Episode 102

Update: 2021-02-05
Overview


This week we discuss the recent high profile vulnerability found in
libgcrypt 1.9.0, plus we look at updates for the Linux kernel, XStream,
Django, Apport and more.


This week in Ubuntu Security Updates


66 unique CVEs addressed


[USN-4705-2] Sudo vulnerability [00:48 ]



[USN-4708-1] Linux kernel vulnerabilities



[USN-4709-1] Linux kernel vulnerabilities



[USN-4710-1] Linux kernel vulnerability



[USN-4711-1] Linux kernel vulnerabilities



[USN-4712-1] Linux kernel regression



  • Affecting Focal (20.04 LTS), Groovy (20.10)


[USN-4713-1] Linux kernel vulnerability [01:31 ]



  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • XCOPY requests in the LIO SCSI target did not properly check the
    permissions of the requester, so an attacker could access backing
    stores to which they had no permission. When using iSCSI this could be
    exploited over the network to access other LUNs etc. Also affected
    tcmu-runner, the userspace daemon which handles requests in userspace
    and can be used for HA setups etc.


[USN-4707-1] TCMU vulnerability [02:23 ]



  • 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)


  • A separate CVE was assigned, but it is the same issue as for the kernel above


[LSN-0074-1] Linux kernel vulnerability [02:40 ]



[USN-4706-1] Ceph vulnerabilities [02:55 ]



[USN-4714-1] XStream vulnerabilities [03:02 ]



  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)


  • Java library to serialise objects to/from XML

  • Possible RCE by manipulating the processed input stream to inject shell
    commands

  • Similarly could obtain arbitrary file deletion (depending on the rights
    of the process which is using XStream)


[USN-4715-1, USN-4715-2] Django vulnerability [03:58 ]



  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • Directory traversal via archives containing absolute paths or relative
    paths with dot components - such archives are used with startapp or
    startproject via the --template argument, so this can be exploited if an
    attacker controlled archive is used to bootstrap a new Django app etc.
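An added example in Python (not Django's own code) of the check that template
extraction needs: reject member names that are absolute or contain '..'
components, and independently confirm the resolved path stays under the
destination. The archive contents and the destination directory name are
constructed for the example.

```python
import io
import os
import tarfile


def is_safe_member(name):
    """True only if an archive member name cannot escape the extraction dir.

    Rejects the two cases the advisory describes: absolute paths and relative
    paths with '..' components. Backslashes count as separators too.
    """
    if not name:
        return False
    normalized = name.replace("\\", "/")
    # absolute POSIX path ("/etc/x"), UNC ("//srv/x") or drive letter ("C:/x")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    return ".." not in normalized.split("/")


def stays_inside(dest_dir, name):
    """Independent second check: the joined path must resolve under dest_dir."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows: certainly outside
        return False


def build_sample_tar():
    """Constructed sample archive: one benign template file, two hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("app_name/views.py", "../../etc/cron.d/job", "/etc/evil"):
            data = b"# placeholder\n"
            info = tarfile.TarInfo(name)  # addfile() stores the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def filter_archive(data, dest_dir="new_app"):
    """Split an archive's members into (allowed, rejected) name lists."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        names = tar.getnames()
    allowed = [n for n in names if is_safe_member(n) and stays_inside(dest_dir, n)]
    return allowed, [n for n in names if n not in allowed]
```

Only the names in the first list would be extracted; a real extractor should also refuse symlinks and hard links pointing outside the destination.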


[USN-4716-1] MySQL vulnerabilities [05:00 ]



[USN-4717-1] Firefox vulnerabilities [05:32 ]



[USN-4467-2] QEMU vulnerabilities [05:52 ]



[USN-4718-1] fastd vulnerability [06:12 ]



  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Groovy (20.10)


  • DoS in popular VPN daemon for embedded systems etc


[USN-4719-1] ca-certificates update [06:28 ]



  • Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

  • Updated to the latest 2.46 version of the Mozilla certificate authority
    bundle


[USN-4720-1] Apport vulnerabilities [06:46 ]



  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)


  • 3 vulns all discovered by Itai Greenhut and reported to us via Launchpad

  • When a process crashes, Apport reads various files under /proc to obtain
    info about the crashed process to prepare a crash report

  • If an attacker could control the values in these files they could
    cause Apport to misbehave and fail to drop privileges, or possibly get
    code execution. In this case they found that Apport failed to properly
    handle malformed contents in these files; it has been fixed to parse
    them more strictly.


Goings on in Ubuntu Security Community


libgcrypt 1.9.0 0-day [08:32 ]



  • https://bugs.chromium.org/p/project-zero/issues/detail?id=2145

  • Discovered by Tavis Ormandy from GPZ. A heap buffer overflow which
    allows an attacker to overwrite a structure on the heap that contains
    the buffer followed by a function pointer, so code execution can be
    obtained relatively easily by overwriting the function pointer with an
    attacker controlled function (which could be in the initial buffer itself)

  • Ubuntu not affected since this only exists in 1.9.0 which was released on
    19th January this year and even current devel release of Ubuntu 21.04
    only contains 1.8.7

  • So it is an interesting thought experiment: if you run the latest
    release of anything, you get the newest patches automatically BUT you
    also get the 0-days, since any unknown, unpatched vulns introduced in
    the new code will be present. However, if you run older releases, they
    won't have this newer code, so won't have those 0-days, but may have
    N-days if you aren't patching. The worst case is to run old software and
    never update it, since it has vulns that are unpatched and which have
    had more time to be discovered and more time for exploits to be
    developed against them. Whereas if you run the latest code, there is
    less chance an exploit exists for any new vulns / 0-days it may contain,
    but it clearly could have 0-days… Also, if you are constantly upgrading
    to the latest version, that is a lot of churn and introduces the chance
    of feature regressions and other breakage etc. So the best option is to
    run a known stable version and apply patches on top just for security
    vulnerabilities - this is exactly the approach we take for Ubuntu :)


Get in contact


Ubuntu Security Team