Episode 201
Posted on Friday, Jun 30, 2023
This week we look at the top 25 most dangerous vulnerability types, as well as
the announcement of the program for LSS EU, and we cover security updates for
Bind, the Linux kernel, CUPS, etcd and more.
Show Notes
Overview
This week we look at the top 25 most dangerous vulnerability types, as well as the announcement of the program for LSS EU, and we cover security updates for Bind, the Linux kernel, CUPS, etcd and more.
This week in Ubuntu Security Updates
36 unique CVEs addressed
[USN-6183-1] Bind vulnerabilities (00:53)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Two DoS issues - when bind was configured as a recursive resolver, possible to cause the configured cache size to be exceeded by a remote attacker by performing queries in a particular manner (as this would then evade the normal cache cleaning algorithm) - DoS due to excessive memory usage -> OOM killer etc
- The other was due to a recursive algorithm that could be triggered in a pathological way when particular configuration options were used - eventually would exhaust the available stack space -> killed by stack protections -> DoS
[USN-6185-1] Linux kernel vulnerabilities (01:52)
- 8 CVEs addressed in Focal (20.04 LTS)
- 5.4 - IBM, GCP, GKEOP, raspi2, Azure, AWS, Bluefield, KVM, Oracle
- type confusion in real-time scheduler -> DoS
- few different UAF in various USB device drivers (and even PCMCIA) - could all be triggered by a local attacker with physical access
- UAF in HFS+ file-system + Xen 9P file-system protocol impl
[USN-6187-1] Linux kernel (IBM) vulnerabilities (02:49)
- 9 CVEs addressed in Kinetic (22.10)
- 5.19 IBM
- All of the above plus a possible deadlock in the network traffic control subsystem that could be triggered by a local attacker -> DoS
[USN-6186-1] Linux kernel vulnerabilities (03:06)
- 20 CVEs addressed in Lunar (23.04)
- All interesting CVEs discussed previously - [USN-6130-1] Linux kernel vulnerabilities in Episode 198
- netfilter race condition able to be triggered by a local attacker -> UAF -> DoS/RCE
- OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
- KVM mishandling of control registers for nested guest VMs
- OOB write in network queuing scheduler - able to be triggered though an unprivileged user namespace (again)
[USN-6184-1] CUPS vulnerability (03:55)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- UAF since would log details of a connection after closing the connection (and
hence freeing the memory associated with the connection) - since was in the
logging code, would only happen if the log level was set to
warnor higher - could then either cause a crash (SEGV etc) or could potentially end up logging sensitive info if that was then present in that memory location
[USN-6188-1] OpenSSL vulnerability (04:43)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- [USN-6119-1] OpenSSL vulnerabilities from Episode 197
- CPU-based DoS when parsing crafted ASN.1 object identifiers
[USN-6161-2] .NET regression (05:02)
- 5 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- [USN-6161-1] .NET vulnerabilities from Episode 199
- New upstream point release to address a regression in the previous release - would fail to import PKCS12 blobs where the private keys were protected by a null password (apparently this was non-deterministic which sounds like it was due to an uninitialised local variable…?)
[USN-6189-1] etcd vulnerability (05:55)
- 1 CVEs addressed in Kinetic (22.10), Lunar (23.04)
- Leaked credentials into the debug log which could then be accessed by a remote attacker via the debug API endpoint
Goings on in Ubuntu Security Community
MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses published (06:20)
| Rank | ID | Name | Score | CVEs in KEV |
|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 63.72 | 70 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.54 | 4 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 34.27 | 6 |
| 4 | CWE-416 | Use After Free | 16.71 | 44 |
| 5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 15.65 | 23 |
| 6 | CWE-20 | Improper Input Validation | 15.50 | 35 |
| 7 | CWE-125 | Out-of-bounds Read | 14.60 | 2 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.11 | 16 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.73 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 10.41 | 5 |
| 11 | CWE-862 | Missing Authorization | 6.90 | 0 |
| 12 | CWE-476 | NULL Pointer Dereference | 6.59 | 0 |
| 13 | CWE-287 | Improper Authentication | 6.39 | 10 |
| 14 | CWE-190 | Integer Overflow or Wraparound | 5.89 | 4 |
| 15 | CWE-502 | Deserialization of Untrusted Data | 5.56 | 14 |
| 16 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 4.95 | 4 |
| 17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.75 | 7 |
| 18 | CWE-798 | Use of Hard-coded Credentials | 4.57 | 2 |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.56 | 16 |
| 20 | CWE-306 | Missing Authentication for Critical Function | 3.78 | 8 |
| 21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.53 | 8 |
| 22 | CWE-269 | Improper Privilege Management | 3.31 | 5 |
| 23 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.30 | 6 |
| 24 | CWE-863 | Incorrect Authorization | 3.16 | 0 |
| 25 | CWE-276 | Incorrect Default Permissions | 3.16 | 0 |
- https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
- MITRE (operates the US Homeland Security Systems Engineering and Development Institute) released the 2023 CWE Top 25 Most Dangerous Software Weaknesses
- Calculated by analysing the previous 2 years worth of public vulnerability data from NVD for their various root-causes and ranking those
- Also incorporates updates weakness data for the CVEs that form CISA’s (US Cybersecurity & Infrastructure Security Agency) known exploited vulnerabilities catalog (KEV)
- root-causes - CWE - common weakness enumeration - list of software and hardware weakness types
- Looked at CVEs published in 2021 and 2022 and used those where the CWEs could be mapped to the simplified collection of 130 weakness types which are the most common set
- Each CVE published by NVD has associated CWEs that identify the root-case for the vulnerability - these are generally chosen by the CNA who assigns the CVE (as they are most familiar with the product and vulnerability in question) or by an NVD analyst - multiple CWEs can be assigned for a CVE since they can often be part of chain
- Score was calculated as the frequency of the CWE compared to other CWEs in the
dataset, multiplied by the average CVSS score for all CVEs that had the CWE
- Have spoken in the past about perceived inaccuracies in CVSS scores and how they are not necessarily a good fit for determining the risk of a given CVE - but in this case, using them as the basis for this calculation is perhaps not awful as they are the only real objective measure of the potential severity of a CVE - and this is a noisy measure anyway
- Looking at the top 10, OOB writes come in way at the top with a score of 63.7,
then XSS (45.5), SQLi (34.3) after which follows a long tail of CWEs with
scores in the teens - UAF (16.7), OS Command Injection (15.6), Improper Input
Validation (15.5), OOB Read (14.6), Path Traversal (14.11), CSRF (11.73) and
finally Unrestricted Upload of File with Dangerous Type (10.4)
- Interesting to see the top 3 have a much higher score (all over 34) where as the rest are half this - below 16
- They also quote the number of CVEs that featured in the KEV list (known exploited vulns) - OOB W (70) yet XSS (4) + SQLi (6) - so just because there are more of a given type of vuln, doesn’t mean that they get exploited more - e.g. OOB reads are #7 yet only 2 in the list of KEV, and CSRF #9 yet none in the KEV list
- What does this mean for Ubuntu Security? Ultimately it is interesting and seems to back up our more traditional approach to CVE priority assignment compared to trying to use CVSS as a priority (again this is a severity score but doesn’t really indicate risk, which is what our traditional priority score is based on) - but perhaps is more interesting from an industry point of view - memory corruption vulns (OOB Writes) still most prevalent and impactful - static / dynamic analysis still very important to try and find these - but ultimately the move to memory safe languages (Rust, Go etc) is where we will finally see a shift away from this dominance
- Even then, will still be security bugs (XSS + SQLi, OS Command Injection, Improper Input Validation, Path Traveral, CSRF etc)
Linux Security Summit EU Schedule Published (17:16)
- https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/
- 20-21 September - in Bilbao Spain alongside the Open Source Summit
- Still chance to get Early Bird Registration (closes 6th July)
- BPF, exploit detection, estimating security risk of a given OSS project, OP-TEE (ARM Trust-Zone) usage, novel project using CHERI hardware architecture to protect security sensitive parts of the kernel, using TPM for per-process secret storage, secure boot, LSM Updates + LandLock and some more