Episode 223
Posted on Friday, Mar 22, 2024
This week we bring you a sneak peak of how Ubuntu 23.10 fared at Pwn2Own
Vancouver 2024, plus news of malicious themes in the KDE Store and we cover
security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and
more.
Show Notes
Overview
This week we bring you a sneak peak of how Ubuntu 23.10 fared at Pwn2Own Vancouver 2024, plus news of malicious themes in the KDE Store and we cover security updates for the Linux kernel, X.Org X Server, TeX Live, Expat, Bash and more.
This week in Ubuntu Security Updates
61 unique CVEs addressed
[USN-6681-3] Linux kernel vulnerabilities (00:54)
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 - IBM, Oracle
- UAF due to a race-condition in netfilter - underflow a reference counter -> UAF
[USN-6686-2] Linux kernel vulnerabilities (01:42)
- 9 CVEs addressed in Jammy (22.04 LTS)
- 5.15 - Raspi, Lowlatency
[USN-6699-1] Linux kernel vulnerabilities (01:52)
- 3 CVEs addressed in Trusty ESM (14.04 ESM)
- 3.13 - generic, lowlatency, server, virtual
- KVM mishandling of control registers for nested guest VMs
- UAF in Quick Fair Queuing network packet scheduler
- Local privesc, reported to Google’s kCTF
[USN-6700-1] Linux kernel vulnerabilities (02:40)
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 - generic, kvm, lowlatency, virtual, aws (14.04 only)
- UAF in nftables - also originally reported to kCTF
[USN-6701-1] Linux kernel vulnerabilities
- 12 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- 4.15 - oracle, kvm, aws, generic, lowlatency
- UAF in nftables from above and UAF in AppleTalk network driver - [USN-6648-1] Linux kernel vulnerabilities from Episode 220
[USN-6680-3] Linux kernel (AWS) vulnerabilities
- 7 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
- 6.5 - aws
[USN-6681-4] Linux kernel (AWS) vulnerabilities
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 - aws
- UAF in netfilter discussed earlier
[USN-6686-3] Linux kernel (Oracle) vulnerabilities
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 - oracle
[USN-6702-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 - iot, ibm, bluefield, gkeop, kvm, oracle, gcp, generic, lowlatency, oem
- Second netfilter UAF above
[USN-6587-5] X.Org X Server vulnerabilities (03:34)
- 7 CVEs addressed in Trusty ESM (14.04 ESM)
- Previous updates for X now available in 14.04 ESM
- Most issues either OOB R/W - impact is then can crash X Server or potentially get code execution - nowadays X runs unprivileged but in 14.04 still runs as root so these vulns are more severe in the older releases
[USN-6673-2] python-cryptography vulnerability (04:21)
- 1 CVEs addressed in Xenial ESM (16.04 ESM)
- [USN-6673-1] python-cryptography vulnerabilities from Episode 220
[USN-6695-1] TeX Live vulnerabilities (04:28)
- 3 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Heap buffer overflow via a crafted TTF file
- LuaTeX specific issue - allowed a document to make arbitrary network requests since it didn’t disable access to the underlying lua socket library
- Misused sprint() resulting in a buffer overflow in the axohelp - helper program for the LaTeX axodraw2 package when used with pdflatex
[USN-6694-1] Expat vulnerabilities (05:24)
- 2 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10)
- C library for parsing xml
- used by many other applications like gdb, dbus, audacity, git, python, polkit, squid and more
- CPU/memory-based DoS since would do many full reparsings of a document in some cases
- XML Entity Expansion attack
- billion laughs attack / XML bomb - 10 entities which each comprise 10 of the previous entity with the document containing a single instance of the largest entity - 1 billion copies of the original entity
[USN-6696-1] OpenJDK 8 vulnerabilities (06:40)
- 6 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- [USN-6660-1, USN-6661-1] OpenJDK 11 & 17 vulnerabilities from Episode 220
[USN-6697-1] Bash vulnerability (07:01)
- 1 CVEs addressed in Jammy (22.04 LTS)
- Heap buffer overflow on a valid parameter transformation - can then unexpectedly lead to possible code execution
[USN-6698-1] Vim vulnerability (07:30)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- stack buffer overflow when parsing a crafted command file - ie. the user has to load a crafted file to be sourced by vim
[USN-6703-1] Firefox vulnerabilities (07:48)
- 11 CVEs addressed in Focal (20.04 LTS)
- 124.0
Goings on in Ubuntu Security Community
Summary of Pwn2Own Vancouver 2024 results against Ubuntu 23.10 (08:05)
- https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results
- The DEVCORE Team was able to execute their LPE attack against Ubuntu Linux. However, the bug they used was previously known. They still earn $10,000 and 1 Master of Pwn points.
- Kyle Zeng from ASU SEFCOM used an ever tricky race condition to escalate privileges on Ubuntu Linux desktop. This earns him him $20,000 and 20 Master of Pwn points.
- https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results
- STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu desktop. However, they used a bug that was previously reported. They still earn $5,000 and 1 Master of Pwn point.
- The final entry of Pwn2Own Vancouver 2024 ends as a collision as Theori used a bug that was previously know to escalate privileges on Ubuntu desktop. He still wins $5,000 and 1 Master of Pwn point.
Reports of malicious themes in KDE Store (10:27)
- https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/
- https://floss.social/@kde/112128243960545659
- https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/