Episode 232


Update: 2024-07-05

Overview


This week we deep-dive into one of the best vulnerabilities we’ve seen in a long
time regreSSHion - an unauthenticated, remote, root code-execution vulnerability
in OpenSSH. Plus we cover updates for Plasma Workspace, Ruby, Netplan,
FontForge, OpenVPN and a whole lot more.


This week in Ubuntu Security Updates


39 unique CVEs addressed


[USN-6843-1] Plasma Workspace vulnerability (01:23)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • KDE Session Manager - used for restoring previously running applications at
    next boot

  • Allows clients to connect to it via the Inter-Client Exchange (ICE)
    protocol - a protocol within X that lets X clients interact with one
    another

  • Since X supports remote clients, it is important to authenticate
    connections - in this case KDE SM authenticated connections to ensure they
    came from the local machine - but this then allowed any local user to
    connect to another user's SM and use the session management features to
    set an arbitrary application to be run, as that other user, when the
    session is restored


[USN-6852-1, USN-6852-2] Wget vulnerability (02:42)



  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • Mishandled semicolons in the userinfo part of a URL - the user@host:port
    combination - so wget could end up using a different hostname than the one
    the user expected


[USN-6853-1] Ruby vulnerability (03:12)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)


  • Provides the ungetbyte()/ungetc() methods for pushing characters back onto
    an IO stream - these could read beyond the end of the buffer - an
    out-of-bounds (OOB) read


[USN-6851-1] Netplan vulnerabilities (03:37)



  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • Two different issues

    • When configuring a WireGuard interface, netplan would write the WireGuard
      private key into the generated interface configuration - but would then
      leave this file with world-readable permissions

    • The key can be specified either as the filename of the private key OR as
      the private key itself - so if the actual private key had been specified,
      it was now readable by any other local user

      • Fixed to use restrictive permissions on the generated configuration
        files and to fix up any existing ones as well

    • Failed to escape control characters in various backend files - a
      malicious application that is able to create a netplan configuration
      could then abuse this to get code execution as netplan




[USN-6851-2] Netplan regression



  • Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)

  • Failed to properly apply the permissions fixup to already existing files


[USN-6854-1] OpenSSL vulnerability (05:10)



  • 1 CVE addressed in Jammy (22.04 LTS)


  • Related to a historical vulnerability - https://dheatattack.gitlab.io/ - CVE-2002-20001

  • DoS against the Diffie-Hellman key exchange protocol - during key
    negotiation a client can trigger expensive CPU calculations -> CPU-based DoS


[USN-6856-1] FontForge vulnerabilities (05:50)



  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)


  • Uses various external utilities to do things like decompress archive files

  • However, it did this via the system() library call - which spawns a shell -
    so if a filename contained any shell metacharacters, arbitrary code
    execution could easily be achieved

  • Changed to use the utility functions from glib that do not spawn a shell and
    instead just exec() the expected command directly
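As an added illustration (not FontForge's own code), the two patterns side by side: a helper that pastes a filename into a "sh -c" command line, which is what system() does, versus one that hands the filename over as a single argv element with no shell in between. The tool name and the filename used for the demonstration are assumed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv with stdout captured into out; returns the child's wait status. */
static int capture(char *const argv[], char *out, size_t outlen) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fd[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Vulnerable pattern: the filename is pasted into one string that goes to
 * "sh -c", exactly what system() does, so shell metacharacters in the name
 * are parsed as shell syntax. (Assumed stand-in; FontForge's real call
 * sites are not reproduced here.) */
int run_tool_via_shell(const char *tool, const char *filename, char *out, size_t outlen) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s %s", tool, filename);
    char *const argv[] = { "/bin/sh", "-c", cmd, NULL };
    return capture(argv, out, outlen);
}

/* Hardened pattern: the filename is one argv element and no shell is
 * involved, the same no-shell approach as the glib spawn functions the
 * fix switched to. */
int run_tool_direct(const char *tool, const char *filename, char *out, size_t outlen) {
    char *const argv[] = { (char *)tool, (char *)filename, NULL };
    return capture(argv, out, outlen);
}
```

Run both helpers with "echo" as the tool and a constructed filename containing "; echo ..." and the direct variant prints the name literally while the shell variant runs two commands.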


[USN-6857-1] Squid vulnerabilities (06:48)



[USN-6566-2] SQLite vulnerability



[USN-5615-3] SQLite vulnerability



[USN-6855-1] libcdio vulnerability (06:58)



  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)


  • ISO file parser - used strcpy() instead of strncpy(), so a crafted image
    could quite easily cause a buffer overflow and hence possible code execution
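An added example (not libcdio's code) of this bug class in an ISO 9660 parser: descriptor fields such as the 32-byte volume identifier are fixed-width, space-padded and carry no NUL terminator, so strcpy() from such a field runs off its end. The bounded copy below always terminates and trims the padding; the field layout is assumed from the ISO 9660 spec for this example, and the helper that builds a sample field is constructed for testing.

```c
#include <string.h>
#include <stddef.h>

/* ISO 9660 descriptor fields are fixed-width, space-padded and carry no NUL
 * terminator; the volume identifier is 32 bytes (layout assumed here). */
#define ISO_VOLUME_ID_LEN 32

/* Build a constructed field for testing: space-padded, no terminator. */
void make_volume_id_field(char field[ISO_VOLUME_ID_LEN], const char *text) {
    size_t len = strlen(text);
    if (len > ISO_VOLUME_ID_LEN) len = ISO_VOLUME_ID_LEN;
    memset(field, ' ', ISO_VOLUME_ID_LEN);
    memcpy(field, text, len);
}

/* Vulnerable pattern: strcpy() copies until it finds a NUL, which a crafted
 * image need not place inside the field, so it reads past the field and
 * writes past dst. Shown for comparison only; it is never called on the
 * constructed field above. */
void copy_volume_id_unsafe(char *dst, const char *field) {
    strcpy(dst, field);
}

/* Hardened: copy at most the field width (or what dst can hold), always
 * NUL-terminate, then strip the space padding. Returns the resulting
 * length. Plain strncpy() would not add the NUL when the field uses all
 * 32 bytes, so termination is done explicitly. */
size_t copy_volume_id_safe(char *dst, size_t dstlen, const char *field) {
    if (dstlen == 0) return 0;
    size_t n = ISO_VOLUME_ID_LEN;
    if (n > dstlen - 1) n = dstlen - 1;
    memcpy(dst, field, n);
    dst[n] = '\0';
    while (n > 0 && dst[n - 1] == ' ') dst[--n] = '\0';
    return n;
}
```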


[USN-6858-1] eSpeak NG vulnerabilities (07:33)



[USN-6844-2] CUPS regression (07:51)



[USN-6860-1] OpenVPN vulnerabilities (07:57)



  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
Ubuntu Security Team