Untuk memberi Anda pengalaman terbaik, situs ini menggunakan cookie. Tinjau Kebijakan Privasi kami dan Ketentuan Layanan untuk belajar lebih. Mengerti!
Artwork

Alex Murray Ubuntu Security Team Linux Tech Operating Systems Alex and Joe Security Software Development
Konten disediakan oleh Alex Murray and Ubuntu Security Team. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Alex Murray and Ubuntu Security Team atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang dijelaskan di sini https://id.player.fm/legal.

Mirip dengan Ubuntu Security Podcast

Player FM - Aplikasi Podcast
Offline dengan aplikasi Player FM !
Get it on App Store Get it on Google Play

Ubuntu Security Podcast « »
Episode 179

16:07
 
Putar
Memutar
Bagikan
 

MP3Beranda episode
Manage episode 342661503 series 2423058
Konten disediakan oleh Alex Murray and Ubuntu Security Team. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Alex Murray and Ubuntu Security Team atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang dijelaskan di sini https://id.player.fm/legal.

Overview

Finer grained control for unprivileged user namespaces is on the horizon for Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS, Squid and more.

This week in Ubuntu Security Updates

37 unique CVEs addressed

[USN-5626-2] Bind vulnerabilities [00:40]

[USN-5627-1] PCRE vulnerabilities [01:01]

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • 2 OOB read with crafted regexes - possible info leak

[USN-5628-1] etcd vulnerabilities [01:19]

  • 4 CVEs addressed in Focal (20.04 LTS)
  • distributed key/value store used by kubernetes
  • all these vulns come from a security audit conducted by Trail of Bits in January of 2020.
    • performed both manual and automated review -> go-sec, errcheck, ineffassign etc
    • also fuzzed the WAL file handling (write-ahead logging - used to record transactions that have been committed but not yet applied to the main database)
  • 2 issues in WAL file handling (crash), plus one in handling of directory permissions for a directory that may already exist (info leak) and one in setup of endpoints that could allow a DoS

[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]

[USN-5633-1, USN-5635-1, USN-5640-1, USN-5644-1] Linux kernel vulnerabilities [03:09]

[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]

  • 1 CVEs addressed in Jammy (22.04 LTS)
  • 5.17 OEM
  • netfilter remote DoS via crafted packet with a very short payload

[USN-5632-1] OAuthLib vulnerability [03:40]

  • 1 CVEs addressed in Jammy (22.04 LTS)
  • OAuth implementation for Python3 - used by various other applications like keystone, django, duplicity
  • DoS via a malicious redirect URL specifying an IPv6 address - could trigger an exception -> application crash -> DoS

[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]

  • 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Various issues in handling of crafted JPEG/PPM files - stack buffer overflow, heap buffer overflow, NULL pointer dereference, resource consumption based DoS in cjpeg utility - crafted file with a valid Targa header but incomplete data - would keep trying pixel after reaching EOF - internally used getc() which returns the special value EOF when the end of file is reached - this is actually -1 but requires the caller to check for this special value - if not, would interpret this as pixel data (all bits set -> 255,255,255 -> white) resulting in JPEG file that was possibly thousands of times bigger than the input file - fixed to use existing input routines to read the data which already check for EOF condition

[USN-5629-1] Python vulnerability [05:54]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • Open redirect in http.server through a URI which has multiple / at the beginning - a URI such as //path gets treated as an absolute URI rather than a path - could then end up sending a 301 location header with a misleading target
  • Upstream dispute this - state that it should not be used in production as it only implements basic security checks

[USN-5636-1] SoS vulnerability [06:39]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • sosreport - used to gather details of a system etc for debug/analysis
  • Redacts passwords - previously used a hardcoded list of possible things that could contain passwords - instead now looks for anything with the name password and redacts that

[USN-5637-1] libvpx vulnerability [07:45]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • OOB read -> info leak / crash

[USN-5638-1] Expat vulnerability [07:55]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • UAF with crafted XML content -> crash / RCE

[USN-5641-1] Squid vulnerabilities [08:06]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Failed to properly handle ACLs for cache manager, allowing a trusted client to read other client ids / credentials and internal network structure
  • Integer overflow -> buffer overread when using SSPI/SMB authentication helpers for NTLM authentication - since this is in handling of credentials, could allow an attacker to read decrypted user credentials or other memory regions from Squid

[USN-5642-1] WebKitGTK vulnerabilities [08:57]

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Buffer overflow when handling malicious web content -> RCE

[USN-5643-1] Ghostscript vulnerabilities [09:18]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • 2 issues in PDF file handling
    • NULL pointer dereference -> DoS
    • heap buffer overflow -> DoS / RCE

Goings on in Ubuntu Security Community

Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]

Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]

