
Episode 164
More Intel CPU issues, including Hertzbleed and MMIO stale data, plus we cover security vulnerabilities and updates for ca-certificates, Varnish Cache, FFmpeg, Firefox, PHP and more.
Ubuntu Security Podcast · Ubuntu Security Team
June 17, 2022 · 11m 50s
Show Notes
This week in Ubuntu Security Updates
64 unique CVEs addressed
[USN-5473-1] ca-certificates update [00:41]
- Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- Updates to the latest 2.50 version of the Mozilla CA bundle - in particular this removes a bunch of expired certs plus an old (but still valid) GeoTrust certificate and others - also adds some new CA certs from GlobalTrust, Certum, GlobalSign too
[USN-5396-2] Ghostscript vulnerability [01:30]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Episode 158
[USN-5474-1] Varnish Cache vulnerabilities [01:41]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Thanks to Luís Infante da Câmara for preparing, testing and providing the debdiffs for these updates
- Possible HTTP/1 and HTTP/2 request smuggling attacks
- DoS via triggering an assertion failure
- Pointer for one client reused for the next client when both share the same connection - can expose info from the old client to the new one
[USN-5472-1] FFmpeg vulnerabilities [02:30]
- 35 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Thanks to Luís Infante da Câmara for preparing, testing and providing the debdiffs for these updates
- Updates ffmpeg to latest upstream bug-fix releases
- 4.4.2 for 21.10, 22.04 LTS
- 4.2.7 for 20.04 LTS
- 3.4.11 for 18.04 LTS
[USN-5475-1] Firefox vulnerabilities [03:04]
- 12 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
- 101.0.1
- Usual mix of web browser / framework issues fixed - specially crafted website -> could exploit to cause DoS, info leak, spoof the browser UI, conduct XSS attacks, bypass content security policy (CSP) restrictions, or execute arbitrary code
[USN-5476-1] Liblouis vulnerabilities [03:54]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Braille translation library + utils
- Buffer overflow -> crash -> DoS
- OOB write -> crash -> DoS / RCE
[USN-5359-2] rsync vulnerability [04:27]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Episode 156 (zlib memory corruption issue when compressing input data)
[USN-5477-1] ncurses vulnerabilities [04:54]
- 6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
- Various memory corruption vulns fixed - requires processing crafted input files (e.g. termcap - but these are usually trusted, hence the negligible rating for most of these CVEs)
[USN-5478-1] util-linux vulnerability [05:28]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Memory leak in libblkid when parsing crafted MSDOS partition table
[USN-5479-1] PHP vulnerabilities [05:40]
- 2 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
- Both issues are in the handling of crafted inputs to database drivers - 1 for postgres and 1 for mysql
- Uninitialised variable in the pg driver -> UAF in a certain error scenario -> RCE
- buffer overflow in password handler for mysqlnd (native driver) - rogue MySQL server could trigger this to get RCE
Goings on in Ubuntu Security Community
News on latest Intel security issues [06:33]
- Hertzbleed & MMIO stale data both disclosed this week
- Hertzbleed - interesting new crypto side-channel attack demonstrated against SIKE (Supersingular Isogeny Key Encapsulation - post-quantum key encapsulation mechanism)
- Turns a frequency side-channel into a timing side-channel, so code that was previously assumed to be constant time can still leak information about the key - a client mounts a chosen-ciphertext attack, observes the timing of the server's responses and infers the secret key from that
- Acknowledged by both Intel and AMD but likely all modern processors which employ dynamic voltage and frequency scaling are affected
- Intel have released guidance for how to harden crypto implementations against this attack
- No changes/fixes for this in kernel/microcode/toolchain etc - instead it will be up to individual libraries to assess whether they may be affected and then refactor accordingly
- MMIO stale-data
- Vulns in memory mapped I/O - generally only applicable to virtualisation when untrusted guests have access to MMIO
- Not transient execution attacks (TEAs) themselves, but since these vulns allow stale data to persist, that data can then be inferred by a TEA (think Spectre etc)
- consists of a series of different issues for various microarchitectural buffers / registers where stale data is left after being copied / moved - then can be sampled via a TEA to infer the value
- different processor models have different microarchitectural buffers so some may or may not be affected
- 3 separate vulns (CVEs) identified based on the microarchitectural buffer affected and the technique used to read from it
- Fixes required in both kernel and intel-microcode packages
- Kernels will have already been released by the time you hear this
- Microcode is currently being released via the -updates pocket of the archive - will then publish to -security once fully phased to all users
- Likely early on Monday next week
- More details in next week’s episode
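An added check for the "fixes required in both kernel and intel-microcode" point, not from the episode: it classifies what the running kernel reports for MMIO Stale Data, so a fleet audit can tell a fully mitigated host from one whose kernel is fixed but still lacks the new microcode. It assumes the sysfs path and status strings documented by the kernel's hw-vuln guide for this issue.

```shell
#!/bin/sh
# Added example, not from the podcast: classify the kernel's MMIO Stale Data
# report. The sysfs file and status prefixes are the ones documented in the
# kernel's hw-vuln/processor_mmio_stale_data guide; "; SMT ..." is optional.
SYSFS_MMIO=/sys/devices/system/cpu/vulnerabilities/mmio_stale_data

# classify_status LINE -> one word describing the overall state
classify_status() {
    case "$1" in
        "Not affected"*)
            echo unaffected ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # kernel mitigation present but the CPU lacks the new microcode
            echo vulnerable-no-microcode ;;
        "Vulnerable"*)
            echo vulnerable ;;
        "Mitigation:"*)
            echo mitigated ;;
        *)
            # e.g. "Unknown: No mitigations" on models not on Intel's list
            echo unknown ;;
    esac
}

# smt_state LINE -> the text after "; SMT ", or "n/a" when no suffix is present
smt_state() {
    case "$1" in
        *"; SMT "*) printf '%s\n' "$1" | sed 's/.*; SMT //' ;;
        *)          echo n/a ;;
    esac
}

# mitigation_status FILE -> classification for a sysfs-style status file;
# a kernel that predates the fix does not create the file at all
mitigation_status() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 0
    fi
    classify_status "$(head -n 1 "$1")"
}

# Stand-alone use: report this host
if [ -r "$SYSFS_MMIO" ]; then
    line=$(head -n 1 "$SYSFS_MMIO")
    echo "mmio_stale_data: $(classify_status "$line") (SMT: $(smt_state "$line"))"
else
    echo "mmio_stale_data: unknown (no sysfs entry; kernel predates the fix?)"
fi
```

A "vulnerable-no-microcode" result is the case the episode describes: kernel already updated, intel-microcode still pending in -updates.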