Episode 135

Ubuntu Security Podcast

Nội dung được cung cấp bởi Alex Murray and Ubuntu Security Team. Tất cả nội dung podcast bao gồm các tập, đồ họa và mô tả podcast đều được Alex Murray and Ubuntu Security Team hoặc đối tác nền tảng podcast của họ tải lên và cung cấp trực tiếp. Nếu bạn cho rằng ai đó đang sử dụng tác phẩm có bản quyền của bạn mà không có sự cho phép của bạn, bạn có thể làm theo quy trình được nêu ở đây https://vi.player.fm/legal.

2+ y ago 11:43

MP3•Trang chủ episode

Overview

Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security updates for Linux kernel, nginx, Ardour and strongSwan.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-5091-3] Linux kernel (Azure) regression

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-5092-3] Linux kernel (Azure) regression [00:50]

12 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
Failure to boot on large Azure instance types - caused by a patch that got backported to the 5.14 upstream stable kernel that was purported to head off possible future problems, but itself caused issues on say the Standard_D48_v3 instance (48 vCPUs, 192GB RAM, 1.2TB storage) - dropped that patch to resolve the issue

[USN-5109-1] nginx vulnerability [01:44]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- CVE-2017-20005
Buffer overflow when handling files with modification dates a long time in the past - ie. 1969 or very far in the future - integer overflow in the autoindex module

[USN-5110-1] Ardour vulnerability [02:22]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2020-22617
UAF in handling of crafted XML files - if using attacker provided files could DoS / RCE

[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- CVE-2021-41991
- CVE-2021-41990
Integer overflow when replacing certs in cache - if can send many requests with different certs can fill cache and then cause replacement of cache entries when gets full - LRU algorithm could then cause integer overflow and hence OOB write as a result
Integer overflow in gmp plugin - crafted RSASSA-PSS signature in say a self-signed CA cert sent by an initiation

[USN-5113-1] Linux kernel vulnerabilities [04:13]

8 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
5.11 hirsute kernel (20.04 HWE)
overlayfs perms handling issue, race condition -> OOB read in VT subsystem, integer overflow in hashtable implementation in BPF, ext4 xattrs race -> UAF, ath9k race condition -> info leak

Goings on in Ubuntu Security Community

Tianfu Cup 2021 [05:30]

https://www.tianfucup.com/en
16-17th October - China’s own Pwn2Own
Teams required to use original vulns to hack target platforms - 1.5m USD total reward
Targets
- Docker-CE on Ubuntu 20.04 w generic kernel running a Ubuntu 20.04 desktop container with ssh access as root to the container running unprivileged w/o uidmap, volume mount and default bridge network - 60k USD price
- Ubuntu 20.04 / Centos 8 running in VMWare Workstation - unprivileged user to escalate to root - 40k USD
- Ubuntu + qemu-kvm - 20.04 desktop host, running 20.04 server in qemu - VM escape w/o sandbox escape - 60k USD, w/ sandbox escape 150k USD
3 5 minute attempts to run their exploits
According to media reports - Ubuntu 20.04 root privesc - 4 times, Docker-CE and qemu VM - once
Also iPhone 13 Pro was hacked using a no-interaction RCE attack, plus Google Chrome to get kernel privesc on Windows as well
Also according to one media outlet “details unknown but vendors are expected to release patches in coming weeks” - so far no contact / details have been provided to us…
Same has happened in previous years - no details get provided to vendors so issues don’t get patched - in the past, exploits which have been showcased at Tianfu have then allegedly gone on to be used in hacking campaigns by the Chinese government
Contrast with Pwn2Own - we are invited by organisers to watch and verify attempts in real-time to help judge whether exploits used are actually unique and new, and then ZDI provide details immediately regarding the vulns along with PoCs so we can patch them ASAP

Get in contact

231 tập

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Episode 135

Ubuntu Security Podcast

138 subscribers

published 2+ y ago

Chia sẻ

MP3•Trang chủ episode

Overview

Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security updates for Linux kernel, nginx, Ardour and strongSwan.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-5091-3] Linux kernel (Azure) regression

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-5092-3] Linux kernel (Azure) regression [00:50]

12 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
Failure to boot on large Azure instance types - caused by a patch that got backported to the 5.14 upstream stable kernel that was purported to head off possible future problems, but itself caused issues on say the Standard_D48_v3 instance (48 vCPUs, 192GB RAM, 1.2TB storage) - dropped that patch to resolve the issue

[USN-5109-1] nginx vulnerability [01:44]

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- CVE-2017-20005
Buffer overflow when handling files with modification dates a long time in the past - ie. 1969 or very far in the future - integer overflow in the autoindex module

[USN-5110-1] Ardour vulnerability [02:22]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- CVE-2020-22617
UAF in handling of crafted XML files - if using attacker provided files could DoS / RCE

[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- CVE-2021-41991
- CVE-2021-41990
Integer overflow when replacing certs in cache - if can send many requests with different certs can fill cache and then cause replacement of cache entries when gets full - LRU algorithm could then cause integer overflow and hence OOB write as a result
Integer overflow in gmp plugin - crafted RSASSA-PSS signature in say a self-signed CA cert sent by an initiation

[USN-5113-1] Linux kernel vulnerabilities [04:13]

8 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04)
5.11 hirsute kernel (20.04 HWE)
overlayfs perms handling issue, race condition -> OOB read in VT subsystem, integer overflow in hashtable implementation in BPF, ext4 xattrs race -> UAF, ath9k race condition -> info leak

Goings on in Ubuntu Security Community

Tianfu Cup 2021 [05:30]

https://www.tianfucup.com/en
16-17th October - China’s own Pwn2Own
Teams required to use original vulns to hack target platforms - 1.5m USD total reward
Targets
- Docker-CE on Ubuntu 20.04 w generic kernel running a Ubuntu 20.04 desktop container with ssh access as root to the container running unprivileged w/o uidmap, volume mount and default bridge network - 60k USD price
- Ubuntu 20.04 / Centos 8 running in VMWare Workstation - unprivileged user to escalate to root - 40k USD
- Ubuntu + qemu-kvm - 20.04 desktop host, running 20.04 server in qemu - VM escape w/o sandbox escape - 60k USD, w/ sandbox escape 150k USD
3 5 minute attempts to run their exploits
According to media reports - Ubuntu 20.04 root privesc - 4 times, Docker-CE and qemu VM - once
Also iPhone 13 Pro was hacked using a no-interaction RCE attack, plus Google Chrome to get kernel privesc on Windows as well
Also according to one media outlet “details unknown but vendors are expected to release patches in coming weeks” - so far no contact / details have been provided to us…
Same has happened in previous years - no details get provided to vendors so issues don’t get patched - in the past, exploits which have been showcased at Tianfu have then allegedly gone on to be used in hacking campaigns by the Chinese government
Contrast with Pwn2Own - we are invited by organisers to watch and verify attempts in real-time to help judge whether exploits used are actually unique and new, and then ZDI provide details immediately regarding the vulns along with PoCs so we can patch them ASAP

Get in contact

231 tập

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

All episodes

Chào mừng bạn đến với Player FM!

Player FM đang quét trang web để tìm các podcast chất lượng cao cho bạn thưởng thức ngay bây giờ. Đây là ứng dụng podcast tốt nhất và hoạt động trên Android, iPhone và web. Đăng ký để đồng bộ các theo dõi trên tất cả thiết bị.

Nghe hơn 500 chủ đề

Tương tự như Ubuntu Security Podcast

Podcast đáng để nghe

Ubuntu Security Podcast « » Episode 135

Overview

This week in Ubuntu Security Updates

[USN-5091-3] Linux kernel (Azure) regression

[USN-5092-3] Linux kernel (Azure) regression [00:50]

[USN-5109-1] nginx vulnerability [01:44]

[USN-5110-1] Ardour vulnerability [02:22]

[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]

[USN-5113-1] Linux kernel vulnerabilities [04:13]

Goings on in Ubuntu Security Community

Tianfu Cup 2021 [05:30]

Get in contact

Episode 135

Overview

This week in Ubuntu Security Updates

[USN-5091-3] Linux kernel (Azure) regression

[USN-5092-3] Linux kernel (Azure) regression [00:50]

[USN-5109-1] nginx vulnerability [01:44]

[USN-5110-1] Ardour vulnerability [02:22]

[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]

[USN-5113-1] Linux kernel vulnerabilities [04:13]

Goings on in Ubuntu Security Community

Tianfu Cup 2021 [05:30]

Get in contact

Podcast đáng để nghe

Chào mừng bạn đến với Player FM!

Tương tự như Ubuntu Security Podcast

Hướng dẫn sử dụng nhanh

Ubuntu Security Podcast « »
Episode 135