Episode 202

Posted on Friday, Jul 7, 2023
We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen, containerd and more.

Show Notes

This week in Ubuntu Security Updates

50 unique CVEs addressed

[USN-6190-1] AccountsService vulnerability (00:47)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Mentioned in passing last week - reported to us by Kevin Backhouse from the GitHub Security Lab team
  • D-Bus service that provides APIs to add, delete or modify system accounts - i.e. create a new user, etc.
  • Originally developed by GNOME - used by gnome-control-center etc.
  • Also allows configuring language / locale settings etc.
  • In Ubuntu, we carry a custom patch which synchronises the language and locale from accountsservice to the local user's ~/.pam_environment file, which is used to configure various per-user session environment variables - this way, no matter how you log in to an Ubuntu system, the locale etc. that you configured via g-c-c gets used
  • Turned out there were a number of use-after-free (UAF) cases due to logic errors in that patch - an unprivileged user could trigger these and crash the accounts-daemon, which runs as root

[USN-6191-1] Linux kernel regression (02:44)

  • Affecting Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • A spurious warning message could be printed by the IPv6 subsystem

[USN-6192-1] Linux kernel vulnerabilities (03:10)

  • 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
  • Off-by-one in the flower network traffic classifier (a flow-based traffic control filter, which lets you define a "flow" by a set of key/value pairs, e.g. source MAC address, port number and various other types) - could be leveraged for DoS or potentially code execution - a PoC was posted publicly, but even then it was stated that it doesn't actually crash the kernel; gdb can be used to observe the OOB write, though
  • Mishandling of locking in the io_uring subsystem - a local attacker could use this to trigger a deadlock and hence a DoS
  • Possible info leak via stale page table entries - when KPTI was introduced in the wake of Meltdown, PCIDs (a hardware feature on more recent Intel processors) were used to minimise the cost of switching page tables on every entry to / exit from kernel space, since TLB entries tagged with a PCID need not all be flushed on each switch - individual stale entries are instead invalidated with the INVLPG instruction - but it was found that on certain hardware platforms INVLPG did not actually flush global TLB entries as expected, so stale kernel mappings could survive and leak kernel memory back to userspace

[USN-6193-1] Linux kernel vulnerabilities

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Same TC flower and INVLPG issues as in [USN-6192-1] above

[USN-6194-1] Linux kernel (OEM) vulnerabilities (06:04)

[USN-6195-1] Vim vulnerabilities (06:26)

[USN-6196-1] ReportLab vulnerability (06:47)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Python library for producing PDFs - often used to convert HTML to PDF etc.
  • Bypass of the validation originally put in place for the earlier CVE-2019-17626 (see [USN-4273-1] ReportLab vulnerability in Episode 62)
  • That vuln was RCE, since reportlab would call the Python eval() function directly on a value obtained from an XML document
  • To fix that, a complex validation scheme was introduced so that eval() could still be used without removing the functionality - this new update disables that by default and instead only allows a much more limited subset of colors to be parsed

[USN-6197-1] OpenLDAP vulnerability (08:48)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • NULL pointer dereference in certain circumstances if a memory allocation failed during various string handling operations - unlikely to be easily triggerable (an attacker would first need a memory leak bug or similar to exhaust memory...)

[USN-6198-1] GNU Screen vulnerability (09:25)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • screen provides an API to allow the processes under its control to be, say, killed from another session - but it failed to check whether the specified PID was actually owned by the calling user - so if screen were setuid, this would allow a local user to send a SIGHUP to any other process on the system
  • In Ubuntu screen is not setuid, so this was not a real issue
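A minimal illustration of the missing check, as an added example that is not screen's own code: a setuid helper that forwards a signal to a caller-supplied PID must itself verify that the caller owns the target, because kill(2) is evaluated against the process's effective credentials (root when setuid root), not the invoking user's. This assumes Linux, where /proc/PID is owned by the target's UID and can be inspected with stat(2); the function names are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if /proc/<pid> is owned by `uid`, 0 if it
 * belongs to someone else, -1 if the PID does not exist or cannot be
 * inspected (errno set). Assumes Linux procfs is mounted. */
int pid_owned_by(pid_t pid, uid_t uid)
{
    char path[64];
    struct stat st;

    if (pid <= 0) {
        errno = EINVAL;
        return -1;
    }
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return -1;              /* no such process, or not visible */
    return st.st_uid == uid ? 1 : 0;
}

/* The vulnerable shape: trust the caller's PID and signal it directly.
 * Inside a setuid-root binary this reaches every process on the box. */
int signal_unchecked(pid_t pid, int sig)
{
    return kill(pid, sig);
}

/* Hardened shape: only signal PIDs owned by the *real* user who invoked
 * the (possibly setuid) program. There is still a TOCTOU window between
 * stat() and kill() if the PID is recycled; pidfd_open(2) on Linux >= 5.3
 * lets you hold a reference to the specific process instead. */
int signal_checked(pid_t pid, int sig)
{
    int owned = pid_owned_by(pid, getuid());

    if (owned < 0)
        return -1;
    if (owned == 0) {
        errno = EPERM;
        return -1;
    }
    return kill(pid, sig);
}

int main(void)
{
    /* Signal 0 performs the permission checks without delivering anything. */
    printf("own pid owned by us: %d\n", pid_owned_by(getpid(), getuid()));
    printf("signal_checked(self, 0): %d\n", signal_checked(getpid(), 0));
    printf("signal_checked(1, 0): %d\n", signal_checked(1, 0));
    return 0;
}
```

Run it as an unprivileged user: the self-signal succeeds and the attempt against PID 1 is refused with EPERM before kill() is ever called, which is the check the original code skipped.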

[USN-6199-1] PHP vulnerability (10:35)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • When generating a nonce for use in HTTP Digest authentication in the SOAP extension, the return value from the call to generate random data for the nonce wasn't checked - as such, on failure the nonce would be whatever was previously in that stack memory - so this could leak info from the stack, or the nonce could be, say, all zeros, which would defeat its purpose
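The same pattern done carefully in C, as an added example that is not PHP's code: fill a nonce from the kernel's random source, treat any error or short read as fatal, and never let an uninitialised buffer reach the caller. This assumes Linux with glibc's getrandom(2) wrapper in <sys/random.h>; the function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Hypothetical helper: fills `buf` with `len` bytes from getrandom(2).
 * Returns 0 on success and -1 on failure, in which case `buf` is zeroed so
 * that a caller who forgets the check cannot use stack garbage as a nonce.
 * Loops because getrandom() may return fewer bytes than requested or be
 * interrupted by a signal (EINTR). */
int fill_nonce(unsigned char *buf, size_t len)
{
    size_t got = 0;

    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            memset(buf, 0, len);
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/* Belt-and-braces check: a nonce that is all zero (or any single repeated
 * byte) is exactly the failure mode of ignoring the RNG's return value.
 * Returns 1 if the buffer looks non-degenerate, 0 otherwise. */
int nonce_is_nondegenerate(const unsigned char *buf, size_t len)
{
    size_t i;

    if (len == 0)
        return 0;
    for (i = 1; i < len; i++)
        if (buf[i] != buf[0])
            return 1;
    return 0;
}

/* Flow mirroring the Digest nonce case: generate, verify, hex-encode.
 * `out` must have room for 32 hex characters plus the terminator. */
int make_hex_nonce(char *out, size_t outlen)
{
    unsigned char raw[16];
    size_t i;

    if (outlen < 2 * sizeof raw + 1)
        return -1;
    if (fill_nonce(raw, sizeof raw) != 0)           /* the check that was missing */
        return -1;
    if (!nonce_is_nondegenerate(raw, sizeof raw))
        return -1;
    for (i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

int main(void)
{
    char hex[33];

    if (make_hex_nonce(hex, sizeof hex) != 0) {
        fprintf(stderr, "nonce generation failed; refusing to continue\n");
        return 1;
    }
    printf("nonce: %s\n", hex);
    return 0;
}
```

The design point is to fail closed: a Digest exchange without a fresh, unpredictable nonce is worse than one that is refused, so an RNG failure aborts the authentication step rather than silently continuing.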

[USN-6200-1] ImageMagick vulnerabilities (11:27)

[USN-6201-1] Firefox vulnerabilities (12:27)

[USN-6202-1] containerd vulnerabilities (13:09)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • DoS when importing an OCI image with a really large manifest or image layout file - containerd would try to read the whole JSON file into memory and so could crash by running out of memory - now limited to 20MB

[USN-6203-1] Django vulnerability (13:55)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • ReDoS in the EmailValidator and URLValidator classes when parsing really long strings - fixed by rejecting anything longer than some hardcoded limits (2KB for URLs, 320 characters for email addresses as per RFC 3696)

Goings on in Ubuntu Security Community

AppArmor 4.0-alpha1 in progress (14:44)

AppArmor kernel fixes for Linux 6.5 (20:42)

Get in contact