
Episode 110

Ubuntu Security Podcast

English - April 01, 2021 01:08 - 13 minutes - 10.5 MB - ★★★★★ - 10 ratings


Overview

This week we look at 2 years of 14.04 ESM, a kernel Livepatch issue,
DNS-over-HTTPS for Google Chrome plus security updates for ldb, OpenSSL,
Squid, curl and more.


This week in Ubuntu Security Updates

38 unique CVEs addressed


[USN-4888-1, USN-4888-2] ldb vulnerabilities [01:06]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-27840
CVE-2021-20277

Reported against Samba but fixed in the ldb package - libldb provides an
LDAP-like database and is used internally by Samba among others. Whilst
the Samba source tree contains its own copy of ldb, we don't compile that
copy in Ubuntu; instead Samba is linked against the ldb package in the
archive, so a CVE only has to be patched in one place
Heap buffer overflow when parsing a DN string with lots of trailing
whitespace - allows a single NUL byte to be written at a chosen offset
before an allocated buffer
Heap buffer overflow when parsing an LDAP attribute string with multiple
consecutive leading spaces - memmove() to a location beyond the end of
the buffer
Crash -> DoS, can't rule out RCE due to the nature of heap buffer overflows

[USN-4889-1] Linux kernel vulnerabilities [02:49]

3 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2021-27364
CVE-2021-27363
CVE-2021-27365

iSCSI issues discussed in Episode 109 (most interesting were various heap
buffer overflows that could possibly be used for code execution)

[USN-4890-1] Linux kernel vulnerabilities [03:09]

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2020-27170
CVE-2020-27171

BPF speculative execution issues also discussed in Episode 109

[USN-4891-1] OpenSSL vulnerability [03:26]

1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-3449

NULL pointer dereference when processing signature algorithms - could
allow a remote client to crash a server during renegotiation

[USN-3685-2] Ruby regression

9 CVEs addressed in Trusty ESM (14.04 ESM)

CVE-2018-8777
CVE-2018-1000074
CVE-2017-17742
CVE-2017-10784
CVE-2017-14064
CVE-2017-0902
CVE-2017-0901
CVE-2017-0898
CVE-2017-0903

[USN-4893-1] Firefox vulnerabilities [03:47]

8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-23986
CVE-2021-23985
CVE-2021-23984
CVE-2021-23988
CVE-2021-23987
CVE-2021-23983
CVE-2021-23982
CVE-2021-23981

87.0 - various web issues (malicious website -> XSS, DoS, RCE etc) plus
some specific fixes for issues which could allow extensions to either
spoof website pop-ups or read the response of various cross-origin
requests, plus a silent enabling of the DevTools remote debugging feature
(a local attacker could modify the browser config to turn this on
without any hint to the user, and a remote attacker could then use it
to snoop on the browser session)

[USN-4894-1] WebKitGTK vulnerabilities [04:49]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-1870
CVE-2021-1801
CVE-2021-1799
CVE-2021-1789
CVE-2021-1765
CVE-2020-29623
CVE-2020-27918

Usual web issues - malicious website -> XSS, DoS, RCE etc

[USN-4895-1] Squid vulnerabilities [05:19]

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-25097
CVE-2020-15049

2 different HTTP request smuggling issues - one could result in possible
cache poisoning and the other in the ability to bypass security controls
and access forbidden services
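Request smuggling works by getting two HTTP parsers (a proxy such as Squid and the origin behind it) to disagree about where one request ends and the next begins. The following is an added example, not code from the podcast or from Squid, and it does not reproduce the two Squid bugs above; it is a generic check a proxy operator or WAF author could run on a request head to flag the classic header ambiguities (conflicting or duplicated Content-Length, Content-Length alongside Transfer-Encoding, obfuscated Transfer-Encoding values). All function names and the sample requests are constructed for this example.

```python
import re

def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into the request line and a list of
    (name, raw_value) pairs. Values are kept unstripped so that whitespace
    tricks remain visible to the checks below."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            headers.append((line, ""))  # malformed header line, keep for inspection
            continue
        headers.append((name, value))
    return request_line, headers

def smuggling_indicators(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means the head
    shows none of the ambiguities this check knows about."""
    _, headers = parse_head(raw)
    findings = []
    for name, raw_value in headers:
        if name != name.strip():
            findings.append(f"whitespace around header name {name!r}")
        if raw_value.endswith((" ", "\t")):
            findings.append(f"trailing whitespace in {name.strip()!r} value")
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    te = [v.strip() for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:
        findings.append("duplicate Content-Length header")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            findings.append(f"non-numeric Content-Length: {v!r}")
    for v in te:
        if v.lower() != "chunked":
            findings.append(f"unusual Transfer-Encoding value: {v!r}")
    return findings

# Constructed sample request heads (not captured traffic).
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: proxy.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: proxy.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED = (b"POST /submit HTTP/1.1\r\nHost: proxy.example\r\n"
              b"Transfer-Encoding : xchunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("obfuscated", OBFUSCATED)):
        print(label, smuggling_indicators(req))
```

A real deployment would reject or normalise such requests at the edge rather than merely log them; the value of the check is that it makes the proxy's interpretation explicit instead of leaving it to whichever parser happens to be more lenient.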

[USN-4896-1] lxml vulnerability [05:39]

1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-28957

Mishandled HTML attributes which could allow a remote attacker to perform
XSS - depends on how lxml is used in application context

[USN-4897-1] Pygments vulnerability [06:03]

1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-27291

Another Pygments vuln (see Episode 109) - this one due to the use of
regexes in various lexers which have exponential or cubic complexity, so
could allow an attacker to DoS via CPU exhaustion

[USN-4898-1] curl vulnerabilities [06:38]

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-22890
CVE-2021-22876

Failed to strip credentials from Referer headers - could then be leaked
to the next site
Incorrect handling of session tickets when using an HTTPS proxy - an
attacker who controlled the proxy could cause curl to bypass certificate
checks and intercept communications as a result - only affected later
Ubuntu releases (20.04 LTS, 20.10)
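The Referer issue above is a good illustration of why an HTTP client must derive the Referer value from the request URL rather than reuse it verbatim: the userinfo part (user:password@) and the fragment must never be sent. The following is an added example, not curl's code or the fix applied in the update; it shows in Python how a client can build a safe Referer value with the standard library. The function names are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

def has_credentials(url: str) -> bool:
    """True when the URL carries a userinfo component (user or user:password)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None

def referer_value(url: str) -> str:
    """Build the value to send in a Referer header for a request to `url`:
    scheme, host (and port if explicit), path and query, with any userinfo
    and fragment removed. Raises ValueError on a malformed port, which is the
    right thing for a client to do rather than guess."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))

def outgoing_headers(previous_url: str, host: str) -> dict[str, str]:
    """Headers for a follow-up request, demonstrating that the Referer is
    always derived through referer_value() rather than copied."""
    return {"Host": host, "Referer": referer_value(previous_url)}

if __name__ == "__main__":
    # Constructed sample URL; the credentials in it are placeholders.
    sample = "https://alice:hunter2@files.example.com:8443/report?id=7#top"
    print(has_credentials(sample))      # True
    print(referer_value(sample))        # https://files.example.com:8443/report?id=7
    print(outgoing_headers(sample, "next.example.org"))
```

The same derivation is what browsers do before applying a referrer policy; stripping userinfo is not a policy choice but a hard rule, because the credentials belong to the previous origin and the next server has no business seeing them.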

Goings on in Ubuntu Security Community

Livepatch incident for CVE-2020-29372 [07:26]

https://ubuntu.com/blog/livepatch-2021-03-24-incident-investigation-report

Summary of 14.04 ESM so far [09:39]

https://ubuntu.com/blog/what-lies-after-lts-two-years-of-ubuntu-14-04-in-esm

DoH coming for Google Chrome on Linux [11:01]

https://www.bleepingcomputer.com/news/security/google-chrome-for-linux-is-getting-dns-over-https-but-theres-a-catch
Targeting Chrome 91 but perhaps more likely 92 (89 is the current stable
release, with a new release every 6 weeks)
Needs to parse /etc/nsswitch.conf - uses the hosts: entry and expects
'files dns' - should hopefully also support mdns4_minimal so that this
would work with Ubuntu out of the box (since on 20.04 we use these 3
resolvers by default)
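To make the nsswitch.conf point concrete, here is an added example (not Chrome's code, and not from the podcast) of the parsing a DoH-capable client has to do: read the hosts: line, drop action specs such as [NOTFOUND=return] and comments, and decide whether the remaining sources are ones it understands. The acceptance sets mirror the note above (strictly 'files dns', or optionally also mdns4_minimal) and are assumptions for this example; the sample config text is constructed to resemble the Ubuntu 20.04 layout rather than read from a real host.

```python
import re

# Constructed sample /etc/nsswitch.conf contents (not read from a real system).
UBUNTU_DESKTOP_STYLE = """\
# constructed sample mirroring the Ubuntu 20.04 desktop layout
passwd:         files systemd
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
"""
MINIMAL = "hosts: files dns\n"
SYSTEMD_RESOLVED = "hosts: files resolve [!UNAVAIL=return] dns\n"

# Matches nsswitch action specifications such as [NOTFOUND=return].
ACTION_SPEC = re.compile(r"\[[^\]]*\]")

def hosts_sources(conf_text: str) -> list[str]:
    """Return the NSS sources named on the 'hosts:' line, in order, with
    action specs and comments removed. Returns [] when there is no hosts: line."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        database, sep, rest = line.partition(":")
        if sep and database.strip() == "hosts":
            return ACTION_SPEC.sub(" ", rest).split()
    return []

# Assumed acceptance sets for this example, following the note above:
# Chrome expects 'files dns' and may additionally accept mdns4_minimal.
STRICT = {"files", "dns"}
WITH_MDNS = {"files", "dns", "mdns4_minimal"}

def doh_compatible(sources: list[str], allow_mdns: bool = False) -> bool:
    """True when every hosts: source is one the client knows how to handle and
    'dns' is present (without a dns step there is nothing for DoH to replace)."""
    allowed = WITH_MDNS if allow_mdns else STRICT
    return bool(sources) and "dns" in sources and set(sources) <= allowed

if __name__ == "__main__":
    for label, text in (("ubuntu-desktop", UBUNTU_DESKTOP_STYLE),
                        ("minimal", MINIMAL),
                        ("systemd-resolved", SYSTEMD_RESOLVED)):
        src = hosts_sources(text)
        print(f"{label}: {src} strict={doh_compatible(src)} "
              f"with_mdns={doh_compatible(src, allow_mdns=True)}")
```

The systemd-resolved sample shows the kind of configuration that would fail such a check: a source the client has not been taught about (resolve) means it cannot know whether its own DoH lookups would bypass something the administrator relies on, so falling back to the system resolver is the conservative choice.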

Get in contact

[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
