Artwork

محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal
Player FM - برنامه پادکست
با برنامه Player FM !

Episode 212

23:06
 
اشتراک گذاری
 

Manage episode 381061657 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Overview

With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-6437-1] VIPS vulnerabilities (00:35)

[USN-6435-1] OpenSSL vulnerabilities (01:26)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CPU-based DoS via an execssively large DH modulus (p parameter) value (over 10,000 bits)
  • OpenSSL by default will try and validate if the modulus over 10,000 bits and raise an error - but before the error is raised it would still check other aspects of the supplied key / parameters which in turn could use the p value and hence take an excessive amount of time - fixed by checking this earlier and erroring out in that case
  • Then was found that the q parameter could also be abused in the same way - since the size of this has to be less than p was fixed by just checking it against this

[USN-6450-1] OpenSSL vulnerabilities

  • 4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • Two CPU-based DoS issues above plus
    • Possible truncation / overrun during the initialisation of various ciphers if the key or IV lengths differ compared to when initially established - some ciphers allow a variable length IV (e.g. AES-GCM) and so it is possible that an application will use a non-standard IV length during the use of the cipher compared to when they initialise it
      • The API for this was only “recently” introduced (3.x) - and in general not a lot of applications will be affected
    • Issue specific to the AES-SIV (mode of AES that provides deterministic nonce-less key wrapping - used for key wrapping when transporting cryptographic keys; as well as nonce-based authenticated encryption that is resistant to nonce reuse)
      • AES-SIV allows to perform authentication of data - and to do this the relevant OpenSSL API’s should be called with an input buffer length of 0 and a NULL ptr for the output buffer - BUT if the associated data to be authenticated was empty, in this case, OpenSSL would return success without doing any authentication
      • In practice this is unlikely to be an issue since it doesn’t not affect non-empty data authentication which is the vast majority of use-cases

[USN-6165-2] GLib vulnerabilities (07:57)

[USN-6374-2] Mutt vulnerabilities (05:08)

[USN-6438-1, USN-6438-2, USN-6427-2] .NET vulnerabilities (05:15)

  • 2 CVEs addressed in Mantic (23.10)
  • HTTP/2 Rapid Reset - DoS on server side by clients sending a large number of requests and immediately cancelling them many times over and over - exploited in the wild recently, achieving the largest DoS attack bandwidths seen - requires HTTP/2 implementations to essentially do heuristics over time to track allocated streams against connections and block the connection when too many are made or similar
    • Fix for Kestrel web server in .NET

[USN-6362-2] .Net regressions

[USN-6199-2] PHP vulnerability (06:31)

[USN-6403-2] libvpx vulnerabilities (06:39)

  • 2 CVEs addressed in Bionic ESM (18.04 ESM)
  • WebM VP8/VP9 video en/decoder
  • Heap buffer overflow -> DoS/RCE
  • OOB read -> DoS

[USN-6408-2] libXpm vulnerabilities (07:00)

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Infinite recursion -> stack exhaustion -> crash -> DoS
  • Integer overflow -> heap buffer overflow -> RCE/DoS
  • Two different OOB reads -> crash -> DoS

[USN-6448-1] Sofia-SIP vulnerability (09:01)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • SIP user agent - integer overflows and resulting heap buffer overflows due to missing length checks in the STUN message parser -> RCE
  • Also fixed a OOB read as well -> DoS

[USN-6422-2] Ring vulnerabilities (09:17)

[USN-6449-1] FFmpeg vulnerabilities (09:58)

[USN-6447-1] AOM vulnerabilities (11:32)

[USN-6288-2] MySQL vulnerability (12:40)

[USN-6451-1] ncurses vulnerability (12:47)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Heap buffer overflow via crafted terminfo file - found by fuzzing infotocap
    • terminfo files are usually trusted content so unlikely to be an issue in practice

[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)

[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)

[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)

[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)

[USN-6442-1] Linux kernel (BlueField) vulnerabilities

[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)

[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)

[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities

[USN-6446-1, USN-6446-2] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community

Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)

  • Ubuntu Summit
    • https://events.canonical.com/event/31/
    • Mark Esler will be presenting “Improving FOSS Security” - designed for FOSS maintainers who want to be proactive about security and protecting their users
    • Tobias Heider will be presenting with Hector Martin on Asahi Linux and in particular Ubuntu Asahi - community project to bring the Asahi Linux work to Ubuntu (also was a great shout-out from Joe Ressington on the most recent Late Night Linux plus a good write-up on omgubuntu)

Goodbye and good luck to David Lane (21:31)

  • Led the snap store reviewers work - much more streamlined process for folks interacting on the snapcraft forum
  • Great manager + engineer and a great friend
  • See you at b-sides cbr in 2024

Get in contact

  continue reading

234 قسمت

Artwork

Episode 212

Ubuntu Security Podcast

143 subscribers

published

iconاشتراک گذاری
 
Manage episode 381061657 series 2423058
محتوای ارائه شده توسط Alex Murray and Ubuntu Security Team. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Alex Murray and Ubuntu Security Team یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Overview

With the Ubuntu Summit just around the corner, we preview a couple talks by the Ubuntu Security team, plus we look at security updates for OpenSSL, Sofia-SIP, AOM, ncurses, the Linux kernel and more.

