به منظور ارائه بهترین تجربه ممکن ، این سایت از کوکی ها استفاده می کند. برای کسب اطلاعات بیشتر خط مشی رازداری و شرایط خدمات ما را بررسی کنید. متوجه شدم

Alex Murray Ubuntu Security Team Linux Tech Operating Systems Alex and Joe Security Software Development
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

مردم عاشق ما هستند!

بررسی های کاربران

"عاشق قابلیت آفلاین شدم"
"از این طریق می توانید از اشتراک های پادکستتان استفاده کنید. همچنین راهی فوق العاده ست برای کشف پادکست های جدید"

Ubuntu Security Podcast « »
Episode 204

28:11
 
پخش
پخش کردن
اشتراک گذاری
 

MP3خانه قسمت
Manage episode 373264959 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Overview

This week we look at the recent Zenbleed vulnerability affecting some AMD processors, plus we cover security updates for the Linux kernel, a high profile OpenSSH vulnerability and finally Andrei is back with a deep dive into recent academic research around how to safeguard machine learning systems when used across distributed deployments.

This fortnight in Ubuntu Security Updates

123 unique CVEs addressed

[USN-6238-1] Samba vulnerabilities [01:15]

  • 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Possible attacker-in-the-middle attack when configured to do SMB2 packet signing (as it was not properly enforced), couple issues in the Spotlight protocol implementation (used to enable MacOS clients to search the Samba share via Finder) - DoS via a possible infinite loop when processing RPC packets which specified 0 elements in an array-like structure, plus info leak where full server-side path of resources would be returned in results

[USN-6237-2] curl regression

[USN-6239-1] ECDSA Util vulnerability [02:13]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Very similar to “Psychic Signatures” vuln in Java (OpenJDK) - [USN-5546-1, USN-5546-2] OpenJDK vulnerabilities from Episode 172 - basically would fail to first check if the provided exponents in the signature were zero - since if they are, then an all-zero signature would be considered as valid - so could easily forge a signature

[USN-6232-1] wkhtmltopdf vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)

[USN-6241-1] OpenStack vulnerability

  • 1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)

[USN-6240-1] FRR vulnerability

[USN-6242-1, USN-6242-2] OpenSSH vulnerability [03:08]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Result of an incomplete fix for historical vulnerability CVE-2016-10009 in PKCS#11 module in ssh-agent
  • Vuln is hence very similar to that, ie. if you chose to forward the ssh-agent socket to a remote machine, then the remote machine could cause your local ssh-agent to execute arbitrary code - it does this by causing the PKCS#11 module in ssh-agent to load an attacker controlled library from /usr/lib on your local machine
    • On the surface, it would appear that it would require a malicious library to be on your machine in this privileged location - BUT there are a bunch of seemingly innocuous libraries in say standard Ubuntu that can be abused to cause malicious actions and get arbitrary code execution. This is exactly what Qualys did to demonstrate the impact of this vuln - https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
      • very clever use of various pieces of surprising behaviour from various libraries (such as the ability to make the stack executable or register signal handlers just by dlopen()‘ing a module) - chain these together to then get code execution
    • It does though require you to use ssh-agent forwarding - this is generally discouraged, and instead you should probably use an jump host - this is even mentioned in the man page for ssh
  • Fixed by making module loading more defensive (ie that they contain the expected symbols and if not abort etc)

[USN-6243-1] Graphite-Web vulnerabilities

[USN-6203-2] Django vulnerability

[USN-6129-2] Avahi vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)

[USN-6244-1] AMD Microcode vulnerability [05:57]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Zenbleed - Tavis Ormandy (GPZ) discovered new hardware vuln via fuzzing of the ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
  • Only specific to AMD’s Zen2 family of processors and is related to speculative execution - but unlike Spectre etc, speculative execution is not used as the attack primitive - instead for Zenbleed, the processor fails to properly clean up state after speculatively executing a particular vector register instruction - which then allows an attacker thread / process to read this data from the vector register - all comes about because these registers are not like the normal physical registers in the CPU, but instead are shared as a “Register File” - this sharing means that when one instruction gets speculatively executed, but which turns out to not actually be needed, it fails to properly clean up - and then leaks this data via the shared register file which can be read by another process which is executing at the same time
  • Tavis also released a handy PoC - requires the use of specific assembly language intructions and so it is not clear if this could be exploited remotely say via JS running a web-browser - but it definitely can be exploited by local users to spy on all other processes in the system (that use vector registers), including root / VMs etc
    • What kinds of things use these vector registers? Turns out is is many, since glibc implements functions like strlen() using them - and this is a very common operation in all kinds of code
  • So basically anyone with local unprivileged code-access on an affected system could snoop on passwords etc
  • AMD released a microcode update to fix this - but only for server-oriented EPYC line of processors (code named “Rome”) - so in that case all you need to do is install this microcode update and reboot and you are good.
  • But that still leaves a lot of other platforms without an official fix - according to their advisory they will release BIOS firmware updates for other affected processors later in the year
  • You can however set a so-called “chicken bit” in the processor which (as far as I can tell) instructs it to not execute this particular instruction out-of-order (ie not speculatively execute it) - AMD haven’t actually said what this does but that is the assumption. As such, this does have an effect on performance, although it is not clear how much.
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
  • Kernel developers have then developed a patch to automatically enable this chicken-bit if the associated microcode update is not present - for Ubuntu we plan to include this fix in the next round of kernel security updates, due on 21st August

