Episode 231

Posted on Friday, Jun 28, 2024
A look into CISA’s Known Exploited Vulnerability Catalogue is on our minds this week, plus we look at vulnerability updates for gdb, Ansible, CUPS, libheif, Roundcube, the Linux kernel and more.

Show Notes

This week in Ubuntu Security Updates

175 unique CVEs addressed

[USN-6842-1] gdb vulnerabilities (01:10)

  • 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • A couple of these are inherited from binutils, since gdb shares that code: parsing of crafted ELF executables -> NULL pointer dereference or possible heap-based buffer overflow -> DoS/RCE
  • Other stack and heap buffer overflows as well, from parsing crafted Ada files and crafted debug info files -> DoS/RCE

[USN-6845-1] Hibernate vulnerability (02:12)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
  • Object-relational mapping (ORM) library for Java
  • SQL injection in the JPA Criteria API implementation - could allow unvalidated literals through when they are used in the SQL comments of a query with logging enabled - fixed by properly escaping comments in this case

[USN-6846-1] Ansible vulnerabilities (02:46)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Could leak the password into the log file when using the AWS EC2 module, since it failed to validate the tower_callback parameter (nowadays called aap_callback, for Ansible Automation Platform) appropriately
  • Ansible allows variables to be marked as unsafe, meaning they may come from an external, untrusted source and so won’t get evaluated/expanded when used, to avoid possible info leaks etc. - various issues where Ansible would fail to respect this, essentially forgetting they were tagged as unsafe and ending up exposing secrets as a result

[USN-6844-1] CUPS vulnerability (04:08)

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • When starting, cups would arbitrarily chmod the socket specified as the Listen parameter to make it world-writable - if this was a symlink, it would then make the target of the symlink world-readable
  • In general the cups config file is only writable by root, so exploiting this requires some other vuln that gives write access to the config file, OR the ability to replace the regular cups socket path with a user-controlled symlink
  • But if you can, then you can even change the cups config itself to be world-writable and hence modify other parameters like the user and group that cups should run as, and with a crafted FoomaticRIPCommandLine then run arbitrary commands as root
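An added defender's check for the configuration state described above (example code, not from the podcast or the CUPS project): it parses the Listen directives of a cupsd.conf, flags a socket path that is currently a symlink, a socket parent directory where an unprivileged user could plant one, and a config file that is not restricted to root. The config contents and the temporary directory are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Matches "Listen <value>" lines; values starting with "/" are domain-socket paths.
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def socket_listen_paths(conf_text):
    """Return the Listen values that are filesystem paths rather than host:port."""
    paths = []
    for line in conf_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1).startswith("/"):
            paths.append(m.group(1))
    return paths


def audit(conf_path):
    """Flag a config writable by non-root, Listen sockets that are symlinks, and
    socket parent directories where an unprivileged user could place a symlink."""
    findings = []
    st = os.lstat(conf_path)
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"config {conf_path}: not root-owned or writable by others "
                        f"({stat.filemode(st.st_mode)})")
    with open(conf_path) as f:
        sockets = socket_listen_paths(f.read())
    for p in sockets:
        if os.path.islink(p):
            findings.append(f"Listen {p}: is a symlink -> {os.readlink(p)}")
        parent = os.path.dirname(p)
        if os.path.isdir(parent):
            pmode = os.stat(parent).st_mode
            if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
                findings.append(f"Listen {p}: parent {parent} is world-writable without sticky bit")
    return findings


def demo():
    """Constructed scenario in a temp dir: the socket path has been replaced by a
    symlink pointing at the config itself, the state the notes describe."""
    d = tempfile.mkdtemp()
    conf, sock = os.path.join(d, "cupsd.conf"), os.path.join(d, "cups.sock")
    with open(conf, "w") as f:
        f.write(f"Listen localhost:631\nListen {sock}\nUser lp\nGroup lp\n")
    os.symlink(conf, sock)
    return audit(conf)


if __name__ == "__main__":
    print("\n".join(demo()) or "no findings")
```

Run against a real system with `audit("/etc/cups/cupsd.conf")`; the ownership finding is expected to fire in the demo because the temp file belongs to the running user.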

[USN-6849-1] Salt vulnerabilities (06:20)

  • 2 CVEs addressed in Trusty ESM (14.04 ESM)
  • Failed to properly validate paths in some methods, and also failed to restrict access to other methods, allowing them to be used without authentication - could then allow arbitrary directory access, the ability to retrieve tokens from the master, or running arbitrary commands on minions

[USN-6746-2] Google Guest Agent and Google OS Config Agent vulnerability (06:44)

  • 1 CVE addressed in Noble (24.04 LTS)
  • A vuln in the embedded Go protobuf module - when parsing JSON it could end up in an infinite loop -> DoS

[USN-6850-1] OpenVPN vulnerability (07:04)

[USN-6847-1] libheif vulnerabilities (07:36)

  • 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • First time libheif has been mentioned on the podcast - High Efficiency Image File Format - part of the MPEG-H standard - a container format used to store images or sequences of images
  • Commonly seen due to its use by Apple for images on iPhone
  • Written in C++ - the usual types of issues
    • UAF, buffer overflows, floating point exception etc
      • most found through fuzzing

[USN-6848-1] Roundcube vulnerabilities (08:21)

  • 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • webmail front-end for IMAP
  • 2 different possible XSS issues due to mishandling of SVG - an email containing an SVG could embed JS that then gets loaded when the email is viewed
  • Also possible XSS through a crafted user preference value - similarly through a crafted Content-Type/Content-Disposition header which can be used for attachment preview/download

[USN-6819-4] Linux kernel (Oracle) vulnerabilities (09:21)

Goings on in Ubuntu Security Community

Discussion of CISA KEV

  • US Gov Cybersecurity & Infrastructure Security Agency
    • “America’s Cyber Defense Agency”
    • National Coordinator for Critical Infrastructure Security and Resilience
  • Publishes various guidance for organisations on cybersecurity topics
  • Also maintains the KEV - Known Exploited Vulnerabilities Catalog
    • “authoritative source of vulnerabilities that have been exploited in the wild”
    • Mandates for federal civilian agencies in the US to remediate KEV vulns within various timeframes
    • Also recommends that everyone else monitor this list and immediately address these vulns as part of their vuln remediation plan
    • List of vulns that are causing immediate harm based on observed adversarial activity
    • Various requirements to be listed in the KEV:
      • CVE ID assigned
      • Evidence it has been or is being actively exploited
        • reliable evidence that execution of malicious code was performed on a system by an unauthorised actor
        • also includes both attempted and successful exploitation (e.g. includes honeypots as well as real systems)
      • Clear remediation guidelines
        • An update is available and should be applied OR
        • Vulnerable component should be removed from networks etc if it is EOL and cannot be updated
    • available as CSV or JSON
    • Currently lists 1126 CVEs including:
      • Accellion File Transfer Appliances
      • Adobe Reader, Flash Player
      • Apache HTTP Server, Struts (Solarwinds), Log4j
      • Huge number of Apple iOS etc (WebKit and more)
      • Atlassian Confluence
      • Citrix Gateways
      • Exim
      • Fortinet
      • Gitlab
      • Google Chromium
      • ImageMagick
      • Microsoft Windows and Exchange
      • Mozilla Firefox
      • Ivanti Pulse Connect Security
      • SaltStack
      • VMware
      • WordPress
    • Oldest CVEs are 2 against Windows from 2002 and 2004
    • Newest include 26 2024 CVEs - various Chromium, Windows, Android Pixel, Ivanti and more
      • Interestingly includes Arm Mali GPU Driver CVE-2024-4610 - this affects the Bifrost and Valhall drivers - in Ubuntu we only ship the related Midgard driver, back in bionic and focal, so are not affected by this one
    • but as you may have noticed, lots that we potentially are affected by
      • Apache HTTP Server, Exim, Firefox, Thunderbird - plus OpenJDK, GNU C Library, Bash, Roundcube (mentioned earlier but not this particular vuln), WinRAR (unrar), not to mention a number against the Linux kernel
        • All the Linux kernel ones are privesc - most against either netfilter or various other subsystems like perf, AF_PACKET, tty, ptrace, futex and others
  • For Ubuntu, not surprisingly, we prioritise these vulnerabilities in our patching process
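As an added example (not from the podcast or from CISA), the triage the KEV discussion above describes, done against the JSON form of the catalog: which of a tracked set of CVEs (say, the ones fixed in this week's USNs) CISA lists as exploited, which are already past their federal due date, and which are tied to ransomware campaigns, ordered into a patching queue. The field names (cveID, dueDate, knownRansomwareCampaignUse) are those of the published feed as I know them; the JSON text itself is a constructed sample, and every value other than the CVE-2024-4610 ID is a placeholder rather than CISA's data.

```python
import json
from datetime import date

# CISA publishes the catalog as CSV and JSON; the JSON feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Nothing is fetched here: SAMPLE_KEV_JSON is a constructed stand-in in the feed's
# shape. CVE-2024-4610 is the ID mentioned in the notes; its dates and the two
# CVE-1999-0000x entries are made-up placeholders, not CISA's data.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2024-4610", "vendorProject": "Arm", "product": "Mali GPU Kernel Driver",
     "dateAdded": "2024-06-12", "dueDate": "2024-07-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-1999-00001", "vendorProject": "ExampleVendor", "product": "Example Webmail",
     "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1999-00002", "vendorProject": "ExampleVendor", "product": "Example Kernel",
     "dateAdded": "2024-06-20", "dueDate": "2024-07-11", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(text):
    """Index the feed's 'vulnerabilities' list by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def kev_matches(kev, tracked_cves):
    """CVEs we track (e.g. those fixed in this week's USNs) that are also in the KEV."""
    return sorted(c for c in set(tracked_cves) if c in kev)


def overdue(kev, today_iso):
    """KEV entries whose federal remediation due date is already past 'today'."""
    today = date.fromisoformat(today_iso)
    return sorted(c for c, v in kev.items() if date.fromisoformat(v["dueDate"]) < today)


def ransomware_linked(kev):
    """KEV entries CISA marks as used in known ransomware campaigns."""
    return sorted(c for c, v in kev.items() if v["knownRansomwareCampaignUse"] == "Known")


def prioritise(kev, tracked_cves, today_iso):
    """Patch order for our KEV hits: overdue first, then ransomware-linked, then by due date."""
    late, ransom = set(overdue(kev, today_iso)), set(ransomware_linked(kev))
    return sorted(kev_matches(kev, tracked_cves),
                  key=lambda c: (c not in late, c not in ransom, kev[c]["dueDate"]))
```

With the live feed, replace SAMPLE_KEV_JSON with the downloaded file's contents and feed `prioritise` the CVE IDs from the USNs you are tracking.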

Get in contact