اشتراک گذاری
))
This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
Episode 206
Manage episode 375202259 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمتها، گرافیکها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آنها آپلود و ارائه میشوند. اگر فکر میکنید شخصی بدون اجازه شما از اثر دارای حق نسخهبرداری شما استفاده میکند، میتوانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal
Overview
This week we talk about HTTP Content-Length handling, intricacies of group management in container environments and making sure you check your return codes while covering vulns in HAProxy, Podman, Inetutils and more, plus we put a call out for input on using open source tools to secure your SDLC.
This week in Ubuntu Security Updates
69 unique CVEs addressed
[USN-6294-1, USN-6294-2] HAProxy vulnerability (01:00)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Would forward requests with empty
Content-Lengthheaders even when there was content in the request (which violates RFC 9110 - HTTP Semantics) - this RFC explicitly says:
If the message is forwarded by a downstream intermediary, a Content-Length field value that is inconsistent with the received message framing might cause a security failure due to request smuggling or response splitting. As a result, a sender MUST NOT forward a message with a Content-Length header field value that is known to be incorrect.
- As such, downstream HTTP/1 servers behind HAProxy may interpret the payload in the request as an extra request and hence this can be used for request smuggling as warned by the RFC
[USN-6295-1] Podman vulnerability (02:34)
- 1 CVEs addressed in Jammy (22.04 LTS)
- https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- interaction between supplemental groups, negative group permissions and setgid binaries
- supplemental groups - each user generally has a group specific to their user (so-called primary group for that user), but can also belong to other supplemental groups:
ubuntu@ubuntu:~$ groups ubuntu sudo - negative group permissions - not used often but allows to say that a certain group of users should not be able to access something - ie. denylisting
- setgid binary - like a setuid binary - no matter what group that executes the binary, the binary runs as the primary group of the binary
- so could a user could create a binary, make it set-group for one of their supplemental groups and then drop their primary group, run it and use that to access such a resource that has been denied access to their primary group?
- no, since on login, primary group gets added to the list of supplemental groups which can’t be modified by a user themself - this has been the standard behaviour in UNIX since 1994 in BSD 4.4 and hence Linux has always worked this way too
- However, podman is a container manager though and it manages groups within the container - and it failed to do this duplication of the primary group into the supplemental group and so would allow exactly this attack
[USN-6296-1] PostgreSQL vulnerabilities (06:44)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Latest upstream point releases, so contains both security fixes and other bug fixes
[USN-6298-1] ZZIPlib vulnerabilities (07:04)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Provides the ability to read into a zip archive, as well as the ability to overlay a zip archive with an existing file system
- Used by applications like mpd, milkytracker and texlive (LaTeX etc)
- Two different DoS
- infinite loop -> CPU based DoS
- memory leak -> resource based DoS
- both require to parse an attacker provided ZIP archive
[USN-6297-1] Ghostscript vulnerability (07:50)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Buffer overflow when generating a PDF file for a DEVN device - DEVN is an abbreviation for DeviceN which is a type of colour space - ie a way of specifying different colour levels across a set of channels - ie. encoding colour information for a printer etc
- Needs an attacker to provide a crafted input file though…
[USN-6299-1] poppler vulnerabilities (08:40)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- someone has been fuzzing poppler - in particular the
pdftopsbinary - stack overflow and NULL ptr deref when handling crafted input PDFs -> crash -> DoS
[USN-6300-1] Linux kernel vulnerabilities (09:18)
- 24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2023-35829
- CVE-2023-35828
- CVE-2023-35824
- CVE-2023-35823
- CVE-2023-33288
- CVE-2023-33203
- CVE-2023-3268
- CVE-2023-32248
- CVE-2023-3141
- CVE-2023-30772
- CVE-2023-28466
- CVE-2023-23004
- CVE-2023-2269
- CVE-2023-2235
- CVE-2023-2194
- CVE-2023-2163
- CVE-2023-2124
- CVE-2023-2002
- CVE-2023-1990
- CVE-2023-1855
- CVE-2023-1611
- CVE-2023-0597
- CVE-2022-48502
- CVE-2022-4269
- 5.15 GA, AWS, GCP, IBM, Intel-IoTG, KVM, Low latency, NVIDIA, Raspi etc
- Have mentioned some of these previously - issues across various drivers and subsystems
- Lots of UAFs, a few OOB / NULL ptr deref, memory leak (DoS), OOB read / write as well
[USN-6301-1] Linux kernel vulnerabilities (10:07)
- 16 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 Xilinx ZynqMP on 20.04 (Hi Portia!)
- HWE / OEM etc on 18.04 ESM
- Very similar sorts of issues as above
[USN-6267-3] Firefox regressions (10:44)
- 12 CVEs addressed in Focal (20.04 LTS)
- Second lot of regressions in the upstream 116 release - now at 116.0.3
- often these regressions are for Windows users etc but this time we have one for Linux - in particular screensharing on Wayland was broken since would fail to properly negotiate framerate in webrtc with Pipewire
[USN-6302-1] Vim vulnerabilities (11:22)
- 15 CVEs addressed in Trusty ESM (14.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- More vim - is now the 8th most mentioned package in this podcast (only behind Linux kernel, Firefox, Thunderbird, PHP, MySQL, WebkitGTK)
[USN-6303-1, USN-6303-2] ClamAV vulnerability (11:50)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Infinite loop in the HFS+ parser -> DoS of entire ClamAV
[USN-6304-1] Inetutils vulnerabilities (12:14)
- 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04)
- Provides various utilities for different network services - ie. clients / servers for ftp, telnet, and talk
- NULL ptr deref in telnetd - not super interesting - if running telnetd you probably have bigger problems
- Failed to check return values of the various
setuid()=/=setgid()system calls used in ftpd/rshd/rlogin etc- daemon runs as root and uses these calls to drop privileges to the user who is logging in - if these fail, then users session will still be running as root - easy privesc (although not really able to be controlled by the remote attacker to induce this error to occur)
Goings on in Ubuntu Security Community
Brainstorming for a software security workshop (13:53)
Get in contact
218 قسمت