  • Often has been a source of increased attack surface for the kernel
  • Disabling of unpriv userns has often been recommended to mitigate various kernel vulns
  • This is done via sysctl in Ubuntu:
sudo sysctl kernel.unprivileged_userns_clone=0
  • Big hammer - either on or off
  • Various applications have legitimate uses of unpriv userns
    • flatpak / bubblewrap etc
    • some of these ship a helper application which is setuid root so they can still use user namespaces but this then creates another attack surface - the setuid-root binary
    • instead it would be better to have a way to only allow particular applications to use unprivileged user namespaces and then deny it to others
    • would provide much finer grained control to this potentially risky feature
  • AppArmor developers have added support for just this
    • all unconfined applications would be denied and only confined applications which have the userns permission would be allowed
  • For now, it is planned to have this disabled by default for 22.10
    • AppArmor will have a sysctl to enable it so can be tested
    • Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
  • With any luck, 23.04 will ship with this enabled along with AppArmor confinement for things like bubblewrap etc that require this capability
  • Snaps will get it for free since they are confined by AppArmor out of the box
  • John Johansen is working with the kernel team to land this in the kernel for 22.10
  • Georgia Garcia is working on the userspace side to add support for creating policy that specifies the userns permission in apparmor package too
  • Hopefully can all land both via the FeatureFreezeException (FFe) process

Ubuntu Security Podcast on break for 1 week

Get in contact

  continue reading

231 episode

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development
Artwork

Episode 179

Ubuntu Security Podcast

138 subscribers

published

Putar Memutar
iconBagikan
 
MP3Beranda episode
Manage episode 342661503 series 2423058
Konten disediakan oleh Alex Murray and Ubuntu Security Team. Semua konten podcast termasuk episode, grafik, dan deskripsi podcast diunggah dan disediakan langsung oleh Alex Murray and Ubuntu Security Team atau mitra platform podcast mereka. Jika Anda yakin seseorang menggunakan karya berhak cipta Anda tanpa izin, Anda dapat mengikuti proses yang dijelaskan di sini https://id.player.fm/legal.

Overview

Finer grained control for unprivileged user namespaces is on the horizon for Ubuntu 22.10, plus we cover security updates for PCRE, etcd, OAuthLib, SoS, Squid and more.

This week in Ubuntu Security Updates

37 unique CVEs addressed

[USN-5626-2] Bind vulnerabilities [00:40]

[USN-5627-1] PCRE vulnerabilities [01:01]

  • 2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • 2 OOB read with crafted regexes - possible info leak

[USN-5628-1] etcd vulnerabilities [01:19]

  • 4 CVEs addressed in Focal (20.04 LTS)
  • distributed key/value store used by kubernetes
  • all these vulns come from a security audit conducted by Trail of Bits in January of 2020.
    • performed both manual and automated review -> go-sec, errcheck, ineffassign etc
    • also fuzzed the WAL file handling (write-ahead logging - used to record transactions that have been committed but not yet applied to the main database)
  • 2 issues in WAL file handling (crash), plus one in handling of directory permissions for a directory that may already exist (info leak) and one in setup of endpoints that could allow a DoS

[USN-5630-1, USN-5639-1] Linux kernel vulnerabilities [02:45]

[USN-5633-1, USN-5635-1, USN-5640-1, USN-5644-1] Linux kernel vulnerabilities [03:09]

[USN-5634-1] Linux kernel (OEM) vulnerability [03:23]

  • 1 CVEs addressed in Jammy (22.04 LTS)
  • 5.17 OEM
  • netfilter remote DoS via crafted packet with a very short payload

[USN-5632-1] OAuthLib vulnerability [03:40]

  • 1 CVEs addressed in Jammy (22.04 LTS)
  • OAuth implementation for Python3 - used by various other applications like keystone, django, duplicity
  • DoS via a malicious redirect URL specifying an IPv6 address - could trigger an exception -> application crash -> DoS

[USN-5631-1] libjpeg-turbo vulnerabilities [04:05]

  • 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Various issues in handling of crafted JPEG/PPM files - stack buffer overflow, heap buffer overflow, NULL pointer dereference, resource consumption based DoS in cjpeg utility - crafted file with a valid Targa header but incomplete data - would keep trying pixel after reaching EOF - internally used getc() which returns the special value EOF when the end of file is reached - this is actually -1 but requires the caller to check for this special value - if not, would interpret this as pixel data (all bits set -> 255,255,255 -> white) resulting in JPEG file that was possibly thousands of times bigger than the input file - fixed to use existing input routines to read the data which already check for EOF condition

[USN-5629-1] Python vulnerability [05:54]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • Open redirect in http.server through a URI which has multiple / at the beginning - a URI such as //path gets treated as an absolute URI rather than a path - could then end up sending a 301 location header with a misleading target
  • Upstream dispute this - state that it should not be used in production as it only implements basic security checks

