Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.
Episode 202
Overview
We take a sneak peek at the upcoming AppArmor 4.0 release, plus we cover vulnerabilities in AccountsService, the Linux Kernel, ReportLab, GNU Screen, containerd and more.
This week in Ubuntu Security Updates
50 unique CVEs addressed
[USN-6190-1] AccountsService vulnerability (00:47)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Mentioned in passing last week - reported to us by Kevin Backhouse from the GitHub Security Lab team
- DBus service that provides APIs to add, delete or modify system accounts - i.e. create a new user etc.
- Originally developed by GNOME - used by gnome-control-center etc.
- Also allows configuring language / locale settings etc.
- In Ubuntu, we carry a custom patch which is used to synchronise the language and locale from accountsservice to the local user's ~/.pam_environment file, which is used to configure various per-user session environment variables - this way, no matter how you log in to an Ubuntu system, the locale etc. that you configured via g-c-c gets used
- Turned out there were a number of cases of UAF due to logic errors in the original patch - so an unprivileged user could trigger this and crash the accounts-daemon, which runs as root
[USN-6191-1] Linux kernel regression (02:44)
- Affecting Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Spurious warning message would be printed via the IPv6 subsystem
[USN-6192-1] Linux kernel vulnerabilities (03:10)
- 2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- Off-by-one in the flower network traffic classifier - a flow-based traffic control filter which allows defining a “flow” by a set of key/value pairs (i.e. src MAC address, port number or various other types) - could be leveraged for DoS or potential code execution - PoC posted publicly, but even then it was stated that it doesn’t even crash the kernel; however gdb can be used to detect the OOB write
- Mishandling of locking in the io_uring subsystem - a local attacker could use this to trigger a deadlock and hence a DoS
- Possible info leak via stale page table entries - when KPTI was introduced in the wake of Meltdown, to minimise the cost of flushing the page tables on every entry/exit to/from kernel space, PCIDs (a hardware feature introduced in more recent Intel processors) were used to reduce this cost by only flushing on exit back to userspace - this is done by issuing the INVLPG instruction - but it was found that on certain hardware platforms this did not actually flush the global TLB, contrary to expectation - and so could leak kernel memory back to userspace
[USN-6193-1] Linux kernel vulnerabilities
- 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- TC flower + INVLPG
[USN-6194-1] Linux kernel (OEM) vulnerabilities (06:04)
- 3 CVEs addressed in Jammy (22.04 LTS)
- io_uring and TC flower, plus OOB read in the InfiniBand RDMA driver - DoS / info leak
[USN-6195-1] Vim vulnerabilities (06:26)
- 6 CVEs addressed in Jammy (22.04 LTS)
- More vim fuzzing results - OOB read, UAF, heap buffer overflow, NULL pointer dereference etc.
[USN-6196-1] ReportLab vulnerability (06:47)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Python library for producing PDFs - often used to convert HTML to PDF etc.
- Bypass of validation originally put in place for a previous CVE-2019-17626 (see [USN-4273-1] ReportLab vulnerability in Episode 62)
- That vuln was RCE since reportlab would call the Python eval() function directly on a value obtained from an XML document - to fix that, a complex validation scheme was introduced so they could still use eval() without having to remove this functionality - the new update disables this by default and instead only allows a much more limited subset of colors to be parsed
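As an added example (not ReportLab's own code), the eval() pattern that the original CVE fixed beside a hardened parser that accepts only a fixed whitelist of colour syntaxes and never evaluates its input; the named-colour table is a constructed subset:

```python
import re
from typing import Tuple

# Added example, not ReportLab's own code. The pre-CVE-2019-17626 pattern
# fed an attribute value from the XML straight to eval(); the hardened
# parser below accepts only named colours, #rrggbb and rgb(r, g, b).

NAMED_COLORS = {  # constructed subset of named colours
    "red": (1.0, 0.0, 0.0),
    "green": (0.0, 0.5, 0.0),
    "blue": (0.0, 0.0, 1.0),
    "black": (0.0, 0.0, 0.0),
    "white": (1.0, 1.0, 1.0),
}
_HEX_RE = re.compile(r"^#([0-9a-fA-F]{6})$")
_RGB_RE = re.compile(r"^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$")


def unsafe_color_eval(value: str):
    """The dangerous pattern: any Python expression in the attribute runs."""
    return eval(value)  # shown only to contrast with parse_color; never use


def parse_color(value: str) -> Tuple[float, float, float]:
    """Parse 'red', '#rrggbb' or 'rgb(r, g, b)' into floats in 0..1.

    Anything else raises ValueError instead of being evaluated.
    """
    value = value.strip()
    if value.lower() in NAMED_COLORS:
        return NAMED_COLORS[value.lower()]
    m = _HEX_RE.match(value)
    if m:
        h = m.group(1)
        return tuple(int(h[i:i + 2], 16) / 255.0 for i in (0, 2, 4))
    m = _RGB_RE.match(value)
    if m:
        parts = tuple(int(p) for p in m.groups())
        if max(parts) > 255:  # \d{1,3} also matches 256..999
            raise ValueError(f"rgb component out of range: {value!r}")
        return tuple(p / 255.0 for p in parts)
    raise ValueError(f"unsupported colour syntax: {value!r}")


def is_valid_color(value: str) -> bool:
    """True only for values parse_color accepts."""
    try:
        parse_color(value)
        return True
    except ValueError:
        return False
```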
[USN-6197-1] OpenLDAP vulnerability (08:48)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- NULL pointer deref in certain circumstances if it failed to allocate memory during various string handling operations - unlikely to be able to be triggered easily (would first need a memory leak bug or similar…)
[USN-6198-1] GNU Screen vulnerability (09:25)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- screen provides an API to allow the processes under its control to be, say, killed from another session - but would fail to check if the specified PID was actually owned by the calling user - so if screen was setuid, this would allow a local user to send a SIGHUP to any other process on the system
- In Ubuntu screen is not setuid so this was not a real issue
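The ownership check that was missing, as an added example that is not GNU Screen's code: the target's real UID is read from a constructed /proc/<pid>/status excerpt and compared with the caller's real UID before any signal is sent.

```python
import os
import signal

# Added example, not GNU Screen's code. A setuid helper passes the kernel's
# own kill() permission check for every process, so it must verify itself
# that the target belongs to the caller's *real* UID before signalling.

SIGHUP = signal.SIGHUP

# Constructed /proc/<pid>/status excerpt for a process owned by uid 1000.
SAMPLE_STATUS = (
    "Name:\tbash\nState:\tS (sleeping)\nPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
)


def real_uid_from_status(status_text: str) -> int:
    """Return the real UID from the 'Uid:' line (real, effective, saved, fs)."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid: line in status text")


def read_status(pid: int) -> str:
    """Read /proc/<pid>/status for a live process (Linux only)."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return f.read()


def safe_kill(pid: int, sig: int, caller_uid=None,
              status_reader=read_status, killer=os.kill) -> bool:
    """Send sig to pid only if the target is owned by caller_uid.

    caller_uid defaults to os.getuid(), the real UID, which is what a
    setuid helper must compare against rather than its effective UID.
    """
    if caller_uid is None:
        caller_uid = os.getuid()
    try:
        owner = real_uid_from_status(status_reader(pid))
    except (FileNotFoundError, ProcessLookupError, ValueError):
        return False  # target gone or unreadable: refuse
    if owner != caller_uid:
        return False  # the check the vulnerable code lacked
    killer(pid, sig)
    return True
```

Reading /proc and then calling kill() still leaves a PID-reuse window; on Linux 5.1+ an os.pidfd_open() handle with signal.pidfd_send_signal() (Python 3.9+) closes it.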
[USN-6199-1] PHP vulnerability (10:35)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- When generating a nonce for use in HTTP Digest during SOAP authentication, it wouldn’t actually check the return value from the call to generate random data for the nonce - as such, the nonce would be whatever was previously in the stack memory - so it could leak info from the stack, or this could be, say, all zeros, which would defeat the purpose of the nonce
[USN-6200-1] ImageMagick vulnerabilities (11:27)
- 20 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- Time for another frequent mention in the podcast - ImageMagick (seems to come up every 10 episodes or so)
- Huge range of CVEs fixed across the various releases with some dating back to 2020
- OOB read, stack buffer overflow, NULL ptr deref, lots of heap buffer overflows
- Since 20.04, ImageMagick is now in universe, so for 20.04 LTS this update is available via Ubuntu Pro
[USN-6201-1] Firefox vulnerabilities (12:27)
- 13 CVEs addressed in Focal (20.04 LTS)
- Version 115.0
- Usual web browser issues (DoS, domain bypass, RCE etc) - but also bypass of cookie storage protections, possible spoofing attack via fullscreen notifications and others
[USN-6202-1] containerd vulnerabilities (13:09)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- DoS when importing an OCI image with a really large manifest or image layout file - would try and read the whole JSON file into memory - could cause containerd to crash by running out of memory - now limited to 20MB
[USN-6203-1] Django vulnerability (13:55)
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- ReDoS in the EmailValidator and URLValidator classes when parsing really long strings - fixed by rejecting anything longer than some hardcoded constants (2KB for URL, 320 chars for email as per RFC x3696) before the regex is run
Goings on in Ubuntu Security Community
AppArmor 4.0-alpha1 in progress (14:44)
- https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-alpha1
- “Bridge” between 3.0 style policy and new 4.0 policy
- New profile flags
  - unconfined, debug
- New mediation types
- Minor changes
  - Ability to filter the output of aa-status
  - Inclusion of a new utility called aa-load which can load pre-compiled / cached binary policies without the use of apparmor_parser
  - Ability to run and compile policies as an unprivileged user (still need to be root to actually load the policy into the kernel)
AppArmor kernel fixes for Linux 6.5 (20:42)
Get in contact