Content provided by Alex Murray and Ubuntu Security Team. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://ko.player.fm/legal.
Episode 135

Duration: 11:43

Overview

Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security updates for Linux kernel, nginx, Ardour and strongSwan.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-5091-3] Linux kernel (Azure) regression

[USN-5092-3] Linux kernel (Azure) regression [00:50]

[USN-5109-1] nginx vulnerability [01:44]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • Buffer overflow in the autoindex module when handling files whose modification dates are a long time in the past (i.e. 1969) or very far in the future - caused by an integer overflow in the date handling
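Added example in C (not nginx's own code) modelling the failure mode described above: a time conversion that stores `time_t` in an unsigned variable turns a 1969 modification time into a twelve-digit "year", so a date column sized for four-digit years is too narrow, and a far-future date overruns it as well; `render_date` shows the width check a hardened formatter needs before copying into the fixed column. `naive_year`, `DATE_WIDTH` and the sample mtimes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Width a listing reserves for the date column: "dd-Mon-yyyy hh:mm" is 17
 * bytes when the year has exactly four digits (assumption of this example). */
#define DATE_WIDTH 17

/* Year derived the way a gmtime that keeps time_t in an unsigned variable
 * would (hypothetical model, not nginx's code): a negative mtime such as one
 * in 1969 wraps to ~1.8e19 seconds, so the "year" grows to twelve digits.
 * Leap days are ignored; the approximation is enough to show the blow-up. */
long long naive_year(time_t mtime) {
    uint64_t seconds = (uint64_t) mtime;      /* the lossy sign cast */
    return 1970 + (long long) (seconds / 86400 / 365);
}

/* Hardened renderer: formats into a scratch buffer first and refuses to copy
 * into the fixed-width column when the result is wider than reserved.
 * Returns the bytes written, or -1 when the date does not fit. */
int render_date(char *dst, size_t dstlen, time_t mtime) {
    char scratch[64];
    int n = snprintf(scratch, sizeof scratch, "01-Jan-%lld 00:00",
                     naive_year(mtime));
    if (n < 0 || (size_t) n > DATE_WIDTH || (size_t) n >= dstlen)
        return -1;                            /* would overflow the column */
    memcpy(dst, scratch, (size_t) n + 1);
    return n;
}

int main(void) {
    char column[DATE_WIDTH + 1];
    /* Constructed sample mtimes: the epoch, one day before it (1969), and a
     * far-future value (year 10000 in real UTC). */
    time_t samples[] = { 0, -86400, 253402300800LL };
    for (size_t i = 0; i < 3; i++) {
        int n = render_date(column, sizeof column, samples[i]);
        if (n < 0)
            printf("mtime %lld: rejected, naive year %lld exceeds %d-byte column\n",
                   (long long) samples[i], naive_year(samples[i]), DATE_WIDTH);
        else
            printf("mtime %lld: %s\n", (long long) samples[i], column);
    }
    return 0;
}
```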

[USN-5110-1] Ardour vulnerability [02:22]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • Use-after-free when handling crafted XML files - opening attacker-provided files could lead to DoS / RCE

[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • Integer overflow when replacing certs in the cache - if an attacker can send many requests with different certs they can fill the cache and then force replacement of cache entries once it is full - the LRU algorithm could then cause an integer overflow and hence an OOB write
  • Integer overflow in the gmp plugin - a crafted RSASSA-PSS signature in, say, a self-signed CA cert sent by an initiator

[USN-5113-1] Linux kernel vulnerabilities [04:13]

Goings on in Ubuntu Security Community

Tianfu Cup 2021 [05:30]

  • https://www.tianfucup.com/en
  • 16-17th October - China’s own Pwn2Own
  • Teams required to use original vulns to hack target platforms - 1.5m USD total reward
  • Targets
    • Docker-CE on Ubuntu 20.04 with the generic kernel, running an Ubuntu 20.04 desktop container with ssh access as root to the container; the container runs unprivileged w/o uidmap, volume mount and default bridge network - 60k USD prize
    • Ubuntu 20.04 / CentOS 8 running in VMware Workstation - unprivileged user to escalate to root - 40k USD
    • Ubuntu + qemu-kvm - 20.04 desktop host, running 20.04 server in qemu - VM escape w/o sandbox escape - 60k USD, w/ sandbox escape 150k USD
  • Three 5-minute attempts to run their exploits
  • According to media reports - Ubuntu 20.04 root privesc - 4 times, Docker-CE and qemu VM - once each
  • Also, an iPhone 13 Pro was hacked using a no-interaction RCE attack, and Google Chrome was used to get kernel privesc on Windows as well
  • Also according to one media outlet “details unknown but vendors are expected to release patches in coming weeks” - so far no contact / details have been provided to us…
  • Same has happened in previous years - no details get provided to vendors so issues don’t get patched - in the past, exploits which have been showcased at Tianfu have then allegedly gone on to be used in hacking campaigns by the Chinese government
  • Contrast with Pwn2Own - we are invited by organisers to watch and verify attempts in real-time to help judge whether exploits used are actually unique and new, and then ZDI provide details immediately regarding the vulns along with PoCs so we can patch them ASAP

Get in contact

Ubuntu Security Podcast