Episode 217

Posted on Friday, Feb 2, 2024
For the first episode of 2024 we take a look at the case of a raft of bogus FOSS CVEs reported on full-disclosure as well as AppSec tools in Ubuntu and the EOL announcement for 23.04, plus we cover vulnerabilities in the Linux kernel, Puma, Paramiko and more.

Show Notes

This week in Ubuntu Security Updates

81 unique CVEs addressed

[USN-6601-1] Linux kernel vulnerability (01:16)

  • 1 CVE addressed in Trusty ESM (14.04 ESM)
  • UAF in the IGMP protocol (IGMP lets multiple devices share the same IPv4 multicast address and hence all receive the same data via multicasting - often used for things like video streaming) - a race condition between two different threads in the handling of a timer could leave the timer registered on an object that is then freed by the other thread; when the timer later fires, that thread tries to access the object after it has already been freed
  • Can be exploited by an unprivileged local user in a user namespace

[USN-6602-1] Linux kernel vulnerabilities (02:23)

[USN-6603-1] Linux kernel (AWS) vulnerabilities

[USN-6604-1] Linux kernel vulnerabilities

[USN-6604-2] Linux kernel (Azure) vulnerabilities

[USN-6605-1] Linux kernel vulnerabilities

[USN-6605-2] Linux kernel (KVM) vulnerabilities

[USN-6606-1] Linux kernel (OEM) vulnerabilities (03:04)

  • 5 CVEs addressed in Jammy (22.04 LTS)
  • perf OOB write
  • 2 very similar UAFs in netfilter - both require CAP_NET_ADMIN to exploit (i.e. to create a netfilter chain etc.), but this can easily be obtained in an unprivileged user namespace -> privesc for an unprivileged local user

[USN-6608-1] Linux kernel vulnerabilities

[USN-6609-1] Linux kernel vulnerabilities

[USN-6609-2] Linux kernel (NVIDIA) vulnerabilities

[USN-6607-1] Linux kernel (Azure) vulnerabilities (03:32)

[USN-6596-1] Apache::Session::LDAP vulnerability (03:45)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • Would not check the validity of an X.509 certificate since it uses the Net::LDAPS Perl module, which by default doesn't do this and requires applications to explicitly instruct it to do so

[USN-6597-1] Puma vulnerability (04:24)

  • 1 CVE addressed in Lunar (23.04), Mantic (23.10)
  • HTTP server for Ruby/Rack applications that uses threading for improved performance
  • Vulnerable to an HTTP request smuggling attack since it would fail to properly parse requests with chunked transfer encoding
  • Also failed to set a limit on the size of chunk extensions which could then allow a CPU or network-bandwidth based DoS attack
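As an added illustration of the Puma issue above (example code written for these notes, not Puma's own parser), a strict chunked-body decoder in Ruby that rejects ambiguous chunk-size lines and caps the length of chunk extensions; the numeric limits are assumed values, not Puma's.

```ruby
# Added example, not Puma's own code: a strict decoder for an HTTP/1.1
# chunked request body. It applies the two checks the advisory is about:
# the chunk-size line must parse unambiguously, and any chunk extension
# (";name=value") is bounded so a client cannot stream unlimited extension
# bytes to burn CPU and bandwidth.
class ChunkedBodyError < StandardError; end

MAX_CHUNK_EXT_BYTES = 16     # assumed cap on the extension part of a size line
MAX_CHUNK_SIZE_DIGITS = 16   # assumed cap on hex digits in a chunk size
CRLF = "\r\n"

# Decodes +raw+ (the bytes after the request headers) and returns the body.
# Malformed input raises instead of being "repaired": a lenient parse that a
# front-end proxy interprets differently is exactly what enables smuggling.
def decode_chunked(raw)
  raw = raw.b          # byte-oriented so index/byteslice offsets agree
  body = "".b
  pos = 0
  loop do
    eol = raw.index(CRLF, pos)
    raise ChunkedBodyError, "missing chunk-size line" unless eol
    size_hex, ext = raw[pos...eol].split(";", 2)
    if ext && ext.bytesize > MAX_CHUNK_EXT_BYTES
      raise ChunkedBodyError, "chunk extension too long (#{ext.bytesize} bytes)"
    end
    # Bare hex digits only: no whitespace, sign, "0x" prefix or other bytes
    # that different parsers might accept or reject differently.
    unless size_hex =~ /\A[0-9A-Fa-f]{1,#{MAX_CHUNK_SIZE_DIGITS}}\z/
      raise ChunkedBodyError, "bad chunk size #{size_hex.inspect}"
    end
    size = size_hex.to_i(16)
    pos = eol + 2
    if size.zero?
      # Last chunk: skip trailer lines up to the final empty line.
      until raw[pos, 2] == CRLF
        eol = raw.index(CRLF, pos)
        raise ChunkedBodyError, "unterminated trailer section" unless eol
        pos = eol + 2
      end
      return body
    end
    chunk = raw.byteslice(pos, size)
    raise ChunkedBodyError, "truncated chunk data" if chunk.nil? || chunk.bytesize < size
    body << chunk
    pos += size
    # Each chunk must end exactly at a CRLF; extra or missing bytes are rejected.
    raise ChunkedBodyError, "chunk data not followed by CRLF" unless raw[pos, 2] == CRLF
    pos += 2
  end
end
```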

[USN-6598-1] Paramiko vulnerability (04:58)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Fix for the Terrapin attack disclosed back in December - a flaw in the SSH protocol itself which allows an attacker who can interpose on the connection to drop the EXT_INFO message (sent during the handshake to negotiate various protocol extensions) in a way that neither the client nor the server will notice, since the attacker can send an empty ignored packet with the same sequence number in its place. This is quite easy for an attacker to do, since during this stage of the connection there is no encryption in place. The end result is that the attacker can cause either a loss of integrity (since this won't be detected by the other party) or potentially compromise the key exchange itself and hence cause a loss of confidentiality as well

[USN-6599-1] Jinja2 vulnerabilities

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

[USN-6600-1] MariaDB vulnerabilities

[USN-6611-1] Exim vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

[USN-6610-1] Firefox vulnerabilities

[USN-6613-1] Ceph vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

[USN-6612-1] TinyXML vulnerability

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

[USN-6614-1] amanda vulnerability

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)

[USN-6615-1] MySQL vulnerabilities

[USN-6616-1] OpenLDAP vulnerability

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)

[USN-6587-3] X.Org X Server regression

[USN-6618-1] Pillow vulnerabilities

[USN-6617-1] libde265 vulnerabilities

Goings on in Ubuntu Security Community

Ubuntu 23.04 (Lunar Lobster) EOL (06:48)

  • Released back in April 2023 - like all interim releases, supported for 9 months
  • Reached EOL on 25th January - won’t receive any package updates (security or bug fix) and will be archived to old-releases.ubuntu.com in the coming weeks
  • We urge you to upgrade to the currently supported interim release, 23.10, ASAP, since once 23.04 is archived the upgrade process becomes harder (you have to manually update your apt sources to point at the old-releases server first)
  • 23.10 (Mantic Minotaur) will then be supported for about 5 more months until July this year

Awesome AppSec in Ubuntu (08:22)

  • https://discourse.ubuntu.com/t/awesome-appsec-in-ubuntu/41922/1
  • Andrei has compiled a list of tools available in Ubuntu which can be used by security researchers
  • Includes tools for:
    • Coordinated Vulnerability Disclosure
    • Fuzzing
    • License scanning
    • Reverse engineering
    • Runtime process analysis
    • Security linting
    • Symbolic execution
    • Threat modelling
    • Scanning for vulnerable dependencies
    • Web scanning
    • Runtime application isolation (sandboxing)
  • Whether you are a software engineer looking to make your software more secure, a security researcher trying to find vulns, or a security engineer wanting tools to help with vulnerability management, there is likely something in the list for you
  • If you find anything missing, send Andrei a PR, as the list is hosted on GitHub

full-disclosure spammed with zombie CVEs (09:52)

  • full-disclosure mailing list slowly declining in popularity but was once the go-to place to discuss and disclose vulnerabilities
  • In January, saw a large increase in the number of messages posted (75 compared to 15-30 which was the usual number posted for any month in 2023)
  • Meng Ruijie from National University in Singapore posted 36 different CVE reports across a large range of OSS projects, including Redis Raft, TinyDTLS, Mesa, ncurses, vim, GTK and more - and almost all of them were described as NULL pointer dereferences or buffer overflows etc
  • Alan Coopersmith raised this on the oss-security mailing list, both because none of these issues had been raised privately with any of the projects and because most of the CVE descriptions appeared to be quite bogus - e.g. for a CVE in Mesa, which Meng describes as a NULL pointer deref, the associated issue that the CVE points to in the upstream Mesa GitLab describes a possible OOB read, but there is no good evidence that this can be influenced by the caller and hence no evidence that there is a security issue here at all
  • They appear to have been assigned by just looking for either reports in upstream issue trackers that mention possible security issues OR upstream commits that mention words like NULL pointer dereference but without any consideration as to whether these are actual vulnerabilities
    • For example - just because some code may potentially dereference a NULL pointer, if the caller cannot influence that to occur then there is no way to trigger it and so it is not an actual vulnerability
  • Likely almost all of these CVEs will get disputed and so provide no real value - also they waste the time of OSS developers to respond to these reports as well as distros and others to investigate them etc
