Episode 121

Ubuntu Security Podcast

内容由Alex Murray and Ubuntu Security Team提供。所有播客内容（包括剧集、图形和播客描述）均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品，您可以按照此处概述的流程进行操作https://zh.player.fm/legal。

3y ago 14:35

MP3•单集首页

Overview

Ubuntu One opens up two-factor authentication for all, plus we cover security updates for Nettle, libxml2, GRUB2, the Linux kernel and more.

This week in Ubuntu Security Updates

73 unique CVEs addressed

[USN-4989-2] BlueZ vulnerabilities [00:57]

2 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2020-27153
- CVE-2020-26558
Episode 120 - bluetooth spec issue around pairing takeover plus a possible double-free in gattool that is likely quite hard to exploit due to time window race between the two free() calls

[USN-4990-1] Nettle vulnerabilities [01:27]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- CVE-2018-16869
- CVE-2021-3580
Low level crypto library used by lots of packages - chrony, dnsmasq, lighttpd, qemu, squid, supertuxkart
Last covered just a few weeks ago in Episode 112 - is someone taking a closer look at this library?
Bleichenbacher type side-channel base on a padding oracle attack in endian conversion of RSA decrypted PKCS#1 v1.5 data - requires to run a process on the same physical core as the victim - but could then allow the plaintext to be extracted
RSA algo possible crash which is able to be triggered on decryption of manipulated ciphertext
Changes required for both of these are too intrusive to backport for the older releases (e.g. 16.04 ESM) so suggest to upgrade to a newer Ubuntu release if you are using nettle on these older releases and are concerned about possible attacks

[USN-4991-1] libxml2 vulnerabilities [03:08]

8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
Crafted XML could possibly trigger crash -> DoS or RCE

[USN-4992-1] GRUB 2 vulnerabilities [03:33]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Episode 106 - BootHole 2021 updates published to the security pocket
Vulns included the ability to load ACPI tables, UAF in rmmod, buffer overflow in command-line parser, cutmem command boot locking bypass, heap buffer overflow in option parser and menu rendering OOB write -> RCE —>@@ all could lead to a bypass of secure boot protections
Includes one grub - ie. same grub efi binary used across all recent Ubuntu releases
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021

[USN-4993-1] Dovecot vulnerabilities [05:13]

2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- CVE-2021-33515
- CVE-2021-29157
STARTTLS plaintext command injection vuln via SMTP, plus if a local attacker could write files to the disk, they could supply their own keys to validate their own supplied JSON Web Token and hence login as any other user and then access their emails if using OAUTH2

[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
Various DoS issues where under certain configurations an attacker could issue particular requests and trigger various crashes in Apache

[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
Usual mix of issues for a library which is written in memory unsafe language and handling complex image formats etc
Courtesy of OSS-Fuzz

[USN-4995-1] Thunderbird vulnerabilities [06:48]

20 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
78.11.0 - usual mix of untrusted content/web framework issues inherited from Firefox, plus fixes for OpenPGP key handling, message signature TOCTTOU-type condition due to writing out signatures to disk that then could be replaced before being verified, UX issue in display of inline signed/encrypted messages with additional unprotected parts

[USN-4997-1] Linux kernel vulnerabilities [08:22]

17 CVEs addressed in Hirsute (21.04)
5.11
Basically the same set of fixes for all kernels, including a couple quite interesting ones:
- eBPF verifier bypass provides OOB write primitive, could allow a local attacker to perform code execution in the kernel -> privesc
- Race condition in CAN BCM networking protocol -> various UAFs -> code execution as well
Plus others -> Wifi FragAttack fixes, other eBPF verifier fixes, SCTP race condition -> UAF etc

[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]

1 CVEs addressed in Bionic (18.04 LTS)
- CVE-2021-3609
5.3
CAN BCM

[USN-5003-1] Linux kernel vulnerabilities [10:35]

3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 (bionic, xenial esm hwe, trusty esm azure)
CAN BCM and eBPF verifier OOB write

Goings on in Ubuntu Security Community

2FA coming to Ubuntu One [11:04]

https://ubuntu.com/blog/two-factor-authentication-coming-to-ubuntu-one
Used for access to discourse.ubuntu.com, Launchpad, ubuntuforums, publishers on the Snap Store etc
Allows to use a phone / desktop TOTP app as second factor, or Yubikey TOTP etc
Has actually been supported since 2014 but only available to a beta testing group plus for all Canonical employees, due to challenges in account recovery
- Since Ubuntu One purposefully doesn’t store any real identifying information (name, email, username) we can’t easily verify account holders if they lose the 2FA device
- The intent is to be robust even in the event that a users email address is compromised
Now have a comprehensive code recovery experience including printable backup codes and mechanisms in place to encourage users to exercise backup codes so that users can feel confident in using these if they need to (ie where did I put my backup codes again..?)

Get in contact

231集单集

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Episode 121

Ubuntu Security Podcast

139 subscribers

published 3y ago

MP3•单集首页

Overview

Ubuntu One opens up two-factor authentication for all, plus we cover security updates for Nettle, libxml2, GRUB2, the Linux kernel and more.

This week in Ubuntu Security Updates

73 unique CVEs addressed

[USN-4989-2] BlueZ vulnerabilities [00:57]

2 CVEs addressed in Xenial ESM (16.04 ESM)
- CVE-2020-27153
- CVE-2020-26558
Episode 120 - bluetooth spec issue around pairing takeover plus a possible double-free in gattool that is likely quite hard to exploit due to time window race between the two free() calls

[USN-4990-1] Nettle vulnerabilities [01:27]

2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- CVE-2018-16869
- CVE-2021-3580
Low level crypto library used by lots of packages - chrony, dnsmasq, lighttpd, qemu, squid, supertuxkart
Last covered just a few weeks ago in Episode 112 - is someone taking a closer look at this library?
Bleichenbacher type side-channel base on a padding oracle attack in endian conversion of RSA decrypted PKCS#1 v1.5 data - requires to run a process on the same physical core as the victim - but could then allow the plaintext to be extracted
RSA algo possible crash which is able to be triggered on decryption of manipulated ciphertext
Changes required for both of these are too intrusive to backport for the older releases (e.g. 16.04 ESM) so suggest to upgrade to a newer Ubuntu release if you are using nettle on these older releases and are concerned about possible attacks

[USN-4991-1] libxml2 vulnerabilities [03:08]

8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
Crafted XML could possibly trigger crash -> DoS or RCE

[USN-4992-1] GRUB 2 vulnerabilities [03:33]

6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Episode 106 - BootHole 2021 updates published to the security pocket
Vulns included the ability to load ACPI tables, UAF in rmmod, buffer overflow in command-line parser, cutmem command boot locking bypass, heap buffer overflow in option parser and menu rendering OOB write -> RCE —>@@ all could lead to a bypass of secure boot protections
Includes one grub - ie. same grub efi binary used across all recent Ubuntu releases
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021

[USN-4993-1] Dovecot vulnerabilities [05:13]

2 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- CVE-2021-33515
- CVE-2021-29157
STARTTLS plaintext command injection vuln via SMTP, plus if a local attacker could write files to the disk, they could supply their own keys to validate their own supplied JSON Web Token and hence login as any other user and then access their emails if using OAUTH2

[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
Various DoS issues where under certain configurations an attacker could issue particular requests and trigger various crashes in Apache

[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]

5 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
Usual mix of issues for a library which is written in memory unsafe language and handling complex image formats etc
Courtesy of OSS-Fuzz

[USN-4995-1] Thunderbird vulnerabilities [06:48]

20 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
78.11.0 - usual mix of untrusted content/web framework issues inherited from Firefox, plus fixes for OpenPGP key handling, message signature TOCTTOU-type condition due to writing out signatures to disk that then could be replaced before being verified, UX issue in display of inline signed/encrypted messages with additional unprotected parts

[USN-4997-1] Linux kernel vulnerabilities [08:22]

17 CVEs addressed in Hirsute (21.04)
5.11
Basically the same set of fixes for all kernels, including a couple quite interesting ones:
- eBPF verifier bypass provides OOB write primitive, could allow a local attacker to perform code execution in the kernel -> privesc
- Race condition in CAN BCM networking protocol -> various UAFs -> code execution as well
Plus others -> Wifi FragAttack fixes, other eBPF verifier fixes, SCTP race condition -> UAF etc

[USN-4999-1] Linux kernel vulnerabilities [09:51]

17 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
5.8 (groovy, focal hwe)

[USN-5000-1] Linux kernel vulnerabilities [10:08]

15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 (focal, bionic hwe)

[USN-5001-1] Linux kernel (OEM) vulnerabilities

15 CVEs addressed in Focal (20.04 LTS)
5.10

[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]

1 CVEs addressed in Bionic (18.04 LTS)
- CVE-2021-3609
5.3
CAN BCM

[USN-5003-1] Linux kernel vulnerabilities [10:35]

3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
4.15 (bionic, xenial esm hwe, trusty esm azure)
CAN BCM and eBPF verifier OOB write

Goings on in Ubuntu Security Community

2FA coming to Ubuntu One [11:04]

https://ubuntu.com/blog/two-factor-authentication-coming-to-ubuntu-one
Used for access to discourse.ubuntu.com, Launchpad, ubuntuforums, publishers on the Snap Store etc
Allows to use a phone / desktop TOTP app as second factor, or Yubikey TOTP etc
Has actually been supported since 2014 but only available to a beta testing group plus for all Canonical employees, due to challenges in account recovery
- Since Ubuntu One purposefully doesn’t store any real identifying information (name, email, username) we can’t easily verify account holders if they lose the 2FA device
- The intent is to be robust even in the event that a users email address is compromised
Now have a comprehensive code recovery experience including printable backup codes and mechanisms in place to encourage users to exercise backup codes so that users can feel confident in using these if they need to (ie where did I put my backup codes again..?)

Get in contact

231集单集

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Усі епізоди

欢迎使用Player FM

Player FM正在网上搜索高质量的播客，以便您现在享受。它是最好的播客应用程序，适用于安卓、iPhone和网络。注册以跨设备同步订阅。

收听超过500个主题

类似 Ubuntu Security Podcast 的节目

值得一听的播客

Ubuntu Security Podcast « » Episode 121

Overview

This week in Ubuntu Security Updates

[USN-4989-2] BlueZ vulnerabilities [00:57]

[USN-4990-1] Nettle vulnerabilities [01:27]

[USN-4991-1] libxml2 vulnerabilities [03:08]

[USN-4992-1] GRUB 2 vulnerabilities [03:33]

[USN-4993-1] Dovecot vulnerabilities [05:13]

[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]

[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]

[USN-4995-1] Thunderbird vulnerabilities [06:48]

[USN-4997-1] Linux kernel vulnerabilities [08:22]

[USN-4999-1] Linux kernel vulnerabilities [09:51]

[USN-5000-1] Linux kernel vulnerabilities [10:08]

[USN-5001-1] Linux kernel (OEM) vulnerabilities

[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]

[USN-5003-1] Linux kernel vulnerabilities [10:35]

Goings on in Ubuntu Security Community

2FA coming to Ubuntu One [11:04]

Get in contact

Episode 121

Overview

This week in Ubuntu Security Updates

[USN-4989-2] BlueZ vulnerabilities [00:57]

[USN-4990-1] Nettle vulnerabilities [01:27]

[USN-4991-1] libxml2 vulnerabilities [03:08]

[USN-4992-1] GRUB 2 vulnerabilities [03:33]

[USN-4993-1] Dovecot vulnerabilities [05:13]

[USN-4994-1, USN-4994-2] Apache HTTP Server vulnerabilities [05:58]

[USN-4996-1, USN-4996-2] OpenEXR vulnerabilities [06:16]

[USN-4995-1] Thunderbird vulnerabilities [06:48]

[USN-4997-1] Linux kernel vulnerabilities [08:22]

[USN-4999-1] Linux kernel vulnerabilities [09:51]

[USN-5000-1] Linux kernel vulnerabilities [10:08]

[USN-5001-1] Linux kernel (OEM) vulnerabilities

[USN-5002-1] Linux kernel (HWE) vulnerability [10:23]

[USN-5003-1] Linux kernel vulnerabilities [10:35]

Goings on in Ubuntu Security Community

2FA coming to Ubuntu One [11:04]

Get in contact

值得一听的播客

欢迎使用Player FM

类似 Ubuntu Security Podcast 的节目

快速参考指南

Ubuntu Security Podcast « »
Episode 121