Episode 199

Posted on Friday, Jun 16, 2023
For our 199th episode Andrei looks at Fuzzing Configurations of Program Options plus we discuss Google’s findings on the io_uring kernel subsystem and we look at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib and more.

Show Notes

This week in Ubuntu Security Updates

53 unique CVEs addressed

[USN-6145-1] Sysstat vulnerabilities (00:55)

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • System performance tools - integer overflow leading to a possible buffer overflow - the original fix was incomplete, so a second CVE was issued

[USN-6146-1] Netatalk vulnerabilities (01:22)

  • 9 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Implementation of the Apple Filing Protocol - allows an Ubuntu server to share files with macOS clients - similar to Samba for Windows
  • Lots of different buffer overflows - some / most disclosed via ZDI
  • Almost all due to missing length checks on the input data - some OOB writes, others OOB reads - sadly there is no AppArmor profile for netatalk but it would be interesting to try and create one

[USN-6147-1] SpiderMonkey vulnerability (02:21)

  • 1 CVE addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Latest release of mozjs 102.12.0 (Mozilla’s SpiderMonkey JS engine)
  • Used by gnome-shell etc
  • Upstream Mozilla describes this issue as ‘memory safety bugs’

[USN-6149-1] Linux kernel vulnerabilities (02:52)

[USN-6150-1, USN-6162-1] Linux kernel vulnerabilities (03:55)

[USN-6151-1] Linux kernel (Xilinx ZynqMP) vulnerabilities (04:13)

[USN-6152-1] Linux kernel (GKE) regression (04:21)

  • Affecting Focal (20.04 LTS), Jammy (22.04 LTS)
  • 5.15 - NFS cache issue causing a severe degradation in performance under certain conditions

[USN-6153-1] Jupyter Core vulnerability (04:42)

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Executed untrusted files from the current working directory - possible RCE - would unconditionally prepend the current working dir to the search path

[USN-6154-1] Vim vulnerabilities (04:58)

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Moar vim CVEs
  • Seems we talk about vim every month or so lately
  • Only a few CVEs per year until 2021 - then 20, 113 for 2022, so far only 15 for 2023 - is this a sign that the rate of vim CVEs is decreasing?
Figure 1: Vulnerabilities by year in vim from https://www.cvedetails.com/product/14270/VIM-VIM.html?vendor_id=8218

[USN-6155-1] Requests vulnerability (05:56)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Python requests library - leaked Proxy-Authorization headers to the destination server when redirected by an HTTPS endpoint

[USN-6156-1] SSSD vulnerability (06:11)

  • 1 CVE addressed in Focal (20.04 LTS)
  • Failed to sanitise certificate attributes before issuing an LDAP search - i.e. a certificate may contain parentheses in, say, the Subject DN field - this would then be used directly in the query and interpreted as part of the LDAP filter - could then allow a malicious client to provide a crafted certificate which performs arbitrary LDAP queries etc - such that when used in conjunction with FreeIPA they could elevate their privileges
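
An added example (not SSSD's own code) of the missing step: RFC 4515 escaping of a certificate field before it is interpolated into an LDAP filter, with the vulnerable and fixed builders side by side. The `subjectDN` attribute name and the `CRAFTED_DN` value are constructed for this example.

```python
# Added example (not SSSD's own code): escape certificate attribute values
# before embedding them in an LDAP search filter, as RFC 4515 requires.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string so it can be embedded as an LDAP filter assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_cert_filter_unsafe(subject_dn: str) -> str:
    """The vulnerable pattern: the certificate's Subject DN goes straight into
    the filter. 'subjectDN' is an assumed attribute name for this example."""
    return f"(&(objectClass=person)(subjectDN={subject_dn}))"


def build_cert_filter(subject_dn: str) -> str:
    """The fixed pattern: every filter metacharacter in the DN is escaped first."""
    return f"(&(objectClass=person)(subjectDN={escape_ldap_filter_value(subject_dn)}))"


def assertion_count(ldap_filter: str) -> int:
    """Count '(' characters; in a correctly escaped filter every one is structural,
    so a filter built from one objectClass term plus one DN term must yield 3."""
    return ldap_filter.count("(")


# Constructed malicious Subject DN: the unescaped ')' closes the subjectDN
# assertion and '(uid=admin' injects an extra one, changing what the search matches.
CRAFTED_DN = "CN=alice)(uid=admin"

if __name__ == "__main__":
    print(build_cert_filter_unsafe(CRAFTED_DN))  # 4 '(' : an assertion was injected
    print(build_cert_filter(CRAFTED_DN))         # 3 '(' : DN stays one literal value
```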

[USN-6148-1] SNI Proxy vulnerability (06:54)

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Buffer overflow when handling a crafted HTTP packet that specifies an IPv6 address longer than the maximum possible - since it parses it into a fixed-size buffer

[USN-6157-1] GlusterFS vulnerability

  • 1 CVE addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Stack buffer overread - generally protected by stack protector on Ubuntu - crash -> DoS

[USN-6143-2] Firefox regressions (07:25)

[USN-6158-1] Node Fetch vulnerability (07:45)

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • If redirected to another site, would leak the cookies of the originating site to the other - violation of the same-origin policy

[USN-6159-1] Tornado vulnerability (07:59)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Lunar (23.04)
  • Open redirect - allows an attacker to craft a URL to a site that when visited will redirect the user to a different arbitrary site - can then be used to phish the user
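
The three redirect issues above (requests leaking Proxy-Authorization, node-fetch leaking cookies across sites, Tornado's open redirect) share one root: not checking where a redirect actually goes. This added example, not code from any of those projects, shows both defensive checks; a real client would re-derive Proxy-Authorization from its proxy configuration rather than simply dropping it, as done here.

```python
# Added example (not the requests, node-fetch or Tornado code): two checks
# around HTTP redirects, one for clients following them, one for servers issuing them.
from urllib.parse import urlsplit

# Credentials bound to the origin they were sent to; must not cross origins.
ORIGIN_BOUND_HEADERS = {"authorization", "cookie"}
# Bound to the proxy, never to the destination server, so never forward it.
PROXY_BOUND_HEADERS = {"proxy-authorization"}


def _origin(url: str) -> tuple:
    """(scheme, host, port) triple; a change in any part is a different origin."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Headers a client should carry when following a redirect from_url -> to_url."""
    cross_origin = _origin(from_url) != _origin(to_url)
    kept = {}
    for name, value in headers.items():
        key = name.lower()
        if key in PROXY_BOUND_HEADERS:
            continue                      # the destination must never see it
        if cross_origin and key in ORIGIN_BOUND_HEADERS:
            continue                      # would hand site A's credentials to site B
        kept[name] = value
    return kept


def is_safe_local_redirect(location: str) -> bool:
    """Open-redirect guard for a server: True only if location stays on this site."""
    if not location.startswith("/"):
        return False                      # absolute URLs and bare names are rejected
    if location[1:2] in ("/", "\\"):
        return False                      # '//evil' and '/\\evil' are scheme-relative
    p = urlsplit(location)
    return not p.scheme and not p.netloc  # a plain path, nothing that picks a host
```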

[USN-6160-1] GNU binutils vulnerability (08:27)

  • 1 CVE addressed in Focal (20.04 LTS)
  • Heap-based buffer overflow when reading certain debugging information - could then possibly get code execution - requires the user to run objdump or similar on an attacker-controlled binary - in general binutils is expected to only be run on trusted inputs - so if you are using objdump etc for reverse engineering arbitrary binaries, you should do this in an isolated environment such as a VM

[USN-6161-1] .NET vulnerabilities (09:02)

[USN-6164-1] c-ares vulnerabilities (09:24)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Library for async DNS lookups - used by apt-cacher-ng, frr, wireshark, sssd and more
  • Buffer underflow when looking up crafted IPv6 addresses - appears to be able to be tricked into writing in front of an allocated buffer - memory corruption -> DoS / RCE
  • DoS via an attacker forging a zero-length UDP packet in response to a query - this causes the resolver to shut down the “connection” as it sees a 0 byte read - however that code path assumes the transport protocol is TCP - this is not a valid assumption for UDP as UDP is connectionless

[USN-6165-1] GLib vulnerabilities (11:07)

[USN-6166-1] libcap2 vulnerabilities (11:35)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • DoS via a memory leak through thread creation plus an integer overflow when handling really large strings

Goings on in Ubuntu Security Community

Google disables io_uring in ChromeOS and their production servers (12:00)

  • https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
  • Google runs kCTF as part of the vuln rewards program, offering a bug-bounty / monetary rewards for researchers who find exploitable bugs in Google Kubernetes Engine (GKE) or the underlying Linux kernel
  • Has paid out $1.8m USD - 60% of submissions exploited io_uring - with around $1m USD rewarded for io_uring submissions alone - and io_uring was used in all submissions which bypassed their mitigations
    • followed by net and then fs subsystems
    • clearly is a target rich environment
  • As such, disabled io_uring in ChromeOS (was originally enabled back in November 2022 to increase performance of their arcvm, which is used to run Android apps on ChromeOS) but then disabled it 4 months later in Feb this year
  • Use seccomp-bpf to block Android applications from accessing io_uring and in the future will also use SELinux to restrict access even further to only select system processes
  • Will likely disable it also on GKE AutoPilot - where Google manages the config of your GKE Kubernetes cluster
  • And have disabled io_uring on their production servers
  • Essentially due to the newness of io_uring and ongoing development of features for it, it presents too much of a risk for use by untrusted applications etc

Andrei discusses Fuzzing Configurations of Program Options (15:06)

Get in contact