[LSN-0096-1] Linux kernel vulnerability [11:47]

  • 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • OOB write in netfilter -> crash / code-exec - plus a UAF in netfilter as well - both require CAP_NET_ADMIN to exploit - but can get this in an unprivileged user namespace -> privesc
  • Plus a bunch of vulns covered in previous episodes
    • OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
    • KVM mishandling of control registers for nested guest VMs
    • OOB write in network queuing scheduler - also able to be triggered though an unprivileged user namespace
Kernel type 22.04 20.04 18.04 16.04 14.04
aws 96.2 96.2
aws-hwe 96.2
azure 96.3 96.2 96.2
azure-5.4 96.2
gcp 96.3 96.2 96.2
gcp-4.15 96.2
gcp-5.15 96.3
gcp-5.4 96.2
generic-4.15 96.2 96.2
generic-4.4 96.2 96.2
generic-5.15 96.3
generic-5.4 96.2 96.2
gke 96.3 96.2
gke-5.15 96.3
gke-5.4 96.2
gkeop 96.2
gkeop-5.4 96.2
ibm 96.3 96.2
ibm-5.4 96.2
linux 96.3
lowlatency-4.15 96.2 96.2
lowlatency-4.4 96.2 96.2
lowlatency-5.15 96.3
lowlatency-5.4 96.2 96.2

[USN-6246-1] Linux kernel vulnerabilities

[USN-6247-1] Linux kernel (OEM) vulnerabilities

[USN-6248-1] Linux kernel (OEM) vulnerabilities

[USN-6249-1] Linux kernel (OEM) vulnerabilities

[USN-6250-1] Linux kernel vulnerabilities

[USN-6251-1] Linux kernel vulnerabilities

[USN-6252-1] Linux kernel vulnerabilities

[USN-6254-1] Linux kernel vulnerabilities

[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities

[USN-6256-1] Linux kernel (IoT) vulnerabilities

[USN-6260-1] Linux kernel vulnerabilities

[USN-6261-1] Linux kernel (IoT) vulnerabilities

[USN-6245-1] Trove vulnerabilities

  • Affecting Jammy (22.04 LTS)

[USN-5807-3] libXpm vulnerability

[USN-6253-1] libvirt vulnerability

[USN-6257-1] Open VM Tools vulnerability

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)

[USN-6258-1] LLVM Toolchain vulnerabilities

[USN-5193-3] X.Org X Server vulnerabilities

[USN-6259-1] Open-iSCSI vulnerabilities

[USN-6262-1] Wireshark vulnerabilities

[USN-6265-1] RabbitMQ vulnerability

[USN-6264-1] WebKitGTK vulnerabilities

[USN-6263-1] OpenJDK vulnerabilities

[USN-6266-1] librsvg vulnerability [13:55]

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Directory traversal vuln - arbitrary file read by using a specially crafted include element that specifies say - simple PoC provided by the upstream reporter

[USN-6267-1] Firefox vulnerabilities [14:47]

Goings on in Ubuntu Security Community

Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]

Get in contact

  continue reading

219 قسمت

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development
U
Ubuntu Security Podcast
Ubuntu Security Podcast podcast artworkUbuntu Security Podcast podcast artwork

Episode 204

Ubuntu Security Podcast

130 subscribers

published

پخش پخش کردن
iconاشتراک گذاری
 
MP3خانه قسمت
Manage episode 373264959 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Overview

This week we look at the recent Zenbleed vulnerability affecting some AMD processors, plus we cover security updates for the Linux kernel, a high profile OpenSSH vulnerability and finally Andrei is back with a deep dive into recent academic research around how to safeguard machine learning systems when used across distributed deployments.

