Episode 216

Show Notes

Overview

For the final episode of 2023 we discuss creating PoCs for vulns in tar and the looming EOL for Ubuntu 23.04, plus we look into security updates for curl, BlueZ, Netatalk, GNOME Settings and a heap more.

This week in Ubuntu Security Updates

57 unique CVEs addressed

[USN-6535-1] curl vulnerabilities (00:54)

• 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-46219
  • CVE-2023-46218
• Mishandled cookies from domains with mixed case - allowing an attacker to create so called “super cookies” that would then get passed back to more domains that what is normally allowed - ie a site can set a cookie which is then sent to different / unrelated sites. Depends on a feature called the Public Suffix List which is a community initiative (led by Mozilla) to provide an accurate list of domain name suffixes - ie. .com / .org but also .co.uk etc - since there is no good algorithmic way of determining the highest level at which a domain may be registered for a particular TLD as each registrar is different
  • so could set a cookie with domain=co.UK with a URL of say curl.co.uk and this would then get sent to every other .co.uk domain contrary to the expectations of the PSL which lists .co.uk as a PSL domain

[USN-6463-2] Open VM Tools vulnerabilities (02:56)

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CVE-2023-34059
  • CVE-2023-34058
• SAML token signature bypass - allows an attacker who already has Guest Operation Privileges within a guest VM to elevate their privileges if the VM has been assigned a more privileged Guest Alias
• File descriptor hijack vulnerability within the vmware-user-suid wrapper - a local user with non-root privileges that is able to hijack the /dev/uinput file descriptor may be able to simulate user inputs

[USN-6538-1] PostgreSQL vulnerabilities (03:48)

• 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-5870
  • CVE-2023-5869
  • CVE-2023-5868
• Upgrades to the latest upstream point releases - includes both security and bug fixes etc
  • 15.5 (23.10, 23.04)
  • 14.10 (22.04 LTS)
  • 12.17 (20.04 LTS)

[USN-6539-1] python-cryptography vulnerabilities (04:14)

• 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-49083
  • CVE-2023-23931
• NULL pointer dereference / segfault on loading of crafted PKCS7 certificates

[USN-6540-1] BlueZ vulnerability (04:57)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-45866
• Whilst bluetooth discoverable, possible for an attacker to pair a HID device and inject keystrokes etc without any intervention
• Fixed by enabling the existing configuration ClassicBondedOnly=true - this may break some legacy input devices like PS3 controller - in which case, should edit /etc/bluetooth/input.conf and set this back to false but then beware that you may be vulnerable to attack from anyone within bluetooth range when your machines is discoverable - ie. bluetooth settings panel is open

[USN-6541-1] GNU C Library vulnerabilities (06:30)

• 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-5156
  • CVE-2023-4813
  • CVE-2023-4806
• Previous fix for CVE-2023-4806 was not sufficient - UAF in getaddrinfo() - possible to still trigger

[USN-6522-2] FreeRDP vulnerabilities (07:00)

• 3 CVEs addressed in Bionic ESM (18.04 ESM)
  • CVE-2023-39356
  • CVE-2023-39352
  • CVE-2022-41877
• [USN-6522-1] FreeRDP vulnerabilities from Episode 215

[USN-6542-1] TinyXML vulnerability (07:08)

• 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2021-42260
• Infinite loop able to be triggered by a crafted XML document - CPU-based DoS

[USN-6543-1] GNU Tar vulnerability (07:18)

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)

  • CVE-2023-39804

• Stack buffer overflow on parsing a tar archive with an extremely large extended attribute name/value - PAX archive format allows to store extended attributes - on the kernel’s VFS layer these are limited to 255 bytes for the name and 64kB for the value - but in a tar these can be basically arbitrary

• When processing the archive, tar would allocate space for these on the stack - BUT the stack is limited to a maximum size of 8MB normally - so if can specify an xattr name of more than 8MB can overflow the entire stack memory region - then into guard pages or even beyond, triggering a segfault or at worst a heap corruption and hence possible RCE -> but in Ubuntu we have enabled stack clash protection since 19.10 - which turns this into a DoS only

  • Reminiscent of the original Stack Clash “System Down” vulnerability in systemd

  $ hardening-check $(which tar)
  /usr/bin/tar:
   Position Independent Executable: yes
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: yes
   Stack clash protection: yes
   Control flow integrity: yes
  

• Speaking from experience, it is not easy to create such an archive - either through a real xattr on disk or through specifying one on the command-line (since you can specify arbitrary attributes be stored for files when adding them to an archive but then you hit the maximum limit of command-line arguments) BUT it is possible - in my case I did this though using sed to replace the contents of a xattr name in an existing archive with a crafted one and then doing a bunch of other hacks to fixup all the metadata of the tar archive to match - helpfully, all these attributes in the archive are stored as NUL-terminated strings, so can simply used sed to fix them all up assuming you can calculate the correct values

• Fixed by instead allocating these on the heap which does not have the same arbitrary limitation as the stack

[USN-6500-2] Squid vulnerabilities (11:35)

• 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CVE-2023-46847
  • CVE-2023-46728
• [USN-6500-1] Squid vulnerabilities from Episode 214

[USN-6544-1] GNU binutils vulnerabilities (11:44)

• 5 CVEs addressed in Trusty ESM (14.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2022-35205
  • CVE-2021-46174
  • CVE-2020-19726
  • CVE-2022-4285
  • CVE-2022-38533
• Didn’t do bounds checking properly in various places - leading to heap buffer overflows / OOB reads etc in various things like objdump etc

[USN-6545-1] WebKitGTK vulnerabilities (12:08)

