Episode 192
Overview
Ubuntu gets pwned at Pwn2Own 2023, plus we cover security updates for vulns in GitPython, object-path, amanda, url-parse and the Linux kernel - and we mention the recording of Alex’s Everything Open 2023 presentation as well.
This week in Ubuntu Security Updates
91 unique CVEs addressed
[USN-5968-1] GitPython vulnerability [00:46]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- RCE via a malicious URL when cloning a repo - GitPython would call git clone under the hood and pass the purported URL through without any validation
- Used as a dependency for other Python-based tools etc - in particular by Bandit, a Python security checking tool used to scan Python projects for security issues - would be ironic if a tool used to scan for security problems could be used to leverage an attack - so I took a quick look at the source code for Bandit and it seems to only use GitPython to check if the current directory is a git repo or not - so it would not be exploitable via this issue
[USN-5967-1] object-path vulnerabilities [02:11]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- all prototype pollution vulns - a type of injection attack that particularly applies to languages like JavaScript, where an attacker can add arbitrary properties to global / default JavaScript objects that then get inherited by user-defined objects - this can change the logic of the application or potentially even lead to remote code execution (depending on how those object properties are used by the application)
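As an added illustration of the mechanism described above (not object-path's own code, and the `setPathWeak` / `setPathSafe` helpers and the `isAdmin` flag are constructed for the demo): a minimal "set a value by dotted path" helper of the kind object-path provides, first without key filtering, then hardened so that a path such as `__proto__.isAdmin` cannot reach `Object.prototype`.

```javascript
// Weak: walks the path and creates intermediate objects with no key filtering,
// so a key like "__proto__" or "constructor" walks up into shared prototypes.
function setPathWeak(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined || node[keys[i]] === null) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse prototype-reaching keys outright, and only descend into
// own, plain-object properties so inherited ones are never traversed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set path containing a prototype key: ${path}`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, keys[i]);
    if (!own || typeof node[keys[i]] !== 'object' || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Simulates an application that updates a config object from an untrusted
// path, then checks a flag on a freshly created, unrelated object. With the
// weak setter the unrelated object "inherits" the attacker's property.
function demo(setter, untrustedPath) {
  const config = {};
  try {
    setter(config, untrustedPath, true);
  } catch (e) {
    return { rejected: true, polluted: false };
  }
  const unrelated = {}; // should never see a property set via config
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so later runs start fresh
  return { rejected: false, polluted };
}
```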
[USN-5942-2] Apache HTTP Server vulnerability [02:56]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- request smuggling attack against mod_proxy
[USN-5966-1, USN-5966-2] amanda vulnerabilities [03:06]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- amanda has several suid-root binaries - each could be abused in a different way - one to check whether a given directory existed or not (info leak), and the others to get code execution etc - the update introduced a regression which was then also fixed
[USN-5969-1] gif2apng vulnerabilities [04:00]
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5971-1] Graphviz vulnerabilities [04:12]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 different NULL ptr derefs, 1 buffer overflow -> DoS / RCE
[USN-5954-2] Firefox regressions [04:40]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 111.0.1 - fixes a couple of regressions on macOS and Windows apparently
[USN-5972-1] Thunderbird vulnerabilities [04:58]
- 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- 102.9.0
[USN-5973-1] url-parse vulnerabilities [05:11]
- 8 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- nodejs module for parsing URLs - even a seemingly simple task like parsing URLs can harbour various vulnerabilities
- DoS, SSRF, open redirect, or bypass of various other authorisation checks
- upstream project now recommends to use the URL interface from nodejs and the various browsers for “better security and accuracy”
[USN-5974-1] GraphicsMagick vulnerabilities [06:24]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-5686-4] Git vulnerability [06:37]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- [USN-5686-1] Git vulnerabilities from Episode 181
[USN-5970-1] Linux kernel vulnerabilities [06:45]
- 9 CVEs addressed in Kinetic (22.10)
[LSN-0093-1] Linux kernel vulnerability [07:15]
- 2 CVEs addressed in all the various Livepatch supported releases (LTS and 16.04 ESM) across various different kernels
- UAF in Upper Level Protocol and buffer overflow in netfilter when handling VLAN headers - both could allow a local user to cause a DoS or gain code execution in the kernel -> EoP
Kernel type | 22.04 | 20.04 | 18.04 | 16.04 |
---|---|---|---|---|
aws | 93.1 | 93.1 | 93.1 | — |
aws-5.15 | — | 93.1 | — | — |
aws-5.4 | — | — | 93.1 | — |
aws-hwe | — | — | — | 93.1 |
azure | 93.1 | 93.1 | — | 93.1 |
azure-4.15 | — | — | 93.1 | — |
azure-5.4 | — | — | 93.1 | — |
gcp | 93.2 | 93.1 | — | 93.1 |
gcp-4.15 | — | — | 93.1 | — |
gcp-5.15 | — | 93.2 | — | — |
gcp-5.4 | — | — | 93.1 | — |
generic-4.15 | — | — | 93.1 | 93.1 |
generic-5.4 | — | 93.1 | 93.1 | — |
gke | 93.2 | 93.1 | — | — |
gke-4.15 | — | — | 93.1 | — |
gke-5.15 | — | 93.2 | — | — |
gke-5.4 | — | — | 93.1 | — |
gkeop | — | 93.1 | — | — |
gkeop-5.4 | — | — | 93.1 | — |
ibm | 93.1 | 93.1 | — | — |
linux | 93.1 | — | — | — |
lowlatency-4.15 | — | — | 93.1 | 93.1 |
lowlatency-5.4 | — | 93.1 | 93.1 | — |
oem | — | — | 93.1 | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
[USN-5975-1] Linux kernel vulnerabilities
- 31 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5976-1] Linux kernel (OEM) vulnerabilities
- 9 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
[USN-5977-1] Linux kernel (OEM) vulnerabilities
- 3 CVEs addressed in Jammy (22.04 LTS)
[USN-5978-1] Linux kernel (OEM) vulnerabilities
- 12 CVEs addressed in Jammy (22.04 LTS)
[USN-5979-1] Linux kernel (HWE) vulnerabilities
- 9 CVEs addressed in Jammy (22.04 LTS)
[USN-5980-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Focal (20.04 LTS)
[USN-5981-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Xenial ESM (16.04 ESM)
[USN-5982-1] Linux kernel vulnerabilities
- 15 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
Goings on in Ubuntu Security Community
pwn2own 2023 [08:02]
- pwn2own - part of CanSecWest security conference in Vancouver, Canada
- originally started as an informal event, now is organised by Trend’s ZDI and is attended by many of the best offensive security research teams in the world
- compete to hack various known targets under various categories
- Runs over 3 days
- Ubuntu Desktop was a target again this year, in particular in the local user elevation of privilege category - standard unprivileged user account which can be used to escalate privileges to root - targeting the latest Ubuntu interim release 22.10 (Kinetic)
- competitors get 3 attempts, each with a time limit of 10 minutes to get their exploit to work
- From our side, we had a team of 4 engineers (Steve Beattie, John Johansen and Georgia Garcia from the Ubuntu Security team and Thadeu Cascardo from the Ubuntu Kernel team) who were on call to be shown the exploit and vulnerability and had 30 minutes to determine whether it was already known or not
- Day 1 saw 2 attempts
- one unsuccessful, the other a previously known (but unpatched) vulnerability
- Day 2 saw 1 successful attempt (incorrect pointer scaling issue)
- Day 3 saw 3 successful attempts
- one also previously known; the other two were a double free and a UAF
- In total, 6 separate teams targeted Ubuntu Desktop, 5 were successful, and the other was not able to get their exploit to work in the allotted time limit
- Details surrounding all of these vulnerabilities are embargoed for now, but will become available in the future
- Only minor details have been released publicly by ZDI at this time (ie incorrect pointer scaling, double free and UAF) but all are (unsurprisingly) related to the memory unsafety of C
- Interesting to see that macOS was only targeted once (successfully), and Windows 11 twice (both successful too), yet Ubuntu had 6
- Yet last year, there were 6 for Windows 11, and 4 for Ubuntu
- Is Ubuntu seen as an easy target? Or are there more security researchers looking at Ubuntu compared to Windows nowadays?
- Does the open source nature of Linux make it easier to find vulns since the source code is easily able to be inspected?
- Pace of development of the upstream kernel is quite fast, with lots of new subsystems like io_uring, and large attack surfaces through unprivileged user namespaces perhaps make Ubuntu more of an easy target - part of the motivation to want to restrict access to unprivileged user namespaces in the future
- More details to follow once vulns have been made public
- Thanks to Steve, JJ, Georgia and Thadeu
- Day 1 Results
- Day 2 Results
- Day 3 Results
Securing a distro and your own open source project - Everything Open 2023 [14:27]
Ubuntu is one of the most popular Linux distributions and is used by millions of people all over the world. It contains software from a wide array of different upstream projects and communities across a number of different language ecosystems. Ubuntu also aims to provide the best user experience for consuming all these various pieces of software, whilst being both as secure and usable as possible.
The Ubuntu Security team is responsible for keeping all of this software secure and patched against known vulnerabilities, as well as proactively looking for new possible security issues, and finally for ensuring the distribution as a whole is secured through proactive hardening work. They also have a huge depth of experience in working with upstream open source projects to report, manage, patch and disclose security vulnerabilities. Find out both how they keep Ubuntu secure and how you can improve the security of your own open source project or the projects you contribute to.