Ubuntu Security Podcast

Episode 198

2023-06-09

Overview This week we investigate the mystery of failing GPG signatures for the 16.04 ISO images, plus we look at security updates for CUPS, Avahi, the Linux kernel, FRR, Go and more. This week in Ubuntu Security Updates 58 unique CVEs addressed [USN-6128-1, USN-6128-2] CUPS vulnerability (00:56) 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04) CVE-2023-32324 Heap buffer overflow when printing debug messages - apparently requires cupsd.conf to...

Overview

This week we investigate the mystery of failing GPG signatures for the 16.04 ISO images, plus we look at security updates for CUPS, Avahi, the Linux kernel, FRR, Go and more.

This week in Ubuntu Security Updates

58 unique CVEs addressed

[USN-6128-1, USN-6128-2] CUPS vulnerability (00:56)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-32324
Heap buffer overflow when printing debug messages - apparently requires cupsd.conf to have LogLevel as debug which is not usually the case

[USN-6129-1] Avahi vulnerability (01:39)

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-1981
DoS -> if called with an unknown service name, would result in a NULL pointer dereference and crash - found via dfuzzer - a fuzzer for D-Bus services

[USN-6130-1] Linux kernel vulnerabilities (02:23)

4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM)
- CVE-2023-1380
- CVE-2023-30456
- CVE-2023-31436
- CVE-2023-32233
4.15 GA for 18.04 ESM (generic, virtual, lowlatency, KVM, AWS, Snapdragon, Azure, GCP, Oracle)
- HWE + GCP, Azure, GKE, AWS etc for 16.04 ESM
- Azure for 14.04 ESM
race condition -> UAF -> privesc in netfilter
- [USN-6122-1] Linux kernel (OEM) vulnerabilities from Episode 197
KVM mishandling of control registers for nested guest VMs
- [USN-6123-1] Linux kernel (OEM) vulnerabilities from Episode 197
OOB read in the USB handling code for Broadcom FullMAC USB WiFi driver - requires an attacker to create a malicious USB device and insert that into your machine to be able to trigger (shout out to USBGuard)
OOB write in network queuing scheduler - able to be triggered though an unprivileged user namespace (again)

[USN-6127-1] Linux kernel vulnerabilities (04:41)

5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
- CVE-2023-2612
- CVE-2023-1380
- CVE-2023-30456
- CVE-2023-31436
- CVE-2023-32233
5.15
- 22.10 GA (virtual, raspi, generic, aws, lowlatency, ibm, azure, gcp, oracle, kvm, aws)
- 22.04 HWE (ditto)
- 20.04 HWE (ditto + OEMs)
Same as above plus a race condition in shiftfs -> kernel deadlock -> DoS

[USN-6135-1] Linux kernel (Azure CVM) vulnerabilities (05:06)

5 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2023-2612
- CVE-2023-1380
- CVE-2023-30456
- CVE-2023-31436
- CVE-2023-32233
5.15 Azure FDE (22.04, 20.04)

[USN-6131-1] Linux kernel vulnerabilities (05:18)

5 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- CVE-2023-2612
- CVE-2023-1380
- CVE-2023-30456
- CVE-2023-31436
- CVE-2023-32233
5.4 GA 20.04, HWE 18.04

[USN-6132-1] Linux kernel vulnerabilities (05:30)

13 CVEs addressed in Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- CVE-2023-1118
- CVE-2023-32269
- CVE-2023-2612
- CVE-2023-2162
- CVE-2023-1513
- CVE-2023-1078
- CVE-2023-1075
- CVE-2023-0459
- CVE-2022-3707
- CVE-2023-1380
- CVE-2023-30456
- CVE-2023-31436
- CVE-2023-32233
5.4 (20.04 bluefield, 18.04 AWS)

[USN-6133-1] Linux kernel (Intel IoTG) vulnerabilities (05:42)

12 CVEs addressed in Jammy (22.04 LTS)
- CVE-2023-1118
- CVE-2023-32269
- CVE-2023-2162
- CVE-2023-20938
- CVE-2023-1872
- CVE-2023-1513
- CVE-2023-1078
- CVE-2023-1075
- CVE-2023-0459
- CVE-2022-3707
- CVE-2022-27672
- CVE-2023-1829
5.15 Intel IoTG

[USN-6134-1] Linux kernel (Intel IoTG) vulnerabilities

24 CVEs addressed in Focal (20.04 LTS)
- CVE-2023-1118
- CVE-2023-32269
- CVE-2023-26545
- CVE-2023-2162
- CVE-2023-21102
- CVE-2023-20938
- CVE-2023-1872
- CVE-2023-1652
- CVE-2023-1513
- CVE-2023-1078
- CVE-2023-1075
- CVE-2023-1074
- CVE-2023-1073
- CVE-2023-0459
- CVE-2023-0458
- CVE-2023-0394
- CVE-2022-4842
- CVE-2022-47929
- CVE-2022-4129
- CVE-2022-3707
- CVE-2022-27672
- CVE-2023-0386
- CVE-2023-1281
- CVE-2023-1829
5.15 Intel IoTG as well

[USN-6112-2] Perl vulnerability (05:54)

1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-31484
[USN-6112-1] Perl vulnerability from Episode 197
failed to properly validate TLS certs when using CPAN and HTTP::Tiny

[USN-6136-1] FRR vulnerabilities (06:19)

2 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-31490
- CVE-2023-31489
Implements BGP, OSPF, RIP, IS-IS, PIM and more - successor to Quagga
Two issues in BGP handling - both OOB reads due to failing to use the right lengths when reading packet structures, implemented in C

[USN-6137-1] LibRaw vulnerabilities (06:43)

