PLAY PODCASTS
Episode 135

Episode 135

Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security updates for Linux kernel, nginx, Ardour and strongSwan.

Ubuntu Security Podcast · Ubuntu Security Team

October 22, 202111m 43s

Audio is streamed directly from the publisher (people.canonical.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

Overview

Ubuntu 20.04 LTS targeted at Tianfu Cup 2021 plus we cover security updates for Linux kernel, nginx, Ardour and strongSwan.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-5091-3] Linux kernel (Azure) regression

[USN-5092-3] Linux kernel (Azure) regression [00:50]

[USN-5109-1] nginx vulnerability [01:44]

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • Buffer overflow when handling files with modification dates a long time in the past - ie. 1969 or very far in the future - integer overflow in the autoindex module

[USN-5110-1] Ardour vulnerability [02:22]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • UAF in handling of crafted XML files - if using attacker provided files could DoS / RCE

[USN-5111-1, USN-5111-2] strongSwan vulnerabilities [02:39]

  • 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Hirsute (21.04), Impish (21.10)
  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
  • Integer overflow when replacing certs in cache - if can send many requests with different certs can fill cache and then cause replacement of cache entries when gets full - LRU algorithm could then cause integer overflow and hence OOB write as a result
  • Integer overflow in gmp plugin - crafted RSASSA-PSS signature in say a self-signed CA cert sent by an initiation

[USN-5113-1] Linux kernel vulnerabilities [04:13]

Goings on in Ubuntu Security Community

Tianfu Cup 2021 [05:30]

  • https://www.tianfucup.com/en
  • 16-17th October - China’s own Pwn2Own
  • Teams required to use original vulns to hack target platforms - 1.5m USD total reward
  • Targets
    • Docker-CE on Ubuntu 20.04 w generic kernel running a Ubuntu 20.04 desktop container with ssh access as root to the container running unprivileged w/o uidmap, volume mount and default bridge network - 60k USD price
    • Ubuntu 20.04 / Centos 8 running in VMWare Workstation - unprivileged user to escalate to root - 40k USD
    • Ubuntu + qemu-kvm - 20.04 desktop host, running 20.04 server in qemu - VM escape w/o sandbox escape - 60k USD, w/ sandbox escape 150k USD
  • 3 5 minute attempts to run their exploits
  • According to media reports - Ubuntu 20.04 root privesc - 4 times, Docker-CE and qemu VM - once
  • Also iPhone 13 Pro was hacked using a no-interaction RCE attack, plus Google Chrome to get kernel privesc on Windows as well
  • Also according to one media outlet “details unknown but vendors are expected to release patches in coming weeks” - so far no contact / details have been provided to us…
  • Same has happened in previous years - no details get provided to vendors so issues don’t get patched - in the past, exploits which have been showcased at Tianfu have then allegedly gone on to be used in hacking campaigns by the Chinese government
  • Contrast with Pwn2Own - we are invited by organisers to watch and verify attempts in real-time to help judge whether exploits used are actually unique and new, and then ZDI provide details immediately regarding the vulns along with PoCs so we can patch them ASAP

Get in contact

← All episodes of Ubuntu Security Podcast