Episode 205

Posted on Friday, Aug 18, 2023
We’re back after unexpectedly going AWOL last week to bring you the latest in Ubuntu Security including the recently announced Downfall and GameOver(lay) vulnerabilities, plus we look at security updates for OpenSSH and GStreamer and we detail plans for using AppArmor to restrict the use of unprivileged user namespaces as an attack vector in future Ubuntu releases.

Show Notes

This week in Ubuntu Security Updates

143 unique CVEs addressed

[USN-6268-1, USN-6269-1] GStreamer Base and Good Plugins vulnerabilities (01:07)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Both CVEs discovered by an independent security researcher and reported via ZDI (ZDI-CAN-20775, ZDI-CAN-20994)
  • Used by the built-in Videos app (aka totem) which can play streaming videos (even has a default plugin providing integration with Apple Video Trailers and others) - so could possibly be used for remote exploitation
  • Integer overflow -> buffer overflow -> RCE in FLAC audio decoder
  • Buffer overflow in PGS subtitle handler - failed to validate length before copying -> heap buffer overflow -> RCE

[USN-6270-1] Vim vulnerabilities (02:49)

[USN-6271-1] MaraDNS vulnerabilities (03:55)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)

[USN-6272-1] OpenJDK 20 vulnerabilities

[USN-5064-3] GNU cpio vulnerability (04:08)

[USN-6275-1] Cargo vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)

[USN-6273-1] poppler vulnerabilities

[USN-6274-1] XMLTooling vulnerability

[USN-6276-1] unixODBC vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

[USN-6267-2] Firefox regressions

[USN-6277-1, USN-6277-2] Dompdf vulnerabilities

[USN-6278-1, USN-6278-2] .NET vulnerabilities (04:41)

[USN-6279-1] OpenSSH update (04:53)

  • Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • Possible info leak during algorithm negotiation, related to CVE-2020-14145, a low priority vulnerability where a person in the middle can determine whether a client already knows the server’s host key. This could then be used to attack clients which do not have this knowledge (since they will be prompted to accept and trust whatever host key is offered on first connection): the attacker offers an attacker-chosen host key so that the client authenticates to a host under the attacker’s control, allowing the attacker to intercept the connection.
  • There is a partial mitigation in the form of a client change: if the client already has the server’s host key, it now preserves the original algorithm ordering sent to the server and so does not leak this information.
  • This is not a complete fix for the issue, since it only mitigates some of the use-cases of the original vuln.
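
To show why preserving the ordering closes the leak, here is an added Python model of the client’s HostKeyAlgorithms advertisement (illustrative code, not OpenSSH’s own). The four-entry preference list is a constructed shortening of the real default; the two behaviours modelled are the pre-fix reordering and the mitigated ordering described above.

```python
"""Model of the OpenSSH host-key algorithm ordering leak (CVE-2020-14145)
and the partial client-side mitigation.

Added illustration, not OpenSSH code. DEFAULT_ORDER is a constructed,
shortened stand-in for the client's real default preference list.
"""

# Constructed, shortened default HostKeyAlgorithms preference order.
DEFAULT_ORDER = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "ssh-rsa",
]


def client_hostkey_algorithms(known_key_types, mitigated):
    """Return the HostKeyAlgorithms list the client advertises during key exchange.

    known_key_types: key types already recorded in known_hosts for this server.
    mitigated=False: pre-fix behaviour. Known types are moved to the front so the
      server prefers a key the client can verify. That reordering is visible on
      the wire and tells an observer the client has connected to this host before.
    mitigated=True: the partial fix. The default ordering is preserved even when
      the client already holds a host key, so the advertisement carries no hint.
    """
    if not known_key_types or mitigated:
        return list(DEFAULT_ORDER)
    known = [a for a in DEFAULT_ORDER if a in known_key_types]
    unknown = [a for a in DEFAULT_ORDER if a not in known_key_types]
    return known + unknown


def observer_can_tell(known_key_types, mitigated):
    """True if a passive observer can distinguish a first-time connection from a
    returning client purely from the advertised ordering."""
    first_time = client_hostkey_algorithms(set(), mitigated)
    returning = client_hostkey_algorithms(known_key_types, mitigated)
    return first_time != returning


if __name__ == "__main__":
    known = {"ssh-rsa"}  # constructed: client has an RSA key for this host
    for mitigated in (False, True):
        label = "mitigated " if mitigated else "vulnerable"
        print(label, client_hostkey_algorithms(known, mitigated),
              "-> leaks" if observer_can_tell(known, mitigated) else "-> no leak")
```

Note the edge case the model exposes: with the pre-fix behaviour the ordering only changes when the known key type is not already first in the default list, which is why the leak depends on which key types a client has stored and why the mitigation works by never touching the ordering at all.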

[USN-4336-3] GNU binutils vulnerabilities

[USN-6243-2] Graphite-Web regression

[USN-6281-1] Velocity Engine vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)

[USN-6282-1] Velocity Tools vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)

[USN-6283-1] Linux kernel vulnerabilities (07:34)

[USN-6284-1] Linux kernel vulnerabilities

[USN-6285-1] Linux kernel (OEM) vulnerabilities (07:50)

  • 14 CVEs addressed in Jammy (22.04 LTS)

  • 6.1 kernel

  • 8 different high priority vulns - most mentioned previously - does include “GameOver(lay)” which we haven’t covered yet - reported by Wiz Research and is specific to Ubuntu kernels

  • OverlayFS is a union filesystem which allows multiple filesystems to be mounted at the same time, and presents a single unified view of the filesystems. In 2018 we introduced some changes to OverlayFS as SAUCE patches to handle extended attributes in overlayfs. Then in 2020 we backported commits to fix CVE-2021-3493 - in the process this also added support for extended attributes in OverlayFS so now there were two code paths, each using different implementations for extended attributes. One was protected against the vuln in CVE-2021-3493 whilst the other was not.

  • GameOver(lay) exploits that same flaw in the unprotected implementation.

  • In this case, the vulnerability is in the handling of extended attributes in OverlayFS - the vulnerability is that it is possible to create a file with extended attributes which are not visible to the user, and then mount that file in a way which allows the extended attributes to be visible to the user

    • this is done by mounting the file with the nosuid option, and then remounting it with the suid option. This allows the user to then execute arbitrary code as root. NOTE: requires the user to have CAP_SYS_ADMIN, but this is easy with unprivileged user namespaces.

  • Even more reason to keep pursuing the effort to restrict the use of unprivileged user namespaces in upcoming Ubuntu 23.10
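
Since the CAP_SYS_ADMIN prerequisite above is satisfied on any host that allows unprivileged user namespaces, an admin’s first question is whether their kernel allows them. The following added Python check (not code from the podcast or from Ubuntu) reads the relevant sysctls: kernel.unprivileged_userns_clone (the Ubuntu/Debian toggle), user.max_user_namespaces (the upstream limit) and kernel.apparmor_restrict_unprivileged_userns (the AppArmor-based restriction Ubuntu shipped from 23.10 onwards, assumed absent on older releases). The sample values are constructed.

```python
"""Check whether unprivileged user namespaces are available on a Linux host.

Added example, not from the podcast or from Ubuntu. Each sysctl is read as
text; a missing file means the running kernel does not carry that toggle.
"""

SYSCTLS = {
    "unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",  # Ubuntu/Debian
    "max_user_namespaces": "/proc/sys/user/max_user_namespaces",               # upstream
    # Assumption: present on Ubuntu 23.10 and later, absent on older releases.
    "apparmor_restrict": "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_sysctl(path):
    """Return the sysctl's value as a string, or None if the kernel lacks it."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def classify_userns(unprivileged_userns_clone, max_user_namespaces, apparmor_restrict):
    """Return (state, reason). Each argument is the sysctl's text, or None if absent."""
    if max_user_namespaces is not None and int(max_user_namespaces) == 0:
        return ("disabled", "user.max_user_namespaces=0: no user namespaces at all")
    if unprivileged_userns_clone == "0":
        return ("disabled", "kernel.unprivileged_userns_clone=0")
    if apparmor_restrict == "1":
        return ("restricted",
                "AppArmor mediates unprivileged user namespace creation; "
                "only programs with a permitting profile get them")
    if unprivileged_userns_clone is None:
        return ("available",
                "no distro toggle present; upstream default allows unprivileged user namespaces")
    return ("available", "kernel.unprivileged_userns_clone=1")


def live_userns_state():
    """Classify the running host."""
    values = {name: read_sysctl(path) for name, path in SYSCTLS.items()}
    return classify_userns(values["unprivileged_userns_clone"],
                           values["max_user_namespaces"],
                           values["apparmor_restrict"])


if __name__ == "__main__":
    # Constructed samples: stock Ubuntu 22.04, a locked-down host, an upstream
    # kernel with namespaces disabled, and a 23.10-style AppArmor-restricted host.
    for args in [("1", "15000", None), ("0", "15000", None), (None, "0", None), ("1", "15000", "1")]:
        print(args, "->", classify_userns(*args))
    print("this host:", live_userns_state())
```

On a stock Ubuntu 22.04 host this reports "available", which is exactly the condition under which a local user can obtain CAP_SYS_ADMIN inside a namespace of their own; the "restricted" verdict is what the 23.10 plan discussed later in the episode aims for.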

[USN-6286-1] Intel Microcode vulnerabilities (10:59)

  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Gather data sampling (aka “Downfall”) - another microarchitectural CPU vulnerability - the last one we saw was Zenbleed from Episode 103 in AMD Zen2 CPUs
  • This time in Intel hardware (6th to 11th generation) CPUs
  • Presented at BlackHat just over 1 week ago - https://www.blackhat.com/us-23/briefings/schedule/#single-instruction-multiple-data-leaks-in-cutting-edge-cpus-aka-downfall-31490
  • Similar to Zenbleed in a way, since both are related to the SIMD instruction set (single instruction, multiple data) - these instructions are used to perform the same operation on multiple data elements simultaneously (e.g. adding two vectors of 4 32-bit integers together) which is very useful for things like video encoding/decoding, image processing, etc.
  • As the name Gather Data Sampling suggests, the fault in this case is in the SIMD Gather instruction, which is used to load data into a vector register from memory locations specified by an index vector register. Essentially this allows the efficient loading of data which is scattered across memory into a single register to then perform further operations on, and is useful in many applications. The vulnerability is that under speculative execution, the data which is loaded could be stale and come from an address which is not accessible to the current process, and the data could be used in further operations which could then leak the contents of that inaccessible memory - e.g. stealing cryptographic keys from another process.
  • The fix in this case was a microcode update, which stops the CPU from speculatively executing the Gather instruction, and instead waits for the data to be available before executing the instruction. This results in a performance hit, which was measured at up to 50% in a small number of use-cases (whilst in others it is negligible).
  • Perhaps the most interesting part of this vulnerability is the timeline - it was reported to Intel on 24th August 2022 yet only fixed publicly on 8th August 2023 - basically meaning it took a year for Intel to fix this issue.
  • Associated with the microcode update is a kernel patch - this allows the microcode fix to be reverted at boot by a new kernel command line option: gather_data_sampling=off - this is useful for those who want to avoid the performance hit, and are willing to accept the risk of the vulnerability.
  • Ubuntu kernels have not yet been updated with this fix but that should arrive within the next week (i.e. week of 21st August)
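
Once the kernel patch lands, the kernel exposes the Downfall mitigation state under sysfs, and the gather_data_sampling=off option shows up on the boot command line. The following added Python check (not code from the podcast, Intel or Ubuntu) combines the two so an admin can tell "mitigated" apart from "microcode not loaded" and from "deliberately switched off for performance". The status prefixes it matches are the ones the upstream kernel emits for this sysfs entry; the sample inputs in __main__ are constructed.

```python
"""Report the Gather Data Sampling ("Downfall") mitigation state of a Linux host.

Added example, not from the podcast or from Ubuntu. It reads the kernel's
sysfs vulnerability entry and the boot command line.
"""
import re

# Upstream kernel paths; the sysfs entry only exists on kernels carrying the GDS patches.
GDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"
CMDLINE = "/proc/cmdline"


def classify_gds(status, cmdline):
    """Turn the sysfs status line plus the kernel command line into a verdict.

    Matched prefixes ("Not affected", "Mitigation:", "Vulnerable", "Unknown:") are
    the upstream kernel's; anything unexpected is reported as unknown, not guessed.
    """
    status = status.strip()
    forced_off = re.search(r"(^|\s)gather_data_sampling=off(\s|$)", cmdline) is not None
    if status.startswith("Not affected"):
        verdict = "not-affected"
    elif status.startswith("Mitigation:"):
        verdict = "mitigated"                     # e.g. "Mitigation: Microcode"
    elif status.startswith("Vulnerable"):
        if "no microcode" in status.lower():
            verdict = "vulnerable-no-microcode"   # CPU affected, microcode update not loaded
        elif forced_off:
            verdict = "vulnerable-by-choice"      # admin accepted the risk for performance
        else:
            verdict = "vulnerable"
    else:
        verdict = "unknown"                       # e.g. "Unknown: Dependent on hypervisor status"
    return {"verdict": verdict, "status": status, "forced_off": forced_off}


def read_text(path):
    """Return a file's contents, or None if the kernel does not expose it."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def live_gds_state():
    """Classify the running host; None means the kernel has no GDS sysfs entry yet."""
    status = read_text(GDS_SYSFS)
    if status is None:
        return None
    return classify_gds(status, read_text(CMDLINE) or "")


if __name__ == "__main__":
    # Constructed sample inputs so the logic can be exercised on any machine.
    samples = [
        ("Mitigation: Microcode", "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"),
        ("Vulnerable", "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro gather_data_sampling=off"),
        ("Vulnerable: No microcode", "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro"),
        ("Unknown: Dependent on hypervisor status", "BOOT_IMAGE=/vmlinuz ro"),
    ]
    for status, cmdline in samples:
        print(f"{status!r:45} -> {classify_gds(status, cmdline)['verdict']}")
    live = live_gds_state()
    print("this host:", live["verdict"] if live else "kernel has no gather_data_sampling entry")
```

A "vulnerable-no-microcode" verdict means the intel-microcode package from USN-6286-1 has not been installed or the new microcode has not been loaded since boot; "vulnerable-by-choice" is the documented trade-off of running with gather_data_sampling=off.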

[USN-6280-1] PyPDF2 vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)

[USN-6287-1] Go yaml vulnerabilities

[USN-4897-2] Pygments vulnerabilities

[USN-6288-1] MySQL vulnerabilities

[USN-6289-1] WebKitGTK vulnerabilities

[USN-6290-1] LibTIFF vulnerabilities

[USN-6291-1] GStreamer vulnerability

[USN-6292-1] Ceph vulnerability

[USN-6293-1] OpenStack Heat vulnerability

Goings on in Ubuntu Security Community

Ubuntu 22.04.3 LTS Released (15:47)

Ubuntu 22.10 (Kinetic Kudu) End of Life (16:32)

Unprivileged user namespace restrictions via AppArmor in Ubuntu (17:00)

Get in contact