Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Ubuntu Security Podcast - Episode 229

13:22

Overview

As the podcast winds down for a break over the next month, this week we talk about RSA timing side-channel attacks and the recently announced DNSBomb vulnerability as we cover security updates in VLC, OpenSSL, Netatalk, WebKitGTK, amavisd-new, Unbound, Intel Microcode and more.

This week in Ubuntu Security Updates

152 unique CVEs addressed

[USN-6783-1] VLC vulnerabilities (00:54)

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10)
  • Integer underflow and a heap buffer overflow -> possible RCE

[USN-6663-3] OpenSSL update (01:40)

  • Affecting Noble (24.04 LTS)
  • [USN-6663-1] OpenSSL update from Episode 220 - hardening improvement: when an incorrect padding length is detected during PKCS#1 v1.5 RSA decryption, return deterministic pseudo-random bytes instead of an error, so that the failure cannot be used as an oracle for Bleichenbacher-style timing attacks
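
To make that hardening concrete, here is an added example (not code from OpenSSL or from the podcast) in Python: a naive PKCS#1 v1.5 unpadder that raises on bad padding, next to one that applies the same idea as the fix and returns a deterministic pseudo-random message derived from the ciphertext and a per-key secret whenever the padding is wrong. It works on the encoded message that RSA decryption would produce, so the 128-byte modulus size K, make_em and the HMAC-based PRF are assumptions of the demo rather than OpenSSL's construction.

```python
"""Toy model of PKCS#1 v1.5 unpadding with and without "implicit rejection".

Works on the encoded message EM that RSA decryption would produce, so no RSA
key or modular arithmetic is involved. All inputs are constructed for the demo.
"""
import hashlib
import hmac

K = 128  # modulus size in bytes (e.g. RSA-1024); assumption for this toy


def make_em(payload: bytes) -> bytes:
    """Build a correctly padded EM: 00 02 <non-zero padding> 00 <payload>."""
    pad_len = K - 3 - len(payload)
    assert pad_len >= 8, "payload too long for the modulus"
    return b"\x00\x02" + b"\x41" * pad_len + b"\x00" + payload


def unpad_naive(em: bytes) -> bytes:
    """The classic shape: raise on bad padding.

    The exception (and the timing of the early exits) tells a remote attacker
    whether a chosen ciphertext decrypted to '00 02 ...', which is exactly the
    oracle a Bleichenbacher-style attack needs.
    """
    if len(em) != K or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("invalid PKCS#1 v1.5 padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # also catches -1; at least 8 padding bytes are required
        raise ValueError("invalid PKCS#1 v1.5 padding")
    return em[sep + 1:]


def synthetic_message(kdk: bytes, ciphertext: bytes) -> bytes:
    """Deterministic pseudo-random plaintext for a (key, ciphertext) pair.

    Keyed with a per-private-key secret (kdk) so an attacker cannot predict
    it, and a function of the ciphertext so decrypting the same ciphertext
    twice gives the same answer. Simplified stand-in for OpenSSL's PRF
    construction, not a copy of it.
    """
    length_prf = hmac.new(kdk, b"len" + ciphertext, hashlib.sha256).digest()
    msg_len = int.from_bytes(length_prf[:2], "big") % (K - 11 + 1)
    out = b""
    counter = 0
    while len(out) < msg_len:
        block = counter.to_bytes(2, "big") + ciphertext
        out += hmac.new(kdk, block, hashlib.sha256).digest()
        counter += 1
    return out[:msg_len]


def unpad_implicit_rejection(em: bytes, kdk: bytes, ciphertext: bytes) -> bytes:
    """Never report a padding failure: valid padding yields the real payload,
    anything else yields the synthetic one, with no early exit on the way.

    Python cannot give real constant-time guarantees; the branch-free shape
    only shows the structure a C implementation has to follow.
    """
    good = int(len(em) == K)
    em = em[:K].ljust(K, b"\x00")          # normalise so indexing is always safe
    good &= int(em[0] == 0x00)
    good &= int(em[1] == 0x02)
    sep = -1
    for i in range(2, K):                   # scan every byte, remember first 0x00
        hit = int(em[i] == 0) & int(sep == -1)
        sep += hit * (i - sep)              # sep becomes i on the first hit only
    good &= int(sep >= 10)                  # >= 8 padding bytes, also covers sep == -1
    real = em[sep + 1:] if sep >= 0 else b""
    fake = synthetic_message(kdk, ciphertext)
    return real if good else fake


def naive_rejects(em: bytes) -> bool:
    """True when the naive unpadder would have leaked 'bad padding'."""
    try:
        unpad_naive(em)
    except ValueError:
        return True
    return False
```

The caller of unpad_implicit_rejection gets a message of plausible length in every case and cannot tell, from the result or from the control flow, whether the padding was valid; a protocol that then fails a MAC check with the wrong key fails at the same point either way.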

[USN-6673-3] python-cryptography vulnerability (02:32)

[USN-6736-2] klibc vulnerabilities (02:43)

[USN-6784-1] cJSON vulnerabilities (02:58)

  • 3 CVEs addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Found by 2 different researchers fuzzing the cJSON APIs
    • All are NULL pointer dereferences that require particular “incorrect” or possibly misused calls to the APIs (like passing in purposefully corrupted values), so unlikely to be an issue in practice

[USN-6785-1] GNOME Remote Desktop vulnerability (03:52)

  • 1 CVE addressed in Noble (24.04 LTS)
  • Discovered by a member of the SUSE security team while reviewing g-r-d
  • Exposed various D-Bus services that could be called by any unprivileged local user and would return the TLS (SSL) private key used to encrypt the remote desktop connection - so a local user could possibly spy on the sessions of other users remotely connected to the system

[USN-6786-1] Netatalk vulnerabilities (04:45)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Apple Filing Protocol (AFP) file sharing implementation for Linux
  • If the same path was shared via both AFP and SMB, a remote attacker could combine operations across the two protocols (for example creating a crafted symlink via one, which is then followed during a second operation via the other where a file is renamed) to overwrite arbitrary files and hence achieve arbitrary code execution on the host
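
A check a practitioner would want after reading this: is any path on the host exported over both AFP and SMB? Below is an added Python script (not part of Netatalk, Samba or the podcast) that parses two ini-style config files, collects the 'path =' value of every share section, and reports shares whose paths are equal or nested. The two configs embedded are constructed samples; on a real Ubuntu host you would read /etc/netatalk/afp.conf and /etc/samba/smb.conf instead.

```python
"""Find paths exported by both Netatalk (afp.conf) and Samba (smb.conf).

Both files are ini-style with one [section] per share and a 'path =' key,
which is all this check relies on. The two configs below are constructed
samples, not copies of any real deployment.
"""
import configparser
import os

AFP_CONF = """\
[Global]
log level = default:warn

[Media]
path = /srv/shared

[Photos]
path = /srv/shared/photos

[Backups]
path = /srv/timemachine
time machine = yes
"""

SMB_CONF = """\
[global]
workgroup = WORKGROUP
server role = standalone server

[shared]
path = /srv/shared
read only = no

[scratch]
path = /srv/scratch
"""


def share_paths(conf_text: str) -> dict:
    """Map share name -> normalised export path, skipping [global]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    paths = {}
    for section in cp.sections():
        if section.lower() == "global":
            continue
        path = cp.get(section, "path", fallback=None)
        if path:
            paths[section] = os.path.normpath(path.strip())
    return paths


def _overlaps(a: str, b: str) -> bool:
    """True when one path equals or lies inside the other."""
    return a == b or a.startswith(b + os.sep) or b.startswith(a + os.sep)


def double_exported(afp_conf: str, smb_conf: str) -> list:
    """List (afp_share, afp_path, smb_share, smb_path) for every overlap."""
    afp, smb = share_paths(afp_conf), share_paths(smb_conf)
    return [
        (an, ap, sn, sp)
        for an, ap in afp.items()
        for sn, sp in smb.items()
        if _overlaps(ap, sp)
    ]


if __name__ == "__main__":
    for hit in double_exported(AFP_CONF, SMB_CONF):
        print("exported over both AFP and SMB:", hit)
```

Nested exports are flagged as well as identical ones, because the symlink-and-rename combination only needs the attacker to reach the same directory tree through both protocols, not the same share definition.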

[USN-6788-1] WebKitGTK vulnerabilities (05:48)

  • 1 CVE addressed in Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Possible pointer authentication (PAC) bypass - relevant on arm64 in particular - demonstrated at Pwn2Own earlier this year by Manfred Paul for a $60k prize

[USN-6789-1] LibreOffice vulnerability (06:28)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Unchecked script execution triggered by clicking on a graphic - allows arbitrary scripts to run without the usual prompt

[USN-6790-1] amavisd-new vulnerability (07:09)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • MTA / AV interface - often used together with Postfix, not just for AV scanning but also for DKIM verification, integration with SpamAssassin etc
  • Misinterpreted MIME message boundaries in emails, allowing message parts to possibly bypass the usual checks
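
To show the class of bug, here is an added example (not amavisd-new's code and not a reproduction of its specific issue) of a multipart boundary parser differential in Python: a strict splitter that only accepts '--boundary' alone on a line, as RFC 2046 requires, and a lax one that accepts any line starting with '--boundary'. The message body is constructed so the two see a different number of parts; whichever side of a scanner/mail-client pair is the laxer one sees a part the other never inspects. The boundary value and message contents are assumptions for the demo.

```python
"""Parser differential on multipart boundaries.

Two splitters for the same multipart body: a strict one that follows RFC 2046
(a delimiter is '--' + boundary alone on its line, with optional trailing
whitespace) and a lax one that treats any line *starting* with '--' + boundary
as a delimiter. The message is constructed for the demo.
"""
import re


def _strip_one_eol(s: str) -> str:
    """Drop the single line break that follows a delimiter line."""
    if s.startswith("\r\n"):
        return s[2:]
    return s[1:] if s.startswith("\n") else s


def split_strict(body: str, boundary: str) -> list:
    """RFC 2046 delimiters only: '--boundary' or '--boundary--', then end of line."""
    delim = re.compile(r"^--" + re.escape(boundary) + r"(--)?[ \t]*$", re.M)
    parts, start = [], None
    for m in delim.finditer(body):
        if start is not None:
            parts.append(_strip_one_eol(body[start:m.start()]).rstrip("\r\n"))
        if m.group(1):            # closing delimiter: nothing after it is a part
            break
        start = m.end()
    return parts


def split_lax(body: str, boundary: str) -> list:
    """Any line beginning with '--boundary' counts as a delimiter."""
    parts, current, started = [], [], False
    for line in body.splitlines():
        if line.startswith("--" + boundary):
            if started:
                parts.append("\n".join(current))
            current, started = [], True
            if line.startswith("--" + boundary + "--"):
                break
            continue
        if started:
            current.append(line)
    return parts


BOUNDARY = "frontier"

# Constructed body: one benign text part, then a line '--frontier-x' that is
# not a delimiter under RFC 2046 but is one for the lax splitter. The strict
# parser sees a single text part; the lax parser sees a second part carrying
# an attachment.
BODY = (
    "--frontier\n"
    "Content-Type: text/plain\n"
    "\n"
    "hello\n"
    "--frontier-x\n"
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename=payload.bin\n"
    "\n"
    "QUJD\n"
    "--frontier--\n"
)


def differential(body: str, boundary: str) -> dict:
    """Part counts seen by each splitter; a mismatch is the warning sign."""
    strict, lax = split_strict(body, boundary), split_lax(body, boundary)
    return {"strict": len(strict), "lax": len(lax), "agree": strict == lax}
```

The practical lesson is the same whichever parser is the stricter one: a scanner only protects the recipient when it splits the message exactly the way the recipient's client will, so a scanner that cannot decide how to delimit a message should quarantine it rather than guess.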

[USN-6791-1] Unbound vulnerability (07:46)

  • 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • DNSBomb attack announced recently at IEEE S&P - affects multiple DNS implementations including BIND, Unbound, PowerDNS, Knot, DNSMasq and others
  • Unbound itself was not necessarily vulnerable to being the target of such an attack, but could be used to generate one against others - in particular Unbound had the highest amplification factor at ~22k times; the next highest was DNSMasq at ~3k times
  • Fix introduces a number of timeout parameters for various operations and discards operations that exceed them, removing the ability to “store up” responses for release in a burst later
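
An added model (not Unbound's code and not from the podcast) of why a discard timeout bounds the pulse: the attacker sends small queries slowly over a long window, all responses are withheld and then released in one short burst, and the amplification is the burst's output bandwidth divided by the attacker's input bandwidth. With a discard timeout the resolver only still holds queries younger than the timeout at release time, so the stored-up part of the burst collapses. Timing values, packet sizes and burst width are assumptions of the demo, not measurements from the paper.

```python
"""Accumulate-and-release ("pulsing") model of a DNSBomb-style amplification.

Times are integers in milliseconds. Query and response sizes, the burst width
and the timing values are assumptions for the demo, not measurements.
"""


def pulse(send_times_ms, release_ms, discard_ms, query_bytes, resp_bytes, burst_ms):
    """One cycle: queries arrive at send_times_ms, every response still pending
    is released at release_ms and leaves the resolver within burst_ms.

    discard_ms is the resolver's discard timeout (None = keep pending queries
    forever, the pre-fix behaviour): a query older than that at release time
    has already been dropped and produces no response.
    """
    answered = [t for t in send_times_ms
                if t <= release_ms and (discard_ms is None or release_ms - t <= discard_ms)]
    bytes_in = len(send_times_ms) * query_bytes
    bytes_out = len(answered) * resp_bytes
    span_ms = (max(send_times_ms) - min(send_times_ms)) or 1
    in_rate = bytes_in / span_ms      # what the attacker had to spend, per ms
    out_rate = bytes_out / burst_ms   # what the victim receives, per ms
    return {
        "sent": len(send_times_ms),
        "answered": len(answered),
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "amplification": out_rate / in_rate,
    }


# Constructed scenario: 1000 small queries, one every 10 ms for 10 s, answers
# held until t = 10 s, then pushed out in a 100 ms burst of large responses.
SEND_TIMES = list(range(0, 10_000, 10))
QUERY_BYTES, RESP_BYTES, BURST_MS = 60, 1200, 100


def compare(discard_ms):
    """Amplification with no discard timeout versus with one of discard_ms."""
    before = pulse(SEND_TIMES, 10_000, None, QUERY_BYTES, RESP_BYTES, BURST_MS)
    after = pulse(SEND_TIMES, 10_000, discard_ms, QUERY_BYTES, RESP_BYTES, BURST_MS)
    return before["amplification"], after["amplification"]


if __name__ == "__main__":
    print("amplification without / with a 1900 ms discard timeout:", compare(1900))
```

The model shows where the timeout bites: it does nothing about response size or burst width, only about how long a query can sit in the resolver, which is the term that lets an attacker stretch a low send rate into a high peak rate.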

[USN-6793-1] Git vulnerabilities (09:31)

[USN-6792-1] Flask-Security vulnerability

  • 1 CVE addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS)

[USN-6794-1] FRR vulnerabilities

[USN-6777-4] Linux kernel (HWE) vulnerabilities (09:40)

[USN-6795-1] Linux kernel (Intel IoTG) vulnerabilities (10:00)

[USN-6779-2] Firefox regressions (10:30)

[USN-6787-1] Jinja2 vulnerability (10:48)

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Incorrect handling of various HTML attributes - an attacker who controls attribute names could inject arbitrary HTML attributes/values and hence JavaScript, to perform XSS attacks etc
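
As an added example (not Jinja2's implementation and not from the podcast) of the attribute-injection shape, in Python: an xmlattr-style helper that escapes attribute values but trusts the keys, next to one that rejects any key that is not a syntactically valid attribute name. The allowed-name regex, the attacker-controlled key and count_attributes are assumptions of the demo.

```python
"""Attribute-map rendering with and without key validation.

An xmlattr-style helper turns {'src': url, 'alt': text} into ' src="..." alt="..."'.
Escaping the values is not enough: if the *keys* come from untrusted input,
a key such as 'src="x" onerror="alert(1)" x' closes the attribute and adds
new ones. Example code, not Jinja2's own implementation.
"""
import html
import re

# Assumption for this demo: an attribute name is a letter, underscore or colon
# followed by name characters; anything else (space, quotes, '/', '>', '=')
# cannot be part of a name and is rejected outright.
ATTR_NAME = re.compile(r"^[A-Za-z_:][-A-Za-z0-9_:.]*$")


def xmlattr_naive(attrs: dict) -> str:
    """Escape values only: an attacker-controlled key breaks out."""
    return "".join(f' {k}="{html.escape(str(v), quote=True)}"' for k, v in attrs.items())


def xmlattr_checked(attrs: dict) -> str:
    """Reject any key that is not a syntactically valid attribute name."""
    out = []
    for k, v in attrs.items():
        if not ATTR_NAME.match(k):
            raise ValueError(f"invalid attribute name: {k!r}")
        out.append(f' {k}="{html.escape(str(v), quote=True)}"')
    return "".join(out)


def rejects(attrs: dict) -> bool:
    """True when the checked renderer refuses the attribute map."""
    try:
        xmlattr_checked(attrs)
    except ValueError:
        return True
    return False


def count_attributes(rendered: str) -> int:
    """Crude count of name="value" pairs in the output, to make the injection visible."""
    return len(re.findall(r'\s([A-Za-z_:][-A-Za-z0-9_:.]*)="[^"]*"', rendered))


if __name__ == "__main__":
    evil = {'src="x" onerror="alert(1)" x': "ignored"}
    print(xmlattr_naive(evil), "->", count_attributes(xmlattr_naive(evil)), "attributes")
    print("checked renderer rejects it:", rejects(evil))
```

Validating names is the right layer for this: escaping cannot help, because an attribute name has no quoting context to escape into, so the only safe move is to refuse names that could never be valid.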

[USN-6797-1] Intel Microcode vulnerabilities (11:22)

  • 9 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Mantic (23.10), Noble (24.04 LTS)
  • Latest release from upstream - mitigates against various hardware vulns
    • A couple of issues in SGX/TDX on various Intel Xeon processors:
      • Incorrect restrictions -> a local privileged (root) user could escalate privileges further
      • Improper input handling in TDX -> a local privileged (root) user could escalate privileges further
      • Incorrect SGX base key calculation -> information disclosure
    • Transient execution attacks that can read privileged information
    • DoS through bus lock mishandling or through invalid instruction sequences