This week in Ubuntu Security Updates

91 unique CVEs addressed

[USN-6437-1] VIPS vulnerabilities (00:35)

[USN-6435-1] OpenSSL vulnerabilities (01:26)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • CPU-based DoS via an execssively large DH modulus (p parameter) value (over 10,000 bits)
  • OpenSSL by default will try and validate if the modulus over 10,000 bits and raise an error - but before the error is raised it would still check other aspects of the supplied key / parameters which in turn could use the p value and hence take an excessive amount of time - fixed by checking this earlier and erroring out in that case
  • Then was found that the q parameter could also be abused in the same way - since the size of this has to be less than p was fixed by just checking it against this

[USN-6450-1] OpenSSL vulnerabilities

  • 4 CVEs addressed in Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • Two CPU-based DoS issues above plus
    • Possible truncation / overrun during the initialisation of various ciphers if the key or IV lengths differ compared to when initially established - some ciphers allow a variable length IV (e.g. AES-GCM) and so it is possible that an application will use a non-standard IV length during the use of the cipher compared to when they initialise it
      • The API for this was only “recently” introduced (3.x) - and in general not a lot of applications will be affected
    • Issue specific to the AES-SIV (mode of AES that provides deterministic nonce-less key wrapping - used for key wrapping when transporting cryptographic keys; as well as nonce-based authenticated encryption that is resistant to nonce reuse)
      • AES-SIV allows to perform authentication of data - and to do this the relevant OpenSSL API’s should be called with an input buffer length of 0 and a NULL ptr for the output buffer - BUT if the associated data to be authenticated was empty, in this case, OpenSSL would return success without doing any authentication
      • In practice this is unlikely to be an issue since it doesn’t not affect non-empty data authentication which is the vast majority of use-cases

[USN-6165-2] GLib vulnerabilities (07:57)

[USN-6374-2] Mutt vulnerabilities (05:08)

[USN-6438-1, USN-6438-2, USN-6427-2] .NET vulnerabilities (05:15)

  • 2 CVEs addressed in Mantic (23.10)
  • HTTP/2 Rapid Reset - DoS on server side by clients sending a large number of requests and immediately cancelling them many times over and over - exploited in the wild recently, achieving the largest DoS attack bandwidths seen - requires HTTP/2 implementations to essentially do heuristics over time to track allocated streams against connections and block the connection when too many are made or similar
    • Fix for Kestrel web server in .NET

[USN-6362-2] .Net regressions

[USN-6199-2] PHP vulnerability (06:31)

[USN-6403-2] libvpx vulnerabilities (06:39)

  • 2 CVEs addressed in Bionic ESM (18.04 ESM)
  • WebM VP8/VP9 video en/decoder
  • Heap buffer overflow -> DoS/RCE
  • OOB read -> DoS

[USN-6408-2] libXpm vulnerabilities (07:00)

  • 4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Infinite recursion -> stack exhaustion -> crash -> DoS
  • Integer overflow -> heap buffer overflow -> RCE/DoS
  • Two different OOB reads -> crash -> DoS

[USN-6448-1] Sofia-SIP vulnerability (09:01)

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Lunar (23.04), Mantic (23.10)
  • SIP user agent - integer overflows and resulting heap buffer overflows due to missing length checks in the STUN message parser -> RCE
  • Also fixed a OOB read as well -> DoS

[USN-6422-2] Ring vulnerabilities (09:17)

[USN-6449-1] FFmpeg vulnerabilities (09:58)

[USN-6447-1] AOM vulnerabilities (11:32)

[USN-6288-2] MySQL vulnerability (12:40)

[USN-6451-1] ncurses vulnerability (12:47)

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
  • Heap buffer overflow via crafted terminfo file - found by fuzzing infotocap
    • terminfo files are usually trusted content so unlikely to be an issue in practice

[USN-6416-3] Linux kernel (Raspberry Pi) vulnerabilities (14:00)

[USN-6439-1, USN-6439-2] Linux kernel vulnerabilities (15:09)

[USN-6440-1, USN-6440-2] Linux kernel vulnerabilities (15:40)

[USN-6441-1, USN-6441-2] Linux kernel vulnerabilities (15:50)

[USN-6442-1] Linux kernel (BlueField) vulnerabilities

[USN-6443-1] Linux kernel (OEM) vulnerabilities (15:55)

[USN-6444-1, USN-6444-2] Linux kernel vulnerabilities (16:46)

[USN-6445-1, USN-6445-2] Linux kernel (Intel IoTG) vulnerabilities

[USN-6446-1, USN-6446-2] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community

Preparation for Riga Product Roadmap Sprint, Ubuntu Summit and Engineering Sprint (17:33)

  • Ubuntu Summit
    • https://events.canonical.com/event/31/
    • Mark Esler will be presenting “Improving FOSS Security” - designed for FOSS maintainers who want to be proactive about security and protecting their users
    • Tobias Heider will be presenting with Hector Martin on Asahi Linux and in particular Ubuntu Asahi - community project to bring the Asahi Linux work to Ubuntu (also was a great shout-out from Joe Ressington on the most recent Late Night Linux plus a good write-up on omgubuntu)

Goodbye and good luck to David Lane (21:31)

  • Led the snap store reviewers work - much more streamlined process for folks interacting on the snapcraft forum
  • Great manager + engineer and a great friend
  • See you at b-sides cbr in 2024

Get in contact

  continue reading

234 قسمت

All episodes

×
 
Loading …

به Player FM خوش آمدید!

Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.

 

راهنمای مرجع سریع