Episode 231


Update: 2024-06-28

Description

Overview


A look into CISA’s Known Exploited Vulnerability Catalogue is on our minds this
week, plus we look at vulnerability updates for gdb, Ansible, CUPS, libheif,
Roundcube, the Linux kernel and more.


This week in Ubuntu Security Updates


175 unique CVEs addressed


[USN-6842-1] gdb vulnerabilities (01:10)



  • 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)


  • A couple of these are inherited from binutils, since gdb shares that code:
    parsing of crafted ELF executables can trigger a NULL pointer dereference
    or a possible heap-based buffer overflow -> DoS/RCE

  • Other stack and heap buffer overflows as well, in the parsing of crafted
    Ada files and crafted debug info files -> DoS/RCE


[USN-6845-1] Hibernate vulnerability (02:12)



  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)


  • Object-relational mapping (ORM) library for Java

  • SQL injection in the JPA Criteria API implementation: unvalidated literals
    could end up in the SQL comments of a query when logging is enabled -
    fixed by properly escaping comments in this case


[USN-6846-1] Ansible vulnerabilities (02:46)



  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)


  • Could leak the password into the log file when using the AWS EC2 module,
    since it failed to validate the tower_callback parameter (nowadays called
    aap_callback, for Ansible Automation Platform) appropriately

  • Ansible allows variables to be marked as unsafe, meaning they may come from
    an external, untrusted source and so won't get evaluated/expanded when used,
    to avoid possible info leaks etc. - various issues where Ansible would fail
    to respect this, essentially forgetting they were tagged as unsafe, and end
    up exposing secrets as a result


[USN-6844-1] CUPS vulnerability (04:08)



  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • When starting, cups would chmod the socket specified by the Listen
    parameter to make it world-writable - if that path was a symlink, this
    would instead make the target of the symlink world-writable. In general
    the cups config file is only writable by root, so exploiting this requires
    some other vuln that gives write access to the config file, OR the ability
    to replace the regular cups socket path with a user-controlled symlink -
    but if you can, you can then make the cups config itself world-writable
    and hence modify other parameters such as the user and group that cups
    should run as, and with a crafted FoomaticRIPCommandLine run arbitrary
    commands as root
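As an added example (not CUPS code), the following Python contrasts the dangerous pattern of chmod-ing a configured socket path, which follows symlinks, with a guard that inspects the path without following links and refuses anything that is not a socket; the file names and the constructed scenario are assumptions:

```python
import os
import socket
import stat
import tempfile

def chmod_listen_path_naive(path: str, mode: int = 0o666) -> None:
    # Vulnerable pattern: os.chmod() follows symlinks, so if `path` is a
    # symlink it is the *target* that becomes world-writable.
    os.chmod(path, mode)

def chmod_listen_path_guarded(path: str, mode: int = 0o666) -> None:
    # Hardened pattern: lstat does not follow links; reject symlinks and
    # non-sockets. A TOCTOU window remains between lstat and chmod, so the
    # robust fix is to set the mode at creation time (umask/fchmod) instead.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"refusing to chmod symlink {path}")
    if not stat.S_ISSOCK(st.st_mode):
        raise PermissionError(f"{path} is not a socket")
    os.chmod(path, mode)

def demo_symlink(naive: bool) -> int:
    """Constructed scenario: a protected config file and a symlink to it posing
    as the Listen socket. Returns the config's mode bits after the chmod."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "cupsd.conf")
        with open(conf, "w") as f:
            f.write("Listen /run/cups/cups.sock\n")
        os.chmod(conf, 0o600)
        link = os.path.join(d, "cups.sock")
        os.symlink(conf, link)
        fn = chmod_listen_path_naive if naive else chmod_listen_path_guarded
        try:
            fn(link)
        except PermissionError:
            pass  # the guard rejected the symlink; the config stays 0o600
        return stat.S_IMODE(os.stat(conf).st_mode)

def demo_real_socket() -> int:
    """The guarded version still works on a genuine Unix socket."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cups.sock")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)
        chmod_listen_path_guarded(path)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        s.close()
        return mode
```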


[USN-6849-1] Salt vulnerabilities (06:20)



  • 2 CVEs addressed in Trusty ESM (14.04 ESM)


  • Failed to properly validate paths in some methods and also failed to
    restrict access to other methods, allowing them to be used without
    authentication - could allow arbitrary directory access, retrieval of
    tokens from the master, or running arbitrary commands on minions


[USN-6746-2] Google Guest Agent and Google OS Config Agent vulnerability (06:44)



  • 1 CVE addressed in Noble (24.04 LTS)


  • A vuln in the embedded Go protobuf module - parsing JSON could end up in an
    infinite loop -> DoS


[USN-6850-1] OpenVPN vulnerability (07:04)



[USN-6847-1] libheif vulnerabilities (07:36)



[USN-6848-1] Roundcube vulnerabilities (08:21)



  • 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)


  • Webmail front-end for IMAP

  • 2 different possible XSS issues due to mishandling of SVG - an email
    containing an SVG could embed JS that then gets loaded when the email is
    viewed

  • Also possible XSS through a crafted user preference value, and similarly
    through a crafted Content-Type/Content-Disposition header, which can be
    used for attachment preview/download


[USN-6819-4] Linux kernel (Oracle) vulnerabilities (09:21)



Ubuntu Security Team