Episode 93

Posted on Friday, Oct 23, 2020
This week we cover security updates for NTP, Brotli, Spice, the Linux kernel (including BleedingTooth) and a FreeType vulnerability which is being exploited in the wild, plus we talk about the NSA's report into the most exploited vulnerabilities as well as the release of Ubuntu 20.10 Groovy Gorilla.

Show Notes

This week in Ubuntu Security Updates

74 unique CVEs addressed

[USN-4559-1] Samba update [01:04]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Follow-up to USN-4510-1 for “ZeroLogon” - that update changed the default to require a secure channel - this one adds support for specifying per-machine insecure netlogon usage, plus additional hardening to check for possible attacks via the client-specified challenge if the insecure channel has been manually enabled in the configuration

[USN-4563-1] NTP vulnerability [01:48]

[USN-4568-1] Brotli vulnerability [02:12]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Compression library / tool from Google designed for text compression, especially for web fonts etc
  • Buffer overflow due to an integer overflow when using the one-shot decompression option on attacker-controlled data

[USN-4570-1] urllib3 vulnerability [03:00]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Possible CRLF injection if an attacker can control the request method used in a call to urllib3 - after an injected CRLF they can append additional content such as a Host header and the remainder of a request, causing the request to misbehave
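As an added illustration (not code from the advisory or from urllib3 itself), a wrapper that refuses any request method which is not a single RFC 7230 token before the call reaches urllib3; `safe_request`, its `http` parameter and the sample inputs are assumptions constructed for this example:

```python
import re

# RFC 7230 "token" characters: the only characters a valid HTTP method may
# contain. CR, LF, space and tab are not in the set, so an injected "\r\n"
# followed by extra headers can never pass this check.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_http_method(method: str) -> bool:
    """Return True only if `method` is exactly one RFC 7230 token.

    fullmatch() is used deliberately: a pattern anchored with "$" would still
    accept "GET\n", because "$" matches before a trailing newline in Python.
    """
    return _TOKEN_RE.fullmatch(method) is not None


def safe_request(http, method: str, url: str, **kwargs):
    """Hypothetical wrapper around a urllib3 PoolManager (`http`, assumed to be
    supplied by the caller) that rejects non-token methods before anything is
    sent over the network."""
    if not is_valid_http_method(method):
        raise ValueError(f"refusing request: invalid HTTP method {method!r}")
    return http.request(method, url, **kwargs)


# Constructed sample inputs: values an application might receive from an
# untrusted source and forward as the request method, with the expected
# verdict. The CRLF case mirrors the advisory's description of extra headers
# smuggled in after an injected line break.
SAMPLE_METHODS = {
    "GET": True,
    "PATCH": True,
    "M-SEARCH": True,                                   # hyphen is a token char
    "GET / HTTP/1.1\r\nHost: injected.example\r\nX: ": False,
    "GET\n": False,                                     # trailing LF alone
    "GET POST": False,                                  # space is a separator
    "": False,                                          # empty is not a token
}


def check_samples() -> dict:
    """Map each constructed sample to the validator's verdict."""
    return {m: is_valid_http_method(m) for m in SAMPLE_METHODS}


if __name__ == "__main__":
    for method, verdict in check_samples().items():
        print(f"{verdict!s:5} {method!r}")
```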

[USN-4572-1, USN-4572-2] Spice vulnerability [03:41]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Protocol for remote VM access - multiple buffer overflows in the decoding of the QUIC image compression algorithm, affecting both the client and server side - DoS, RCE etc

[USN-4576-1] Linux kernel vulnerabilities [04:36]

[USN-4577-1] Linux kernel vulnerabilities

[USN-4578-1] Linux kernel vulnerabilities

[USN-4579-1] Linux kernel vulnerabilities

[USN-4580-1] Linux kernel vulnerability

  • 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
  • DCCP protocol mishandled reuse of sockets, leading to a UAF - since this can be triggered by a local user it could lead to root code execution, privilege escalation etc - was reported to Canonical and we worked with upstream kernel developers on resolving it

[LSN-0072-1] Linux kernel vulnerability

  • 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • DCCP UAF
  • AF_PACKET buffer overflow (Episode 90)
  • Livepatched in the following kernels:
    • Ubuntu 18.04 LTS
      • aws - 72.1
      • generic - 72.1
      • lowlatency - 72.1
      • oem - 72.1
    • Ubuntu 20.04 LTS
      • aws - 72.1
      • aws - 72.2
      • azure - 72.1
      • azure - 72.2
      • gcp - 72.1
      • gcp - 72.2
      • generic - 72.1
      • generic - 72.2
      • lowlatency - 72.1
      • lowlatency - 72.2
    • Ubuntu 16.04 LTS
      • aws - 72.1
      • generic - 72.1
      • lowlatency - 72.1
    • Ubuntu 14.04 ESM
      • generic - 72.1
      • lowlatency - 72.1

[USN-4591-1] Linux kernel vulnerabilities [06:20]

[USN-4592-1] Linux kernel vulnerabilities

  • 3 CVEs addressed in Bionic (18.04 LTS)
  • BleedingTooth vulnerability
  • Announced by Intel, discovered by a security researcher at Google - not much heads-up to distros, so the kernel team worked quickly to respin the affected kernels (>= 4.8) over the weekend
  • It was originally mentioned on Twitter that Google was going to publish a blog post with more details, but this was held back to give distros etc time to patch

[USN-4593-1] FreeType vulnerability [07:30]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Integer overflow -> heap buffer overflow
  • Reported by Google to FreeType upstream with the comment that it was being exploited in the wild
  • The patch simply moves a check that was originally added to fix another CVE a few lines higher, since its original placement still left the chance of an integer overflow -> heap buffer overflow
  • Update released for Ubuntu within 16 hours of the original report to the upstream FreeType developers

[USN-4558-1] libapreq2 vulnerabilities

[USN-4557-1] Tomcat vulnerabilities

[USN-4560-1] Gon gem vulnerability

[USN-4561-1] Rack vulnerabilities

[USN-4562-1] kramdown vulnerability

[USN-4569-1] Yaws vulnerabilities

[USN-4571-1] rack-cors vulnerability

[USN-4564-1] Apache Tika vulnerabilities

[USN-4565-1] OpenConnect vulnerability

[USN-4566-1] Cyrus IMAP Server vulnerabilities

[USN-4567-1] OpenDMARC vulnerability

[USN-4573-1] Vino vulnerabilities

[USN-4574-1] libseccomp-golang vulnerability

[USN-4575-1] dom4j vulnerability

[USN-4581-1] Python vulnerability

  • 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)

[USN-4582-1] Vim vulnerabilities

[USN-4583-1] PHP vulnerabilities

  • 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4589-1] containerd vulnerability

[USN-4589-2] Docker vulnerability

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4585-1] Newsbeuter vulnerabilities

[USN-4584-1] HtmlUnit vulnerability

[USN-4546-2] Firefox regressions

  • Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4590-1] Collabtive vulnerability

[USN-4586-1] PHP ImageMagick vulnerability

[USN-4594-1] Quassel vulnerabilities

[USN-4595-1] Grunt vulnerability

Goings on in Ubuntu Security Community

NSA Report on 25 most exploited CVEs by Chinese State-Sponsored Actors [09:51]

Ubuntu 20.10 Groovy Gorilla Release [13:50]

Get in contact