2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-1729
- CVE-2021-32142
Heap buffer overflow and stack buffer overflow (mitigated by stack protector etc)

[USN-6138-1] libssh vulnerabilities (07:01)

2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-2283
- CVE-2023-1667
NULL ptr deref during re-keying - already authenticated user could trigger a DoS
Possible for a client to avoid having its signature fully verified IF during the verification process there is insufficient memory - fails, leaves in error state that then falls though to an OK state

[USN-6139-1] Python vulnerability (07:37)

1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10), Lunar (23.04)
- CVE-2023-24329
[USN-5960-1] Python vulnerability from Episode 191 - original upstream fix was incomplete

[USN-6140-1] Go vulnerabilities (07:57)

8 CVEs addressed in Kinetic (22.10), Lunar (23.04)
- CVE-2023-29400
- CVE-2023-24540
- CVE-2023-24539
- CVE-2023-24538
- CVE-2022-41725
- CVE-2023-24537
- CVE-2023-24534
- CVE-2022-41724
Various content injection issues in JS, CSS and HTML template handling due to failing to properly parse various delimiting elements (like backtick ` for JS etc)
Also two DoS since could trigger a panic due to mishandling of memory

[USN-6141-1] xfce4-settings vulnerability (08:31)

1 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)
- CVE-2022-45062
MIME helper failed to properly parse input - is called via xdg-open - so could call xdg-open with crafted input that would then get passed through to whatever application (like say the browser / file manager etc) and hence could run these other applications with arbitrary arguments - e.g. could embed a link in a PDF and when the user clicks this can then get say the browser to be launched with arbitrary arguments
e.g. could set the --remote-allow-origins flag to specify an attacker controlled domain which is then allowed to connect to the local debugging port and hence execute arbitrary JS on any other domain - steal creds etc

[USN-6142-1] nghttp2 vulnerability (10:16)

1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic ESM (18.04 ESM), Focal (20.04 LTS)
- CVE-2020-11080
C library for HTTP/2
Overly large SETTINGS frames would cause a CPU-based DoS - mitigated by setting a max limit for these frame types and rejecting if too large

[USN-6143-1] Firefox vulnerabilities (10:50)

4 CVEs addressed in Focal (20.04 LTS)
- CVE-2023-34415
- CVE-2023-34417
- CVE-2023-34416
- CVE-2023-34414
114.0 release

[USN-6144-1] LibreOffice vulnerabilities (10:59)

2 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- CVE-2023-2255
- CVE-2023-0950
Array index underflow in handling of crafted formulas in Calc - memory corruption -> RCE
Failed to prompt user before loading a document into an IFrame - document can then contain other elements like JS etc that get executed

[USN-6028-2] libxml2 vulnerabilities (11:35)

3 CVEs addressed in Lunar (23.04)
- CVE-2023-29469
- CVE-2023-28484
- CVE-2022-2309
2 different NULL ptr deref, possible double free
- DoS / RCE via crafted XML documents

Goings on in Ubuntu Security Community Recent report of invalid GPG signatures on 16.04 ISOs (12:04)

https://discourse.ubuntu.com/t/is-ubuntu-vulnerable-to-fake-keys/21997/4
User reported that the SHA256SUMS file for 16.04 ISOs on old-releases.ubuntu.com failed to validate
Sounds scary - has the server been hacked and the ISOs (and hence SHA256SUMS file) been tampered with?
We don’t sign the ISOs directly - instead (like apt) we take a hash of the ISO file and then sign the file containing that list of hashes - for performance
So in this case, it would appear that the SHA256SUMS file has been modified and so does not validate properly
One other thing to note, this report was made in a follow-up comment to an older thread where someone mentioned that they are able to upload arbitrary keys to the ubuntu keyserver that mimic the archive / CD image signing keys etc - this is the nature of key servers - anyone can upload any key with any arbitrary identifiers - but since keys are generated from randomness, it is theoretically impossible to generate a key with the same underlying cryptographic fingerprint (even if it has the same name / email address associated with it)
Always important to make sure you use the right keys - as identified by their fingerprint - these are listed on the wiki https://wiki.ubuntu.com/SecurityTeam/FAQ#GPG_Keys_used_by_Ubuntu
These keys are also contained on all Ubuntu installs within the /usr/share/keyrings/ubuntu-archive-keyring.gpg file from the ubuntu-keyring package
Able to easily verify this behaviour locally:

wget -q https://old-releases.ubuntu.com/releases/xenial/SHA256SUMS{,.gpg}
gpg --verify --no-default-keyring --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --verbose SHA256SUMS.gpg SHA256SUMS

gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg:                using DSA key 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Fri 01 Mar 2019 02:56:07 ACDT
gpg:                using RSA key D94AA3F0EFE21092
gpg: using pgp trust model
gpg: BAD signature from "Ubuntu CD Image Automatic Signing Key (2012) " [unknown]
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096

So far so scary - it really does look like the SHA256SUMS file was modified
But if we look closer, we can see GPG says the signature was made on 28th February 2019 - this corresponds with the 16.04.6 point release - yet the most recent point release was 16.04.7 from 13th August 2020 for BootHole (Alex and Joe take an in-depth and behind-the-scenes look at BootHole / GRUB from Episode 84) - so it appears that perhaps the various signature files were not regenerated when the 16.04.7 point release was made (yet the various SUMS files were)
Marc went asking around, vorlon from Foundations confirmed this was the case
Simply had to run the script to resign this and push it to the server - now all is good as can be seen below

gpg: Signature made Fri 09 Jun 2023 00:38:30 ACST
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: using pgp trust model
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096