This fortnight in Ubuntu Security Updates

123 unique CVEs addressed

[USN-6238-1] Samba vulnerabilities [01:15]

  • 5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
  • Possible attacker-in-the-middle attack when configured to do SMB2 packet signing (as it was not properly enforced), couple issues in the Spotlight protocol implementation (used to enable MacOS clients to search the Samba share via Finder) - DoS via a possible infinite loop when processing RPC packets which specified 0 elements in an array-like structure, plus info leak where full server-side path of resources would be returned in results

[USN-6237-2] curl regression

[USN-6239-1] ECDSA Util vulnerability [02:13]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Very similar to “Psychic Signatures” vuln in Java (OpenJDK) - [USN-5546-1, USN-5546-2] OpenJDK vulnerabilities from Episode 172 - basically would fail to first check if the provided exponents in the signature were zero - since if they are, then an all-zero signature would be considered as valid - so could easily forge a signature

[USN-6232-1] wkhtmltopdf vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)

[USN-6241-1] OpenStack vulnerability

  • 1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)

[USN-6240-1] FRR vulnerability

[USN-6242-1, USN-6242-2] OpenSSH vulnerability [03:08]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Result of an incomplete fix for historical vulnerability CVE-2016-10009 in PKCS#11 module in ssh-agent
  • Vuln is hence very similar to that, ie. if you chose to forward the ssh-agent socket to a remote machine, then the remote machine could cause your local ssh-agent to execute arbitrary code - it does this by causing the PKCS#11 module in ssh-agent to load an attacker controlled library from /usr/lib on your local machine
    • On the surface, it would appear that it would require a malicious library to be on your machine in this privileged location - BUT there are a bunch of seemingly innocuous libraries in say standard Ubuntu that can be abused to cause malicious actions and get arbitrary code execution. This is exactly what Qualys did to demonstrate the impact of this vuln - https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
      • very clever use of various pieces of surprising behaviour from various libraries (such as the ability to make the stack executable or register signal handlers just by dlopen()‘ing a module) - chain these together to then get code execution
    • It does though require you to use ssh-agent forwarding - this is generally discouraged, and instead you should probably use an jump host - this is even mentioned in the man page for ssh
  • Fixed by making module loading more defensive (ie that they contain the expected symbols and if not abort etc)

[USN-6243-1] Graphite-Web vulnerabilities

[USN-6203-2] Django vulnerability

[USN-6129-2] Avahi vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)

[USN-6244-1] AMD Microcode vulnerability [05:57]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Zenbleed - Tavis Ormandy (GPZ) discovered new hardware vuln via fuzzing of the ISA - great writeup on his blog - https://lock.cmpxchg8b.com/zenbleed.html
  • Only specific to AMD’s Zen2 family of processors and is related to speculative execution - but unlike Spectre etc, speculative execution is not used as the attack primitive - instead for Zenbleed, the processor fails to properly clean up state after speculatively executing a particular vector register instruction - which then allows an attacker thread / process to read this data from the vector register - all comes about because these registers are not like the normal physical registers in the CPU, but instead are shared as a “Register File” - this sharing means that when one instruction gets speculatively executed, but which turns out to not actually be needed, it fails to properly clean up - and then leaks this data via the shared register file which can be read by another process which is executing at the same time
  • Tavis also released a handy PoC - requires the use of specific assembly language intructions and so it is not clear if this could be exploited remotely say via JS running a web-browser - but it definitely can be exploited by local users to spy on all other processes in the system (that use vector registers), including root / VMs etc
    • What kinds of things use these vector registers? Turns out is is many, since glibc implements functions like strlen() using them - and this is a very common operation in all kinds of code
  • So basically anyone with local unprivileged code-access on an affected system could snoop on passwords etc
  • AMD released a microcode update to fix this - but only for server-oriented EPYC line of processors (code named “Rome”) - so in that case all you need to do is install this microcode update and reboot and you are good.
  • But that still leaves a lot of other platforms without an official fix - according to their advisory they will release BIOS firmware updates for other affected processors later in the year
  • You can however set a so-called “chicken bit” in the processor which (as far as I can tell) instructs it to not execute this particular instruction out-of-order (ie not speculatively execute it) - AMD haven’t actually said what this does but that is the assumption. As such, this does have an effect on performance, although it is not clear how much.
wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))
  • Kernel developers have then developed a patch to automatically enable this chicken-bit if the associated microcode update is not present - for Ubuntu we plan to include this fix in the next round of kernel security updates, due on 21st August

[LSN-0096-1] Linux kernel vulnerability [11:47]

