Episode 204

Posted on Friday, Aug 4, 2023
This week we look at the recent Zenbleed vulnerability affecting some AMD processors, plus we cover security updates for the Linux kernel, a high profile OpenSSH vulnerability and finally Andrei is back with a deep dive into recent academic research around how to safeguard machine learning systems when used across distributed deployments.

Show Notes

This fortnight in Ubuntu Security Updates

123 unique CVEs addressed

[USN-6238-1] Samba vulnerabilities [01:15]

  • 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Possible attacker-in-the-middle attack when configured to do SMB2 packet signing (as it was not properly enforced), plus a couple of issues in the Spotlight protocol implementation (used to enable macOS clients to search the Samba share via Finder) - DoS via a possible infinite loop when processing RPC packets which specified 0 elements in an array-like structure, plus an info leak where the full server-side path of resources would be returned in results

[USN-6237-2] curl regression

[USN-6239-1] ECDSA Util vulnerability [02:13]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Very similar to the “Psychic Signatures” vuln in Java (OpenJDK) - [USN-5546-1, USN-5546-2] OpenJDK vulnerabilities from Episode 172 - basically it would fail to first check if the provided exponents in the signature were zero - since if they are, then an all-zero signature would be considered valid - so one could easily forge a signature

[USN-6232-1] wkhtmltopdf vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)

[USN-6241-1] OpenStack vulnerability

  • 1 CVE addressed in Jammy (22.04 LTS), Lunar (23.04)

[USN-6240-1] FRR vulnerability

[USN-6242-1, USN-6242-2] OpenSSH vulnerability [03:08]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Result of an incomplete fix for the historical vulnerability CVE-2016-10009 in the PKCS#11 module in ssh-agent
  • Vuln is hence very similar to that, ie. if you chose to forward the ssh-agent socket to a remote machine, then the remote machine could cause your local ssh-agent to execute arbitrary code - it does this by causing the PKCS#11 module in ssh-agent to load an attacker controlled library from /usr/lib on your local machine
    • On the surface, it would appear that it would require a malicious library to be on your machine in this privileged location - BUT there are a bunch of seemingly innocuous libraries in say standard Ubuntu that can be abused to cause malicious actions and get arbitrary code execution. This is exactly what Qualys did to demonstrate the impact of this vuln - https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
      • very clever use of various pieces of surprising behaviour from various libraries (such as the ability to make the stack executable or register signal handlers just by dlopen()'ing a module) - chain these together to then get code execution
    • It does though require you to use ssh-agent forwarding - this is generally discouraged, and instead you should probably use a jump host - this is even mentioned in the man page for ssh
  • Fixed by making module loading more defensive (ie checking that loaded modules contain the expected symbols, and aborting if not, etc)
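Since the practical mitigation here is "stop forwarding the agent and use a jump host", an added helper for auditing a client config (written for these notes, not OpenSSH's code): it parses ssh_config syntax, reports every Host block that enables ForwardAgent, and notes whether that host already has a ProxyJump configured, which is what the man page recommends instead. The sample config is constructed; the parser is per-block and does not model how ssh merges options across matching Host blocks.

```python
"""Report ssh_config Host blocks that still forward the agent.

Added example, not OpenSSH's code. SAMPLE_CONFIG is constructed.
"""
import re

SAMPLE_CONFIG = """\
# constructed ~/.ssh/config for illustration
Host bastion
    HostName bastion.example.invalid
    ForwardAgent yes

Host internal-db
    HostName db.internal.invalid
    ProxyJump bastion

Host legacy
    HostName legacy.example.invalid
    ForwardAgent yes
    ProxyJump bastion

Host *
    ForwardAgent no
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {option: value}) in file order.

    Keywords are case-insensitive; 'Key value' and 'Key=value' are both
    accepted. Options before the first Host line are ignored here, and a
    '#' inside a value is treated as a comment (good enough for an audit).
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)  # first value wins, as in ssh
    return blocks


def agent_forwarding_report(text):
    """Hosts with agent forwarding enabled, plus any ProxyJump they define.

    Newer OpenSSH also accepts a socket path or variable name for
    ForwardAgent, so anything other than 'no' counts as forwarding.
    """
    report = []
    for patterns, opts in parse_ssh_config(text):
        if opts.get("forwardagent", "no").lower() != "no":
            report.append({
                "host": " ".join(patterns),
                "proxyjump": opts.get("proxyjump"),
            })
    return report


if __name__ == "__main__":
    for entry in agent_forwarding_report(SAMPLE_CONFIG):
        fix = "already has ProxyJump" if entry["proxyjump"] else "consider ProxyJump"
        print(f"{entry['host']}: ForwardAgent enabled ({fix})")
```

On the sample, "bastion" is flagged with no ProxyJump and "legacy" is flagged but already hops via bastion, so ForwardAgent can simply be dropped there.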

[USN-6243-1] Graphite-Web vulnerabilities

[USN-6203-2] Django vulnerability

[USN-6129-2] Avahi vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)

[USN-6244-1] AMD Microcode vulnerability [05:57]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Zenbleed - Tavis Ormandy (GPZ) discovered new hardware vuln via fuzzing of the ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
  • Only specific to AMD’s Zen2 family of processors and is related to speculative execution - but unlike Spectre etc, speculative execution is not used as the attack primitive - instead for Zenbleed, the processor fails to properly clean up state after speculatively executing a particular vector register instruction - which then allows an attacker thread / process to read this data from the vector register - all comes about because these registers are not like the normal physical registers in the CPU, but instead are shared as a “Register File” - this sharing means that when one instruction gets speculatively executed, but which turns out to not actually be needed, it fails to properly clean up - and then leaks this data via the shared register file which can be read by another process which is executing at the same time
  • Tavis also released a handy PoC - requires the use of specific assembly language instructions and so it is not clear if this could be exploited remotely, say via JS running in a web browser - but it definitely can be exploited by local users to spy on all other processes in the system (that use vector registers), including root / VMs etc
    • What kinds of things use these vector registers? Turns out it is many, since glibc implements functions like strlen() using them - and this is a very common operation in all kinds of code
  • So basically anyone with local unprivileged code-access on an affected system could snoop on passwords etc
  • AMD released a microcode update to fix this - but only for server-oriented EPYC line of processors (code named “Rome”) - so in that case all you need to do is install this microcode update and reboot and you are good.
  • But that still leaves a lot of other platforms without an official fix - according to their advisory they will release BIOS firmware updates for other affected processors later in the year
  • You can however set a so-called “chicken bit” in the processor which (as far as I can tell) instructs it to not execute this particular instruction out-of-order (ie not speculatively execute it) - AMD haven’t actually said what this does but that is the assumption. As such, this does have an effect on performance, although it is not clear how much.
    wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
  • Kernel developers have then developed a patch to automatically enable this chicken-bit if the associated microcode update is not present - for Ubuntu we plan to include this fix in the next round of kernel security updates, due on 21st August
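To make the chicken-bit command above easier to reason about, here is an added Python helper (written for these notes, not AMD's or the kernel's code). Given the text of /proc/cpuinfo and the MSR value as printed by `rdmsr -c 0xc0011029`, it reports whether the CPU is an AMD family 0x17 part (the family Zen 2 belongs to; Zen and Zen+ share it, so the model still has to be checked against AMD's advisory), whether bit 9 is already set, and what value the wrmsr command would write. Actually reading the MSR needs root and the msr module and is left to the caller; the cpuinfo text and MSR value below are constructed.

```python
"""Interpret the Zenbleed chicken bit: MSR 0xC0011029, bit 9.

Added example, not AMD's or the kernel's code. Sample inputs are constructed.
"""

ZENBLEED_MSR = 0xC0011029
CHICKEN_BIT = 1 << 9
AMD_FAMILY_17H = 0x17  # Zen, Zen+ and Zen 2 all report family 23; check the model separately

SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor
"""


def parse_cpuinfo(text):
    """Vendor, family and model of the first logical CPU in /proc/cpuinfo text."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # only the first CPU block is needed
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "vendor": fields.get("vendor_id", ""),
        "family": int(fields.get("cpu family", "0")),
        "model": int(fields.get("model", "0")),
    }


def is_amd_family_17h(cpu):
    return cpu["vendor"] == "AuthenticAMD" and cpu["family"] == AMD_FAMILY_17H


def chicken_bit_set(msr_value):
    """True when bit 9 of the MSR value is already set."""
    return bool(msr_value & CHICKEN_BIT)


def with_chicken_bit(msr_value):
    """Same arithmetic as the shell: $(( $(rdmsr -c 0xc0011029) | (1<<9) ))."""
    return msr_value | CHICKEN_BIT


def zenbleed_status(cpuinfo_text, msr_hex):
    """Summarise what an admin needs to know before touching the MSR."""
    cpu = parse_cpuinfo(cpuinfo_text)
    value = int(msr_hex, 16)  # rdmsr -c prints a 0x-prefixed hex string
    return {
        "family_17h": is_amd_family_17h(cpu),
        "model": cpu["model"],
        "chicken_bit_set": chicken_bit_set(value),
        "write_value": f"{with_chicken_bit(value):#x}",
    }


if __name__ == "__main__":
    status = zenbleed_status(SAMPLE_CPUINFO, "0x1000")  # constructed MSR value
    print(status)
    if status["family_17h"] and not status["chicken_bit_set"]:
        print(f"would write {status['write_value']} to MSR {ZENBLEED_MSR:#x} on every core")
```

The helper only tells you whether the bit is set and what the write would be; whether a given family 0x17 model is actually affected, and whether a microcode update is available for it instead, has to come from AMD's advisory.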

[LSN-0096-1] Linux kernel vulnerability [11:47]

  • 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • OOB write in netfilter -> crash / code-exec - plus a UAF in netfilter as well - both require CAP_NET_ADMIN to exploit - but can get this in an unprivileged user namespace -> privesc
  • Plus a bunch of vulns covered in previous episodes
    • OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
    • KVM mishandling of control registers for nested guest VMs
    • OOB write in network queuing scheduler - also able to be triggered through an unprivileged user namespace
Kernel type 22.04 20.04 18.04 16.04 14.04
aws 96.2 96.2
aws-hwe 96.2
azure 96.3 96.2 96.2
azure-5.4 96.2
gcp 96.3 96.2 96.2
gcp-4.15 96.2
gcp-5.15 96.3
gcp-5.4 96.2
generic-4.15 96.2 96.2
generic-4.4 96.2 96.2
generic-5.15 96.3
generic-5.4 96.2 96.2
gke 96.3 96.2
gke-5.15 96.3
gke-5.4 96.2
gkeop 96.2
gkeop-5.4 96.2
ibm 96.3 96.2
ibm-5.4 96.2
linux 96.3
lowlatency-4.15 96.2 96.2
lowlatency-4.4 96.2 96.2
lowlatency-5.15 96.3
lowlatency-5.4 96.2 96.2

[USN-6246-1] Linux kernel vulnerabilities

[USN-6247-1] Linux kernel (OEM) vulnerabilities

[USN-6248-1] Linux kernel (OEM) vulnerabilities

[USN-6249-1] Linux kernel (OEM) vulnerabilities

[USN-6250-1] Linux kernel vulnerabilities

[USN-6251-1] Linux kernel vulnerabilities

[USN-6252-1] Linux kernel vulnerabilities

[USN-6254-1] Linux kernel vulnerabilities

[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities

[USN-6256-1] Linux kernel (IoT) vulnerabilities

[USN-6260-1] Linux kernel vulnerabilities

[USN-6261-1] Linux kernel (IoT) vulnerabilities

[USN-6245-1] Trove vulnerabilities

  • Affecting Jammy (22.04 LTS)

[USN-5807-3] libXpm vulnerability

[USN-6253-1] libvirt vulnerability

[USN-6257-1] Open VM Tools vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)

[USN-6258-1] LLVM Toolchain vulnerabilities

[USN-5193-3] X.Org X Server vulnerabilities

[USN-6259-1] Open-iSCSI vulnerabilities

[USN-6262-1] Wireshark vulnerabilities

[USN-6265-1] RabbitMQ vulnerability

[USN-6264-1] WebKitGTK vulnerabilities

[USN-6263-1] OpenJDK vulnerabilities

[USN-6266-1] librsvg vulnerability [13:55]

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Directory traversal vuln - arbitrary file read by using a specially crafted include element that specifies, say, <xi:include href=".?../../../../../../../../../../etc/passwd"/> - simple PoC provided by the upstream reporter
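The general fix pattern for this class of bug, as an added Python example (written for these notes, not librsvg's code): resolve the include href against the document's directory, canonicalise the result, and accept it only if the canonical path is still inside that directory, checking the very same path that would later be opened. Local includes carrying a URL query are rejected outright, since a file path has no meaningful query and that is exactly the component the `.?../` payload hides the traversal in. The base directory, hrefs and SVG snippet below are constructed.

```python
"""Resolve XInclude hrefs against a base directory and refuse anything that escapes it.

Added example, not librsvg's code. All sample paths and documents are constructed.
"""
import os
import re
from urllib.parse import unquote, urlsplit

INCLUDE_RE = re.compile(r'<xi:include\b[^>]*\bhref="([^"]*)"')

SAMPLE_SVG = """\
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="icons/logo.svg"/>
  <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text"/>
</svg>
"""


def resolve_include(base_dir, href):
    """Return the canonical file path for href, or None if it must not be loaded."""
    parts = urlsplit(href)
    if parts.scheme not in ("", "file"):
        return None  # only local includes are allowed
    if parts.query:
        return None  # a local file has no query; this is where '.?../' hides
    rel = unquote(parts.path)
    if os.path.isabs(rel):
        return None  # absolute paths are never allowed
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, rel))
    # commonpath avoids the '/tmp/doc' vs '/tmp/doc2' string-prefix pitfall
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate  # open exactly this path, not the raw href


def audit_includes(base_dir, svg_text):
    """Map each xi:include href in the document to its resolved path or None."""
    return {href: resolve_include(base_dir, href) for href in INCLUDE_RE.findall(svg_text)}


if __name__ == "__main__":
    for href, path in audit_includes("/srv/svg/docs", SAMPLE_SVG).items():
        print(f"{href!r} -> {'REJECTED' if path is None else path}")
```

audit_includes() is a convenient way to sweep a directory of SVGs for includes that would be refused; the check-then-open split that bites here is avoided simply by always opening the path resolve_include() returns.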

[USN-6267-1] Firefox vulnerabilities [14:47]

Goings on in Ubuntu Security Community

Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]

Get in contact