[USN-5636-1] SoS vulnerability [06:39]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • sosreport - used to gather details of a system etc for debug/analysis
  • Redacts passwords - previously used a hardcoded list of possible things that could contain passwords - instead now looks for anything with the name password and redacts that

[USN-5637-1] libvpx vulnerability [07:45]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • OOB read -> info leak / crash

[USN-5638-1] Expat vulnerability [07:55]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • UAF with crafted XML content -> crash / RCE

[USN-5641-1] Squid vulnerabilities [08:06]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Failed to properly handle ACLs for cache manager, allowing a trusted client to read other client ids / credentials and internal network structure
  • Integer overflow -> buffer overread when using SSPI/SMB authentication helpers for NTLM authentication - since this is in handling of credentials, could allow an attacker to read decrypted user credentials or other memory regions from Squid

[USN-5642-1] WebKitGTK vulnerabilities [08:57]

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Buffer overflow when handling malicious web content -> RCE

[USN-5643-1] Ghostscript vulnerabilities [09:18]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • 2 issues in PDF file handling
    • NULL pointer dereference -> DoS
    • heap buffer overflow -> DoS / RCE

Goings on in Ubuntu Security Community

Ubuntu 22.10 (Kinetic Kudu) Beta Released [09:45]

Preview of planned unprivileged user namespace restrictions in Ubuntu 22.10 [11:05]

  • Often has been a source of increased attack surface for the kernel
  • Disabling of unpriv userns has often been recommended to mitigate various kernel vulns
  • This is done via sysctl in Ubuntu:
sudo sysctl kernel.unprivileged_userns_clone=0
  • Big hammer - either on or off
  • Various applications have legitimate uses of unpriv userns
    • flatpak / bubblewrap etc
    • some of these ship a helper application which is setuid root so they can still use user namespaces but this then creates another attack surface - the setuid-root binary
    • instead it would be better to have a way to only allow particular applications to use unprivileged user namespaces and then deny it to others
    • would provide much finer grained control to this potentially risky feature
  • AppArmor developers have added support for just this
    • all unconfined applications would be denied and only confined applications which have the userns permission would be allowed
  • For now, it is planned to have this disabled by default for 22.10
    • AppArmor will have a sysctl to enable it so can be tested
    • Security team will work on getting the various packages within the Ubuntu archive that require unprivileged user namespaces to be confined by AppArmor and hence allowed to use them during the next development cycle
  • With any luck, 23.04 will ship with this enabled along with AppArmor confinement for things like bubblewrap etc that require this capability
  • Snaps will get it for free since they are confined by AppArmor out of the box
  • John Johansen is working with the kernel team to land this in the kernel for 22.10
  • Georgia Garcia is working on the userspace side to add support for creating policy that specifies the userns permission in apparmor package too
  • Hopefully can all land both via the FeatureFreezeException (FFe) process

Ubuntu Security Podcast on break for 1 week

Get in contact

  continue reading

231 episode

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Усі епізоди

×
 
Loading …

Selamat datang di Player FM!

Player FM memindai web untuk mencari podcast berkualitas tinggi untuk Anda nikmati saat ini. Ini adalah aplikasi podcast terbaik dan bekerja untuk Android, iPhone, dan web. Daftar untuk menyinkronkan langganan di seluruh perangkat.

 

Mirip dengan Ubuntu Security Podcast

Dengarkan 500+ topik
Player FM - Aplikasi Podcast
Offline dengan aplikasi Player FM !
Get it on App Store Get it on Google Play

Panduan Referensi Cepat

Podcast Teratas
Laga Raga - Berita Olahraga Terkini
Digipreneur Podcast - Digital Marketing, Startup, Teknologi, dan Bisnis Online di Indonesia
Podcast Awal Minggu
Dummy Podcast Indonesia
Show Box
Rasarab - Indonesia
Indonesian News - NHK WORLD RADIO JAPAN
Asumsi Bersuara
Actionesia
Sains Sekitar Kita
TemuKonco Podcast
Player FM logo
Bantuan/FAQ | Tingkatkan | Advertise
Seni|Bisnis|Komedi|Ekonomi|Hiburan|Berita|Politik|Agama
Ilmu Pengetahuan|Sepak Bola|Olah raga|Cerita|Teknologi|Kejahatan
Hak Cipta 2024 | Peta Situs | Kebijakan Privasi | Ketentuan Layanan | | hak cipta
Episode being played series thumbnail
icon icon
Kecepatan
Pengaturan Seri
1x
1x
Volume
100%
icon
icon icon
/

Lihat Player FM di ...
Player FM
Browser
Chrome
Safari
Firefox