Content provided by Alex Murray and Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://fa.player.fm/legal
Episode 212
Overview
With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-6437-1] VIPS vulnerabilities (00:35)
- 5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Jammy (22.04 LTS)
- Image processing library / CLI tool
- NULL ptr derefs + divide by zero -> crash -> DoS
- Info leak, since it would fail to clear memory and would leak the stale contents in the generated image
[USN-6435-1] OpenSSL vulnerabilities (01:26)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CPU-based DoS via an excessively large DH modulus (p parameter) value (over 10,000 bits) - OpenSSL by default will try to validate whether the modulus is over 10,000 bits and raise an error - but before the error is raised it would still check other aspects of the supplied key / parameters, which in turn could use the p value and hence take an excessive amount of time - fixed by checking this earlier and erroring out in that case - it was then found that the q parameter could also be abused in the same way - since the size of q has to be less than p, this was fixed by just checking it against p
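The check-ordering problem described above, as an added example written for these notes (it is a model of the behaviour, not OpenSSL's own DH_check() code). The 10,000-bit limit is the figure given above; the primality test stands in for the expensive work OpenSSL does on the supplied parameters, and the sample parameters are constructed:

```python
# Added example; models the check ordering described in the notes, not
# OpenSSL's own DH_check() code.  The 10,000-bit limit is the figure the
# notes give.  Sample parameters below are constructed.
import random

MAX_MODULUS_BITS = 10_000


def is_probable_prime(n, rounds=8):
    """Miller-Rabin test.  Its cost grows with the bit length of n, so running
    it on an enormous p (or q) is the slow step an oversized parameter triggers."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)  # fixed seed so results are reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def expensive_checks(p, g, q):
    """The arithmetic-heavy part of parameter validation."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p not prime")
    if not (1 < g < p - 1):
        problems.append("bad generator")
    if q is not None:
        if not is_probable_prime(q):
            problems.append("q not prime")
        elif (p - 1) % q != 0:
            problems.append("q does not divide p-1")
    return problems


def check_dh_params_old_order(p, g, q=None):
    """Models the pre-fix behaviour: the size limit is enforced, but only after
    the expensive checks have already burned CPU on the oversized value."""
    problems = expensive_checks(p, g, q)
    if p.bit_length() > MAX_MODULUS_BITS:
        problems.append("modulus too large")
    return problems


def check_dh_params(p, g, q=None):
    """Fixed ordering: the cheap size check on p, and q < p, run first and
    return immediately, so an oversized parameter never reaches the expensive path."""
    if p.bit_length() > MAX_MODULUS_BITS:
        return ["modulus too large"]
    if q is not None and q >= p:
        return ["q must be smaller than p"]
    return expensive_checks(p, g, q)


if __name__ == "__main__":
    # constructed small safe-prime group: p = 2*11 + 1
    print(check_dh_params(23, 5, 11))
    print(check_dh_params((1 << 12000) | 1, 2))
```

The point of the pair is that both functions reject the same inputs; only the fixed one rejects the oversized ones before any work proportional to their size has been done.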
[USN-6450-1] OpenSSL vulnerabilities
- 4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- Two CPU-based DoS issues above plus
- Possible truncation / overrun during the initialisation of various ciphers if the key or IV lengths differ compared to when initially established - some ciphers allow a variable length IV (e.g. AES-GCM) and so it is possible that an application will use a non-standard IV length during the use of the cipher compared to when they initialise it
- The API for this was only “recently” introduced (3.x) - and in general not a lot of applications will be affected
- Issue specific to the AES-SIV (mode of AES that provides deterministic nonce-less key wrapping - used for key wrapping when transporting cryptographic keys; as well as nonce-based authenticated encryption that is resistant to nonce reuse)
- AES-SIV allows authentication of associated data - to do this the relevant OpenSSL APIs should be called with an input buffer length of 0 and a NULL ptr for the output buffer - BUT if the associated data to be authenticated was empty, OpenSSL would return success without doing any authentication
- In practice this is unlikely to be an issue since it does not affect non-empty data authentication, which is the vast majority of use-cases
[USN-6165-2] GLib vulnerabilities (07:57)
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6165-1] GLib vulnerabilities from Episode 199
[USN-6374-2] Mutt vulnerabilities (05:08)
- 2 CVEs addressed in Mantic (23.10)
- [USN-6374-1] Mutt vulnerabilities from Episode 210
[USN-6438-1, USN-6438-2, USN-6427-2] .NET vulnerabilities (05:15)
- 2 CVEs addressed in Mantic (23.10)
- HTTP/2 Rapid Reset - DoS on server side by clients sending a large number of requests and immediately cancelling them many times over and over - exploited in the wild recently, achieving the largest DoS attack bandwidths seen - requires HTTP/2 implementations to essentially do heuristics over time to track allocated streams against connections and block the connection when too many are made or similar
- Fix for Kestrel web server in .NET
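The kind of heuristic described above, as an added example written for these notes (not Kestrel's or any other server's code): a per-connection sliding-window count of streams the client cancels before the server has answered them. The frame names, the `RESPONSE_SENT` marker, the thresholds and the sample traffic are all constructed for the example:

```python
# Added example, not Kestrel's or any real HTTP/2 server's code.  Models the
# "track streams per connection and close on too many rapid resets" heuristic.
# Frame events, the RESPONSE_SENT marker and the thresholds are constructed.
from collections import defaultdict, deque


class RapidResetGuard:
    """Flags a connection whose client keeps opening streams and cancelling
    them before the server has answered (the Rapid Reset pattern)."""

    def __init__(self, max_rapid_resets=50, window_seconds=1.0):
        self.max_rapid_resets = max_rapid_resets
        self.window = window_seconds
        self._pending = defaultdict(set)    # conn -> stream ids awaiting a response
        self._resets = defaultdict(deque)   # conn -> timestamps of rapid resets
        self.closed = set()                 # connections the guard decided to close

    def observe(self, conn, stream, frame, ts):
        """Feed one frame event; returns True when the connection should be closed."""
        if conn in self.closed:
            return True
        pending = self._pending[conn]
        if frame == "HEADERS":              # client opens a stream
            pending.add(stream)
        elif frame == "RESPONSE_SENT":      # server answered; a later cancel is normal
            pending.discard(stream)
        elif frame == "RST_STREAM" and stream in pending:
            # cancelled before any response: this is the costly pattern
            pending.discard(stream)
            q = self._resets[conn]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()                 # drop resets outside the window
            if len(q) > self.max_rapid_resets:
                self.closed.add(conn)
                return True
        return False


def make_sample_frames():
    """Constructed sample: conn-A opens and immediately cancels 200 streams
    within about 100 ms; conn-B opens 5 streams and waits for each response."""
    frames = []
    for i in range(200):
        sid = 2 * i + 1                     # client-initiated stream ids are odd
        t = 10.0 + i * 0.0005
        frames.append(("conn-A", sid, "HEADERS", t))
        frames.append(("conn-A", sid, "RST_STREAM", t + 0.0001))
    for i in range(5):
        sid = 2 * i + 1
        t = 10.0 + i * 0.2
        frames.append(("conn-B", sid, "HEADERS", t))
        frames.append(("conn-B", sid, "RESPONSE_SENT", t + 0.05))
    return frames


def run_guard(frames, guard=None):
    """Replay frame events through a guard; returns the connections it closed."""
    guard = guard or RapidResetGuard()
    for conn, sid, frame, ts in frames:
        guard.observe(conn, sid, frame, ts)
    return sorted(guard.closed)


if __name__ == "__main__":
    print(run_guard(make_sample_frames()))  # expected: ['conn-A']
```

Only cancellations of still-unanswered streams are counted, so a client that legitimately abandons a request after the response has started is not penalised, and the deque keeps memory per connection bounded by the threshold.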
[USN-6362-2] .Net regressions
- 1 CVE addressed in Jammy (22.04 LTS), Lunar (23.04)
- [USN-6362-1] .NET vulnerability from Episode 209
- Fix for DoS in handling of X.509 certificates
[USN-6199-2] PHP vulnerability (06:31)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6199-1] PHP vulnerability from Episode 202
[USN-6403-2] libvpx vulnerabilities (06:39)
- 2 CVEs addressed in Bionic ESM (18.04 ESM)
- WebM VP8/VP9 video en/decoder
- Heap buffer overflow -> DoS/RCE
- OOB read -> DoS
[USN-6408-2] libXpm vulnerabilities (07:00)
- 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Infinite recursion -> stack exhaustion -> crash -> DoS
- Integer overflow -> heap buffer overflow -> RCE/DoS
- Two different OOB reads -> crash -> DoS
[USN-6448-1] Sofia-SIP vulnerability (09:01)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
- SIP user agent - integer overflows and resulting heap buffer overflows due to missing length checks in the STUN message parser -> RCE
- Also fixed an OOB read -> DoS
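The class of check the Sofia-SIP advisory says was missing, shown in an added example written for these notes (not Sofia-SIP's code): a small STUN message parser that validates every wire-supplied length against the bytes actually present before slicing. It follows the RFC 5389 framing (20-byte header, 4-byte-aligned TLV attributes); the message type and attribute values in the sample are constructed:

```python
# Added example, not Sofia-SIP's parser.  Shows the length checks a STUN
# message parser needs (RFC 5389 framing).  Sample messages are constructed.
import struct

STUN_MAGIC_COOKIE = 0x2112A442
HEADER_LEN = 20


class StunParseError(ValueError):
    pass


def parse_stun(buf: bytes):
    """Parse a STUN message into (msg_type, transaction_id, [(attr_type, value), ...]).

    Every length read from the wire is compared against the bytes remaining
    *before* it is used.  The comparisons are written as "length > remaining"
    (a subtraction) rather than "offset + length > total" (an addition), which
    is the form that cannot wrap around in a fixed-width C integer either."""
    if len(buf) < HEADER_LEN:
        raise StunParseError("short header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", buf[:8])
    txid = buf[8:20]
    if cookie != STUN_MAGIC_COOKIE:
        raise StunParseError("bad magic cookie")
    if msg_len % 4 != 0:
        raise StunParseError("message length not a multiple of 4")
    if msg_len > len(buf) - HEADER_LEN:
        raise StunParseError("declared length exceeds buffer")
    body = buf[HEADER_LEN:HEADER_LEN + msg_len]

    attrs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise StunParseError("truncated attribute header")
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        padded = (alen + 3) & ~3            # attribute values are padded to 4 bytes
        if padded > len(body) - pos - 4:
            raise StunParseError("attribute length exceeds message body")
        attrs.append((atype, body[pos + 4:pos + 4 + alen]))
        pos += 4 + padded
    return msg_type, txid, attrs


def is_well_formed(buf: bytes) -> bool:
    """True if parse_stun accepts the buffer, False if it rejects it."""
    try:
        parse_stun(buf)
        return True
    except StunParseError:
        return False


def build_stun(msg_type, txid, attrs):
    """Encode a STUN message; used here to construct well-formed sample input."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value
        body += b"\x00" * ((-len(value)) % 4)
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC_COOKIE) + txid + body


if __name__ == "__main__":
    # constructed Binding Request (type 0x0001) with SOFTWARE and USERNAME attributes
    txid = bytes(range(12))
    msg = build_stun(0x0001, txid, [(0x8022, b"test"), (0x0006, b"abc")])
    print(parse_stun(msg))
    print(is_well_formed(msg[:-2]))          # truncated body -> False
```

Rejecting the message on the first inconsistent length, rather than clamping and continuing, keeps the parser's behaviour easy to reason about and means a fuzzer finds framing bugs as clean errors rather than as memory corruption.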
[USN-6422-2] Ring vulnerabilities (09:17)
- 20 CVEs addressed in Mantic (23.10)
- Voice / video and chat platform (now called Jami, contains embedded copy of PJSIP - library implementing various related protocols for remote communication like SIP, STUN, RTP, ICE and others)
- Also missed various length checks, allowing possible integer underflow -> crash / memory corruption -> RCE
- Buffer overflow when using the internal DNS resolver
[USN-6449-1] FFmpeg vulnerabilities (09:58)
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Various memory leaks -> DoS, plus some integer overflows -> buffer overflows in various parsers for different media types
[USN-6447-1] AOM vulnerabilities (11:32)
- 7 CVEs addressed in Focal (20.04 LTS)
- AV1 Video Codec Library - used by things like gstreamer, libavcodec - in turn is used by a huge number of multimedia applications from blender, ffmpeg, kodi, mplayer, obs-studio, vlc and more
- Very much a case of xkcd 2347 (Dependency)
- Various buffer overflows, use-after-frees, stack buffer overflow, NULL ptr derefs etc.
[USN-6288-2] MySQL vulnerability (12:40)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6288-1] MySQL vulnerabilities from Episode 205
[USN-6451-1] ncurses vulnerability (12:47)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- Heap buffer overflow via crafted terminfo file - found by fuzzing infotocap
- terminfo files are usually trusted content so unlikely to be an issue in practice
[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)
- 13 CVEs addressed in Jammy (22.04 LTS)
- 5.15 raspi for 22.04 LTS
- Most interesting vuln fixed is AMD “INCEPTION” - [USN-6319-1] AMD Microcode vulnerability from Episode 207 - speculative execution attack similar to the original Spectre
- Have now added a mitigation within the kernel itself rather than having to rely on CPU microcode (particularly when that microcode only covers a subset of the affected CPUs)
[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)
- 11 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- 4.4 generic, low-latency, kvm, aws etc
- includes various high priority fixes which we’ve covered in previous episodes
[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)
- 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- 4.15
- kvm, gcp, aws, azure, generic, lowlatency on 18.04 / 16.04 HWE
- azure 14.04
- same as above
[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)
- 9 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- 5.4 xilinx zynqmp, ibm, gkeop, kvm, oracle, aws, gcp, azure, generic, lowlatency
[USN-6442-1] Linux kernel (BlueField) vulnerabilities
- 10 CVEs addressed in Focal (20.04 LTS)
- 5.4 bluefield (same as above)
[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)
- 6 CVEs addressed in Jammy (22.04 LTS)
- 6.1 oem
[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)
- 11 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04)
- 6.2 starfive, aws, oracle, azure, kvm, lowlatency, raspi, gcp, generic for 23.04
[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities
- 24 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2023-5197
- CVE-2023-4921
- CVE-2023-4881
- CVE-2023-4623
- CVE-2023-4622
- CVE-2023-44466
- CVE-2023-42756
- CVE-2023-42755
- CVE-2023-42753
- CVE-2023-42752
- CVE-2023-4273
- CVE-2023-4244
- CVE-2023-4194
- CVE-2023-4155
- CVE-2023-4132
- CVE-2023-3866
- CVE-2023-3865
- CVE-2023-3863
- CVE-2023-38432
- CVE-2023-34319
- CVE-2023-3338
- CVE-2023-2156
- CVE-2023-20569
- CVE-2023-1206
- 5.15 intel iotg
[USN-6446-1, USN-6446-2] Linux kernel vulnerabilities
- 11 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- 5.15 gkeop, nvidia, ibm, raspi, gcp, gke, kvm, oracle, aws, azure, azure-fde
Goings on in Ubuntu Security Community
Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)
- Ubuntu Summit
- https://events.canonical.com/event/31/
- Mark Esler will be presenting “Improving FOSS Security” - designed for FOSS maintainers who want to be proactive about security and protecting their users
- Tobias Heider will be presenting with Hector Martin on Asahi Linux and in particular Ubuntu Asahi - community project to bring the Asahi Linux work to Ubuntu (also was a great shout-out from Joe Ressington on the most recent Late Night Linux plus a good write-up on omgubuntu)
Goodbye and good luck to David Lane (21:31)
- Led the snap store reviewers work - much more streamlined process for folks interacting on the snapcraft forum
- Great manager + engineer and a great friend
- See you at b-sides cbr in 2024
Get in contact