
Episode 164

Ubuntu Security Podcast

English - June 17, 2022 09:47 - 11 minutes - 8.22 MB - ★★★★★ - 10 ratings


More Intel CPU issues, including Hertzbleed and MMIO stale data, plus we
cover security vulnerabilities and updates for ca-certificates, Varnish
Cache, FFmpeg, Firefox, PHP and more.


This week in Ubuntu Security Updates

64 unique CVEs addressed


[USN-5473-1] ca-certificates update [00:41]

Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
Updates to the latest 2.50 version of the Mozilla CA bundle. In
particular this removes a number of expired certs plus an old (but still
valid) GeoTrust certificate and others, and also adds some new CA certs
from GlobalTrust, Certum and GlobalSign.

[USN-5396-2] Ghostscript vulnerability [01:30]

1 CVE addressed in Xenial ESM (16.04 ESM)

CVE-2019-25059

Covered previously in Episode 158

[USN-5474-1] Varnish Cache vulnerabilities [01:41]

4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-23959
CVE-2021-36740
CVE-2020-11653
CVE-2019-20637

Thanks to Luís Infante da Câmara for preparing, testing and providing the
debdiffs for these updates

Possible HTTP/1 and HTTP/2 request smuggling attacks
DoS via triggering an assertion failure
A pointer belonging to one client is reused for the next client if both
share the same connection, which can expose info from the old client to
the new one

[USN-5472-1] FFmpeg vulnerabilities [02:30]

35 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2021-38291
CVE-2020-22025
CVE-2022-1475
CVE-2021-38171
CVE-2021-38114
CVE-2020-35965
CVE-2020-22037
CVE-2020-22035
CVE-2020-22030
CVE-2020-22029
CVE-2020-22027
CVE-2020-22033
CVE-2020-22021
CVE-2020-22019
CVE-2020-22042
CVE-2020-22036
CVE-2020-22034
CVE-2020-22032
CVE-2020-22031
CVE-2020-22028
CVE-2020-22026
CVE-2022-22025
CVE-2020-22023
CVE-2020-22022
CVE-2020-22020
CVE-2020-22017
CVE-2020-22016
CVE-2020-22015
CVE-2020-21697
CVE-2020-21688
CVE-2020-21041
CVE-2020-20450
CVE-2020-20453
CVE-2020-20446
CVE-2020-20445

Thanks to Luís Infante da Câmara for preparing, testing and providing the
debdiffs for these updates
Updates ffmpeg to the latest upstream bug-fix releases:

4.4.2 for 21.10, 22.04 LTS
4.2.7 for 20.04 LTS
3.4.11 for 18.04 LTS

[USN-5475-1] Firefox vulnerabilities [03:04]

12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)

CVE-2022-31748
CVE-2022-31747
CVE-2022-31745
CVE-2022-31744
CVE-2022-31743
CVE-2022-31742
CVE-2022-31741
CVE-2022-31740
CVE-2022-31738
CVE-2022-31737
CVE-2022-31736
CVE-2022-1919

Updates to 101.0.1
Usual mix of web browser / framework issues fixed - a specially crafted
website could exploit these to cause a DoS, leak info, spoof the browser
UI, conduct XSS attacks, bypass content security policy (CSP)
restrictions, or execute arbitrary code

[USN-5476-1] Liblouis vulnerabilities [03:54]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-31783
CVE-2022-26981

Braille translation library + utils
Buffer overflow -> crash -> DoS
OOB write -> crash -> DoS / RCE

[USN-5359-2] rsync vulnerability [04:27]

1 CVE addressed in Xenial ESM (16.04 ESM)

CVE-2018-25032

Covered previously in Episode 156 (zlib memory corruption issue when compressing input data)

[USN-5477-1] ncurses vulnerabilities [04:54]

6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

CVE-2022-29458
CVE-2021-39537
CVE-2019-17595
CVE-2019-17594
CVE-2018-19211
CVE-2017-16879

Various memory corruption vulns fixed - each requires processing a
crafted input file (e.g. a termcap file), but such input is usually
trusted, hence the negligible rating for most of these CVEs

[USN-5478-1] util-linux vulnerability [05:28]

1 CVE addressed in Xenial ESM (16.04 ESM)

CVE-2016-5011

Memory leak in libblkid when parsing crafted MSDOS partition table

[USN-5479-1] PHP vulnerabilities [05:40]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)

CVE-2022-31626
CVE-2022-31625

Both issues are in the handling of crafted inputs to database drivers -
one for PostgreSQL and one for MySQL

Uninitialised variable in the pg driver -> UAF in a certain error
scenario -> RCE
Buffer overflow in the password handler for mysqlnd (native driver) - a
rogue MySQL server could trigger this to get RCE

Goings on in Ubuntu Security Community
News on latest Intel security issues [06:33]

Hertzbleed & MMIO stale data both disclosed this week
Hertzbleed - interesting new crypto side-channel attack demonstrated
against SIKE (Supersingular Isogeny Key Encapsulation - post-quantum key
encapsulation mechanism)

Turns a frequency side-channel into a timing side-channel such that
code which was previously assumed to be constant time can still leak
information about the key, allowing it to be recovered by mounting a
chosen cipher-text attack from a client, observing the timing response
of the server and then inferring the secret key as a result
Acknowledged by both Intel and AMD, but likely all modern processors
which employ dynamic voltage and frequency scaling are affected
Intel has released guidance on how to harden crypto implementations
against this attack
No changes/fixes for this in kernel/microcode/toolchain etc - instead it
will be up to individual libraries to assess whether they may be
affected and then refactor accordingly

MMIO stale-data

Vulns in memory-mapped I/O - generally only applicable to
virtualisation, when untrusted guests have access to MMIO

Not transient execution attacks themselves, but since these vulns
allow stale data to persist, that data can then be inferred by a TEA
(transient execution attack - think Spectre etc)

Consists of a series of different issues for various microarchitectural
buffers / registers where stale data is left behind after being copied /
moved - it can then be sampled via a TEA to infer the value
Different processor models have different microarchitectural buffers, so
some may or may not be affected
3 separate vulns (CVEs) identified based on the microarchitectural
buffer affected and the technique used to read from it
Fixes required in both the kernel and intel-microcode packages

Kernels will have already been released by the time you hear this
Microcode is currently being released via the -updates pocket of the
archive - will then publish to -security once fully phased to all
users

Likely early on Monday next week

More details in next week’s episode
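Since the MMIO stale data fixes need both a kernel and a microcode update, the practical check after patching is what the kernel itself reports under /sys/devices/system/cpu/vulnerabilities (one file per issue, including mmio_stale_data on kernels carrying the fix). The script below is an added example and not part of the podcast or of any Ubuntu package; it classifies each entry and flags anything the kernel still reports as Vulnerable, and it takes a directory argument so it can be exercised against constructed sample files (the sample status strings are constructed to mirror the sysfs format, not captured from a real machine).

```shell
#!/bin/sh
# Added example (not from the podcast): summarise the kernel's own view of
# CPU vulnerability mitigations. With no argument it reads the real sysfs
# directory; with "--demo" it runs against a constructed sample directory.

# Classify one sysfs vulnerability file. Prints one of:
#   ok      - "Not affected" or a "Mitigation: ..." status
#   VULN    - the kernel reports "Vulnerable" (e.g. fixed kernel but no microcode)
#   unknown - missing file or any other status text
classify_vuln_file() {
    status=$(cat "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$status" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*) echo VULN ;;
        *) echo unknown ;;
    esac
}

# Walk a vulnerabilities directory, printing name, verdict and raw status.
# Returns 0 if nothing is reported as Vulnerable, 1 otherwise.
report_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        verdict=$(classify_vuln_file "$f")
        printf '%-20s %-8s %s\n' "$name" "$verdict" "$(cat "$f")"
        [ "$verdict" = VULN ] && rc=1
    done
    return $rc
}

# Constructed sample directory mirroring the sysfs layout; the
# mmio_stale_data entry is deliberately left unmitigated, as it would be
# on a kernel that has the fix but not the matching intel-microcode.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$d/mmio_stale_data"
    printf 'Not affected\n' > "$d/srbds"
    echo "$d"
}

# Stand-alone use: "./cpuvulns.sh" for the live system, "./cpuvulns.sh --demo"
# for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    report_cpu_vulns "$(make_sample_dir)" || echo "one or more CPU issues still unmitigated"
elif [ "${1:-}" = "--live" ]; then
    report_cpu_vulns || echo "one or more CPU issues still unmitigated"
fi
```

The verdict is taken from the kernel's status line rather than from package versions on purpose: a freshly installed intel-microcode package does nothing until the CPU has actually loaded it (normally at the next boot), and the sysfs entry reflects what is loaded now.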

Get in contact

[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