• 2 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-42917
  • CVE-2023-42916
• Both issues that come from upstream webkit
  • OOB read -> info leak
  • Memory corruption that Apple said was being exploited in the wild against various versions of iOS

[USN-6546-1] LibreOffice vulnerabilities (12:45)

• 2 CVEs addressed in Lunar (23.04), Mantic (23.10)
  • CVE-2023-6186
  • CVE-2023-6185
• Uses gstreamer to play embedded videos (presumably in presentations etc) - to do this, creates a gstreamer pipeline including the filename of the video itself - this was not adequetely escaped, so could allow arbitrary code execution if it contained shell meta characters etc
• Link targets allow arbitrary script execution - similar to historic CVE-2023-2255 from [USN-6144-1] LibreOffice vulnerabilities in Episode 198

[USN-6547-1] Python vulnerability (13:46)

• 1 CVEs addressed in Lunar (23.04)
  • CVE-2023-41105
• Issue specific to Python 3.11 where if a path contained an embedded NUL byte and was passed to os.path.normpath() it would get truncated at the NUL byte - fixed to remove this behaviour

[USN-6550-1] PostfixAdmin vulnerabilities (14:19)

• 3 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-28447
  • CVE-2022-31129
  • CVE-2022-29221
• Issues in various embedded modules - Smarty and Moment.js - allowing possible arbitrary code execution, XSS or DoS

[USN-6551-1] Ghostscript vulnerability (14:37)

• 1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-46751
• UAF on file object on error path

[USN-6552-1] Netatalk vulnerability (14:43)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • CVE-2023-42464
• Apple Filing Protocol (AFP) service - similar to SMB for Windows - allows a Ubuntu machine to share files with MacOS
• Also implements support for Spotlight to search - using tracker as the indexer, metadata store and search engine under-the-hood
• Parser for spotlight RPC packets failed to properly do type checking, resulting in a type confusion bug and possible RCE via memory corruption - similar to CVE-2023-34967 for Samba since the code in netatalk originated from that code from Samba ([USN-6238-1] Samba vulnerabilities from Episode 204)

[USN-6554-1] GNOME Settings vulnerability (15:57)

• 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • CVE-2023-5616
• GNOME settings allows the ability to turn on / off remote SSH access from the sharing panel within the main settings application in Ubuntu
• Since moving to socket activated SSHd in 22.10, GNOME Settings was never updated in Ubuntu to support this as well
• Would mean that it would always show the machine was not accessible / sharing via SSH even when it was (since it would only check the status of the ssh.service, not ssh.socket)
• Ubuntu specific issue - fixed by extending GNOME settings to check both the service and the socket (since it is still a legitimate configuration to use the service over the socket in recent Ubuntu releases)
• Also backported to older releases since it is also a supported configuration there to use socket activation (although the sysadmin has to set this up themselves)

[USN-6553-1] Pydantic vulnerability (17:49)

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2021-29510
• Python data validation library
• CPU-based DoS since if passed the value of “infinity” to the validator to be parsed as a date/datetime, would result in an infinite loop

[USN-6536-1] Linux kernel vulnerabilities (18:10)

• 6 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-5158
  • CVE-2023-45898
  • CVE-2023-42754
  • CVE-2023-39189

[USN-6537-1] Linux kernel (GCP) vulnerabilities

• 11 CVEs addressed in Mantic (23.10)
  • CVE-2023-5717
  • CVE-2023-5633
  • CVE-2023-5345
  • CVE-2023-5178
  • CVE-2023-5158
  • CVE-2023-5090
  • CVE-2023-45898
  • CVE-2023-42754
  • CVE-2023-4244
  • CVE-2023-39189
  • CVE-2023-31085

[USN-6548-1] Linux kernel vulnerabilities

• 10 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2023-6176
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-42754
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-37453
  • CVE-2023-3006

[USN-6549-1] Linux kernel vulnerabilities

• 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-5158
  • CVE-2023-42754
  • CVE-2023-39198
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-3773
  • CVE-2023-37453

[USN-6534-2] Linux kernel vulnerabilities

• 12 CVEs addressed in Lunar (23.04)
  • CVE-2023-6039
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-5158
  • CVE-2023-42754
  • CVE-2023-39198
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-3773
  • CVE-2023-37453

[USN-6549-2] Linux kernel (GKE) vulnerabilities

• 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-5158
  • CVE-2023-42754
  • CVE-2023-39198
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-3773
  • CVE-2023-37453

[USN-6548-2] Linux kernel vulnerabilities

• 10 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • CVE-2023-6176
  • CVE-2023-5717
  • CVE-2023-5178
  • CVE-2023-42754
  • CVE-2023-39194
  • CVE-2023-39193
  • CVE-2023-39192
  • CVE-2023-39189
  • CVE-2023-37453
  • CVE-2023-3006

Goings on in Ubuntu Security Community

Ubuntu 23.04 (Lunar Lobster) approaching EOL (18:48)

• https://lists.ubuntu.com/archives/ubuntu-security-announce/2023-December/007974.html
• Interim releases receive 9 months of support
• Lunar reaches EOL on 25th January
• Good opportunity over the holiday break to upgrade to 23.10 (Mantic)
  • https://help.ubuntu.com/community/ManticUpgrades

Ubuntu Security team (and rest of Canonical) on break till early January 2024 (19:33)

• Various members of the team will be checking in each day to look for any serious issues
• Not planning any new security update releases during this time unless something major happens (we are still wincing from Log4Shell - Log4Shell explodes the internet from Episode 142 in late December 2022)
• As usual, contact us via the normal means if something is particularly urgent and someone should respond

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntusecurity@fosstodon.org, @ubuntu_sec on twitter