  • 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
  • OOB write in netfilter -> crash / code-exec - plus a UAF in netfilter as well - both require CAP_NET_ADMIN to exploit - but can get this in an unprivileged user namespace -> privesc
  • Plus a bunch of vulns covered in previous episodes
    • OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver
    • KVM mishandling of control registers for nested guest VMs
    • OOB write in network queuing scheduler - also able to be triggered though an unprivileged user namespace
Kernel type 22.04 20.04 18.04 16.04 14.04
aws 96.2 96.2
aws-hwe 96.2
azure 96.3 96.2 96.2
azure-5.4 96.2
gcp 96.3 96.2 96.2
gcp-4.15 96.2
gcp-5.15 96.3
gcp-5.4 96.2
generic-4.15 96.2 96.2
generic-4.4 96.2 96.2
generic-5.15 96.3
generic-5.4 96.2 96.2
gke 96.3 96.2
gke-5.15 96.3
gke-5.4 96.2
gkeop 96.2
gkeop-5.4 96.2
ibm 96.3 96.2
ibm-5.4 96.2
linux 96.3
lowlatency-4.15 96.2 96.2
lowlatency-4.4 96.2 96.2
lowlatency-5.15 96.3
lowlatency-5.4 96.2 96.2

[USN-6246-1] Linux kernel vulnerabilities

[USN-6247-1] Linux kernel (OEM) vulnerabilities

[USN-6248-1] Linux kernel (OEM) vulnerabilities

[USN-6249-1] Linux kernel (OEM) vulnerabilities

[USN-6250-1] Linux kernel vulnerabilities

[USN-6251-1] Linux kernel vulnerabilities

[USN-6252-1] Linux kernel vulnerabilities

[USN-6254-1] Linux kernel vulnerabilities

[USN-6255-1] Linux kernel (Intel IoTG) vulnerabilities

[USN-6256-1] Linux kernel (IoT) vulnerabilities

[USN-6260-1] Linux kernel vulnerabilities

[USN-6261-1] Linux kernel (IoT) vulnerabilities

[USN-6245-1] Trove vulnerabilities

  • Affecting Jammy (22.04 LTS)

[USN-5807-3] libXpm vulnerability

[USN-6253-1] libvirt vulnerability

[USN-6257-1] Open VM Tools vulnerability

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)

[USN-6258-1] LLVM Toolchain vulnerabilities

[USN-5193-3] X.Org X Server vulnerabilities

[USN-6259-1] Open-iSCSI vulnerabilities

[USN-6262-1] Wireshark vulnerabilities

[USN-6265-1] RabbitMQ vulnerability

[USN-6264-1] WebKitGTK vulnerabilities

[USN-6263-1] OpenJDK vulnerabilities

[USN-6266-1] librsvg vulnerability [13:55]

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
  • Directory traversal vuln - arbitrary file read by using a specially crafted include element that specifies say - simple PoC provided by the upstream reporter

[USN-6267-1] Firefox vulnerabilities [14:47]

Goings on in Ubuntu Security Community

Andrei discusses safeguarding machine learning infrastructure when used in distributed applications [15:05]

Get in contact

  continue reading

219 قسمت

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

همه قسمت ها

×
 
Loading …

به Player FM خوش آمدید!

Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.

 

Player FM - برنامه پادکست
با برنامه Player FM !
Get it on App Store Get it on Google Play

مشابه Ubuntu Security Podcast

به بیش از 500 موضوع گوش کنید
Player FM - برنامه پادکست
با برنامه Player FM !
Get it on App Store Get it on Google Play

مردم عاشق ما هستند!

بررسی های کاربران

"عاشق قابلیت آفلاین شدم"
"از این طریق می توانید از اشتراک های پادکستتان استفاده کنید. همچنین راهی فوق العاده ست برای کشف پادکست های جدید"

راهنمای مرجع سریع

پادکست های برتر
Dialogue Podcast | پادکست دیالوگ
طنزپردازی | tanzpardazi
نود و هشت، پنجاه و سه
GoushFilm | گوش‌فیلم
Timche podcast | پادکست اقتصادی تیمچه
پادکست – جادی دات نت | کیبرد آزاد
ایستگاه فردا
مجله شبانگاهی
Hellitalk
StringBooks
ChannelB پادکست فارسی
Player FM logo
تماس با ما | راهنما/پرسش و پاسخ | ارتقا | Advertise
هنر|تجارت|کمدی|اقتصاد|سرگرمی|اخبار|سیاست|دین
علم|فوتبال|ورزشی|داستان سرایی|تکنولوژی|جنایت واقعی
حق چاپ 2023 | نقشه سایت | حریم خصوصی | شرایط خدمات | | کپی رایت
Episode being played series thumbnail
icon icon
سرعت
تنظیمات سری
1x
1x
Volume
100%
icon
icon icon
/

مشاهده Player FM در ...
Player FM
Browser
Chrome
Safari
Firefox