Overview
Ubuntu gets pwned again at Pwn2Own Vancouver 2022, plus we look at security updates for the Linux kernel, RSyslog, ClamAV, Apport and more.
This week in Ubuntu Security Updates
57 unique CVEs addressed
[USN-5413-1] Linux kernel vulnerabilities [01:06]
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)
CVE-2022-28390
CVE-2022-27223
CVE-2022-26490
CVE-2021-4157
CVE-2021-39713
CVE-2020-27820
4.4 - 16.04 ESM GA + 14.04 ESM
UAF in nouveau driver when the device is removed - external NVIDIA GPU? or a local user unbinding the driver?
UAF due to race condition in network packet scheduler
OOB write in NFS - a user who had access to an NFS mount could possibly exploit this
Buffer overflow in ST Micro NFC driver - failed to validate parameters from the NFC device - a physically proximate attacker could possibly exploit this but would need custom hw/sw
Similarly, Xilinx USB2 gadget driver failed to validate USB endpoints
ESM CAN/USB double-free
[USN-5415-1] Linux kernel vulnerabilities [02:27]
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2022-27223
CVE-2022-26490
CVE-2022-25375
CVE-2022-25258
CVE-2022-20008
CVE-2022-1016
CVE-2021-26401
CVE-2020-27820
5.4 - 20.04 LTS GA + 18.04 LTS HWE + clouds
Above vulns plus:
AMD-specific issue around insufficient mitigations for Spectre v2 attacks
OOB read -> info leak through mishandling of MMC/SD read errors
[USN-5417-1] Linux kernel vulnerabilities [03:07]
8 CVEs addressed in Focal (20.04 LTS), Impish (21.10)
CVE-2022-29156
CVE-2022-27223
CVE-2022-26966
CVE-2022-26490
CVE-2022-25375
CVE-2022-25258
CVE-2022-20008
CVE-2021-26401
5.13 - 21.10, 20.04 LTS HWE + some clouds
~ same as above
[USN-5418-1] Linux kernel vulnerabilities [03:19]
13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS)
CVE-2022-27223
CVE-2022-26966
CVE-2022-26490
CVE-2022-25375
CVE-2022-25258
CVE-2022-24958
CVE-2022-23042
CVE-2022-23040
CVE-2022-23039
CVE-2022-23038
CVE-2022-23037
CVE-2022-23036
CVE-2021-26401
4.15 - 18.04 LTS GA, 16.04 ESM HWE + clouds + OEM, 14.04 ESM azure
~ same as above
[USN-5416-1] Linux kernel (OEM) vulnerabilities [03:26]
5 CVEs addressed in Focal (20.04 LTS)
CVE-2022-28390
CVE-2022-28389
CVE-2022-28388
CVE-2022-1516
CVE-2022-1158
5.14 - 20.04 LTS OEM
KVM mishandled guest page table updates -> a guest VM could crash the host OS
2 similar issues in CAN bus drivers - 8 Devices USB2CAN and Microchip CAN Bus Analyzer both had a double-free on error paths - local attacker could crash -> DoS
Plus ESM CAN/USB issue from above
[USN-5419-1] Rsyslog vulnerabilities [04:26]
3 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2019-17042
CVE-2019-17041
CVE-2018-16881
2 issues in handling of various message types (AIX + Cisco log message parsers failed to properly validate contents and so could result in a heap buffer overflow)
1 in handling of plain TCP socket comms - but this module is not enabled in the default rsyslog configuration for Ubuntu
[USN-5420-1] Vorbis vulnerabilities [05:01]
3 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2018-10393
CVE-2018-10392
CVE-2017-14160
heap buffer overflow, OOB read + stack buffer overflow via crafted input files - DoS / RCE
[USN-5421-1] LibTIFF vulnerabilities [05:16]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10)
CVE-2022-0865
CVE-2022-0891
CVE-2022-0562
CVE-2022-0561
CVE-2020-35522
Similar types of issues in libtiff - OOB reads / writes
[USN-5422-1] libxml2 vulnerabilities [05:32]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2022-29824
CVE-2022-23308
UAF plus possible integer overflows -> unspecified impact (but requires the victim to process a multi-GB XML file)
[USN-5311-2] containerd regression [06:03]
1 CVE addressed in Focal (20.04 LTS), Impish (21.10)
CVE-2022-23648
Covered in Episode 152 - a subsequent update to containerd by a different team accidentally reverted the CVE fix - this update reinstates it
[USN-5423-1, USN-5423-2] ClamAV vulnerabilities [06:24]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2022-20796
CVE-2022-20792
CVE-2022-20785
CVE-2022-20771
CVE-2022-20770
0.103.6
Various infinite loops in different parsers (CPU-based DoS), memory leaks plus a couple of OOB writes
[USN-5424-1] OpenLDAP vulnerability [06:53]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2022-29155
SQL injection in the SQL backend of slapd via an SQL statement embedded within an LDAP query
[USN-5425-1] PCRE vulnerabilities [07:09]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2020-14155
CVE-2019-20838
OOB read -> info leak
integer overflow -> buffer overflow? -> crash / code execution
[USN-5426-1] needrestart vulnerability [07:20]
1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2022-30688
needrestart detects daemons that need to be restarted after libraries are upgraded
Uses various regexes to detect scripting-language interpreters - but since these were not specific enough, a user could get their own script executed in the context of the user running needrestart - which could be root
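To show why the specificity of those regexes matters, here is an added example (my own code, not needrestart's, which is written in Perl; the rules and sample command lines are constructed for illustration). A loose rule that looks for an interpreter name anywhere in a command line classifies a user-chosen path the same as the system interpreter; a rule anchored to the start of the command line and to fixed system directories does not.

```python
import re

# Constructed sample process command lines (not taken from the page or from needrestart).
SAMPLE_CMDLINES = [
    "/usr/bin/perl /usr/sbin/some-daemon",
    "/usr/bin/python3 /usr/lib/service/main.py",
    "/home/alice/perl /home/alice/script",   # user-chosen path that merely contains "perl"
    "/opt/tools/bin/python3 agent.py",       # interpreter outside the trusted prefixes
]

# Loose rule: matches the interpreter name anywhere in the command line.
LOOSE_RULES = {
    "perl": re.compile(r"perl"),
    "python": re.compile(r"python"),
}

# Strict rule: the interpreter must be the first argument and live under a
# fixed system directory, so a path chosen by an unprivileged user cannot match.
TRUSTED_DIRS = r"(?:/usr/bin|/usr/local/bin|/bin)"
STRICT_RULES = {
    "perl": re.compile(rf"^{TRUSTED_DIRS}/perl(?:5(?:\.\d+)*)?(?:\s|$)"),
    "python": re.compile(rf"^{TRUSTED_DIRS}/python[23]?(?:\.\d+)?(?:\s|$)"),
}


def classify(cmdline, rules):
    """Return the interpreter name a rule set assigns to a command line, or None."""
    for name, pattern in rules.items():
        if pattern.search(cmdline):
            return name
    return None


def compare(cmdlines=SAMPLE_CMDLINES):
    """Classify each command line under both rule sets; returns {cmdline: (loose, strict)}."""
    return {c: (classify(c, LOOSE_RULES), classify(c, STRICT_RULES)) for c in cmdlines}


if __name__ == "__main__":
    for cmd, (loose, strict) in compare().items():
        print(f"{cmd!r:50} loose={loose!s:7} strict={strict}")
```

The point is not the exact directory list (that is an assumption here) but that a rule deciding whether to treat a process as an interpreter, and therefore whether to act on its script argument, has to be anchored to locations an unprivileged user cannot write to.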
[USN-5427-1] Apport vulnerabilities [08:08]
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Impish (21.10), Jammy (22.04 LTS)
CVE-2022-28658
CVE-2022-28657
CVE-2022-28656
CVE-2022-28655
CVE-2022-28654
CVE-2022-28652
CVE-2022-1242
CVE-2021-3899
Gerrit Venema reported a heap of issues in Apport - thanks to Marc Deslauriers on our team for working on these
Apport is the crash handler in Ubuntu - it is invoked by the kernel when an application crashes to collect various data to then upload to Ubuntu developers
Runs as root but can be invoked by a regular user, so it has been a target for privesc vulns in the past
Has various code to drop privileges etc. but this was found to be incomplete
Impacts of these issues range from DoS by crashing Apport through to local privesc to root
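Since the theme here is privilege-dropping code that turned out to be incomplete, the following added example (my own code, not Apport's) shows the checks a complete drop has to satisfy and the order in which the calls have to be made. The credential snapshots at the bottom are constructed to resemble common mistakes: leaving the saved uid at 0, changing only the effective ids, or keeping root's supplementary groups.

```python
import os


def audit_credentials(resuid, resgid, groups, target_uid, target_gid):
    """Return the list of ways a drop to target_uid/target_gid is incomplete.

    resuid/resgid are (real, effective, saved) triples as returned by
    os.getresuid()/os.getresgid(); groups is the supplementary group list.
    An empty list means every credential the process could later use to
    regain privilege has been switched to the target identity.
    """
    problems = []
    ruid, euid, suid = resuid
    rgid, egid, sgid = resgid
    if ruid != target_uid or euid != target_uid:
        problems.append("real/effective uid not switched to target")
    if suid != target_uid:
        problems.append("saved uid still privileged: setuid() could restore it")
    if rgid != target_gid or egid != target_gid:
        problems.append("real/effective gid not switched to target")
    if sgid != target_gid:
        problems.append("saved gid still privileged")
    leftover = sorted(g for g in groups if g != target_gid)
    if leftover:
        problems.append(f"supplementary groups retained: {leftover}")
    return problems


def drop_privileges(target_uid, target_gid):
    """Drop from root to an unprivileged identity, then verify the result (Linux only)."""
    # Supplementary groups first: setgroups() needs CAP_SETGID, which is
    # gone once the uids are changed.
    os.setgroups([target_gid])
    # Set all three gids, then all three uids, so no saved id is left to regain.
    os.setresgid(target_gid, target_gid, target_gid)
    os.setresuid(target_uid, target_uid, target_uid)
    problems = audit_credentials(os.getresuid(), os.getresgid(), os.getgroups(),
                                 target_uid, target_gid)
    if problems:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(problems))


if __name__ == "__main__":
    # Constructed snapshots (not real process state) of typical incomplete drops.
    print(audit_credentials((1000, 1000, 0), (1000, 1000, 1000), [1000], 1000, 1000))
    print(audit_credentials((0, 1000, 0), (0, 1000, 0), [0, 1000], 1000, 1000))
    print(audit_credentials((1000, 1000, 1000), (1000, 1000, 1000), [1000], 1000, 1000))
```

drop_privileges() needs to start as root to do anything useful; audit_credentials() is the part worth reusing, as a self-check after any drop or as an assertion in tests of a setuid helper.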
[USN-5428-1] libXrandr vulnerabilities [09:14]
2 CVEs addressed in Xenial ESM (16.04 ESM)
CVE-2016-7948
CVE-2016-7947
Integer overflows -> OOB write plus another, different OOB write - all able to be triggered by a malicious remote X server
Goings on in Ubuntu Security Community
Ubuntu in Pwn2Own Vancouver 2022 [09:39]
15 year anniversary of Pwn2Own
17 teams attempting to exploit 21 targets - including Ubuntu Desktop for EoP
https://www.zerodayinitiative.com/blog/2022/5/17/pwn2own-vancouver-2022-the-schedule
5 different teams targeting Ubuntu Desktop - Ubuntu 22.04 LTS, fully up-to-date
Prize of $40k USD
2 on day 1, 2 on day 2, 1 on day 3 (tomorrow)
https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results
So far all 4 have been successful:
Team Orca of Sea Security (not live streamed)
OOBW + UAF
Keith Yeo
UAF
Bien Pham
UAF
Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) of Team TUTELARY
UAF
Lots of great new bugs - expect to hear more about these in the coming weeks
Past episodes covering Ubuntu @ Pwn2Own in previous years: Episode 111 and Episode 71 - the latter in particular has a great interview with Steve and Marc from our team, who cover what it is like as a vendor
Get in contact
security@ubuntu.com
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter