Content provided by Alex Murray and Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here https://ru.player.fm/legal.
Episode 231
Overview
A look into CISA’s Known Exploited Vulnerability Catalogue is on our minds this week, plus we look at vulnerability updates for gdb, Ansible, CUPS, libheif, Roundcube, the Linux kernel and more.
This week in Ubuntu Security Updates
175 unique CVEs addressed
[USN-6842-1] gdb vulnerabilities (01:10)
- 6 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- a couple of these are inherited from binutils as they share that code - parsing of crafted ELF executables -> NULL ptr deref or possible heap-based buffer overflow -> DoS/RCE
- other stack and heap buffer overflows as well - parsing of crafted Ada files and crafted debug info files -> DoS/RCE
[USN-6845-1] Hibernate vulnerability (02:12)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- Object-relational mapping (ORM) library for Java
- SQL injection in the JPA Criteria API implementation - could allow unvalidated literals when they are used in the SQL comments of a query when logging is enabled - fixed by properly escaping comments in this case
[USN-6846-1] Ansible vulnerabilities (02:46)
- 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Possibly would leak the password into the log file when using the AWS EC2 module since it failed to validate the tower_callback (nowadays called aap_callback - Ansible Automation Platform) parameter appropriately
- Allows marking variables as unsafe - in that they may come from an external, untrusted source - so they won’t get evaluated/expanded when used, to avoid possible info leaks etc - various issues where Ansible would fail to respect this and essentially forget they were tagged as unsafe and end up exposing secrets as a result
[USN-6844-1] CUPS vulnerability (04:08)
- 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- When starting, cups would arbitrarily chmod the socket specified as the Listen parameter to make it world-writable - if this was a symlink, would then make the target of the symlink world-readable - in general the cups config file is only writable by root, so exploiting this requires some other vuln: either write access to the config file OR the ability to replace the regular cups socket path with a user-controlled symlink - but if you can, then you can even change the cups config itself to be world-writable and hence modify other parameters like the user and group that cups should run as, as well as a crafted FoomaticRIPCommandLine, and then run arbitrary commands as root
[USN-6849-1] Salt vulnerabilities (06:20)
- 2 CVEs addressed in Trusty ESM (14.04 ESM)
- Failed to properly validate paths in some methods and also failed to restrict access to other methods, allowing them to be used without authentication - could then either allow arbitrary directory access or the ability to retrieve tokens from the master or run arbitrary commands on minions
[USN-6746-2] Google Guest Agent and Google OS Config Agent vulnerability (06:44)
- 1 CVE addressed in Noble (24.04 LTS)
- A vuln in the embedded golang protobuf module - when parsing JSON could end up in an infinite loop -> DoS
[USN-6850-1] OpenVPN vulnerability (07:04)
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- [USN-5347-1] OpenVPN vulnerability from Episode 155 - possibly gets confused when using multiple authentication plugins and deferred authentication
[USN-6847-1] libheif vulnerabilities (07:36)
- 8 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- First time to mention libheif on the podcast - High Efficiency Image File Format - part of the MPEG-H standard - container format used to store images or sequences of images
- Commonly seen due to its use by Apple for images on iPhone
- C++ - usual types of issues
- UAF, buffer overflows, floating point exception etc
- most found through fuzzing
[USN-6848-1] Roundcube vulnerabilities (08:21)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- webmail front-end for IMAP
- 2 different possible XSS issues due to mishandling of SVG - email containing an SVG could embed JS that then gets loaded when the email is viewed
- Also possible XSS through a crafted user preference value - similarly through a crafted Content-Type/Content-Disposition header which can be used for attachment preview/download
[USN-6819-4] Linux kernel (Oracle) vulnerabilities (09:21)
- 149 CVEs addressed in Jammy (22.04 LTS)
- Of all these CVEs, 6 had a high priority rating
- many are due to bugs in the async handling of crypto operations in the in-kernel TLS implementation
- CVE-2024-26582 and CVE-2024-26584 - both reported by the Google kernelCTF program (talked about back in [USN-6766-2] Linux kernel vulnerabilities from Episode 228)
- first is a UAF in TLS handling of scatter/gather arrays
- second is a UAF when crypto requests get backlogged and the underlying crypto engine can’t process them all in time - can then end up having the async callback invoked twice
- CVE-2024-26585 - very similar - UAF in handling of crypto operations from TLS - the thread which handles the socket could close it before all the operations had been scheduled
- CVE-2024-26583 - similarly, race between async notify event and socket close -> UAF
- UAF in BPF and a UAF in netfilter - also reported via Google kernelCTF - both able to be triggered via an unpriv userns
Goings on in Ubuntu Security Community
Discussion of CISA KEV
- US Gov Cybersecurity & Infrastructure Security Agency
- “America’s Cyber Defense Agency”
- National Coordinator for Critical Infrastructure Security and Resilience
- Publish various guidance for organisations around topics of cybersecurity
- for instance, recently published a report “Exploring Memory Safety in Critical Open Source Projects”
- Joint guidance (FBI, ASD / ACSC & Canadian CCCS)
- Builds on the previous case for memory safe roadmaps by looking at the prevalence of memory unsafe languages in various critical open source projects
- Also maintain the KEV - Known Exploited Vulnerabilities Catalog
- “authoritative source of vulnerabilities that have been exploited in the wild”
- Mandates for federal civilian agencies in the US to remediate KEV vulns within various timeframes
- Also recommends that everyone else monitor this list and immediately address these vulns as part of their vuln remediation plan
- List of vulns that are causing immediate harm based on observed adversarial activity
- Various requirements to be listed in the KEV:
- CVE ID assigned
- Evidence it has been or is being actively exploited
- reliable evidence that execution of malicious code was performed on a system by an unauthorised actor
- also includes both attempted and successful exploitation (e.g. includes honeypots as well as real systems)
- Clear remediation guidelines
- An update is available and should be applied OR
- Vulnerable component should be removed from networks etc if it is EOL and cannot be updated
- available as CSV or JSON
- Currently lists 1126 CVEs including:
- Accellion File Transfer Appliances
- Adobe Reader, Flash Player
- Apache HTTP Server, Struts (Solarwinds), Log4j
- Huge number of Apple iOS etc (WebKit and more)
- Atlassian Confluence
- Citrix Gateways
- Exim
- Fortinet
- GitLab
- Google Chromium
- ImageMagick
- Microsoft Windows and Exchange
- Mozilla Firefox
- Ivanti Pulse Connect Security
- SaltStack
- VMware
- WordPress
- Oldest CVEs are 2 against Windows from 2002 and 2004
- Newest include 26 2024 CVEs - various Chromium, Windows, Android Pixel, Ivanti and more
- interestingly includes ARM Mali GPU Driver CVE-2024-4610 - this affects the Bifrost and Valhall drivers - in Ubuntu we only ship the related Midgard driver back in bionic and focal so not affected by this one
- but as you may have noticed, lots that we potentially are affected by
- Apache HTTP Server, Exim, Firefox, Thunderbird - plus OpenJDK, GNU C Library, Bash, Roundcube (mentioned earlier but not this particular vuln), WinRAR (unrar), not to mention a number against the Linux kernel
- all for Linux kernel are privesc - most against either netfilter or various other subsystems like perf, AF_PACKET, tty, ptrace, futex and others
- For Ubuntu, not surprisingly, we prioritise these vulnerabilities in our patching process
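As an added example (not from the podcast or from Ubuntu's own tooling): a small Python triage script that loads a KEV JSON document, looks up the CVEs from a USN in it and orders the hits by the federal due date, which is the prioritisation the show notes describe. The KEV feed below is a constructed stand-in whose field names follow the published JSON schema; the CVE-1900-* IDs and all dates are placeholders, not real catalog values.

```python
import json
from datetime import date

# Constructed stand-in for the KEV JSON feed (the real catalog is published as CSV or JSON).
# Field names follow the published JSON schema as I know it; the dates and the CVE-1900-* IDs
# are made-up placeholders. CVE-2024-4610 is the ARM Mali entry the show notes mention, but its
# dates here are constructed too.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "dateReleased": "2024-06-20T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2024-4610", "vendorProject": "Arm", "product": "Mali GPU Kernel Driver",
         "vulnerabilityName": "Arm Mali GPU Kernel Driver Use-After-Free Vulnerability",
         "dateAdded": "2024-06-12", "dueDate": "2024-07-03",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0001", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Placeholder Linux Kernel Privilege Escalation Vulnerability",
         "dateAdded": "2024-05-20", "dueDate": "2024-06-10",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder Vulnerability",
         "dateAdded": "2024-06-18", "dueDate": "2024-07-09",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVEs tracked for this example: the four in-kernel TLS UAFs from USN-6819-4 plus the two
# KEV-listed IDs above. Whether a CVE is in KEV is looked up, never assumed.
TRACKED_CVES = ["CVE-2024-26582", "CVE-2024-26584", "CVE-2024-26585", "CVE-2024-26583",
                "CVE-2024-4610", "CVE-1900-0001"]


def load_kev(text):
    """Parse a KEV JSON document into a dict keyed by CVE ID."""
    doc = json.loads(text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def triage(cves, kev, today_iso):
    """Return the tracked CVEs that appear in KEV, most urgent first.

    Urgency order: already past the federal dueDate, then known ransomware use,
    then earliest dueDate. Each hit carries what a patching queue needs.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for cve in cves:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: stays in the normal USN queue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits


def report(hits):
    """Render the triage result as one line per KEV hit."""
    lines = []
    for h in hits:
        state = f'OVERDUE by {-h["days_left"]}d' if h["overdue"] else f'due in {h["days_left"]}d'
        flag = " [ransomware]" if h["ransomware"] else ""
        lines.append(f'{h["cve"]:<15} {h["product"]:<28} {state}{flag}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(TRACKED_CVES, load_kev(KEV_SAMPLE), "2024-06-24")))
```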
Get in contact