Episode 212

Ubuntu Security Podcast

محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

9M ago 23:06

MP3•خانه قسمت

Overview

With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-6437-1] VIPS vulnerabilities (00:35)

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Jammy (22.04 LTS)
Image processing library / CLI tool
NULL ptr derefs + divide by zero -> crash -> DoS
info leak since would fail to clear memory and leak this in the generated image

[USN-6435-1] OpenSSL vulnerabilities (01:26)

2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CVE-2023-3817
- CVE-2023-3446
CPU-based DoS via an execssively large DH modulus (p parameter) value (over 10,000 bits)
OpenSSL by default will try and validate if the modulus over 10,000 bits and raise an error - but before the error is raised it would still check other aspects of the supplied key / parameters which in turn could use the p value and hence take an excessive amount of time - fixed by checking this earlier and erroring out in that case
Then was found that the q parameter could also be abused in the same way - since the size of this has to be less than p was fixed by just checking it against this

[USN-6450-1] OpenSSL vulnerabilities

4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
Two CPU-based DoS issues above plus
- Possible truncation / overrun during the initialisation of various ciphers if the key or IV lengths differ compared to when initially established - some ciphers allow a variable length IV (e.g. AES-GCM) and so it is possible that an application will use a non-standard IV length during the use of the cipher compared to when they initialise it
  - The API for this was only “recently” introduced (3.x) - and in general not a lot of applications will be affected
- Issue specific to the AES-SIV (mode of AES that provides deterministic nonce-less key wrapping - used for key wrapping when transporting cryptographic keys; as well as nonce-based authenticated encryption that is resistant to nonce reuse)
  - AES-SIV allows to perform authentication of data - and to do this the relevant OpenSSL API’s should be called with an input buffer length of 0 and a NULL ptr for the output buffer - BUT if the associated data to be authenticated was empty, in this case, OpenSSL would return success without doing any authentication
  - In practice this is unlikely to be an issue since it doesn’t not affect non-empty data authentication which is the vast majority of use-cases

[USN-6165-2] GLib vulnerabilities (07:57)

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
[USN-6165-1] GLib vulnerabilities from Episode 199

[USN-6374-2] Mutt vulnerabilities (05:08)

2 CVEs addressed in Mantic (23.10)
- CVE-2023-4875
- CVE-2023-4874
[USN-6374-1] Mutt vulnerabilities from Episode 210

[USN-6438-1, USN-6438-2, USN-6427-2] .NET vulnerabilities (05:15)

2 CVEs addressed in Mantic (23.10)
- CVE-2023-44487
- CVE-2023-36799
HTTP/2 Rapid Reset - DoS on server side by clients sending a large number of requests and immediately cancelling them many times over and over - exploited in the wild recently, achieving the largest DoS attack bandwidths seen - requires HTTP/2 implementations to essentially do heuristics over time to track allocated streams against connections and block the connection when too many are made or similar
- Fix for Kestrel web server in .NET

[USN-6362-2] .Net regressions

1 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- CVE-2023-36799
[USN-6362-1] .NET vulnerability from Episode 209
Fix for DoS in handling of X.509 certificates

[USN-6199-2] PHP vulnerability (06:31)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CVE-2023-3247
[USN-6199-1] PHP vulnerability from Episode 202

[USN-6403-2] libvpx vulnerabilities (06:39)

2 CVEs addressed in Bionic ESM (18.04 ESM)
- CVE-2023-5217
- CVE-2023-44488
WebM VP8/VP9 video en/decoder
Heap buffer overflow -> DoS/RCE
OOB read -> DoS

[USN-6408-2] libXpm vulnerabilities (07:00)

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
Infinite recursion -> stack exhaustion -> crash -> DoS
Integer overflow -> heap buffer overflow -> RCE/DoS
Two different OOB reads -> crash -> DoS

