Episode 136

Ubuntu Security Podcast

English - November 05, 2021 04:52 - 16 minutes - 11.9 MB - ★★★★★ - 10 ratings

Previous Episode: Episode 135
Next Episode: Episode 137

The road to Ubuntu 22.04 LTS begins so we look at some of its planned
features plus we cover security updates for the Linux kernel, Mailman,
Apport, PHP, Bind and more.

Overview



This week in Ubuntu Security Updates

92 unique CVEs addressed


[USN-5114-1] Linux kernel vulnerabilities [01:15]

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)

CVE-2021-42008
CVE-2021-40490
CVE-2021-38198
CVE-2020-3702

4.15 + HWE on ESM
Race in ath9k -> could fail to properly encrypt traffic -> info leak
KVM shadow pages perms -> local user DoS
ext4 race in xattr handling - local DoS / priv-esc
6pack driver validation failure -> DoS / code-exec

[USN-5115-1] Linux kernel (OEM) vulnerabilities [02:19]

16 CVEs addressed in Focal (20.04 LTS)

CVE-2021-42008
CVE-2021-40490
CVE-2021-38205
CVE-2021-38204
CVE-2021-38166
CVE-2021-3759
CVE-2021-3753
CVE-2021-3743
CVE-2021-3739
CVE-2021-3732
CVE-2021-37159
CVE-2021-3679
CVE-2021-35477
CVE-2021-34556
CVE-2021-33624
CVE-2020-3702

5.10 OEM
As above, plus various BPF hardening fixes against Spectre-like attacks,
fixes for security issues in the tracing subsystem, overlayfs, btrfs and
the Qualcomm IPC router, and an info leak in the Xilinx ethernet driver

[USN-5116-1, USN-5116-2] Linux kernel vulnerabilities [02:55]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-42008
CVE-2021-40490
CVE-2021-38205
CVE-2021-38198
CVE-2021-3732
CVE-2020-3702

5.4 + KVM + bionic HWE + clouds (AWS, Azure, GCP, GKE, IBM, Oracle + RPi)
Race in ath9k -> could fail to properly encrypt traffic -> info leak
KVM shadow pages perms -> local user DoS
ext4 race in xattr handling - local DoS / priv-esc
6pack driver validation failure -> DoS / code-exec
overlayfs + xilinx

[USN-5117-1] Linux kernel (OEM) vulnerabilities [03:29]

4 CVEs addressed in Focal (20.04 LTS)

CVE-2021-3759
CVE-2021-3753
CVE-2021-3743
CVE-2021-3739

5.13 OEM
btrfs, Qualcomm IPC, VT ioctl handling, memory leak in IPC object
handling

[USN-5120-1] Linux kernel (Azure) vulnerabilities [03:40]

9 CVEs addressed in Focal (20.04 LTS)

CVE-2021-40490
CVE-2021-38207
CVE-2021-38199
CVE-2021-3759
CVE-2021-3612
CVE-2021-22543
CVE-2020-36311
CVE-2020-26541
CVE-2019-19449

5.8 Azure

[USN-5119-1] libcaca vulnerabilities [03:53]

2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM),
Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-30499
CVE-2021-30498

text mode graphics handling library
2 buffer overflows -> crash / code exec in handling of TGA images and
when exporting to troff format

[USN-5121-1, USN-5121-2] Mailman vulnerabilities [04:24]

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), 5 CVEs
addressed in Focal (20.04 LTS)

CVE-2021-42096
CVE-2021-42097
CVE-2020-12137 (20.04 LTS only)
CVE-2020-15011 (20.04 LTS only)
CVE-2020-12108 (20.04 LTS only)

2 different CSRF attacks against Mailman - in the first, CSRF tokens were
not properly associated with accounts, so a token could be used to take
over another account
In the second, the CSRF tokens that are generated are derived from the
admin password - a remote attacker could use them to help brute-force
guess the admin password
In both cases the attacker needs to already be an existing list member and
be logged in to mount the attacks
For Focal also included a couple of medium priority vulns (don't affect
older versions):

Possible arbitrary content injection in 2 different ways, where content
provided by an attacker as POST parameters to form-handling scripts is
incorporated into the page shown to a user
So could allow an attacker to, say, inject a URL to be displayed on a
legitimate Mailman admin page, which an unsuspecting user may then follow
thinking it is trusted
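Added example (not Mailman's code) contrasting the two token designs above: a token derived from the admin password, which is deterministic and so confirms password guesses, beside an HMAC token bound to the logged-in account with a random server-side secret. The list name, account names and secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the example; a real service keeps this out of source.
SERVER_SECRET = secrets.token_bytes(32)


def weak_token(admin_password: str, listname: str) -> str:
    """Token derived from the admin password (the pattern behind the
    second issue): it is a pure function of the password, so observed
    tokens let password guesses be confirmed without touching the server."""
    return hashlib.sha1(f"{listname}:{admin_password}".encode()).hexdigest()


def issue_token(account: str, listname: str, now: Optional[int] = None) -> str:
    """Hardened form: HMAC over account, list and expiry under a random
    secret. Nothing about any password is encoded in the token."""
    exp = (now if now is not None else int(time.time())) + 3600
    msg = f"{account}\0{listname}\0{exp}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_token(token: str, account: str, listname: str,
                 now: Optional[int] = None) -> bool:
    """Recompute for the *current* session's account, so a token issued
    to one account cannot be replayed against another (the first issue)."""
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if (now if now is not None else int(time.time())) >= exp:
        return False
    msg = f"{account}\0{listname}\0{exp}".encode()
    good = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, mac)
```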

[USN-5122-1, USN-5122-2] Apport vulnerability [05:41]

Affecting Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
Could trick Apport into writing core files into arbitrary directories -
these could then, say, be interpreted by other root-level applications to
escalate privileges
Changed Apport to write core files to a known location:
/var/lib/apport/coredump

[USN-5123-1, USN-5123-2] MySQL vulnerabilities [06:25]

43 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal
(20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-35648
CVE-2021-35647
CVE-2021-35646
CVE-2021-35645
CVE-2021-35644
CVE-2021-35643
CVE-2021-35642
CVE-2021-35641
CVE-2021-35640
CVE-2021-35639
CVE-2021-35638
CVE-2021-35637
CVE-2021-35636
CVE-2021-35635
CVE-2021-35634
CVE-2021-35633
CVE-2021-35632
CVE-2021-35631
CVE-2021-35630
CVE-2021-35628
CVE-2021-35627
CVE-2021-35626
CVE-2021-35625
CVE-2021-35624
CVE-2021-35623
CVE-2021-35622
CVE-2021-35613
CVE-2021-35612
CVE-2021-35610
CVE-2021-35608
CVE-2021-35607
CVE-2021-35604
CVE-2021-35602
CVE-2021-35597
CVE-2021-35596
CVE-2021-35591
CVE-2021-35584
CVE-2021-35577
CVE-2021-35575
CVE-2021-35546
CVE-2021-2481
CVE-2021-2479
CVE-2021-2478

8.0.27 in Ubuntu 20.04 LTS, Ubuntu 21.04 and Ubuntu 21.10
5.7.36 in Ubuntu 18.04 LTS, Ubuntu 16.04 ESM
https://www.oracle.com/security-alerts/cpuoct2021.html

[USN-5124-1] GNU binutils vulnerabilities [06:53]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2021-3487
CVE-2020-16592

2 issues in libbfd (binary file descriptor library) - can be triggered by
crafted files

UAF when using the hash table implementation
Large memory allocation -> crash

[USN-5009-2] libslirp vulnerabilities [07:30]

6 CVEs addressed in Impish (21.10)

CVE-2021-3595
CVE-2021-3594
CVE-2021-3593
CVE-2021-3592
CVE-2020-29130
CVE-2020-29129

See Episode 124

[USN-5125-1] PHP vulnerability [07:41]

1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM),
Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-21703

Root code exec in PHP-FPM - uses a privileged root-level process and
unprivileged child worker processes, but a child could access shared
memory with the parent and cause it to do OOB R/W -> code execution in
parent -> priv-esc

[USN-5126-1, USN-5126-2] Bind vulnerability [08:33]

1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM),
Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-25219

Possible cache poisoning could lead to DoS via excessive entries in the
cache causing slow lookup performance

[USN-5127-1] WebKitGTK vulnerabilities [08:55]

3 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)

CVE-2021-42762
CVE-2021-30851
CVE-2021-30846

Usual web engine vulns - plus one in the bubblewrap launcher which allows
a limited sandbox bypass - could trick host processes into believing a
sandboxed process was not sandboxed and hence could potentially escalate
privs

[USN-5128-1] Ceph vulnerabilities [09:35]

5 CVEs addressed in Bionic (18.04 LTS), Hirsute (21.04)

CVE-2021-3531
CVE-2021-3524
CVE-2021-3509
CVE-2021-20288
CVE-2020-27781

Goings on in Ubuntu Security Community
22.04 LTS development cycle begins [09:46]

Will include all the features from the various interim releases since the
last LTS (20.04) plus some more
Since it is an LTS, this cycle is mostly to be spent making things as
solid and stable as possible, but a few new features are planned:

nftables supported

Firewalling on Linux has 2 components - a kernel-space mechanism and
userspace tooling to control it
Traditionally the kernel supported iptables (aka xtables: iptables,
ip6tables, arptables, ebtables)
nftables was introduced into the kernel in 3.13 as a new mechanism to
implement network packet classification and handling - aka firewalling
etc
The kernel then has 2 mechanisms - xtables and nftables
Userspace then has 2 primary tools for handling these - iptables for
xtables and nftables (nft) for nftables
iptables userspace added an nft backend so existing iptables rules and
users would be switched to it automatically - Ubuntu was already switched
to the nft backend in 21.04
Now want to support the nftables userspace package for handling nftables
as a first-class system
Also looking at implementing an nftables backend in ufw so it can drive
nftables directly rather than via iptables
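With nftables driven directly, the ruleset is what `nft -j list ruleset` prints. Added example (not from the podcast or the nftables project): audit that JSON and report any base chain on the input or forward hook whose default policy is not drop. The embedded ruleset is constructed in libnftables' JSON schema.

```python
import json

# Constructed sample: an inet table with an input chain that drops by
# default, a forward chain that still accepts, and one regular chain.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.8", "release_name": "E.D.S.",
                  "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input",
               "handle": 1, "type": "filter", "hook": "input", "prio": 0,
               "policy": "drop"}},
    {"chain": {"family": "inet", "table": "filter", "name": "forward",
               "handle": 2, "type": "filter", "hook": "forward", "prio": 0,
               "policy": "accept"}},
    {"chain": {"family": "inet", "table": "filter", "name": "helpers",
               "handle": 3}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input",
              "handle": 4,
              "expr": [{"match": {"op": "==",
                                  "left": {"ct": {"key": "state"}},
                                  "right": ["established", "related"]}},
                       {"accept": None}]}},
]})


def base_chains(ruleset_json: str):
    """Yield only base chains, i.e. chains attached to a netfilter hook;
    regular chains have no 'hook' key and carry no default policy."""
    for obj in json.loads(ruleset_json)["nftables"]:
        chain = obj.get("chain")
        if chain and "hook" in chain:
            yield chain


def open_default_chains(ruleset_json: str, hooks=("input", "forward")):
    """Return 'family/table/chain' for each base chain on the given hooks
    whose policy is not drop. nft treats an absent policy as accept."""
    findings = []
    for c in base_chains(ruleset_json):
        if c["hook"] in hooks and c.get("policy", "accept") != "drop":
            findings.append(f'{c["family"]}/{c["table"]}/{c["name"]}')
    return findings
```

On a live host feed it the output of `nft -j list ruleset` instead of the constructed sample.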

Improvements to OVAL data

Improved information around ESM products etc

Improved handling of pivot_root in AppArmor

Upstream issue https://gitlab.com/apparmor/apparmor/-/issues/113
Once a pivot_root occurs, AppArmor loses track of the original paths, so
if a root-level process is granted pivot_root permission it can move
around inside its own mount namespace to escape the AppArmor policy
AppArmor needs to track root before and after and allow policy to be
specified both pre- and post-pivot_root

Hiring [14:46]
Security - Product Manager

HOME BASED - EMEA (Europe, Middle East, Africa)
Role includes:

guiding the evolution of security offerings from Canonical and Ubuntu
driving compliance and certification of Ubuntu
engaging with the open source security community
telling the story of Canonical’s work to deliver secure platforms

https://canonical.com/careers/2278145/security-product-manager-remote

Get in contact

[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
