This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
内容由Alex Murray and Ubuntu Security Team提供。所有播客内容(包括剧集、图形和播客描述)均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品,您可以按照此处概述的流程进行操作https://zh.player.fm/legal。
Player FM -播客应用
使用Player FM应用程序离线!
使用Player FM应用程序离线!
Episode 138
Manage episode 307506001 series 2423058
内容由Alex Murray and Ubuntu Security Team提供。所有播客内容(包括剧集、图形和播客描述)均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品,您可以按照此处概述的流程进行操作https://zh.player.fm/legal。
Overview
This week we discuss some of the challenges and trade-offs encountered when providing security support for ageing software, plus we discuss security updates for the Linux kernel, Firejail, Samba, PostgreSQL and more.
This week in Ubuntu Security Updates
42 unique CVEs addressed
[USN-5138-1] python-py vulnerability [00:38]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Python library providing path handling, config file parsing and other features which are now in standard lib or other packages - has been deprecated
- ReDoS against path handling code (regex with catastrophic backtracking)
[USN-5139-1] Linux kernel (OEM 5.10) vulnerabilities [01:25]
- 7 CVEs addressed in Focal (20.04 LTS)
- Power8 specific KVM issue -> guest can crash host -> DoS
- AMD cryptographic coprocessor driver memory leaks -> DoS
- eBPF integer overflow -> DoS / code-exec
- NFC UAF
- SCTP info leak
[USN-5140-1] Linux kernel (OEM 5.14) vulnerabilities [02:12]
- 3 CVEs addressed in Focal (20.04 LTS)
- eBPF integer overflow -> DoS / code-exec
- AMD cryptographic coprocessor driver memory leaks -> DoS
[USN-5137-2] Linux kernel vulnerabilities [02:33]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 (focal bluefield / oracle, bionic oracle / gke)
[LSN-0082-1] Linux kernel vulnerability [03:05]
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 high priority vulns from GPZ (Episode 138) in tty subsystem and 1 in BPF verifier - code-exec -> privesc
- UAF in IPv4 networking routing handling
[USN-5141-1] Firejail vulnerability [03:48]
- 1 CVEs addressed in Focal (20.04 LTS)
- TOCTOU race condition in handling of overlayfs - decided to drop support for overlayfs since was deemed - thanks to Reiner Herrmann for providing this update
[USN-5142-1] Samba vulnerabilities [04:43]
- 9 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Raft of issues including unauthenticated users able to become root on domain members since Samba might incorrectly map local users to domain members, plus incorrect handling of Kerberos tickets such that delegated users could become domain admin by confusing Samba on which user a ticket represented
- Memory corruption issues too
- In particular the fix to correctly map local to domain users results in changed behaviour regarding matching AD users to local users - would previously fallback to a local user but now does not to avoid someone specifying DOMAIN/root and then having that fallback to say root on the local machine
- https://www.samba.org/samba/security/CVE-2020-25717.html
[USN-5144-1] OpenEXR vulnerability [05:55]
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Integer overflow -> buffer overflow -> crash / RCE
[USN-5145-1] PostgreSQL vulnerabilities [06:08]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Incorrect handling of SSL cert verification - could allow a remote attacker to inject arbitrary SQL queries on the initial connection establishment (similar to various STARTTLS vulns which have been seen recently) - would process data sent in the clear before the TLS connection had been established but should just throw this away
- New upstream release with other bug fixes too (13.5 - impish/hirsute, 12.9 - focal, 10.19 - bionic)
[USN-5147-1] Vim vulnerabilities [07:13]
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Swap file permissions handling, restricted mode bypass (shouldn’t be considered a real security mechanism), various memory corruption issues too
[USN-5149-1] AccountsService vulnerability [08:01]
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Double free in SetLanguage() DBus method - memory corruption in root daemon which can be triggered by an unprivileged user - is due to a Ubuntu specific patch which we include so that when the user selects a language / format we save this in their
~/.pam_environment
to keep settings in sync - Patch contained code to use an existing pointer but then freed it - and then it would get freed again by the original code