[USN-6448-1] Sofia-SIP vulnerability (09:01)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- CVE-2023-32307
SIP user agent - integer overflows and resulting heap buffer overflows due to missing length checks in the STUN message parser -> RCE
Also fixed a OOB read as well -> DoS

[USN-6422-2] Ring vulnerabilities (09:17)

20 CVEs addressed in Mantic (23.10)
Voice / video and chat platform (now called Jami, contains embedded copy of PJSIP - library implementing various related protocols for remote communication like SIP, STUN, RTP, ICE and others)
Also missed various length checks, allowing possible integer underflow -> crash / memory corruption -> RCE
Buffer overflow when using the internal DNS resolver

[USN-6449-1] FFmpeg vulnerabilities (09:58)

8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
Various memory leaks -> DoS, plus some integer overflows -> buffer overflows in various parsers for different media types

[USN-6447-1] AOM vulnerabilities (11:32)

7 CVEs addressed in Focal (20.04 LTS)
AV1 Video Codec Library - used by things like gstreamer, libavcodec - in turn is used by a huge number of multimedia applications from blender, ffmpeg, kodi, mplayer, obs-studio, vlc and more
- Very much a case of xkcd 2347 (Dependency)
Various buffer overflows, use-after-frees, stack buffer overflow, NULL ptr derefs etc.

[USN-6288-2] MySQL vulnerability (12:40)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CVE-2023-22053
[USN-6288-1] MySQL vulnerabilities from Episode 205

[USN-6451-1] ncurses vulnerability (12:47)

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CVE-2020-19189
Heap buffer overflow via crafted terminfo file - found by fuzzing infotocap
- terminfo files are usually trusted content so unlikely to be an issue in practice

[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)

13 CVEs addressed in Jammy (22.04 LTS)
5.15 raspi for 22.04 LTS
Most interesting vuln fixed is AMD “INCEPTION” - [USN-6319-1] AMD Microcode vulnerability from Episode 207 - speculative execution attack similar to the original Spectre
Have now added a mitigation within the kernel itself rather than having to rely on CPU microcode (particularly when that microcode only covers a subset of the affected CPUs)

[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)

11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
4.4 generic,low-latency,kvm,aws etc
includes various high priority fixes which we’ve covered in previous episodes

[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)

12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
4.15
- kvm, gcp, aws, azure, generic, lowlatency on 18.04 / 16.04 HWE
- azure 14.04
same as above

[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)

9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
5.4 xilinx zyncmp, ibm, gkeop, kvm, oracle, aws, gcp, azure, generic, lowlatency

[USN-6442-1] Linux kernel (BlueField) vulnerabilities

10 CVEs addressed in Focal (20.04 LTS)
5.4 bluefiled (same as above)

[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)

6 CVEs addressed in Jammy (22.04 LTS)
6.1 oem

[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)

11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
6.2 starfive, aws, oracle, azure, kvm, lowlatency, raspi, gcp, generic for 23.04

[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities

24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
5.15 intel iotg

[USN-6446-1, USN-6446-2] Linux kernel vulnerabilities

11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
5.15 gkeop, nvidia, ibm, raspi, gcp, gke, kvm, oracle, aws, azure, azure-fde

Goings on in Ubuntu Security Community

Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)

Ubuntu Summit
- https://events.canonical.com/event/31/
- Mark Esler will be presenting “Improving FOSS Security” - designed for FOSS maintainers who want to be proactive about security and protecting their users
- Tobias Heider will be presenting with Hector Martin on Asahi Linux and in particular Ubuntu Asahi - community project to bring the Asahi Linux work to Ubuntu (also was a great shout-out from Joe Ressington on the most recent Late Night Linux plus a good write-up on omgubuntu)

Goodbye and good luck to David Lane (21:31)

Led the snap store reviewers work - much more streamlined process for folks interacting on the snapcraft forum
Great manager + engineer and a great friend
See you at b-sides cbr in 2024

Get in contact

237 قسمت

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Episode 212

Ubuntu Security Podcast

143 subscribers

published 9M ago