Content provided by Alex Murray and Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://vi.player.fm/legal.

Ubuntu Security Podcast - Episode 162

15:38
Overview

This week we cover security updates for dpkg, logrotate, GnuPG, CUPS, InfluxDB and more, plus we take a quick look at some open positions on the team - come join us!

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-5446-1, USN-5446-2] dpkg vulnerability [00:42]

  • 1 CVE addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Directory traversal vulnerability when extracting untrusted source packages
    • debian source packages consist of two tarballs - orig and debian
    • orig is unpacked and then debian is unpacked on top of that - if orig is crafted to contain a symlink which points to a location outside of the source tree, then when unpacking debian, dpkg follows that symlink and hence would overwrite arbitrary files outside the source directory
    • Only really a problem for debian/ubuntu developers
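As an added illustration (not dpkg's own code), a Python extractor that applies the check the fix needs: before writing each member it resolves the on-disk parent directory through any symlink a previous tarball left behind, and it refuses symlink members that point outside the destination. The function names and the in-memory orig/debian scenario are constructed for this example.

```python
import io, os, tarfile, tempfile


def _inside(root: str, path: str) -> bool:
    """True if path, after resolving symlinks, lies within root."""
    root = os.path.realpath(root)
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def safe_extract(tar: tarfile.TarFile, dest: str) -> list:
    """Extract tar into dest, refusing members that would land outside dest once
    symlinks already present in dest (e.g. planted by an earlier tarball) are
    resolved, and refusing symlinks/hardlinks/devices that escape dest.
    Returns the names of the refused members."""
    refused = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        parent_dir = os.path.dirname(target)
        ok = _inside(dest, parent_dir) and not (m.islnk() or m.isdev())
        if m.issym():  # an absolute linkname survives os.path.join unchanged
            ok = ok and _inside(dest, os.path.join(parent_dir, m.linkname))
        if not ok:
            refused.append(m.name)
            continue
        tar.extract(m, dest)
    return refused


def demo() -> tuple:
    """Constructed scenario: an unpacked orig left src/debian as a symlink to a
    directory outside the tree (simulated here with os.symlink); the debian
    tarball then ships debian/rules. Returns (refused names, files in outside)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        src = os.path.join(tmp, "src")
        os.mkdir(outside)
        os.mkdir(src)
        os.symlink(outside, os.path.join(src, "debian"))
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as t:
            data = b"#!/usr/bin/make -f\n"
            info = tarfile.TarInfo("debian/rules")
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r") as t:
            refused = safe_extract(t, src)
        return refused, os.listdir(outside)
```

Without the parent-directory check, debian/rules would be written through the planted symlink into the outside directory; with it, the member is refused and the outside directory stays empty.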

[USN-5447-1] logrotate vulnerability [02:58]

  • 1 CVE addressed in Impish (21.10), Jammy (22.04 LTS)
  • logrotate creates a ‘state’ file to avoid parallel executions of itself - each instance locks this file as a mutex mechanism
  • if this file doesn’t exist, it gets created - but is created world readable - which allows unprivileged users to take the lock on this file
  • as such the real logrotate will fail to run since it can’t get the lock -> DoS
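Added example, not logrotate's own code: creating a state/lock file with owner-only permissions and refusing to use one that other users can open, since flock only needs an open descriptor (a read-only open is enough), which is why a world-readable state file can be locked by anyone. Function names and the demo layout are assumptions for this example.

```python
import fcntl, os, stat, tempfile


def open_state_lock(path: str):
    """Create/open the state file 0600 and take an exclusive non-blocking flock.
    Returns the fd on success, None if another instance already holds the lock,
    and raises PermissionError if the existing file is reachable by other
    users (any group/other bit set) or owned by someone else."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        st = os.fstat(fd)
        if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError(f"{path}: unsafe ownership or permissions")
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return fd
    except BlockingIOError:  # lock held elsewhere: the DoS the bullet describes
        os.close(fd)
        return None
    except Exception:
        os.close(fd)
        raise


def demo() -> tuple:
    """Constructed check: first open wins the lock, a second open of the same
    file is refused, the created file has no group/other bits, and a
    pre-existing 0644 state file is rejected outright."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "logrotate.status")
        first = open_state_lock(p)
        second = open_state_lock(p)  # new open file description -> lock busy
        mode = stat.S_IMODE(os.stat(p).st_mode)
        os.close(first)
        leaky = os.path.join(d, "leaky.status")
        with open(leaky, "w"):
            pass
        os.chmod(leaky, 0o644)
        try:
            open_state_lock(leaky)
            refused = False
        except PermissionError:
            refused = True
        return first is not None, second is None, mode & 0o077 == 0, refused
```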

[USN-5402-2] OpenSSL vulnerabilities [04:13]

[USN-5448-1] ncurses vulnerabilities [04:21]

[USN-5449-1] libXv vulnerability [04:58]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • Remote X server could trigger OOB read in the X client via crafted response -> crash -> DoS

[USN-5431-1] GnuPG vulnerability [04:24]

  • 1 CVE addressed in Bionic (18.04 LTS)
  • Weakness in PGP/SKS keyserver design - if a key/certificate has many signatures, GnuPG will take an inordinate amount of time to process these when downloading the key from the keyserver -> DoS
    • Certificate spamming attack - anyone can sign someone else’s cert thereby attaching another signature to it on the SKS keyserver network
    • The OpenPGP spec doesn’t limit the number of signatures (but SKS keyserver network does - 150k)
    • So anyone can poison someone else’s cert by attaching a large number of signatures to it
    • GnuPG would download all of these signatures when importing a key and then proceed to validate them all
      • Also would do this when say validating a signature from that poisoned cert
  • Fixed to not import key signatures by default anymore and to then fall back to importing only self-signatures on large keyblocks

[USN-5452-1] NTFS-3G vulnerability [07:55]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • ntfsck tool failed to perform proper bounds checking on filesystem metadata - if an attacker could trick a user into running it on an untrusted filesystem image they could then possibly get code execution
    • Upstream have deprecated this tool and it is only present in the ntfs-3g-dev package which is not installed by default

[USN-5453-1] FreeType vulnerability [08:38]

  • 1 CVE addressed in Xenial ESM (16.04 ESM)
  • OOB read when processing a crafted font file -> DoS

[USN-5454-1, USN-5454-2] CUPS vulnerabilities [08:50]

  • 3 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
  • Upstream Apple advisory describes this as:
    • “Logic issue addressed with improved state management… An application may be able to gain elevated privileges”
  • Looks like it was discovered by Mandiant
    • CUPS provides the ability to authenticate via Basic Web Authentication or through a 32-byte randomly generated token created at runtime
    • Comparison function would only compare the supplied token value against the real one based on the length of the shortest input - so if supplied an empty string then would compare 0 bytes of the two and return success!
  • Other two issues were memory handling issues in IPP printing - could submit a print job which would cause an OOB read in CUPS -> crash -> DoS

[USN-5451-1] InfluxDB vulnerability [10:39]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Similar authentication bug in InfluxDB - could bypass authentication by supplying a JWT token with an empty SharedSecret
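Added example covering both the CUPS and InfluxDB bullets above (it is not their code): a shortest-length comparison beside an exact-length, constant-time one, and a minimal HS256 JWT verifier that models the InfluxDB flaw as an unset (empty) shared secret still being used as the HMAC key. Function names and the simplified JWT handling are assumptions made for this example.

```python
import base64, hashlib, hmac, json


def vulnerable_token_check(supplied: bytes, real: bytes) -> bool:
    """Flawed comparison as described above: only the first min(len) bytes are
    compared, so an empty supplied token compares zero bytes and passes."""
    n = min(len(supplied), len(real))
    return supplied[:n] == real[:n]


def fixed_token_check(supplied: bytes, real: bytes) -> bool:
    """Exact length required, and the compare itself is constant-time."""
    return len(supplied) == len(real) and hmac.compare_digest(supplied, real)


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Constructed client side: signs header.payload with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_jwt_hs256(token: str, configured_secret: bytes, strict: bool = True) -> bool:
    """strict=False models the weak behaviour: an unset (empty) shared secret is
    still used as the HMAC key, so a token signed with b"" is accepted.
    strict=True refuses JWT auth entirely until a secret is configured."""
    if strict and not configured_secret:
        return False
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(configured_secret, f"{header}.{body}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(sig), expected)
```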

[USN-5442-2] Linux kernel vulnerabilities [11:06]

  • 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 5.4 - GCP/GKE/IBM/Oracle/Raspi
  • Bing-Jhong Billy Jheng found integer overflow in io_uring - an unprivileged user can spam requests which would eventually overflow a counter and then could be used to trigger an OOB write -> controlled memory corruption -> privesc
  • Similarly, Jann Horn (GPZ) found kernel didn’t properly check privileges of a process when allowing it to set a flag which would then disable seccomp filters on another process or itself
    • Could then allow an unprivileged process to turn off seccomp for itself / other processes and allow them to bypass intended access restrictions
  • Regular kernel security bug - ref count issue in network queueing subsystem -> UAF - able to be triggered by a local attacker -> crash / code execution

[USN-5443-2] Linux kernel vulnerabilities [12:47]

[USN-5457-1] WebKitGTK vulnerabilities [12:58]

Goings on in Ubuntu Security Community

Hiring

Security Engineer - Ubuntu [13:25]

Security Certifications Product Manager - CIS, FIPS, FedRAMP and more [14:24]

Get in contact