- Priv-esc by getting accountsservice daemon to run arbitrary code
[USN-5148-1] hivex vulnerability [09:24]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Tools for handling Windows Registry hive files
- OOB read with specially crafted input file -> crash -> DoS
Goings on in Ubuntu Security Community
How to handle large security updates in outdated software versions? [09:56]
- Samba updates in [USN-5142-1] do not include Bionic
- Upstream released a new 4.13.14 which we could upgrade to in F/H/I/J without a lot of work or risk of regression since those releases already used a more recent version like 4.11 etc so the change in behaviour as a result of upgrading was so large and other packages in the archive were still compatible with this new version
- Upstream has released patches for these vulns back to 4.10 but this is 686 individual patches - bionic has Samba 4.7 and so would require a lot of manual work to backport these ~700 patches, and the risk of introducing a regression (ie breaking something) when backporting such a large set of changes is higher
- We are security engineers not full-time Samba software developers so not cognisant of all the possible pitfalls etc
- Other option would be to update Samba in bionic to 4.13.14 like in the later releases, other packages like talloc, tdb, tevent and ldb and these would all need to be upgraded as well
- But this new Samba version only supports python3, not python2.7 which the older Samba currently in bionic does
- FreeIPA in bionic is Python2 so would then be broken if we did this upgrade
- We could also try and upgrade FreeIPA to a newer version which uses Python3 but it isn’t clear if the required Python3 dependencies even exist in the 18.04 archive - so they man need to be backported and introduced there as well
- Either option involves a lot of change and hence complexity ∴ a high risk of regression
- Unclear yet which will be the preferred option but this illustrates the difficulties involved in doing security support for old software versions which upstream has ceased to provide support
- Will likely come across more cases like this as we get further into ESM support periods for various packages - Bionic is still in it’s LTS phase till 2023 so not even in ESM and already has trouble for Samba
- Watch this space…
Get in contact
231集单集
Manage episode 307506001 series 2423058
内容由Alex Murray and Ubuntu Security Team提供。所有播客内容(包括剧集、图形和播客描述)均由 Alex Murray and Ubuntu Security Team 或其播客平台合作伙伴直接上传和提供。如果您认为有人在未经您许可的情况下使用您的受版权保护的作品,您可以按照此处概述的流程进行操作https://zh.player.fm/legal。
Overview
This week we discuss some of the challenges and trade-offs encountered when providing security support for ageing software, plus we discuss security updates for the Linux kernel, Firejail, Samba, PostgreSQL and more.
This week in Ubuntu Security Updates
42 unique CVEs addressed
[USN-5138-1] python-py vulnerability [00:38]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- Python library providing path handling, config file parsing and other features which are now in standard lib or other packages - has been deprecated
- ReDoS against path handling code (regex with catastrophic backtracking)
[USN-5139-1] Linux kernel (OEM 5.10) vulnerabilities [01:25]
- 7 CVEs addressed in Focal (20.04 LTS)
- Power8 specific KVM issue -> guest can crash host -> DoS
- AMD cryptographic coprocessor driver memory leaks -> DoS
- eBPF integer overflow -> DoS / code-exec
- NFC UAF
- SCTP info leak
[USN-5140-1] Linux kernel (OEM 5.14) vulnerabilities [02:12]
- 3 CVEs addressed in Focal (20.04 LTS)
- eBPF integer overflow -> DoS / code-exec
- AMD cryptographic coprocessor driver memory leaks -> DoS
[USN-5137-2] Linux kernel vulnerabilities [02:33]
- 9 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 (focal bluefield / oracle, bionic oracle / gke)
[LSN-0082-1] Linux kernel vulnerability [03:05]
- 4 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)
- 2 high priority vulns from GPZ (Episode 138) in tty subsystem and 1 in BPF verifier - code-exec -> privesc
- UAF in IPv4 networking routing handling
[USN-5141-1] Firejail vulnerability [03:48]
- 1 CVEs addressed in Focal (20.04 LTS)
- TOCTOU race condition in handling of overlayfs - decided to drop support for overlayfs since was deemed - thanks to Reiner Herrmann for providing this update
[USN-5142-1] Samba vulnerabilities [04:43]
- 9 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Raft of issues including unauthenticated users able to become root on domain members since Samba might incorrectly map local users to domain members, plus incorrect handling of Kerberos tickets such that delegated users could become domain admin by confusing Samba on which user a ticket represented
- Memory corruption issues too
- In particular the fix to correctly map local to domain users results in changed behaviour regarding matching AD users to local users - would previously fallback to a local user but now does not to avoid someone specifying DOMAIN/root and then having that fallback to say root on the local machine
- https://www.samba.org/samba/security/CVE-2020-25717.html
[USN-5144-1] OpenEXR vulnerability [05:55]
- 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
- Integer overflow -> buffer overflow -> crash / RCE
[USN-5145-1] PostgreSQL vulnerabilities [06:08]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Incorrect handling of SSL cert verification - could allow a remote attacker to inject arbitrary SQL queries on the initial connection establishment (similar to various STARTTLS vulns which have been seen recently) - would process data sent in the clear before the TLS connection had been established but should just throw this away
- New upstream release with other bug fixes too (13.5 - impish/hirsute, 12.9 - focal, 10.19 - bionic)
[USN-5147-1] Vim vulnerabilities [07:13]
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Swap file permissions handling, restricted mode bypass (shouldn’t be considered a real security mechanism), various memory corruption issues too
[USN-5149-1] AccountsService vulnerability [08:01]
- 1 CVEs addressed in Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Double free in SetLanguage() DBus method - memory corruption in root daemon which can be triggered by an unprivileged user - is due to a Ubuntu specific patch which we include so that when the user selects a language / format we save this in their
~/.pam_environment
to keep settings in sync - Patch contained code to use an existing pointer but then freed it - and then it would get freed again by the original code
- Priv-esc by getting accountsservice daemon to run arbitrary code
[USN-5148-1] hivex vulnerability [09:24]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
- Tools for handling Windows Registry hive files
- OOB read with specially crafted input file -> crash -> DoS
Goings on in Ubuntu Security Community
How to handle large security updates in outdated software versions? [09:56]
- Samba updates in [USN-5142-1] do not include Bionic
- Upstream released a new 4.13.14 which we could upgrade to in F/H/I/J without a lot of work or risk of regression since those releases already used a more recent version like 4.11 etc so the change in behaviour as a result of upgrading was so large and other packages in the archive were still compatible with this new version
- Upstream has released patches for these vulns back to 4.10 but this is 686 individual patches - bionic has Samba 4.7 and so would require a lot of manual work to backport these ~700 patches, and the risk of introducing a regression (ie breaking something) when backporting such a large set of changes is higher
- We are security engineers not full-time Samba software developers so not cognisant of all the possible pitfalls etc
- Other option would be to update Samba in bionic to 4.13.14 like in the later releases, other packages like talloc, tdb, tevent and ldb and these would all need to be upgraded as well
- But this new Samba version only supports python3, not python2.7 which the older Samba currently in bionic does
- FreeIPA in bionic is Python2 so would then be broken if we did this upgrade
- We could also try and upgrade FreeIPA to a newer version which uses Python3 but it isn’t clear if the required Python3 dependencies even exist in the 18.04 archive - so they man need to be backported and introduced there as well
- Either option involves a lot of change and hence complexity ∴ a high risk of regression
- Unclear yet which will be the preferred option but this illustrates the difficulties involved in doing security support for old software versions which upstream has ceased to provide support
- Will likely come across more cases like this as we get further into ESM support periods for various packages - Bionic is still in it’s LTS phase till 2023 so not even in ESM and already has trouble for Samba
- Watch this space…
Get in contact
231集单集
所有剧集
×欢迎使用Player FM
Player FM正在网上搜索高质量的播客,以便您现在享受。它是最好的播客应用程序,适用于安卓、iPhone和网络。注册以跨设备同步订阅。