Episode 206

Posted on Friday, Aug 25, 2023
This week we talk about HTTP Content-Length handling, intricacies of group management in container environments and making sure you check your return codes while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call out for input on using open source tools to secure your SDLC.

Show Notes

Overview

This week we talk about HTTP Content-Length handling, intricacies of group management in container environments and making sure you check your return codes while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call out for input on using open source tools to secure your SDLC.

This week in Ubuntu Security Updates

69 unique CVEs addressed

[USN-6294-1, USN-6294-2] HAProxy vulnerability (01:00)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Would forward requests carrying an empty Content-Length header even when the request had a body (which violates RFC 9110 - HTTP Semantics) - this RFC explicitly says:

If the message is forwarded by a downstream intermediary, a Content-Length field value that is inconsistent with the received message framing might cause a security failure due to request smuggling or response splitting. As a result, a sender MUST NOT forward a message with a Content-Length header field value that is known to be incorrect.

  • As such, downstream HTTP/1 servers behind HAProxy may interpret the request body as a further request, so this can be used for request smuggling, exactly as the RFC warns
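As an added illustration (not HAProxy code, and not from the original show notes), here is the Content-Length framing check an HTTP/1 intermediary needs before forwarding a message, following the RFC 9110 rule quoted above: an empty, non-numeric or conflicting Content-Length is rejected rather than passed on, so the bytes after the header block cannot be reinterpreted as a second request by the back-end. The request bytes it parses are constructed for the example.

```python
# Added example (not HAProxy code): the Content-Length framing checks an
# HTTP/1.x intermediary needs before it forwards a message, following the
# RFC 9110 rule quoted above. The request bytes used as input are constructed.
import re

_DIGITS = re.compile(rb"^[0-9]+$")


class FramingError(ValueError):
    """The message framing is ambiguous or known to be wrong: answer 400 and
    close the connection rather than forward."""


def parse_message(raw: bytes):
    """Split an HTTP/1.x message into (start_line, headers, remainder).
    headers is a list of (name_lower, value) so duplicates are preserved."""
    head, sep, remainder = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("end of headers not found")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise FramingError("malformed header line")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, remainder


def content_length(headers):
    """Validated Content-Length, or None when absent. Empty, non-numeric and
    conflicting values are all rejected; repeated identical values (allowed
    by RFC 9110 section 8.6) are accepted."""
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(v.strip() for v in value.split(b","))
    if not values:
        return None
    for v in values:
        if not _DIGITS.match(v):          # catches the empty value too
            raise FramingError(f"invalid Content-Length value {v!r}")
    if len(set(values)) != 1:
        raise FramingError("conflicting Content-Length values")
    return int(values[0])


def frame_message(raw: bytes):
    """Return (start_line, body, leftover). leftover is whatever follows this
    message on the connection, i.e. the next pipelined request, and may only
    be parsed as such when the framing of this message was unambiguous."""
    start_line, headers, remainder = parse_message(raw)
    has_te = any(name == b"transfer-encoding" for name, _ in headers)
    length = content_length(headers)
    if has_te and length is not None:
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if has_te:
        # Chunked decoding is out of scope here; None marks an undecoded body.
        return start_line, None, remainder
    if length is None:
        # No body at all: every following byte belongs to the next message.
        return start_line, b"", remainder
    if len(remainder) < length:
        raise FramingError("incomplete body")   # a stream parser would read more
    return start_line, remainder[:length], remainder[length:]


def is_forwardable(raw: bytes) -> bool:
    """Decision an intermediary can make on a complete message."""
    try:
        frame_message(raw)
        return True
    except FramingError:
        return False


if __name__ == "__main__":
    good = b"POST /submit HTTP/1.1\r\nHost: app.test\r\nContent-Length: 5\r\n\r\nhello"
    empty = b"POST /submit HTTP/1.1\r\nHost: app.test\r\nContent-Length:\r\n\r\nGET /second HTTP/1.1\r\n\r\n"
    print(frame_message(good))
    print("empty Content-Length forwardable:", is_forwardable(empty))
```

The empty-value case is the one in the advisory: the regex check treats `Content-Length:` with nothing after the colon as invalid, so the message is refused instead of relayed with a body the back-end would frame for itself.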

[USN-6295-1] Podman vulnerability (02:34)

ubuntu@ubuntu:~$ groups
ubuntu sudo
  • negative group permissions - not often used, but they let you say that a certain group of users should not be able to access something - ie. denylisting
  • setgid binary - like a setuid binary - regardless of which groups the user executing it belongs to, the binary runs with the group that owns the binary
  • so could a user create a binary, make it setgid to one of their supplemental groups, run it to drop their primary group, and use that to access a resource that their primary group has been denied access to?
    • no, since on login the primary group gets added to the list of supplemental groups, which can't be modified by the user themself - this has been the standard behaviour in UNIX since 4.4BSD in 1994 and hence Linux has always worked this way too
  • However, podman is a container manager and it sets up the groups within the container itself - and it failed to duplicate the primary group into the supplemental group list and so would allow exactly this attack
    • it wasn't only podman that was affected - buildah, cri-o and moby (ie. docker.io in Ubuntu) were too
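To make the group semantics concrete, here is an added model (not Podman code, and not from the original show notes) of how a login builds a process's credentials, how a setgid binary changes only the effective gid, and how the classic UNIX permission check turns a mode with no group bits into a denylist. The gids (1000 as the denied primary group, 2000 as a supplementary group) and the 0o604 mode are constructed for the illustration; `duplicate_primary=False` stands in for a runtime that sets the effective gid but skips the 4.4BSD duplication step.

```python
# Added example (not Podman/containers code): a small model of how a UNIX
# login builds a process's group list, why the primary group is duplicated
# into the supplementary list, and what a runtime that skips that step
# allows. Group ids and modes below are constructed for the illustration.
import os
from dataclasses import dataclass

S_IRGRP = 0o040   # group read bit
S_IROTH = 0o004   # other read bit


@dataclass(frozen=True)
class File:
    """Minimal inode: owning gid and permission bits."""
    gid: int
    mode: int


@dataclass(frozen=True)
class Process:
    """Credentials that matter for group checks: effective gid plus the
    supplementary group list (which a user cannot change themselves)."""
    egid: int
    groups: frozenset


def login_groups(primary_gid, supplementary, duplicate_primary=True):
    """Build the credentials the way login does: since 4.4BSD the primary
    gid is also placed in the supplementary list. duplicate_primary=False
    models a runtime that sets the egid but forgets that duplication."""
    groups = set(supplementary)
    if duplicate_primary:
        groups.add(primary_gid)
    return Process(egid=primary_gid, groups=frozenset(groups))


def exec_setgid(proc, binary_gid):
    """Execute a setgid binary: the effective gid becomes the binary's group
    owner, while the supplementary list is inherited unchanged."""
    return Process(egid=binary_gid, groups=proc.groups)


def can_read(proc, f):
    """UNIX permission class selection: a process in the file's group (by
    effective gid or supplementary membership) is judged by the group bits
    only; the other bits are never consulted for it. That is what lets a
    mode like 0o604 act as a denylist for one group."""
    in_group = proc.egid == f.gid or f.gid in proc.groups
    if in_group:
        return bool(f.mode & S_IRGRP)
    return bool(f.mode & S_IROTH)


def denylist_bypassed(duplicate_primary):
    """Scenario from the show notes: a user whose primary group (1000) is
    denied read access runs a setgid binary owned by one of their
    supplementary groups (2000). Returns True if the denylist stops applying."""
    secret = File(gid=1000, mode=0o604)          # owner rw, group ---, other r
    at_login = login_groups(1000, {2000}, duplicate_primary)
    if can_read(at_login, secret):
        raise AssertionError("denylist must hold before the group switch")
    after = exec_setgid(at_login, binary_gid=2000)
    return can_read(after, secret)


def primary_group_is_duplicated():
    """Check the host this runs on: on a normal login the primary gid shows
    up in the supplementary list (the `groups` output above lists it first)."""
    return os.getgid() in os.getgroups()


if __name__ == "__main__":
    print("correct login:", "bypassed" if denylist_bypassed(True) else "still denied")
    print("missing duplication:", "bypassed" if denylist_bypassed(False) else "still denied")
    print("this host duplicates the primary gid:", primary_group_is_duplicated())
```

With the duplication in place the denied gid stays in the supplementary list, so the group bits still decide after the setgid switch; without it the kernel falls through to the other bits and the deny is gone. `primary_group_is_duplicated()` is a quick way to confirm the behaviour on a real host or inside a container.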

[USN-6296-1] PostgreSQL vulnerabilities (06:44)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Latest upstream point releases, so contains both security fixes and other bug fixes

[USN-6298-1] ZZIPlib vulnerabilities (07:04)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • Provides the ability to read from a zip archive, as well as the ability to overlay a zip archive onto an existing file system
  • Used by applications like mpd, milkytracker and texlive (LaTeX etc)
  • Two different DoS
    • infinite loop -> CPU based DoS
    • memory leak -> resource based DoS
    • both require parsing an attacker-provided ZIP archive

[USN-6297-1] Ghostscript vulnerability (07:50)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Buffer overflow when generating a PDF file for a DEVN device - DEVN is an abbreviation for DeviceN, a type of colour space, ie. a way of specifying colour levels across a set of channels, eg. to encode colour information for a printer
  • Needs an attacker to provide a crafted input file though…

[USN-6299-1] poppler vulnerabilities (08:40)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • someone has been fuzzing poppler - in particular the pdftops binary
  • stack overflow and NULL ptr deref when handling crafted input PDFs -> crash -> DoS

[USN-6300-1] Linux kernel vulnerabilities (09:18)

[USN-6301-1] Linux kernel vulnerabilities (10:07)

[USN-6267-3] Firefox regressions (10:44)

[USN-6302-1] Vim vulnerabilities (11:22)

[USN-6303-1, USN-6303-2] ClamAV vulnerability (11:50)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Infinite loop in the HFS+ parser -> DoS of entire ClamAV

[USN-6304-1] Inetutils vulnerabilities (12:14)

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Provides various utilities for different network services - ie. clients / servers for ftp, telnet, and talk
  • NULL ptr deref in telnetd - not super interesting - if running telnetd you probably have bigger problems
  • Failed to check the return values of the various setuid()/setgid() system calls used in ftpd/rshd/rlogin etc
    • the daemon runs as root and uses these calls to drop privileges to the user who is logging in - if they fail, the user's session will still be running as root - easy privesc (although a remote attacker is not really able to induce this error to occur)
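As an added example (not inetutils code, and not from the original show notes), the pattern a forking daemon should use when it drops to the logged-in user: set the group list and gid while still root, call setuid() last, treat every non-zero return as fatal, and confirm the resulting identity before serving the session. `RealKernel` wraps the real calls with C-style 0/-1 return codes (Python raises OSError where C returns -1); `FakeKernel` is a constructed stand-in that starts as root and can be told to refuse setuid(), so the failure path can be exercised without root. `unchecked_drop` is the shape of the bug in the advisory for contrast.

```python
# Added example (not inetutils code): dropping root privileges in the order
# a forking network daemon needs, treating every failed call as fatal and
# verifying the resulting identity instead of assuming success.
# FakeKernel is a constructed stand-in so the failure path can be exercised
# without running as root.
import os


class RealKernel:
    """C-style wrappers around the real calls: 0 on success, -1 on failure
    (Python raises OSError where C returns -1 and sets errno)."""
    @staticmethod
    def _call(fn, *args):
        try:
            fn(*args)
            return 0
        except OSError:
            return -1

    def setgroups(self, groups): return self._call(os.setgroups, list(groups))
    def setgid(self, gid): return self._call(os.setgid, gid)
    def setuid(self, uid): return self._call(os.setuid, uid)
    def geteuid(self): return os.geteuid()
    def getegid(self): return os.getegid()


class FakeKernel:
    """Constructed stand-in that starts as root (uid 0, gid 0) and can be told
    to refuse setuid(), as the real call can (e.g. EAGAIN when the target
    uid would exceed its RLIMIT_NPROC)."""
    def __init__(self, fail_setuid=False):
        self.uid, self.gid, self.groups = 0, 0, [0]
        self.fail_setuid = fail_setuid

    def setgroups(self, groups): self.groups = list(groups); return 0
    def setgid(self, gid): self.gid = gid; return 0
    def setuid(self, uid):
        if self.fail_setuid:
            return -1
        self.uid = uid
        return 0
    def geteuid(self): return self.uid
    def getegid(self): return self.gid


class PrivilegeDropError(RuntimeError):
    """Raised when the daemon must abort the session rather than serve it."""


def drop_privileges(uid, gid, groups=(), kernel=RealKernel()):
    """Switch to the logged-in user. Order matters: the group list and gid
    must be set while still root, and setuid() comes last because after it
    the process can no longer change its groups."""
    if kernel.setgroups(groups) != 0:
        raise PrivilegeDropError("setgroups failed")
    if kernel.setgid(gid) != 0:
        raise PrivilegeDropError("setgid failed")
    if kernel.setuid(uid) != 0:
        raise PrivilegeDropError("setuid failed")
    # Belt and braces: confirm the identity actually changed before serving.
    if kernel.geteuid() != uid or kernel.getegid() != gid:
        raise PrivilegeDropError("identity unchanged after drop")
    return kernel.geteuid(), kernel.getegid()


def unchecked_drop(uid, gid, groups=(), kernel=RealKernel()):
    """The pattern behind the advisory: the same calls with their return
    values ignored. Returns the identity the session would then run as."""
    kernel.setgroups(groups)
    kernel.setgid(gid)
    kernel.setuid(uid)
    return kernel.geteuid(), kernel.getegid()


def drop_outcome(uid, gid, groups, kernel):
    """'dropped' when the switch succeeded, otherwise 'aborted: <reason>'."""
    try:
        drop_privileges(uid, gid, groups, kernel)
        return "dropped"
    except PrivilegeDropError as exc:
        return f"aborted: {exc}"


if __name__ == "__main__":
    # Session for uid/gid 1000 where setuid() fails: unchecked code keeps
    # serving as root, checked code refuses the session.
    print("unchecked:", unchecked_drop(1000, 1000, [1000], FakeKernel(fail_setuid=True)))
    print("checked:", drop_outcome(1000, 1000, [1000], FakeKernel(fail_setuid=True)))
```

The post-drop comparison against geteuid()/getegid() is deliberately redundant with the return checks: it also catches the case where a wrapper or libc shim swallows an error, and it is cheap insurance on the one code path where a mistake leaves a network session running as root.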

Goings on in Ubuntu Security Community

Brainstorming for a software security workshop (13:53)

Get in contact