Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
Episode 227
MP3•Episode home
Manage episode 416201461 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Overview
Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.
This week in Ubuntu Security Updates
61 unique CVEs addressed
[USN-6749-1] FreeRDP vulnerabilities (00:45)
- 7 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Bunch of issues all reported by researcher from Kaspersky - usual sorts of issues in this package - written in C etc
- OOB reads, heap buffer overflow, integer overflow / underflow -> OOB write
[USN-6752-1] FreeRDP vulnerabilities (01:41)
- 4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Not long after those - more CVEs announced
- OOB read, NULL ptr deref and memory exhaustion
[USN-6657-2] Dnsmasq vulnerabilities (01:54)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6657-1] Dnsmasq vulnerabilities from Episode 220
[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)
- 5 CVEs addressed in Jammy (22.04 LTS)
[USN-6750-1] Thunderbird vulnerabilities (02:19)
- 8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- 115.10.1
[USN-6751-1] Zabbix vulnerabilities (02:54)
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- First time Zabbix has featured in the podcast!
- Fixes 2 reflected XSS issues - in newer versions both require the attacker to be able to specify the user’s specific CSRF token - but in older versions only there was only a session ID which is easier to guess
[USN-6753-1] CryptoJS vulnerability (03:38)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Insecure default config - uses older parameters for the implementation of PBKDF2 - SHA1 with a single iteration - makes any passwords protected via PBKDF2 in crypto-js easier to brute-force from the hashed value - instead updated to use SHA256 with 250,000 rounds
[USN-6754-1] nghttp2 vulnerabilities (04:32)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 - all DoS attacks)
- HTTP/2 continuation frames - no proper limit on the amount of these frames which can be sent in a single stream - attacker can send many to cause a DoS on the server either through CPU by lots of processing or memory by storing all these headers in memory
[USN-6755-1] GNU cpio vulnerabilities (05:42)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Path traversal vuln - possible to write outside of the target directory
- Specific to Debian/Ubuntu etc since reverted part of the fix for historic CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the archive - since it broke the use of the
--no-absolute-filenames
CLI argument - Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu since focal
- Now use more correct fix from upstream (April 2023)
[USN-6756-1] less vulnerability (07:10)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
- Similar issue - this time in the use of
LESSOPEN
environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if ranless
on some untrusted file LESSOPEN
is automatically set in Debian/Ubuntu vialesspipe
- allows to run less on say a gz compressed log file or even on a tar.gz tarball to list the files etc
[USN-6757-1] PHP vulnerabilities (08:41)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the same network/site could set a cookie via HTTP with one name, which then gets used by sessions using HTTPS and when using a different cookie name - is a problem since certain cookie names (like
__Host-
and__Secure-
) have specific meanings which in general should be allowed to be specified by the network but only by the browser itself - so can be used to bypass usual restrictions (apparently this issue was reported upstream by the original reported of the 2022 vuln but it got ignored by upstream till now…) password_verify()
function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified a password was the empty string would verify as true (unlikely to be an issue in practice)- Heap buffer overflow due to a large
PHP_CLI_SERVER_WORKERS
env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)
[USN-6761-1] Anope vulnerability (11:15)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Failed to deny ability to reset the password of a suspended account and hence gain access again
[USN-6758-1] JSON5 vulnerability (11:37)
- 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- NodeJS module for the JSON5 format - “JSON for humans” - much more similar to yaml, does away with a lot of the usual quotes etc
- Protoype pollution vuln - when parsing would fail to restrict use of the
__proto__
key and hence would allow the ability to set arbitrary keys etc within the returned object -> RCE
[LSN-0103-1] Linux kernel vulnerability (12:46)
- 7 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
Kernel type | 22.04 | 20.04 | 18.04 |
---|---|---|---|
aws | 103.3 | 103.3 | — |
aws-5.15 | — | 103.3 | — |
aws-5.4 | — | — | 103.3 |
aws-6.5 | 103.1 | — | — |
azure | 103.3 | 103.3 | — |
azure-5.4 | — | — | 103.3 |
azure-6.5 | 103.1 | — | — |
gcp | 103.3 | 103.3 | — |
gcp-5.15 | — | 103.3 | — |
gcp-5.4 | — | — | 103.3 |
gcp-6.5 | 103.1 | — | — |
generic-5.15 | — | 103.3 | — |
generic-5.4 | — | 103.3 | 103.3 |
gke | 103.3 | 103.3 | — |
hwe-6.5 | 103.1 | — | — |
ibm | 103.3 | — | — |
ibm-5.15 | — | 103.3 | — |
linux | 103.3 | — | — |
lowlatency-5.15 | — | 103.3 | — |
lowlatency-5.4 | — | 103.3 | 103.3 |
canonical-livepatch status
[USN-6760-1] Gerbv vulnerability (13:01)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Vuln found by the Ubuntu Security team - David and (former member) Andrei - Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of testing with ASan enabled - crafted filename -> crash
[USN-6759-1] FreeRDP vulnerabilities (13:41)
- 5 CVEs addressed in Noble (24.04 LTS)
[USN-6737-2] GNU C Library vulnerability
- 1 CVEs addressed in Noble (24.04 LTS)
[USN-6729-3] Apache HTTP Server vulnerabilities
- 3 CVEs addressed in Noble (24.04 LTS)
[USN-6718-3] curl vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6733-2] GnuTLS vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6734-2] libvirt vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6744-3] Pillow vulnerability
- 1 CVEs addressed in Noble (24.04 LTS)
Goings on in Ubuntu Security Community
Ubuntu 24.04 LTS (Noble Numbat) released (14:27)
- https://ubuntu.com/blog/canonical-releases-ubuntu-24-04-noble-numbat
- https://ubuntu.com/blog/ubuntu-desktop-24-04-noble-numbat-deep-dive
- https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
- Up to 12 years of support via Ubuntu Pro + Legacy Support Add-on
- New security features / improvements:
- Unprivileged user namespace restrictions
- Binary hardening
- AppArmor 4
- Disabling of old TLS versions
- Upstream Kernel Security Features
- Intel shadow stack support
- Secure virtualisation with AMD SEV-SNP and Intel TDX
- Strict compile-time bounds checking
Get in contact
232 episodes
MP3•Episode home
Manage episode 416201461 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Overview
Ubuntu 24.04 LTS is finally released and we cover all the new security features it brings, plus we look at security vulnerabilities in, and updates for, FreeRDP, Zabbix, CryptoJS, cpio, less, JSON5 and a heap more.
This week in Ubuntu Security Updates
61 unique CVEs addressed
[USN-6749-1] FreeRDP vulnerabilities (00:45)
- 7 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Bunch of issues all reported by researcher from Kaspersky - usual sorts of issues in this package - written in C etc
- OOB reads, heap buffer overflow, integer overflow / underflow -> OOB write
[USN-6752-1] FreeRDP vulnerabilities (01:41)
- 4 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Not long after those - more CVEs announced
- OOB read, NULL ptr deref and memory exhaustion
[USN-6657-2] Dnsmasq vulnerabilities (01:54)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- [USN-6657-1] Dnsmasq vulnerabilities from Episode 220
[USN-6743-3] Linux kernel (Azure) vulnerabilities (02:13)
- 5 CVEs addressed in Jammy (22.04 LTS)
[USN-6750-1] Thunderbird vulnerabilities (02:19)
- 8 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- 115.10.1
[USN-6751-1] Zabbix vulnerabilities (02:54)
- 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- First time Zabbix has featured in the podcast!
- Fixes 2 reflected XSS issues - in newer versions both require the attacker to be able to specify the user’s specific CSRF token - but in older versions only there was only a session ID which is easier to guess
[USN-6753-1] CryptoJS vulnerability (03:38)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Insecure default config - uses older parameters for the implementation of PBKDF2 - SHA1 with a single iteration - makes any passwords protected via PBKDF2 in crypto-js easier to brute-force from the hashed value - instead updated to use SHA256 with 250,000 rounds
[USN-6754-1] nghttp2 vulnerabilities (04:32)
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Fixes for most recent issue in HTTP/2 (plus a few older HTTP/2 issues for ESM releases - HTTP/2 Rapid Reset and 2 disclosed by Netflix back in 2019 which we covered back in [USN-4099-1] nginx vulnerabilities from Episode 49 - all DoS attacks)
- HTTP/2 continuation frames - no proper limit on the amount of these frames which can be sent in a single stream - attacker can send many to cause a DoS on the server either through CPU by lots of processing or memory by storing all these headers in memory
[USN-6755-1] GNU cpio vulnerabilities (05:42)
- 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Path traversal vuln - possible to write outside of the target directory
- Specific to Debian/Ubuntu etc since reverted part of the fix for historic CVE-2015-1197 - path traversal via inclusion of a malicious symlink in the archive - since it broke the use of the
--no-absolute-filenames
CLI argument - Was reverted back in 2.13+dfsg-2 - this was included in all releases of Ubuntu since focal
- Now use more correct fix from upstream (April 2023)
[USN-6756-1] less vulnerability (07:10)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Second vuln in less in the last 10 weeks or so - [USN-6664-1] less vulnerability from Episode 220
- Similar issue - this time in the use of
LESSOPEN
environment variable - failed to properly quote newlines embedded in a filename - could then allow for arbitrary code execution if ranless
on some untrusted file LESSOPEN
is automatically set in Debian/Ubuntu vialesspipe
- allows to run less on say a gz compressed log file or even on a tar.gz tarball to list the files etc
[USN-6757-1] PHP vulnerabilities (08:41)
- 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- Incomplete fix for historic CVE-2022-31629 - ability for an attacker on the same network/site could set a cookie via HTTP with one name, which then gets used by sessions using HTTPS and when using a different cookie name - is a problem since certain cookie names (like
__Host-
and__Secure-
) have specific meanings which in general should be allowed to be specified by the network but only by the browser itself - so can be used to bypass usual restrictions (apparently this issue was reported upstream by the original reported of the 2022 vuln but it got ignored by upstream till now…) password_verify()
function would sometimes return true for wrong passwords - ie if the actual password started with a NUL byte and the specified a password was the empty string would verify as true (unlikely to be an issue in practice)- Heap buffer overflow due to a large
PHP_CLI_SERVER_WORKERS
env var value - integer overflow -> wraparound -> allocate small amount of memory for a large number of values -> buffer overflow (low priority since would need to be able to set this env var first)
[USN-6761-1] Anope vulnerability (11:15)
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
- Failed to deny ability to reset the password of a suspended account and hence gain access again
[USN-6758-1] JSON5 vulnerability (11:37)
- 1 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
- NodeJS module for the JSON5 format - “JSON for humans” - much more similar to yaml, does away with a lot of the usual quotes etc
- Protoype pollution vuln - when parsing would fail to restrict use of the
__proto__
key and hence would allow the ability to set arbitrary keys etc within the returned object -> RCE
[LSN-0103-1] Linux kernel vulnerability (12:46)
- 7 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)
Kernel type | 22.04 | 20.04 | 18.04 |
---|---|---|---|
aws | 103.3 | 103.3 | — |
aws-5.15 | — | 103.3 | — |
aws-5.4 | — | — | 103.3 |
aws-6.5 | 103.1 | — | — |
azure | 103.3 | 103.3 | — |
azure-5.4 | — | — | 103.3 |
azure-6.5 | 103.1 | — | — |
gcp | 103.3 | 103.3 | — |
gcp-5.15 | — | 103.3 | — |
gcp-5.4 | — | — | 103.3 |
gcp-6.5 | 103.1 | — | — |
generic-5.15 | — | 103.3 | — |
generic-5.4 | — | 103.3 | 103.3 |
gke | 103.3 | 103.3 | — |
hwe-6.5 | 103.1 | — | — |
ibm | 103.3 | — | — |
ibm-5.15 | — | 103.3 | — |
linux | 103.3 | — | — |
lowlatency-5.15 | — | 103.3 | — |
lowlatency-5.4 | — | 103.3 | 103.3 |
canonical-livepatch status
[USN-6760-1] Gerbv vulnerability (13:01)
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
- Vuln found by the Ubuntu Security team - David and (former member) Andrei - Andrei found this whilst patching Gerbv back in 2023 and doing a bunch of testing with ASan enabled - crafted filename -> crash
[USN-6759-1] FreeRDP vulnerabilities (13:41)
- 5 CVEs addressed in Noble (24.04 LTS)
[USN-6737-2] GNU C Library vulnerability
- 1 CVEs addressed in Noble (24.04 LTS)
[USN-6729-3] Apache HTTP Server vulnerabilities
- 3 CVEs addressed in Noble (24.04 LTS)
[USN-6718-3] curl vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6733-2] GnuTLS vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6734-2] libvirt vulnerabilities
- 2 CVEs addressed in Noble (24.04 LTS)
[USN-6744-3] Pillow vulnerability
- 1 CVEs addressed in Noble (24.04 LTS)
Goings on in Ubuntu Security Community
Ubuntu 24.04 LTS (Noble Numbat) released (14:27)
- https://ubuntu.com/blog/canonical-releases-ubuntu-24-04-noble-numbat
- https://ubuntu.com/blog/ubuntu-desktop-24-04-noble-numbat-deep-dive
- https://ubuntu.com/blog/whats-new-in-security-for-ubuntu-24-04-lts
- Up to 12 years of support via Ubuntu Pro + Legacy Support Add-on
- New security features / improvements:
- Unprivileged user namespace restrictions
- Binary hardening
- AppArmor 4
- Disabling of old TLS versions
- Upstream Kernel Security Features
- Intel shadow stack support
- Secure virtualisation with AMD SEV-SNP and Intel TDX
- Strict compile-time bounds checking
Get in contact
232 episodes
All episodes
×Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.