Episode 206

Show Notes

Overview

This week we talk about HTTP Content-Length handling, intricacies of group management in container environments and making sure you check your return codes while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call out for input on using open source tools to secure your SDLC.

This week in Ubuntu Security Updates

69 unique CVEs addressed

[USN-6294-1, USN-6294-2] HAProxy vulnerability (01:00)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-40225
• Would forward requests with empty Content-Length headers even when there was content in the request (which violates RFC 9110 - HTTP Semantics) - this RFC explicitly says:

If the message is forwarded by a downstream intermediary, a Content-Length field value that is inconsistent with the received message framing might cause a security failure due to request smuggling or response splitting. As a result, a sender MUST NOT forward a message with a Content-Length header field value that is known to be incorrect.

• As such, downstream HTTP/1 servers behind HAProxy may interpret the payload in the request as an extra request and hence this can be used for request smuggling as warned by the RFC

[USN-6295-1] Podman vulnerability (02:34)

• 1 CVEs addressed in Jammy (22.04 LTS)
  • CVE-2022-2989
• https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
• interaction between supplemental groups, negative group permissions and setgid binaries
• supplemental groups - each user generally has a group specific to their user (so-called primary group for that user), but can also belong to other supplemental groups:

ubuntu@ubuntu:~$ groups
ubuntu sudo

• negative group permissions - not used often but allows to say that a certain group of users should not be able to access something - ie. denylisting
• setgid binary - like a setuid binary - no matter what group that executes the binary, the binary runs as the primary group of the binary
• so could a user could create a binary, make it set-group for one of their supplemental groups and then drop their primary group, run it and use that to access such a resource that has been denied access to their primary group?
  • no, since on login, primary group gets added to the list of supplemental groups which can’t be modified by a user themself - this has been the standard behaviour in UNIX since 1994 in BSD 4.4 and hence Linux has always worked this way too
• However, podman is a container manager though and it manages groups within the container - and it failed to do this duplication of the primary group into the supplemental group and so would allow exactly this attack
  • it wasn’t only podman that was affected - also buildah, cri-o and moby (ie. docker.io in Ubuntu)

[USN-6296-1] PostgreSQL vulnerabilities (06:44)

• 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-39418
  • CVE-2023-39417
• Latest upstream point releases, so contains both security fixes and other bug fixes

[USN-6298-1] ZZIPlib vulnerabilities (07:04)

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2020-18442
  • CVE-2018-7727
• Provides the ability to read into a zip archive, as well as the ability to overlay a zip archive with an existing file system
• Used by applications like mpd, milkytracker and texlive (LaTeX etc)
• Two different DoS
  • infinite loop -> CPU based DoS
  • memory leak -> resource based DoS
  • both require to parse an attacker provided ZIP archive

[USN-6297-1] Ghostscript vulnerability (07:50)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-38559
• Buffer overflow when generating a PDF file for a DEVN device - DEVN is an abbreviation for DeviceN which is a type of colour space - ie a way of specifying different colour levels across a set of channels - ie. encoding colour information for a printer etc
• Needs an attacker to provide a crafted input file though…

[USN-6299-1] poppler vulnerabilities (08:40)

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2020-36024
  • CVE-2020-36023
• someone has been fuzzing poppler - in particular the pdftops binary
• stack overflow and NULL ptr deref when handling crafted input PDFs -> crash -> DoS

[USN-6300-1] Linux kernel vulnerabilities (09:18)

• 24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-35829
  • CVE-2023-35828
  • CVE-2023-35824
  • CVE-2023-35823
  • CVE-2023-33288
  • CVE-2023-33203
  • CVE-2023-3268
  • CVE-2023-32248
  • CVE-2023-3141
  • CVE-2023-30772
  • CVE-2023-28466
  • CVE-2023-23004
  • CVE-2023-2269
  • CVE-2023-2235
  • CVE-2023-2194
  • CVE-2023-2163
  • CVE-2023-2124
  • CVE-2023-2002
  • CVE-2023-1990
  • CVE-2023-1855
  • CVE-2023-1611
  • CVE-2023-0597
  • CVE-2022-48502
  • CVE-2022-4269
• 5.15 GA, AWS, GCP, IBM, Intel-IoTG, KVM, Low latency, NVIDIA, Raspi etc
• Have mentioned some of these previously - issues across various drivers and subsystems
  • Lots of UAFs, a few OOB / NULL ptr deref, memory leak (DoS), OOB read / write as well

[USN-6301-1] Linux kernel vulnerabilities (10:07)

• 16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2023-33203
  • CVE-2023-3141
  • CVE-2023-3111
  • CVE-2023-30772
  • CVE-2023-28466
  • CVE-2023-2194
  • CVE-2023-2124
  • CVE-2023-1990
  • CVE-2023-1855
  • CVE-2023-1611
  • CVE-2023-0590
  • CVE-2022-4269
  • CVE-2022-27672
  • CVE-2022-1184
  • CVE-2022-0168
  • CVE-2020-36691
• 5.4 Xilinx ZynqMP on 20.04 (Hi Portia!)
  • HWE / OEM etc on 18.04 ESM
• Very similar sorts of issues as above

[USN-6267-3] Firefox regressions (10:44)

• 12 CVEs addressed in Focal (20.04 LTS)
  • CVE-2023-4050
  • CVE-2023-4046
  • CVE-2023-4045
  • CVE-2023-4058
  • CVE-2023-4057
  • CVE-2023-4056
  • CVE-2023-4055
  • CVE-2023-4053
  • CVE-2023-4051
  • CVE-2023-4049
  • CVE-2023-4048
  • CVE-2023-4047
• Second lot of regressions in the upstream 116 release - now at 116.0.3
  • often these regressions are for Windows users etc but this time we have one for Linux - in particular screensharing on Wayland was broken since would fail to properly negotiate framerate in webrtc with Pipewire

[USN-6302-1] Vim vulnerabilities (11:22)

• 15 CVEs addressed in Trusty ESM (14.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-3153
  • CVE-2022-3099
  • CVE-2022-3037
  • CVE-2022-3016
  • CVE-2022-2874
  • CVE-2022-2816
  • CVE-2022-2598
  • CVE-2022-3134
  • CVE-2022-2982
  • CVE-2022-2889
  • CVE-2022-2862
  • CVE-2022-2819
  • CVE-2022-2817
  • CVE-2022-2580
  • CVE-2022-2522
• More vim - is now the 8th most mentioned package in this podcast (only behind Linux kernel, Firefox, Thunderbird, PHP, MySQL, WebkitGTK)

[USN-6303-1, USN-6303-2] ClamAV vulnerability (11:50)

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-20197
• Infinite loop in the HFS+ parser -> DoS of entire ClamAV

[USN-6304-1] Inetutils vulnerabilities (12:14)

• 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-40303
  • CVE-2022-39028
• Provides various utilities for different network services - ie. clients / servers for ftp, telnet, and talk
• NULL ptr deref in telnetd - not super interesting - if running telnetd you probably have bigger problems
• Failed to check return values of the various setuid()=/=setgid() system calls used in ftpd/rshd/rlogin etc
  • daemon runs as root and uses these calls to drop privileges to the user who is logging in - if these fail, then users session will still be running as root - easy privesc (although not really able to be controlled by the remote attacker to induce this error to occur)

Goings on in Ubuntu Security Community

Brainstorming for a software security workshop (13:53)

• https://discourse.ubuntu.com/t/brainstorming-for-a-software-security-workshop/37991/1

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter