Episode 121

Ubuntu Security Podcast

English - June 25, 2021 03:06 - 14 minutes - 12 MB - ★★★★★ - 10 ratings
Ubuntu One opens up two-factor authentication for all, plus we cover
security updates for Nettle, libxml2, GRUB2, the Linux kernel and more.

Overview

This week in Ubuntu Security Updates

73 unique CVEs addressed


[USN-4989-2] BlueZ vulnerabilities [00:57]

2 CVEs addressed in Xenial ESM (16.04 ESM)

CVE-2020-27153
CVE-2020-26558

Covered in Episode 120: a Bluetooth spec issue around pairing takeover, plus
a possible double-free in gatttool that is likely quite hard to exploit due
to the timing window of the race between the two free() calls

[USN-4990-1] Nettle vulnerabilities [01:27]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2018-16869
CVE-2021-3580

Low-level crypto library used by lots of packages: chrony, dnsmasq,
lighttpd, qemu, squid, supertuxkart
Last covered just a few weeks ago in Episode 112; is someone taking a
closer look at this library?
Bleichenbacher-type side-channel, based on a padding oracle in the
endian conversion of RSA-decrypted PKCS#1 v1.5 data; requires running a
process on the same physical core as the victim, but could then allow
the plaintext to be extracted
Possible crash in the RSA code, triggerable on decryption of manipulated
ciphertext
The changes required for both of these are too intrusive to backport to the
older releases (e.g. 16.04 ESM), so the suggestion is to upgrade to a newer
Ubuntu release if you are using Nettle on these older releases and are
concerned about possible attacks

[USN-4991-1] libxml2 vulnerabilities [03:08]

8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-3541
CVE-2021-3537
CVE-2021-3518
CVE-2021-3516
CVE-2021-3517
CVE-2020-24977
CVE-2019-20388
CVE-2017-8872

Crafted XML could possibly trigger a crash -> DoS or RCE

[USN-4992-1] GRUB 2 vulnerabilities [03:33]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2021-20233
CVE-2021-20225
CVE-2020-27779
CVE-2020-27749
CVE-2020-25632
CVE-2020-14372

Covered in Episode 106: the BootHole 2021 updates are now published to the
security pocket
Vulns included the ability to load ACPI tables, a UAF in rmmod, a buffer
overflow in the command-line parser, a cutmem command boot locking bypass, a
heap buffer overflow in the option parser and an OOB write in menu rendering
-> RCE; all could lead to a bypass of Secure Boot protections
Includes the single unified GRUB, i.e. the same GRUB EFI binary is used
across all recent Ubuntu releases
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021

[USN-4993-1] Dovecot vulnerabilities [05:13]

2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-33515
CVE-2021-29157

STARTTLS plaintext command injection vuln via SMTP; plus, if a local
attacker could write files to disk, they could supply their own keys to
validate a JSON Web Token they had supplied themselves, and hence log in as
any other user and access their emails when OAUTH2 is in use

[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-30641
CVE-2021-26691
CVE-2021-26690
CVE-2020-35452
CVE-2020-13950

Various DoS issues where, under certain configurations, an attacker could
issue particular requests and trigger various crashes in Apache

[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2021-3605
CVE-2021-3598
CVE-2021-26260
CVE-2021-23215
CVE-2021-20296

Usual mix of issues for a library that is written in a memory-unsafe
language and handles complex image formats etc.
Found courtesy of OSS-Fuzz

[USN-4995-1] Thunderbird vulnerabilities [06:48]

20 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)

CVE-2021-29957
CVE-2021-29956
CVE-2021-29949
CVE-2021-29948
CVE-2021-24002
CVE-2021-23995
CVE-2021-23993
CVE-2021-23992
CVE-2021-23991
CVE-2021-23984
CVE-2021-29967
CVE-2021-29946
CVE-2021-29945
CVE-2021-23999
CVE-2021-23998
CVE-2021-23994
CVE-2021-23987
CVE-2021-23982
CVE-2021-23981
CVE-2021-23961

78.11.0: the usual mix of untrusted content/web framework issues inherited
from Firefox, plus fixes for OpenPGP key handling, a TOCTTOU-type condition
in message signature checking (signatures were written out to disk and
could then be replaced before being verified), and a UX issue in the display
of inline signed/encrypted messages that contain additional unprotected parts

[USN-4997-1] Linux kernel vulnerabilities [08:22]

17 CVEs addressed in Hirsute (21.04)

CVE-2021-3543
CVE-2021-3506
CVE-2021-33034
CVE-2021-32399
CVE-2021-31829
CVE-2021-31440
CVE-2021-23134
CVE-2021-23133
CVE-2020-26147
CVE-2020-26145
CVE-2020-26141
CVE-2020-26139
CVE-2020-24588
CVE-2020-24587
CVE-2020-24586
CVE-2021-33200
CVE-2021-3609

5.11
Basically the same set of fixes for all kernels, including a couple of quite
interesting ones:

eBPF verifier bypass provides an OOB write primitive, which could allow a
local attacker to perform code execution in the kernel -> privesc
Race condition in the CAN BCM networking protocol -> various UAFs -> code
execution as well

Plus others -> Wi-Fi FragAttacks fixes, other eBPF verifier fixes, SCTP
race condition -> UAF etc.

[USN-4999-1] Linux kernel vulnerabilities [09:51]

17 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2021-31829
CVE-2021-31440
CVE-2021-29155
CVE-2021-23133
CVE-2020-26147
CVE-2020-26145
CVE-2020-26141
CVE-2020-26139
CVE-2020-25673
CVE-2020-25672
CVE-2020-25671
CVE-2020-25670
CVE-2020-24588
CVE-2020-24587
CVE-2020-24586
CVE-2021-33200
CVE-2021-3609

5.8 (groovy, focal hwe)

[USN-5000-1] Linux kernel vulnerabilities [10:08]

15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3506
CVE-2021-33034
CVE-2021-32399
CVE-2021-31829
CVE-2021-23134
CVE-2021-23133
CVE-2020-26147
CVE-2020-26145
CVE-2020-26141
CVE-2020-26139
CVE-2020-24588
CVE-2020-24587
CVE-2020-24586
CVE-2021-33200
CVE-2021-3609

5.4 (focal, bionic hwe)

[USN-5001-1] Linux kernel (OEM) vulnerabilities

15 CVEs addressed in Focal (20.04 LTS)

CVE-2021-3543
CVE-2021-3506
CVE-2021-33034
CVE-2021-32399
CVE-2021-31440
CVE-2021-23134
CVE-2021-23133
CVE-2020-26147
CVE-2020-26145
CVE-2020-26141
CVE-2020-26139
CVE-2020-24588
CVE-2020-24587
CVE-2020-24586
CVE-2021-3609

5.10

[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]

1 CVE addressed in Bionic (18.04 LTS)

CVE-2021-3609

5.3
CAN BCM

[USN-5003-1] Linux kernel vulnerabilities [10:35]

3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2021-23133
CVE-2021-3600
CVE-2021-3609

4.15 (bionic, xenial esm hwe, trusty esm azure)
CAN BCM and eBPF verifier OOB write

Goings on in Ubuntu Security Community

2FA coming to Ubuntu One [11:04]

https://ubuntu.com/blog/two-factor-authentication-coming-to-ubuntu-one
Used for access to discourse.ubuntu.com, Launchpad, the Ubuntu Forums,
publishers on the Snap Store etc.
Allows the use of a phone / desktop TOTP app as the second factor, or a
YubiKey TOTP etc.
Has actually been supported since 2014, but was only available to a beta
testing group plus all Canonical employees, due to challenges in account
recovery

Since Ubuntu One purposefully doesn't store any real identifying
information (name, email, username), we can't easily verify account
holders if they lose their 2FA device
The intent is to be robust even in the event that a user's email address
is compromised

Now has a comprehensive code recovery experience, including printable
backup codes and mechanisms in place to encourage users to exercise their
backup codes, so that users can feel confident using them if they need
to (i.e. where did I put my backup codes again..?)

Get in contact

[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter