Show Notes
Overview
This week we talk about HTTP Content-Length handling, intricacies of group
management in container environments and making sure you check your return codes
while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call
out for input on using open source tools to secure your SDLC.
This week in Ubuntu Security Updates
69 unique CVEs addressed
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Would forward requests with empty Content-Length headers even when there was
content in the request (which violates RFC 9110 - HTTP Semantics) - this RFC
explicitly says:
If the message is forwarded by a downstream intermediary, a Content-Length
field value that is inconsistent with the received message framing might cause
a security failure due to request smuggling or response splitting. As a result,
a sender MUST NOT forward a message with a Content-Length header field value
that is known to be incorrect.
- As such, downstream HTTP/1 servers behind HAProxy may interpret the payload of
the request as an extra request, and hence this can be used for request
smuggling, as warned by the RFC
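As an added illustration (not HAProxy's own code), a strict RFC 9110 Content-Length check of the kind an intermediary should apply before forwarding: an empty or malformed value, or one that disagrees with the number of body bytes actually framed, is rejected rather than passed downstream.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Verdict for a received Content-Length value versus the body actually framed. */
enum cl_verdict { CL_OK, CL_EMPTY, CL_MALFORMED, CL_MISMATCH };

/* Strict RFC 9110 parse: Content-Length = 1*DIGIT. No sign, no whitespace,
 * no empty value. Returns 0 and sets *out on success, -1 otherwise. */
static int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || *value == '\0')
        return -1;
    size_t n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        size_t d = (size_t)(*p - '0');
        if (n > (SIZE_MAX - d) / 10)      /* would overflow size_t */
            return -1;
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

/* Decide whether a message carrying this Content-Length value and body_len
 * bytes of framed body may be forwarded. Anything but CL_OK must be rejected
 * (or the connection closed): forwarding a value known to be incorrect is
 * exactly what RFC 9110 forbids because of request smuggling. */
enum cl_verdict check_content_length(const char *value, size_t body_len)
{
    /* The HAProxy bug: an empty header value alongside a non-empty body was
     * forwarded as-is. Treat an empty (or missing) value as invalid outright. */
    if (value == NULL || *value == '\0')
        return CL_EMPTY;
    size_t declared;
    if (parse_content_length(value, &declared) != 0)
        return CL_MALFORMED;
    return declared == body_len ? CL_OK : CL_MISMATCH;
}
```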
[USN-6295-1] Podman vulnerability (02:34)
ubuntu@ubuntu:~$ groups
ubuntu sudo
- negative group permissions - not used often but allow you to say that a certain
group of users should not be able to access something - ie. denylisting
- setgid binary - like a setuid binary - no matter which group the user executing
the binary is in, the binary runs as the group that owns the binary
- so could a user create a binary, make it setgid for one of their supplemental
groups, drop their primary group, run it and use that to access a resource that
their primary group has been denied access to?
- no, since on login the primary group gets added to the list of supplemental
groups, which can't be modified by the user themselves - this has been the
standard behaviour in UNIX since BSD 4.4 in 1994 and hence Linux has always
worked this way too
- However, podman is a container manager and manages groups within the
container itself - it failed to do this duplication of the primary group into the
supplemental groups and so would allow exactly this attack
- it wasn’t only podman that was affected - also buildah, cri-o and moby
(ie. docker.io in Ubuntu)
[USN-6296-1] PostgreSQL vulnerabilities (06:44)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Latest upstream point releases, so contains both security fixes and other bug
fixes
[USN-6298-1] ZZIPlib vulnerabilities (07:04)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Provides the ability to read into a zip archive, as well as the ability to
overlay a zip archive with an existing file system
- Used by applications like mpd, milkytracker and texlive (LaTeX etc)
- Two different DoS
- infinite loop -> CPU based DoS
- memory leak -> resource based DoS
- both require to parse an attacker provided ZIP archive
[USN-6297-1] Ghostscript vulnerability (07:50)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Buffer overflow when generating a PDF file for a DEVN device - DEVN is an
abbreviation for DeviceN which is a type of colour space - ie a way of
specifying different colour levels across a set of channels - ie. encoding
colour information for a printer etc
- Needs an attacker to provide a crafted input file though…
[USN-6299-1] poppler vulnerabilities (08:40)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- someone has been fuzzing poppler - in particular the pdftops binary
- stack overflow and NULL ptr deref when handling crafted input PDFs -> crash -> DoS
[USN-6300-1] Linux kernel vulnerabilities (09:18)
- 24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 GA, AWS, GCP, IBM, Intel-IoTG, KVM, Low latency, NVIDIA, Raspi etc
- Have mentioned some of these previously - issues across various drivers and subsystems
- Lots of UAFs, a few OOB / NULL ptr deref, memory leak (DoS), OOB read /
write as well
[USN-6301-1] Linux kernel vulnerabilities (10:07)
- 16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 Xilinx ZynqMP on 20.04 (Hi Portia!)
- HWE / OEM etc on 18.04 ESM
- Very similar sorts of issues as above
[USN-6267-3] Firefox regressions (10:44)
- 12 CVEs addressed in Focal (20.04 LTS)
- Second lot of regressions in the upstream 116 release - now at 116.0.3
- often these regressions are for Windows users etc but this time we have one
for Linux - in particular screensharing on Wayland was broken since it would
fail to properly negotiate the framerate in WebRTC with PipeWire
[USN-6302-1] Vim vulnerabilities (11:22)
- 15 CVEs addressed in Trusty ESM (14.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- More vim - is now the 8th most mentioned package in this podcast (only behind
Linux kernel, Firefox, Thunderbird, PHP, MySQL, WebkitGTK)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Infinite loop in the HFS+ parser -> DoS of entire ClamAV
[USN-6304-1] Inetutils vulnerabilities (12:14)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Provides various utilities for different network services - ie. clients /
servers for ftp, telnet, and talk
- NULL ptr deref in telnetd - not super interesting - if running telnetd you
probably have bigger problems
- Failed to check return values of the various setuid()/setgid() system calls
used in ftpd/rshd/rlogin etc
- daemon runs as root and uses these calls to drop privileges to the user who
is logging in - if these fail, then the user's session will still be running as
root - easy privesc (although the remote attacker is not really able to induce
this error to occur)
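As an added example (not podman's or inetutils' own code), a privilege-drop routine in C that covers both the Podman and the Inetutils points above: build_group_list keeps the primary gid in the supplementary list, as login does and as the affected container runtimes failed to, and drop_privileges checks every setgroups()/setgid()/setuid() return value instead of carrying on as root when one fails. The 64-entry group cap is an assumption for the example.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Build the supplementary group list for a process whose primary group will be
 * `primary`. As BSD 4.4 / Linux login does, the primary gid is always included,
 * so a later change of primary group cannot shed a denylisted group.
 * Returns the count written to `out`, or -1 if `cap` is too small. */
int build_group_list(gid_t primary, const gid_t *supp, size_t n,
                     gid_t *out, size_t cap)
{
    size_t count = 0;
    int seen_primary = 0;
    for (size_t i = 0; i < n; i++) {
        if (count >= cap) return -1;
        out[count++] = supp[i];
        if (supp[i] == primary)
            seen_primary = 1;
    }
    if (!seen_primary) {
        if (count >= cap) return -1;
        out[count++] = primary;
    }
    return (int)count;
}

/* Drop from root to uid/gid with `supp` as supplementary groups, checking every
 * return value (the check inetutils' ftpd/rshd lacked). Returns 0 on success or
 * -1 with errno set; a caller that gets -1 must end the session rather than
 * carry on serving the user as root. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *supp, size_t n)
{
    gid_t groups[64];   /* assumed cap for this example */
    int count = build_group_list(gid, supp, n, groups, 64);
    if (count < 0) { errno = EINVAL; return -1; }
    if (setgroups((size_t)count, groups) != 0) return -1;   /* needs CAP_SETGID */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;                         /* must come last */
    /* Confirm the kernel agrees before doing anything on the user's behalf. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM; return -1;
    }
    return 0;
}
```

drop_privileges needs CAP_SETGID/CAP_SETUID to succeed, so run it from a root daemon's login path; build_group_list is pure and can be unit-tested unprivileged.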
Brainstorming for a software security workshop (13:53)