Episode 227

Show Notes

Overview

Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-6749-1] FreeRDP vulnerabilities (00:45)

7 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
Bunch of issues all reported by researcher from Kaspersky - usual sorts of issues in this package - written in C etc
OOB reads, heap buffer overflow, integer overflow / underflow -> OOB write

[USN-6752-1] FreeRDP vulnerabilities (01:41)

4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
Not long after those - more CVEs announced
OOB read, NULL ptr deref and memory exhaustion

[USN-6751-1] Zabbix vulnerabilities (02:54)

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- CVE-2022-35230
- CVE-2022-35229
First time Zabbix has featured in the podcast!
Fixes 2 reflected XSS issues - in newer versions both require the attacker to be able to specify the user’s specific CSRF token - but in older versions only there was only a session ID which is easier to guess

[USN-6753-1] CryptoJS vulnerability (03:38)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2023-46233
Insecure default config - uses older parameters for the implementation of PBKDF2 - SHA1 with a single iteration - makes any passwords protected via PBKDF2 in crypto-js easier to brute-force from the hashed value - instead updated to use SHA256 with 250,000 rounds

[USN-6754-1] nghttp2 vulnerabilities (04:32)

4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 - all DoS attacks)
HTTP/2 continuation frames - no proper limit on the amount of these frames which can be sent in a single stream - attacker can send many to cause a DoS on the server either through CPU by lots of processing or memory by storing all these headers in memory

[USN-6755-1] GNU cpio vulnerabilities (05:42)

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- CVE-2023-7207
Path traversal vuln - possible to write outside of the target directory
Specific to Debian/Ubuntu etc since reverted part of the fix for historic CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the archive - since it broke the use of the --no-absolute-filenames CLI argument
Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu since focal
Now use more correct fix from upstream (April 2023)

[USN-6756-1] less vulnerability (07:10)

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- CVE-2024-32487
Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
Similar issue - this time in the use of LESSOPEN environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if ran less on some untrusted file
LESSOPEN is automatically set in Debian/Ubuntu via lesspipe - allows to run less on say a gz compressed log file or even on a tar.gz tarball to list the files etc

[USN-6757-1] PHP vulnerabilities (08:41)

3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the same network/site could set a cookie via HTTP with one name, which then gets used by sessions using HTTPS and when using a different cookie name - is a problem since certain cookie names (like __Host- and __Secure-) have specific meanings which in general should be allowed to be specified by the network but only by the browser itself - so can be used to bypass usual restrictions (apparently this issue was reported upstream by the original reported of the 2022 vuln but it got ignored by upstream till now…)
password_verify() function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified a password was the empty string would verify as true (unlikely to be an issue in practice)
Heap buffer overflow due to a large PHP_CLI_SERVER_WORKERS env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)

[USN-6761-1] Anope vulnerability (11:15)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- CVE-2024-30187
Failed to deny ability to reset the password of a suspended account and hence gain access again

[USN-6758-1] JSON5 vulnerability (11:37)

1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2022-46175
NodeJS module for the JSON5 format - “JSON for humans” - much more similar to yaml, does away with a lot of the usual quotes etc
Protoype pollution vuln - when parsing would fail to restrict use of the __proto__ key and hence would allow the ability to set arbitrary keys etc within the returned object -> RCE

[LSN-0103-1] Linux kernel vulnerability (12:46)

7 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)

Kernel type	22.04	20.04	18.04
aws	103.3	103.3	—
aws-5.15	—	103.3	—
aws-5.4	—	—	103.3
aws-6.5	103.1	—	—
azure	103.3	103.3	—
azure-5.4	—	—	103.3
azure-6.5	103.1	—	—
gcp	103.3	103.3	—
gcp-5.15	—	103.3	—
gcp-5.4	—	—	103.3
gcp-6.5	103.1	—	—
generic-5.15	—	103.3	—
generic-5.4	—	103.3	103.3
gke	103.3	103.3	—
hwe-6.5	103.1	—	—
ibm	103.3	—	—
ibm-5.15	—	103.3	—
linux	103.3	—	—
lowlatency-5.15	—	103.3	—
lowlatency-5.4	—	103.3	103.3

canonical-livepatch status

[USN-6760-1] Gerbv vulnerability (13:01)

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- CVE-2023-4508
Vuln found by the Ubuntu Security team - David and (former member) Andrei - Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of testing with ASan enabled - crafted filename -> crash

[USN-6759-1] FreeRDP vulnerabilities (13:41)

5 CVEs addressed in Noble (24.04 LTS)

[USN-6737-2] GNU C Library vulnerability

1 CVEs addressed in Noble (24.04 LTS)
- CVE-2024-2961

[USN-6729-3] Apache HTTP Server vulnerabilities

3 CVEs addressed in Noble (24.04 LTS)

[USN-6718-3] curl vulnerabilities

2 CVEs addressed in Noble (24.04 LTS)
- CVE-2024-2398
- CVE-2024-2004

[USN-6733-2] GnuTLS vulnerabilities

2 CVEs addressed in Noble (24.04 LTS)
- CVE-2024-28835
- CVE-2024-28834

[USN-6734-2] libvirt vulnerabilities

2 CVEs addressed in Noble (24.04 LTS)
- CVE-2024-2494
- CVE-2024-1441

[USN-6744-3] Pillow vulnerability

1 CVEs addressed in Noble (24.04 LTS)
- CVE-2024-28219

Goings on in Ubuntu Security Community

Ubuntu 24.04 LTS (Noble Numbat) released (14:27)

https://ubuntu.com/blog/canonical-releases-ubuntu-24-04-noble-numbat
https://ubuntu.com/blog/ubuntu-desktop-24-04-noble-numbat-deep-dive
https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
Up to 12 years of support via Ubuntu Pro + Legacy Support Add-on
New security features / improvements:
- Unprivileged user namespace restrictions
- Binary hardening
- AppArmor 4
- Disabling of old TLS versions
- Upstream Kernel Security Features
  - Intel shadow stack support
  - Secure virtualisation with AMD SEV-SNP and Intel TDX
  - Strict compile-time bounds checking