Show Notes
Overview
This week we investigate the mystery of failing GPG signatures for the 16.04 ISO
images, plus we look at security updates for CUPS, Avahi, the Linux kernel, FRR,
Go and more.
This week in Ubuntu Security Updates
58 unique CVEs addressed
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Heap buffer overflow when printing debug messages - apparently requires
cupsd.conf to have LogLevel as debug which is not usually the case
[USN-6129-1] Avahi vulnerability (01:39)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- DoS -> if called with an unknown service name, would result in a NULL pointer
dereference and crash - found via dfuzzer - a fuzzer for D-Bus services
[USN-6130-1] Linux kernel vulnerabilities (02:23)
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- 4.15 GA for 18.04 ESM (generic, virtual, lowlatency, KVM, AWS, Snapdragon, Azure, GCP, Oracle)
- HWE + GCP, Azure, GKE, AWS etc for 16.04 ESM
- Azure for 14.04 ESM
- race condition -> UAF -> privesc in netfilter
- KVM mishandling of control registers for nested guest VMs
- OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver -
requires an attacker to create a malicious USB device and insert that into
your machine to be able to trigger (shout out to USBGuard)
- OOB write in network queuing scheduler - able to be triggered through an
unprivileged user namespace (again)
[USN-6127-1] Linux kernel vulnerabilities (04:41)
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- 5.15
- 22.10 GA (virtual, raspi, generic, aws, lowlatency, ibm, azure, gcp, oracle, kvm, aws)
- 22.04 HWE (ditto)
- 20.04 HWE (ditto + OEMs)
- Same as above plus a race condition in shiftfs -> kernel deadlock -> DoS
[USN-6135-1] Linux kernel (Azure CVM) vulnerabilities (05:06)
- 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 Azure FDE (22.04, 20.04)
[USN-6131-1] Linux kernel vulnerabilities (05:18)
- 5 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 GA 20.04, HWE 18.04
[USN-6132-1] Linux kernel vulnerabilities (05:30)
- 13 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 (20.04 bluefield, 18.04 AWS)
[USN-6133-1] Linux kernel (Intel IoTG) vulnerabilities (05:42)
- 12 CVEs addressed in Jammy (22.04 LTS)
- 5.15 Intel IoTG
[USN-6134-1] Linux kernel (Intel IoTG) vulnerabilities
- 24 CVEs addressed in Focal (20.04 LTS)
- 5.15 Intel IoTG as well
[USN-6112-2] Perl vulnerability (05:54)
[USN-6136-1] FRR vulnerabilities (06:19)
- 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Implements BGP, OSPF, RIP, IS-IS, PIM and more - successor to Quagga
- Two issues in BGP handling - both OOB reads due to failing to use the right
lengths when reading packet structures, implemented in C
[USN-6137-1] LibRaw vulnerabilities (06:43)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Heap buffer overflow and stack buffer overflow (mitigated by stack protector
etc)
[USN-6138-1] libssh vulnerabilities (07:01)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- NULL ptr deref during re-keying - already authenticated user could trigger a DoS
- Possible for a client to avoid having its signature fully verified IF during
the verification process there is insufficient memory - fails, leaves in error
state that then falls through to an OK state
[USN-6139-1] Python vulnerability (07:37)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- [USN-5960-1] Python vulnerability from Episode 191 - original upstream fix was
incomplete
[USN-6140-1] Go vulnerabilities (07:57)
- 8 CVEs addressed in Kinetic (22.10), Lunar (23.04)
- Various content injection issues in JS, CSS and HTML template handling due to
failing to properly parse various delimiting elements (like backtick ` for JS
etc)
- Also two DoS since could trigger a panic due to mishandling of memory
[USN-6141-1] xfce4-settings vulnerability (08:31)
- 1 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- MIME helper failed to properly parse input - is called via xdg-open - so could
call xdg-open with crafted input that would then get passed through to
whatever application (like say the browser / file manager etc) and hence could
run these other applications with arbitrary arguments - e.g. could embed a
link in a PDF and when the user clicks this can then get say the browser to be
launched with arbitrary arguments
- e.g. could set the --remote-allow-origins flag to specify an attacker
controlled domain which is then allowed to connect to the local debugging port
and hence execute arbitrary JS on any other domain - steal creds etc
[USN-6142-1] nghttp2 vulnerability (10:16)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- C library for HTTP/2
- Overly large SETTINGS frames would cause a CPU-based DoS - mitigated by
setting a max limit for these frame types and rejecting if too large
[USN-6143-1] Firefox vulnerabilities (10:50)
- 4 CVEs addressed in Focal (20.04 LTS)
- 114.0 release
[USN-6144-1] LibreOffice vulnerabilities (10:59)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Array index underflow in handling of crafted formulas in Calc - memory corruption -> RCE
- Failed to prompt user before loading a document into an IFrame - document can then contain other elements like JS etc that get executed
[USN-6028-2] libxml2 vulnerabilities (11:35)
- 3 CVEs addressed in Lunar (23.04)
- 2 different NULL ptr deref, possible double free
- DoS / RCE via crafted XML documents
Recent report of invalid GPG signatures on 16.04 ISOs (12:04)
- https://discourse.ubuntu.com/t/is-ubuntu-vulnerable-to-fake-keys/21997/4
- User reported that the SHA256SUMS file for 16.04 ISOs on
old-releases.ubuntu.com failed to validate
- Sounds scary - has the server been hacked and the ISOs (and hence SHA256SUMS
file) been tampered with?
- We don't sign the ISOs directly - instead (like apt) we take a hash of the ISO
file and then sign the file containing that list of hashes - for performance
- So in this case, it would appear that the SHA256SUMS file has been modified
and so does not validate properly
- One other thing to note, this report was made in a follow-up comment to an
older thread where someone mentioned that they are able to upload arbitrary
keys to the ubuntu keyserver that mimic the archive / CD image signing keys
etc - this is the nature of key servers - anyone can upload any key with any
arbitrary identifiers - but since keys are generated from randomness, it is
theoretically impossible to generate a key with the same underlying
cryptographic fingerprint (even if it has the same name / email address
associated with it)
- Always important to make sure you use the right keys - as identified by their
fingerprint - these are listed on the wiki
https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
- These keys are also contained on all Ubuntu installs within the
/usr/share/keyrings/ubuntu-archive-keyring.gpg file from the ubuntu-keyring
package
- Able to easily verify this behaviour locally:
wget -q https://old-releases.ubuntu.com/releases/xenial/SHA256SUMS{,.gpg}
gpg --verify --no-default-keyring --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --verbose SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg: using DSA key 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg: using RSA key D94AA3F0EFE21092
gpg: using pgp trust model
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
- So far so scary - it really does look like the SHA256SUMS file was modified
- But if we look closer, we can see GPG says the signature was made on 28th
February 2019 - this corresponds with the 16.04.6 point release - yet the most
recent point release was 16.04.7 from 13th August 2020 for BootHole (Alex and
Joe take an in-depth and behind-the-scenes look at BootHole / GRUB from
Episode 84) - so it appears that perhaps the various signature files were
not regenerated when the 16.04.7 point release was made (yet the various SUMS
files were)
- Marc went asking around, vorlon from Foundations confirmed this was the case
- Simply had to run the script to resign this and push it to the server - now
all is good as can be seen below
gpg: Signature made Fri 09 Jun 2023 00:38:30 ACST
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: using pgp trust model
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
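- Added example (not from the episode or from Ubuntu's own tooling): a small
POSIX sh check that reads gpg's --status-fd output and only accepts the
SHA256SUMS when a VALIDSIG line carries the expected primary key fingerprint,
which is exactly the property a look-alike keyserver key cannot fake. The
sample status lines are constructed to mirror the two runs above; EXPECTED_FPR
is the 2012 CD Image key fingerprint shown in the output.

```shell
#!/bin/sh
# Added example, not from the episode notes: instead of trusting gpg's exit
# status alone, read its machine-readable --status-fd output and insist that
# the good signature came from the expected primary-key fingerprint. A key
# uploaded to a keyserver with the same name/email can never share it.
# Expected fingerprint: the 2012 CD Image key shown in the episode's output.
EXPECTED_FPR="843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Real use (needs gpg and the downloaded files):
#   gpg --status-fd 1 --no-default-keyring \
#       --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg \
#       --verify SHA256SUMS.gpg SHA256SUMS >status.txt 2>/dev/null
#   check_status status.txt "$EXPECTED_FPR" && echo "SHA256SUMS verified"

# check_status STATUS_FILE EXPECTED_FPR -> exit 0 only when the file has no
# BADSIG line and at least one VALIDSIG whose primary-key fingerprint matches.
# VALIDSIG fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd>
# <pk-algo> <hash-algo> <class> <primary-fpr>  -> primary-fpr is awk field 12.
# A NO_PUBKEY for a second signer (the old 2004 DSA key above) is tolerated.
check_status() {
    if grep -q '^\[GNUPG:\] BADSIG ' "$1"; then
        return 1
    fi
    grep '^\[GNUPG:\] VALIDSIG ' "$1" |
        awk -v want="$2" '$12 == want { found = 1 } END { exit !found }'
}

# Constructed status output mirroring the episode's first (bad) run.
write_sample_bad() {
    cat >"$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 46181433FBB75451 17 10 00 1551371167 9 -
[GNUPG:] NO_PUBKEY 46181433FBB75451
[GNUPG:] NEWSIG
[GNUPG:] BADSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
EOF
}

# Constructed status output mirroring the re-signed (good) run; timestamps are placeholders.
write_sample_good() {
    cat >"$1" <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D94AA3F0EFE21092 Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
[GNUPG:] VALIDSIG 843938DF228D22F7B3742BC0D94AA3F0EFE21092 2023-06-08 1686236310 0 4 0 1 10 00 843938DF228D22F7B3742BC0D94AA3F0EFE21092
EOF
}
```

A plain `gpg --verify` exit code of 0 only tells you some key in the keyring signed the file; pinning the fingerprint is what ties the result to the key listed on the wiki.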
- Thanks to the anonymous user in the Ubuntu Discourse for bringing this to our
attention