Episode 209
Posted on Friday, Sep 15, 2023
Andrei is back this week with a deep dive into recent research around CVSS
scoring inconsistencies, plus we look at a recent Ubuntu blog post on the
internals of package updates and the repositories, and we cover security updates
in Apache Shiro, GRUB2, CUPS, RedCloth, curl and more.
Show Notes
Overview
Andrei is back this week with a deep dive into recent research around CVSS scoring inconsistencies, plus we look at a recent Ubuntu blog post on the internals of package updates and the repositories, and we cover security updates in Apache Shiro, GRUB2, CUPS, RedCloth, curl and more.
This week in Ubuntu Security Updates
77 unique CVEs addressed
[USN-6346-1] Linux kernel (Raspberry Pi) vulnerabilities (00:55)
- 5 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 raspi + HWE on 18.04
- Covered previously in [USN-6315-1] Linux kernel vulnerabilities from Episode 207
[USN-6347-1] Linux kernel (Azure CVM) vulnerabilities
- 24 CVEs addressed in Focal (20.04 LTS)
- CVE-2023-35829
- CVE-2023-35828
- CVE-2023-35824
- CVE-2023-35823
- CVE-2023-33288
- CVE-2023-33203
- CVE-2023-3268
- CVE-2023-32248
- CVE-2023-3141
- CVE-2023-30772
- CVE-2023-28466
- CVE-2023-23004
- CVE-2023-2269
- CVE-2023-2235
- CVE-2023-2194
- CVE-2023-2163
- CVE-2023-2124
- CVE-2023-2002
- CVE-2023-1990
- CVE-2023-1855
- CVE-2023-1611
- CVE-2023-0597
- CVE-2022-48502
- CVE-2022-4269
- Microsoft Azure CVM cloud systems - 5.15
[USN-6348-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 Raspi on 22.04 / Intel-IoTG on 20.04
[USN-6349-1] Linux kernel (Azure) vulnerabilities
- 9 CVEs addressed in Focal (20.04 LTS)
- 5.4 Azure
[USN-6350-1, USN-6351-1, USN-6339-2, USN-6339-3] Linux kernel vulnerabilities
- 8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15
- Oracle, AWS, GKE, Raspi, Azure on 22.04
- IBM, Oracle, AWS, GKE, Azure on 20.04
[USN-6340-2] Linux kernel vulnerabilities
- 9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 Xilinx ZyncMP, GKEOP, Raspi on 20.04; Raspi, GCP, Azure on 18.04 (Ubuntu Pro)
[USN-6342-2] Linux kernel (Azure) vulnerabilities
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- 4.15 Azure on all
[USN-6338-2] Linux kernel vulnerabilities
- 11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- 6.2
- Starfive, IBM, Oracle, GCP on 23.04
- GCP on 22.04
[USN-6357-1] Linux kernel (IBM) vulnerabilities
- 14 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 IBM on 20.04 / 18.04
[USN-6345-1] SoX vulnerability (02:42)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Floating point exception via crafted content -> crash -> DoS
[USN-6352-1] Apache Shiro vulnerabilities (03:03)
- 2 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Two different authentication bypasses for crafted HTTP requests - not great to have in a component whose purpose is to to authentication, authorisation, cryptopraphy and session management
[USN-6353-1] PLIB vulnerability (03:25)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Portable games library - aims to work across a range of HW and OSes - used by torcs and flightgear
- Integer overflow -> buffer overflow on crafted TGA file
[USN-6354-1] Python vulnerability (03:54)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- XML eXternal Entity when parsing XML plist files - fix was to reject entity declarations in plist files - this is consistent with the behaviour in Apple’s plutil tool as well
[USN-6355-1] GRUB2 vulnerabilities (04:14)
- 10 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Various grub vulns - see [USN-4992-1] GRUB 2 vulnerabilities from Episode 121 for the previous lot - these updates were published back in February to the -updates pocket and have now been synced to -security
- various OOB R/W via crafted images (Daniel Axtens), integer overflow when parsing crafted IP packets -> buffer overflow, OOB write via crafted HTTP header, UAF in chainloader and more
[USN-6356-1] OpenDMARC vulnerabilities (05:08)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Open Source implementation of the DMARC specification
- Possible to inject authentication results via a crafted domain
- 1-byte heap buffer overflow of a NUL-byte - likely just crash -> DoS
[USN-6164-2] c-ares vulnerabilities (05:39)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6164-1] c-ares vulnerabilities from Episode 199
[USN-6237-3] curl vulnerabilities (05:50)
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6237-1] curl vulnerabilities from Episode 203
[USN-6359-1] file vulnerability (06:01)
- 1 CVEs addressed in Jammy (22.04 LTS)
- stack-based buffer over-read -> crash, DoS
[USN-6360-1] FLAC vulnerability (06:18)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- buffer overflow -> RCE / crash
[USN-6361-1] CUPS vulnerability (06:27)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Default configuration failed to require authentication for the
CUPS-Get-Documentoperation - could allow other users to fetch print documents without authentication
[USN-6362-1] .NET vulnerability (06:46)
- 1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- DoS in X509 certs handling
[USN-6358-1] RedCloth vulnerability (06:52)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- ReDoS via crafted HTML payload - upstream maintainer hasn’t responded to the original report or to the PR with the proposed fix - one of the rare occasions where we deploy a fix that is not blessed by upstream - also demonstrates though that we try and maintain the software in Ubuntu even when upstream stops supporting it (whether officially or not)
[USN-6363-1] curl vulnerability (08:03)
- 1 CVEs addressed in Lunar (23.04)
- Provides an API to access headers from past HTTP responses - so stores headers in memory, but failed to limit how large this could be - so if a malicious server provided a response with a very large header then could DoS the application using libcurl - limited to 300KB total per response - which is similar to how Chrome behaves
Goings on in Ubuntu Security Community
Part 4 of Andrei’s deep dive into cybersecurity research ()
“Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities” - to appear in IEEE Symposium on Security & Privacy (aka S&P) in 2024
- Tries to answer the questions “Are CVSS evaluations consistent?” and “Which factors influence CVSS assessments?”
- https://arxiv.org/abs/2308.15259
- https://www.first.org/cvss/specification-document
- https://www.first.org/cvss/user-guide
- https://www.first.org/cvss/examples
- https://www.first.org/cvss/examples#OpenSSL-Heartbleed-Vulnerability-CVE-2014-0160
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
- https://ubuntu.com/blog/securing-open-source-through-cve-prioritisation
Ubuntu updates, releases and repositories explained (22:18)
- https://ubuntu.com/blog/ubuntu-updates-releases-and-repositories-explained
- by Aaron Whitehouse - Senior Public Cloud Enablement Director at Canonical, leads the team that drives Canonical’s joint initiatives with the major public clouds