Episode 229

Posted on Friday, May 31, 2024
As the podcast winds down for a break over the next month, this week we talk about RSA timing side-channel attacks and the recently announced DNSBomb vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK, amavisd-new, Unbound, Intel Microcode and more.

Show Notes


This week in Ubuntu Security Updates

152 unique CVEs addressed

[USN-6783-1] VLC vulnerabilities (00:54)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • integer underflow and a heap buffer overflow -> RCE

[USN-6663-3] OpenSSL update (01:40)

  • Affecting Noble (24.04 LTS)
  • [USN-6663-1] OpenSSL update from Episode 220 - hardening improvement: return deterministic random bytes instead of an error when an incorrect padding length is detected during PKCS#1 v1.5 RSA decryption, to avoid the error being used as an oracle for possible Bleichenbacher timing attacks
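
The "deterministic random bytes instead of an error" mitigation mentioned above (often called implicit rejection) is easy to misunderstand, so here is an added, self-contained illustration of the idea in Python. It is not OpenSSL's code: it models only the unpadding step after the raw RSA operation, with the encoded message, a key-bound secret and the ciphertext bytes passed in directly, and the exact PRF and length-derivation details are constructed for the example rather than taken from any standard.

```python
import hashlib
import hmac
import os


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x02 || PS || 0x00 || M with k bytes total (test helper)."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this key size")
    ps = bytearray()
    while len(ps) < k - len(msg) - 3:
        b = os.urandom(1)
        if b != b"\x00":          # PS must consist of non-zero bytes
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def _synthetic_message(key_secret: bytes, ciphertext: bytes, max_len: int) -> bytes:
    """Deterministic fake plaintext derived from (key secret, ciphertext).

    Constructed scheme for this example: HMAC-SHA256 as a PRF, the first two
    bytes pick a length in [0, max_len], counter-mode expansion fills it.
    """
    seed = hmac.new(key_secret, ciphertext, hashlib.sha256).digest()
    fake_len = int.from_bytes(seed[:2], "big") % (max_len + 1)
    out = b""
    counter = 0
    while len(out) < fake_len:
        out += hmac.new(key_secret, ciphertext + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:fake_len]


def pkcs1_v15_unpad_implicit_rejection(em: bytes, ciphertext: bytes,
                                       key_secret: bytes) -> bytes:
    """Recover M from a PKCS#1 v1.5 encoded message, or a deterministic fake.

    A conventional unpad raises on bad padding; that error (or the time taken
    to reach it) is the oracle a Bleichenbacher-style attacker needs. Here a
    malformed EM instead yields a message that depends only on the ciphertext
    and a key-bound secret, so repeated queries with the same ciphertext give
    the same answer and 'bad padding' looks like 'valid padding, random M'.
    Python cannot promise constant time; the point is the control flow.
    """
    k = len(em)
    if k < 11:
        raise ValueError("encoded message too short")  # key-size error, not a padding oracle

    # Walk the entire buffer with no early exit; remember the first 0x00 after the header.
    found = False
    zero_index = k
    for i in range(2, k):
        if em[i] == 0 and not found:
            zero_index = i
            found = True

    # PS must be at least 8 bytes, so the separator can be at index 10 at the earliest.
    valid = em[0] == 0 and em[1] == 2 and found and zero_index >= 10
    real = em[zero_index + 1:] if found else b""
    fake = _synthetic_message(key_secret, ciphertext, k - 11)

    # A production implementation selects between the two in constant time.
    return real if valid else fake


if __name__ == "__main__":
    key_secret = os.urandom(32)            # constructed: stands in for a key-derived secret
    em = pkcs1_v15_pad(b"session key", 128)
    print(pkcs1_v15_unpad_implicit_rejection(em, b"ct-1", key_secret))
    corrupted = b"\x00\x03" + em[2:]       # wrong block type: padding failure
    print(pkcs1_v15_unpad_implicit_rejection(corrupted, b"ct-1", key_secret).hex())
```

Two properties matter: the function never raises for a padding failure, and the fallback depends on the ciphertext rather than on where in the buffer the padding broke, so an attacker cannot learn anything about the decrypted block by changing how it is malformed.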

[USN-6673-3] python-cryptography vulnerability (02:32)

[USN-6736-2] klibc vulnerabilities (02:43)

[USN-6784-1] cJSON vulnerabilities (02:58)

  • 3 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • 2 different researchers fuzzing cJSON APIs
    • all different NULL ptr derefs - each requires particular / “incorrect” or misuse of the APIs (like passing in purposefully corrupted values), so unlikely to be an issue in practice

[USN-6785-1] GNOME Remote Desktop vulnerability (03:52)

  • 1 CVE addressed in Noble (24.04 LTS)
  • Discovered by a member of the SUSE security team when reviewing g-r-d
  • Exposed various D-Bus methods that could be called by any unprivileged user and would return the SSL private key used to encrypt the connection - so a local user could possibly spy on the sessions of other users remotely connected to the system

[USN-6786-1] Netatalk vulnerabilities (04:45)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Apple file sharing implementation for Linux
  • If the same path was shared via both AFP and SMB then a remote attacker could combine various operations across the two protocols (like creating a crafted symlink via one, which would then be followed during a second operation via the other where a file is renamed) to overwrite arbitrary files and hence achieve arbitrary code execution on the host

[USN-6788-1] WebKitGTK vulnerabilities (05:48)

  • 1 CVE addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Possible pointer authentication (PAC) bypass - relevant on arm64 in particular - demonstrated at Pwn2Own earlier this year by Manfred Paul - $60k

[USN-6789-1] LibreOffice vulnerability (06:28)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Unchecked script execution triggered when clicking on a graphic - allows arbitrary scripts to run without the usual prompt

[USN-6790-1] amavisd-new vulnerability (07:09)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • MTA / AV interface - often used in conjunction with Postfix; not just for AV, can also be used for DKIM verification, integration with SpamAssassin etc
  • Misinterpreted MIME message boundaries in emails, allowing email parts to possibly bypass usual checks

[USN-6791-1] Unbound vulnerability (07:46)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • DNSBomb attack announced recently at IEEE S&P - affecting multiple different DNS implementations including BIND, Unbound, PowerDNS, Knot, DNSMasq and others
  • Unbound itself was not necessarily vulnerable to such an attack specifically, but could be used as an amplifier to generate one against others - in particular Unbound had the highest amplification factor of ~22k times; next highest was DNSMasq at ~3k times
  • Fix involves introducing a number of timeout parameters for various operations and discarding operations that take longer than this, to remove the ability to “store up” responses and release them all at once at a later time
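
To make the fix described above concrete, here is an added Python model of the two resolver-side controls it relies on: a per-client cap on outstanding (unanswered) queries, and a discard timeout after which a still-pending query is dropped rather than answered. This is not Unbound's code; the class and its parameter names are constructed for the example (Unbound's own unbound.conf options for this fix should be checked against the unbound.conf(5) page of the installed version). The simulation function shows why the controls bound the burst a single client can accumulate.

```python
from collections import deque
from typing import Deque, Dict, Tuple


class PendingQueryGuard:
    """Bound the answers a resolver can release to one client at a later time.

    wait_limit:      max unanswered queries per client; further queries are dropped
    discard_timeout: seconds after which a pending query is discarded, so a slow
                     (or deliberately delayed) upstream answer is never delivered
    """

    def __init__(self, wait_limit: int, discard_timeout: float) -> None:
        self.wait_limit = wait_limit
        self.discard_timeout = discard_timeout
        # client -> queue of (query id, time admitted), oldest first
        self._pending: Dict[str, Deque[Tuple[int, float]]] = {}

    def expire(self, now: float) -> None:
        """Discard every pending query older than the timeout."""
        for client, queue in list(self._pending.items()):
            while queue and now - queue[0][1] > self.discard_timeout:
                queue.popleft()
            if not queue:
                del self._pending[client]

    def admit(self, client: str, qid: int, now: float) -> bool:
        """Accept a new query from client, or refuse it if the client is over its limit."""
        self.expire(now)
        queue = self._pending.setdefault(client, deque())
        if len(queue) >= self.wait_limit:
            return False
        queue.append((qid, now))
        return True

    def resolved(self, client: str, qid: int, now: float) -> bool:
        """Upstream answer arrived; return True only if it may still be sent to the client."""
        self.expire(now)
        queue = self._pending.get(client)
        if not queue:
            return False
        for i, (pending_qid, _) in enumerate(queue):
            if pending_qid == qid:
                del queue[i]
                return True
        return False

    def outstanding(self, client: str) -> int:
        return len(self._pending.get(client, ()))


def burst_size(wait_limit: int, discard_timeout: float,
               n_queries: int, answer_delay: float) -> int:
    """How many answers one client gets released in a single burst.

    Constructed scenario: the client sends n_queries at t=0 and all upstream
    answers arrive together at t=answer_delay (a held-back authoritative server).
    """
    guard = PendingQueryGuard(wait_limit, discard_timeout)
    client = "198.51.100.7"  # constructed sample client address
    admitted = [qid for qid in range(n_queries) if guard.admit(client, qid, now=0.0)]
    return sum(1 for qid in admitted if guard.resolved(client, qid, now=answer_delay))


if __name__ == "__main__":
    # No limits: every delayed answer is released at once.
    print("unbounded:", burst_size(10**9, 10**9, 1000, answer_delay=30.0))
    # Discard timeout shorter than the delay: nothing is released.
    print("timeout:  ", burst_size(1000, 1.9, 1000, answer_delay=30.0))
    # Answers within the timeout, but the per-client cap bounds the burst.
    print("wait cap: ", burst_size(100, 1.9, 1000, answer_delay=1.0))
```

The two knobs address different halves of the problem: the timeout stops a resolver from holding answers long enough to be synchronised into a burst, and the per-client cap bounds how much can be outstanding even inside the timeout window.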

[USN-6793-1] Git vulnerabilities (09:31)

[USN-6792-1] Flask-Security vulnerability

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)

[USN-6794-1] FRR vulnerabilities

[USN-6777-4] Linux kernel (HWE) vulnerabilities (09:40)

[USN-6795-1] Linux kernel (Intel IoTG) vulnerabilities (10:00)

[USN-6779-2] Firefox regressions (10:30)

[USN-6787-1] Jinja2 vulnerability (10:48)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Incorrect handling of various HTML attributes - attacker could then possibly inject arbitrary HTML attributes/values and hence inject JS code to perform XSS attacks etc
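
The attribute-injection class mentioned above comes down to a template helper that escapes attribute values but trusts attribute names. The added Python example below is a constructed helper in the style of a template filter, not Jinja2's own code, showing the weak form next to a hardened one that validates names against a strict pattern before emitting them.

```python
import re
from html import escape
from typing import Any, Mapping

# Constructed allow-list for attribute names: no whitespace, quotes, '=', '/' or '>',
# so a name cannot smuggle a second attribute or close the tag.
_SAFE_ATTR_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.-]*$")


def xmlattr_unsafe(attrs: Mapping[str, Any]) -> str:
    """Weak form: values are escaped, names are copied through verbatim."""
    return "".join(
        f' {name}="{escape(str(value), quote=True)}"'
        for name, value in attrs.items()
        if value is not None
    )


def xmlattr_hardened(attrs: Mapping[str, Any]) -> str:
    """Hardened form: refuse any attribute name outside the allow-list."""
    parts = []
    for name, value in attrs.items():
        if value is None:
            continue
        if not _SAFE_ATTR_NAME.match(name):
            raise ValueError(f"invalid attribute name: {name!r}")
        parts.append(f' {name}="{escape(str(value), quote=True)}"')
    return "".join(parts)


def injects_extra_attribute(rendered: str, expected_count: int) -> bool:
    """Detection helper: count name="..." pairs and compare with what the caller supplied."""
    return len(re.findall(r'\s[^\s=]+="[^"]*"', rendered)) != expected_count


if __name__ == "__main__":
    # Constructed sample: a value-only escape is fine when names are trusted...
    print("<img" + xmlattr_unsafe({"src": "a.png", "alt": 'say "hi"'}) + ">")
    # ...but a user-controlled name carries an extra attribute straight through.
    hostile = {"src onmouseover=evil()": "a.png"}
    print("<img" + xmlattr_unsafe(hostile) + ">")
    try:
        xmlattr_hardened(hostile)
    except ValueError as err:
        print("rejected:", err)
```

Escaping alone cannot fix this, because the name is never placed inside quotes; the only sound option is to validate (or reject) names, which is what the hardened form does.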

[USN-6797-1] Intel Microcode vulnerabilities (11:22)

  • 9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Latest release from upstream - mitigates various hardware vulns
    • A couple of issues in SGX/TDX on different Intel Xeon processors:
      • Invalid restrictions -> local root -> super-privesc
      • Invalid input on TDX -> local root -> super-privesc
      • Invalid SGX base key calculation -> info leak
    • Transient execution attacks to read privileged information
    • DoS through bus lock mishandling or through invalid instruction sequences

Get in contact