCE

[USN-6005-2] Sudo vulnerabilities (08:49)

• 2 CVEs addressed in Xenial ESM (16.04 ESM)
  • CVE-2023-28487
  • CVE-2023-28486
• [USN-6005-1] Sudo vulnerabilities in Episode 193

[USN-6111-1] Flask vulnerability (09:02)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-30861
• Possibly sends a response intended for one client to a different client due to mishandling of the Vary:Cookie header - requires the use of a caching proxy and other conditions though so may not be a widespread issue

[USN-6112-1] Perl vulnerability (09:35)

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
  • CVE-2023-31484
• Failed to properly validate TLS certs when using CPAN with <:Tiny> to download modules over HTTPS - failed to set ssl_Verify - parameter to <:Tiny>
• Seems the upstream HTTP::Tiny dev’s thinks it would be discriminatory to enable SSL verification by default as that would make applications etc that use self-signed certs or community-driven CAs like CAcert.org fail - but this seems pretty outdated since with Let’s Encrypt etc nowadays there is easy access to trusted certs for anyone - and so this just does a disservice to all applications that use <:Tiny> making them potentially insecure out-of-the-box
• Won’t be surprised to see other similar vulns in the future as a result of this foot-gun

[USN-6114-1] nth-check vulnerability (11:32)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2021-3803
• Node.js module for parsing and compiling CSS nth-checks (used in CSS 3 nth-child() and nth-last-of-type() functions) - can pass it a string and it will compile that to an optimised function for calling by other code
• REDoS

[USN-6116-1] hawk vulnerability (12:11)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2022-29167
• Node.js HTTP Holder-of-key authentication scheme - a HTTP authentication scheme that is similar to the regular HTTP Digest scheme - developed by Mozilla
• REDoS

[USN-6115-1] TeX Live vulnerability (12:47)

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-32700
• Shell command execution in luatex if run against an untrusted document since could access the io stream used by the underlying lua engine and inject contents into it which would then be executed

[USN-6119-1] OpenSSL vulnerabilities (13:20)

• 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-1255
  • CVE-2023-2650
• CPU-based DoS when processing crafted ASN.1 object identifiers - requires to have an object ID which itself is tens to hundreds of KBs - OpenSSL 3 has a limit of 100KB on the peer cert chain which limits the ability to craft such long IDs and have them be processed by OpenSSL
• An aarch64 specific issue - AES-XTS decryption algorithm would possibly read past the end of the input buffer -> OOB read -> possible DoS but only if the ciphertext is a certain size relative to the block size

[USN-6120-1] SpiderMonkey vulnerabilities (14:25)

• 9 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-32215
  • CVE-2023-32211
  • CVE-2023-29550
  • CVE-2023-29548
  • CVE-2023-29536
  • CVE-2023-29535
  • CVE-2023-25751
  • CVE-2023-25739
  • CVE-2023-25735
• mozjs 102.11 release - JS engine shipped in Firefox so has a lot of overlap with CVEs in firefox etc.
• thanks to the Jeremy Bicha on the Ubuntu Desktop team for preparing these updates

[USN-6121-1] Nanopb vulnerabilities (14:45)

• 2 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-21401
  • CVE-2020-26243
• Implementation of Protocol Buffers but with small code size - designed for embedded systems etc
• Memory leak on parsing of crafted messages plus an invalid free() or realloc() on crafted messages - both only really an issue if parsing untrusted content

[USN-6117-1] Apache Batik vulnerabilities (15:16)

• 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • CVE-2022-42890
  • CVE-2022-41704
  • CVE-2022-40146
  • CVE-2022-38648
  • CVE-2022-38398
  • CVE-2020-11987
  • CVE-2019-17566
• Java SVG library
• 4 different XSRF issues
• 1 SSRF issue on handling of URLs in Jar’s - could allow to access local files on the server
• 2 different issues that could allow untrusted Java code embedded in an SVG to be executed

[USN-6125-1] snapd vulnerability (15:48)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-1523
• Very similar to a recent issue (CVE-2023-28100) in flatpak - seccomp sandbox failed to block the TIOCLINUX ioctl() request - could allow a snap to inject contents into the controlling terminal when run on a virtual console - this would then be executed when the snap finished running -> code exec outside the snap sandbox
• Now simply blocks TIOCLINUX as it already did for TIOCSTI in the past
• Very similar to historic TIOCSTI CVEs such as CVE-2016-9016 in firejail, CVE-2016-10124 in lxc, CVE-2017-5226 in bubblewrap, CVE-2019-10063 in flatpak

[USN-6126-1] libvirt vulnerabilities (17:44)

• 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • CVE-2023-2700
  • CVE-2022-0897
• race condition within the nwfilter driver - allows a local unprivileged user to race against the driver and corrupt the list of network filters and trigger a crash in the libvirt daemon
• memory leak when reading SR-IOV PCI device capabilities

Goings on in Ubuntu Security Community

Ubuntu 18.04 has now entered ESM (18:21)

• https://www.omgubuntu.co.uk/2023/05/ubuntu-18-04-general-support-ends-enable-esm-to-stay-protected

OpenPrinting tutorial on handling security bugs via GitHub (19:40)

• https://openprinting.github.io/OpenPrinting-News-May-2023/#handling-reported-security-bugs-with-github
• Last week we talked about a vulnerability in the cups-filter package
• Discusses the difficulty in handling security issues in open source projects, where all the development is usually done in the open, how do you privately report and collaborate on a security issue?
• GitHub offers the ability to report security vulnerabilities privately
• Not enabled by default since it requires some configuration on the part of the maintainer to configure the templates etc that get sent out - also needs the organisation that owns the repo to enable this as well
  • GitHub offer some great guidance on the best ways to do this
• Usual workflow is to submit a report privately and then can create a temporary private fork in which to develop the fix
• Read Till’s blog post as that contains a great walk-through on how to enable this

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter