Episode 201

Posted on Friday, Jun 30, 2023
This week we look at the top 25 most dangerous vulnerability types, as well as the announcement of the program for LSS EU, and we cover security updates for Bind, the Linux kernel, CUPS, etcd and more.

Show Notes


This week we look at the top 25 most dangerous vulnerability types, as well as the announcement of the program for LSS EU, and we cover security updates for Bind, the Linux kernel, CUPS, etcd and more.

This week in Ubuntu Security Updates

36 unique CVEs addressed

[USN-6183-1] Bind vulnerabilities (00:53)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Two DoS issues - when bind was configured as a recursive resolver, possible to cause the configured cache size to be exceeded by a remote attacker by performing queries in a particular manner (as this would then evade the normal cache cleaning algorithm) - DoS due to excessive memory usage -> OOM killer etc
  • The other was due to a recursive algorithm that could be triggered in a pathological way when particular configuration options were used - eventually would exhaust the available stack space -> killed by stack protections -> DoS

[USN-6185-1] Linux kernel vulnerabilities (01:52)

[USN-6187-1] Linux kernel (IBM) vulnerabilities (02:49)

[USN-6186-1] Linux kernel vulnerabilities (03:06)

[USN-6184-1] CUPS vulnerability (03:55)

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • UAF since would log details of a connection after closing the connection (and hence freeing the memory associated with the connection) - since was in the logging code, would only happen if the log level was set to warn or higher - could then either cause a crash (SEGV etc) or could potentially end up logging sensitive info if that was then present in that memory location

[USN-6188-1] OpenSSL vulnerability (04:43)

[USN-6161-2] .NET regression (05:02)

[USN-6189-1] etcd vulnerability (05:55)

  • 1 CVEs addressed in Kinetic (22.10), Lunar (23.04)
  • Leaked credentials into the debug log which could then be accessed by a remote attacker via the debug API endpoint

Goings on in Ubuntu Security Community

MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses published (06:20)

Rank ID Name Score CVEs in KEV
1 CWE-787 Out-of-bounds Write 63.72 70
2 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45.54 4
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 34.27 6
4 CWE-416 Use After Free 16.71 44
5 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 15.65 23
6 CWE-20 Improper Input Validation 15.50 35
7 CWE-125 Out-of-bounds Read 14.60 2
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.11 16
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.73 0
10 CWE-434 Unrestricted Upload of File with Dangerous Type 10.41 5
11 CWE-862 Missing Authorization 6.90 0
12 CWE-476 NULL Pointer Dereference 6.59 0
13 CWE-287 Improper Authentication 6.39 10
14 CWE-190 Integer Overflow or Wraparound 5.89 4
15 CWE-502 Deserialization of Untrusted Data 5.56 14
16 CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) 4.95 4
17 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 4.75 7
18 CWE-798 Use of Hard-coded Credentials 4.57 2
19 CWE-918 Server-Side Request Forgery (SSRF) 4.56 16
20 CWE-306 Missing Authentication for Critical Function 3.78 8
21 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) 3.53 8
22 CWE-269 Improper Privilege Management 3.31 5
23 CWE-94 Improper Control of Generation of Code (‘Code Injection’) 3.30 6
24 CWE-863 Incorrect Authorization 3.16 0
25 CWE-276 Incorrect Default Permissions 3.16 0
  • https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
  • MITRE (operates the US Homeland Security Systems Engineering and Development Institute) released the 2023 CWE Top 25 Most Dangerous Software Weaknesses
  • Calculated by analysing the previous 2 years worth of public vulnerability data from NVD for their various root-causes and ranking those
  • Also incorporates updates weakness data for the CVEs that form CISA’s (US Cybersecurity & Infrastructure Security Agency) known exploited vulnerabilities catalog (KEV)
  • root-causes - CWE - common weakness enumeration - list of software and hardware weakness types
  • Looked at CVEs published in 2021 and 2022 and used those where the CWEs could be mapped to the simplified collection of 130 weakness types which are the most common set
  • Each CVE published by NVD has associated CWEs that identify the root-case for the vulnerability - these are generally chosen by the CNA who assigns the CVE (as they are most familiar with the product and vulnerability in question) or by an NVD analyst - multiple CWEs can be assigned for a CVE since they can often be part of chain
  • Score was calculated as the frequency of the CWE compared to other CWEs in the dataset, multiplied by the average CVSS score for all CVEs that had the CWE
    • Have spoken in the past about perceived inaccuracies in CVSS scores and how they are not necessarily a good fit for determining the risk of a given CVE - but in this case, using them as the basis for this calculation is perhaps not awful as they are the only real objective measure of the potential severity of a CVE - and this is a noisy measure anyway
  • Looking at the top 10, OOB writes come in way at the top with a score of 63.7, then XSS (45.5), SQLi (34.3) after which follows a long tail of CWEs with scores in the teens - UAF (16.7), OS Command Injection (15.6), Improper Input Validation (15.5), OOB Read (14.6), Path Traversal (14.11), CSRF (11.73) and finally Unrestricted Upload of File with Dangerous Type (10.4)
    • Interesting to see the top 3 have a much higher score (all over 34) where as the rest are half this - below 16
  • They also quote the number of CVEs that featured in the KEV list (known exploited vulns) - OOB W (70) yet XSS (4) + SQLi (6) - so just because there are more of a given type of vuln, doesn’t mean that they get exploited more - e.g. OOB reads are #7 yet only 2 in the list of KEV, and CSRF #9 yet none in the KEV list
  • What does this mean for Ubuntu Security? Ultimately it is interesting and seems to back up our more traditional approach to CVE priority assignment compared to trying to use CVSS as a priority (again this is a severity score but doesn’t really indicate risk, which is what our traditional priority score is based on) - but perhaps is more interesting from an industry point of view - memory corruption vulns (OOB Writes) still most prevalent and impactful - static / dynamic analysis still very important to try and find these - but ultimately the move to memory safe languages (Rust, Go etc) is where we will finally see a shift away from this dominance
  • Even then, will still be security bugs (XSS + SQLi, OS Command Injection, Improper Input Validation, Path Traveral, CSRF etc)

Linux Security Summit EU Schedule Published (17:16)

  • https://events.linuxfoundation.org/linux-security-summit-europe/program/schedule/
  • 20-21 September - in Bilbao Spain alongside the Open Source Summit
  • Still chance to get Early Bird Registration (closes 6th July)
  • BPF, exploit detection, estimating security risk of a given OSS project, OP-TEE (ARM Trust-Zone) usage, novel project using CHERI hardware architecture to protect security sensitive parts of the kernel, using TPM for per-process secret storage, secure boot, LSM Updates + LandLock and some more

Get in contact