Episode 212

Posted on Friday, Oct 27, 2023
With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.

Show Notes

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-6437-1] VIPS vulnerabilities (00:35)

[USN-6435-1] OpenSSL vulnerabilities (01:26)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CPU-based DoS via an excessively large DH modulus (p parameter) value (over 10,000 bits)
  • OpenSSL by default will try to validate whether the modulus is over 10,000 bits and raise an error - but before the error is raised it would still check other aspects of the supplied key / parameters, which in turn use the p value and hence take an excessive amount of time - fixed by performing this size check earlier and erroring out at that point
  • Then it was found that the q parameter could also be abused in the same way - since q has to be smaller than p, this was fixed by just checking it against p
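To make the ordering point concrete, here is an added example (written for these notes, not OpenSSL's own code) of a DH parameter validator that does the cheap size comparisons before any modular arithmetic. The 10,000-bit bound is the figure quoted above; the names MAX_DH_BITS, DHParamError and check_dh_params are chosen here and are not OpenSSL identifiers. The Miller-Rabin test stands in for the expensive checks that must not be reached with an oversized p or q.

```python
import random

# Upper bound on DH modulus size (the 10,000-bit figure from the notes). The
# names below are chosen for this example and are not OpenSSL's identifiers.
MAX_DH_BITS = 10_000


class DHParamError(ValueError):
    """Raised when supplied DH parameters are rejected."""


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test. Its cost grows steeply with the bit
    length of n, so it plays the role of the expensive work that an
    attacker-sized modulus must never reach."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p, q=None, g=2):
    """Validate (p, q, g). Returns True or raises DHParamError.

    Order matters: the cheap size comparisons come first, so an oversized p or
    q is rejected before any modular arithmetic is performed on it."""
    if p.bit_length() > MAX_DH_BITS:
        raise DHParamError("modulus p exceeds %d bits" % MAX_DH_BITS)
    if q is not None and q >= p:
        # q divides p-1, so a valid q is always smaller than p; this single
        # comparison is the second fix described in the notes.
        raise DHParamError("subgroup order q is not smaller than p")
    if not 1 < g < p - 1:
        raise DHParamError("generator g out of range")
    # Only after the bounds hold do we spend real CPU time on the parameters.
    if not is_probable_prime(p):
        raise DHParamError("p is not prime")
    if q is not None:
        if (p - 1) % q != 0 or not is_probable_prime(q):
            raise DHParamError("q is not a prime factor of p-1")
        if pow(g, q, p) != 1:
            raise DHParamError("g does not generate the order-q subgroup")
    return True
```

With the toy group p = 23, q = 11, g = 2 the function returns True; a modulus of 10,001 bits or a q that is not smaller than p is rejected immediately without a single modular exponentiation, which is exactly the behaviour the fix restores.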

[USN-6450-1] OpenSSL vulnerabilities

  • 4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • The two CPU-based DoS issues above, plus:
    • Possible truncation / overrun during the initialisation of various ciphers if the key or IV lengths differ from those initially established - some ciphers allow a variable-length IV (e.g. AES-GCM), so it is possible that an application will use a non-standard IV length during use of the cipher compared to when it initialised it
      • The API for this was only “recently” introduced (3.x) - in general not many applications will be affected
    • Issue specific to AES-SIV (a mode of AES that provides deterministic, nonce-less key wrapping - used for key wrapping when transporting cryptographic keys - as well as nonce-based authenticated encryption that is resistant to nonce reuse)
      • AES-SIV allows authentication of associated data - to do this the relevant OpenSSL APIs should be called with an input buffer length of 0 and a NULL pointer for the output buffer - BUT if the associated data to be authenticated was empty, OpenSSL would return success without doing any authentication
      • In practice this is unlikely to be an issue since it does not affect non-empty data authentication, which is the vast majority of use-cases

[USN-6165-2] GLib vulnerabilities (07:57)

[USN-6374-2] Mutt vulnerabilities (05:08)

[USN-6438-1, USN-6438-2, USN-6427-2] .NET vulnerabilities (05:15)

  • 2 CVEs addressed in Mantic (23.10)
  • HTTP/2 Rapid Reset - DoS on the server side by clients sending a large number of requests and immediately cancelling them, many times over - exploited in the wild recently, achieving the largest DoS attack bandwidths seen - requires HTTP/2 implementations to essentially apply heuristics over time to track allocated streams against connections and block the connection when too many are made, or similar
    • Fix for Kestrel web server in .NET
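As an added example of the kind of heuristic just described (constructed for these notes, not Kestrel's or any other server's code), the following tracks, per connection, how many streams a client opens and then cancels almost immediately inside a sliding window, and marks the connection for closure once that count exceeds a budget. The thresholds (100 rapid resets per 1-second window, 100 ms to count a cancellation as "rapid") and the names RapidResetGuard, replay, rapid_reset_burst and well_behaved_traffic are all assumptions of this example.

```python
from collections import deque

# Thresholds are constructed for this example; a real server tunes them from
# observed traffic. All names here are ours, not any HTTP/2 server's.
MAX_RAPID_RESETS = 100     # rapid cancellations tolerated per window
WINDOW_SECONDS = 1.0       # sliding window length
RAPID_THRESHOLD = 0.1      # a reset this soon after HEADERS counts as "rapid"


class RapidResetGuard:
    """Per-connection heuristic: count streams the client opens and cancels
    almost immediately; once the count inside the sliding window exceeds the
    budget, the connection is marked for closure instead of being serviced."""

    def __init__(self, max_rapid_resets=MAX_RAPID_RESETS,
                 window=WINDOW_SECONDS, rapid_threshold=RAPID_THRESHOLD):
        self.max_rapid_resets = max_rapid_resets
        self.window = window
        self.rapid_threshold = rapid_threshold
        self.open_streams = {}        # stream id -> time HEADERS was seen
        self.rapid_resets = deque()   # timestamps of recent rapid cancellations
        self.blocked = False

    def _expire(self, now):
        # Drop cancellations that have slid out of the window.
        while self.rapid_resets and now - self.rapid_resets[0] > self.window:
            self.rapid_resets.popleft()

    def on_headers(self, stream_id, now):
        """Client opened a stream. False means the connection is already blocked."""
        if self.blocked:
            return False
        self.open_streams[stream_id] = now
        return True

    def on_rst_stream(self, stream_id, now):
        """Client cancelled a stream. False means the connection should be dropped."""
        if self.blocked:
            return False
        opened = self.open_streams.pop(stream_id, None)
        if opened is not None and now - opened <= self.rapid_threshold:
            self.rapid_resets.append(now)   # only open-then-cancel churn counts
        self._expire(now)
        if len(self.rapid_resets) > self.max_rapid_resets:
            self.blocked = True
        return not self.blocked


def replay(frames, guard=None):
    """Feed (time, frame_type, stream_id) tuples to a guard; return the index
    of the frame at which the connection got blocked, or None if it never was."""
    guard = guard or RapidResetGuard()
    for i, (t, kind, sid) in enumerate(frames):
        handler = {"HEADERS": guard.on_headers,
                   "RST_STREAM": guard.on_rst_stream}[kind]
        if not handler(sid, t):
            return i
    return None


def rapid_reset_burst(n, spacing=0.001):
    """Constructed attack-shaped traffic: each stream is opened and cancelled at once."""
    frames = []
    for k in range(n):
        sid = 2 * k + 1                  # client-initiated streams use odd ids
        t = k * spacing
        frames += [(t, "HEADERS", sid), (t, "RST_STREAM", sid)]
    return frames


def well_behaved_traffic(n, spacing=0.05, cancel_after=0.5):
    """Constructed benign traffic: streams are cancelled only after the server
    had time to respond, so none of the cancellations count as rapid."""
    frames = []
    for k in range(n):
        sid = 2 * k + 1
        t = k * spacing
        frames += [(t, "HEADERS", sid), (t + cancel_after, "RST_STREAM", sid)]
    return sorted(frames)
```

Replaying 150 open-and-cancel pairs at 1 ms spacing trips the guard on the 101st RST_STREAM (frame index 201), while the same number of cancellations spread over several seconds, or cancellations that arrive half a second after the request, never do. Counting only cancellations that follow HEADERS almost immediately keeps ordinary clients that abandon slow responses from being punished.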

[USN-6362-2] .NET regressions

[USN-6199-2] PHP vulnerability (06:31)

[USN-6403-2] libvpx vulnerabilities (06:39)

  • 2 CVEs addressed in Bionic ESM (18.04 ESM)
  • WebM VP8/VP9 video en/decoder
  • Heap buffer overflow -> DoS/RCE
  • OOB read -> DoS

[USN-6408-2] libXpm vulnerabilities (07:00)

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Infinite recursion -> stack exhaustion -> crash -> DoS
  • Integer overflow -> heap buffer overflow -> RCE/DoS
  • Two different OOB reads -> crash -> DoS

[USN-6448-1] Sofia-SIP vulnerability (09:01)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • SIP user agent - integer overflows and resulting heap buffer overflows due to missing length checks in the STUN message parser -> RCE
  • Also fixed an OOB read -> DoS
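To show what "missing length checks in the STUN message parser" means in practice, here is an added example (written for these notes, not Sofia-SIP's code) of a STUN message parser that checks every length field taken from the wire against the bytes actually present before using it. The framing follows RFC 5389 (20-byte header, 4-byte-aligned TLV attributes); the helper names parse_stun, build_stun and StunParseError are ours. Python integers cannot overflow, so the example demonstrates the bounds checks themselves; the comments note where a C implementation doing the same arithmetic in fixed-width integers would wrap.

```python
import struct

STUN_HEADER_LEN = 20
MAGIC_COOKIE = 0x2112A442


class StunParseError(ValueError):
    """Raised for any message that does not fit the bytes actually received."""


def parse_stun(buf):
    """Parse a STUN message into (msg_type, transaction_id, [(attr_type, value)]).

    Every length read from the wire is compared with the remaining buffer
    before it is used for slicing, which is the class of check whose absence
    lets a crafted length read (or write) past the end of a packet buffer."""
    if len(buf) < STUN_HEADER_LEN:
        raise StunParseError("short header")
    msg_type, msg_len, cookie = struct.unpack_from("!HHI", buf, 0)
    txid = bytes(buf[8:20])
    if msg_type & 0xC000:
        raise StunParseError("top two bits of message type must be zero")
    if cookie != MAGIC_COOKIE:
        raise StunParseError("bad magic cookie")
    if msg_len % 4:
        raise StunParseError("message length not 4-byte aligned")
    if STUN_HEADER_LEN + msg_len > len(buf):
        # Attacker-controlled length larger than the datagram: reject it
        # rather than trusting it as the end of the attribute area.
        raise StunParseError("declared length exceeds buffer")
    body = buf[STUN_HEADER_LEN:STUN_HEADER_LEN + msg_len]

    attrs = []
    off = 0
    while off < len(body):
        if len(body) - off < 4:
            raise StunParseError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", body, off)
        off += 4
        remaining = len(body) - off
        # In C, computing "off + alen + padding" in a 16-bit or narrow type can
        # wrap to a small value and defeat a naive comparison; compare the
        # untouched length against what is left instead.
        if alen > remaining:
            raise StunParseError("attribute 0x%04x length %d exceeds remaining %d"
                                 % (atype, alen, remaining))
        attrs.append((atype, bytes(body[off:off + alen])))
        off += (alen + 3) & ~3   # value is padded to a 4-byte boundary
    return msg_type, txid, attrs


def build_stun(msg_type, txid, attrs):
    """Encode a well-formed STUN message (used here to construct test input)."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value
        body += b"\x00" * (-len(value) % 4)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def oversized_attr_message():
    """Constructed malformed input: a Binding request whose single attribute
    claims a 0xFFFF-byte value although only a few bytes follow."""
    msg = bytearray(build_stun(0x0001, bytes(range(12)), [(0x8022, b"example")]))
    struct.pack_into("!H", msg, STUN_HEADER_LEN + 2, 0xFFFF)  # attribute length field
    return bytes(msg)
```

A well-formed Binding request round-trips through build_stun and parse_stun; the constructed message with a 0xFFFF attribute length, and a message whose declared length is longer than the bytes received, are both rejected at the comparison rather than being sliced past the end of the buffer.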

[USN-6422-2] Ring vulnerabilities (09:17)

[USN-6449-1] FFmpeg vulnerabilities (09:58)

[USN-6447-1] AOM vulnerabilities (11:32)

[USN-6288-2] MySQL vulnerability (12:40)

[USN-6451-1] ncurses vulnerability (12:47)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Heap buffer overflow via a crafted terminfo file - found by fuzzing infotocap
    • terminfo files are usually trusted content, so unlikely to be an issue in practice

[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)

[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)

[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)

[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)

[USN-6442-1] Linux kernel (BlueField) vulnerabilities

[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)

[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)

[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities

[USN-6446-1, USN-6446-2] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community

Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)

  • Ubuntu Summit
    • https://events.canonical.com/event/31/
    • Mark Esler will be presenting “Improving FOSS Security” - designed for FOSS maintainers who want to be proactive about security and protecting their users
    • Tobias Heider will be presenting with Hector Martin on Asahi Linux and in particular Ubuntu Asahi - a community project to bring the Asahi Linux work to Ubuntu (it also got a great shout-out from Joe Ressington on the most recent Late Night Linux, plus a good write-up on omgubuntu)

Goodbye and good luck to David Lane (21:31)

  • Led the snap store reviewers work - much more streamlined process for folks interacting on the snapcraft forum
  • Great manager + engineer and a great friend
  • See you at b-sides cbr in 2024

Get in contact