This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
コンテンツは Alex Murray and Ubuntu Security Team によって提供されます。エピソード、グラフィック、ポッドキャストの説明を含むすべてのポッドキャスト コンテンツは、Alex Murray and Ubuntu Security Team またはそのポッドキャスト プラットフォーム パートナーによって直接アップロードされ、提供されます。誰かがあなたの著作権で保護された作品をあなたの許可なく使用していると思われる場合は、ここで概説されているプロセスに従うことができますhttps://ja.player.fm/legal。
Ubuntu Security Podcastに似ているもの
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
This feed includes all episodes of Paul's Security Weekly, Enterprise Security Weekly, Business Security Weekly, Application Security Weekly, and Security Weekly News! Your one-stop shop for all things Security Weekly!
…
continue reading
Daily update on current cyber security threats
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Hungry for Technology Talk? Get All You Can Eat at the Android Buffet
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
Player FM -ポッドキャストアプリ
Player FMアプリでオフラインにしPlayer FMう!
Player FMアプリでオフラインにしPlayer FMう!
))
Episode 118
Manage episode 294113250 series 2423058
コンテンツは Alex Murray and Ubuntu Security Team によって提供されます。エピソード、グラフィック、ポッドキャストの説明を含むすべてのポッドキャスト コンテンツは、Alex Murray and Ubuntu Security Team またはそのポッドキャスト プラットフォーム パートナーによって直接アップロードされ、提供されます。誰かがあなたの著作権で保護された作品をあなたの許可なく使用していると思われる場合は、ここで概説されているプロセスに従うことができますhttps://ja.player.fm/legal。
Overview
This week we look at DMCA notices sent against Ubuntu ISOs plus security updates for nginx, DHCP, Lasso, Django, Dnsmasq and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4967-1, USN-4967-2] nginx vulnerability [00:50]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 1 byte buffer overflow, able to be trigged by a crafted DNS response - UDP so could possibly be more easily forged than TCP (less state) - crash, RCE
[USN-4968-1, USN-4968-2] LZ4 vulnerability [01:27]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- integer overflow -> OOB write -> crash, RCE - crafted lz4 archive
[USN-4969-1, USN-4969-2] DHCP vulnerability [01:52]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Crafted lease file could trigger an OOB read - could be triggered against both dhclient and dhcpd - DoS. In case of dhcpd could also cause that lease to be deleted (and the one that follows it in the lease database). ISC claim impact is LESS is using compiler hardening (stack-protector-strong) - since in this case will trigger an abort - but if not used it will keep running…
[USN-4970-1] GUPnP vulnerability [03:15]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- DNS rebinding attack - able to be exploited by a remote web server - cause the local web browser into triggering actions against local UPnP services that use gupnp library as it would not check that the Host header specified the expected IP address. Could then be used for data exfil / tampering etc.
- Can be mitigated against by using a DNS resolver that prevents DNS rebinding
[USN-4971-1] libwebp vulnerabilities [04:11]
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Google’s image format to relace both jpg/png and be faster (like vp8 video codec using predictive encoding - uses neighboring pixels to predict values in a block and then encodes only the difference)
- C library :( - memory unsafe
- OOB reads, heap buffer overflow, UAF, excessive memory allocation etc
- DoS, RCE etc
[USN-4972-1] PostgreSQL vulnerabilities [05:05]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Thanks to Christian Ehrhardt from the Ubuntu Server team for preparing these updates
- Latest upstream point-releases
- 10.17 - 18.04
- 12.7 - 20.04 LTS, 20.10
- 13.3 - 21.04
[USN-4973-1] Python vulnerability [05:44]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- ipaddress library in the python stdlib mishandled leading zero characters in octets of an IP address - could allow bypass of access controls that are based on IP addresses. Now treats leading zeros as invalid input (before would try and treat them as octal… but could end up confused as a result)
[USN-4974-1] Lasso vulnerability [06:40]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- SAML protocol library
- Reported by Akamai (uses Lasso in their Enterprise Application Access product) - and coordinated between affected distros and vendors etc
- Could allow unauthenticated access to applications that use SAMLv2 (Security Assertion Markup Language v2) for authentication
- If a SAML response contained both a signed and valid assertion, plus additional unsigned assertions appened to this, these unsigned assertions would be treated as valid as well.
- So could allow an authenticated user to take their own signed SAML assertion and append assertions for other users to the end to then impersonate those other users.
- https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
[USN-4975-1] Django vulnerabilities [08:19]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- URLValidator failed to properly handle newlines, tabs - could be used to inject other headers into responses etc
- Paths not properly sanitized in the admindocs module - could be used to probe for the existence of files or possibly obtain their contents
- Leading zeros in IPv4 addresses - basically identical to the Python issue above
[USN-4976-1] Dnsmasq vulnerability [08:56]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Failed to properly randomise source port (ie used a fixed port) when forwarding queries when configured to use a specific server for a given network interface - could then allow a remote attacker to more easily perform cache poisoning attacks (ie just need to guess the transmission ID once know the source port to get a forged reply accepted)
- Very similar to the issues that were discovered back in 2008 by Dan Kaminsky - the whole reason source port randomisation was introduced as part of the DNS protocol
Goings on in Ubuntu Security Community
Ubuntu user’s DMCA violation [09:58]
- Last week was reported that a user downloading Ubuntu 20.04.2 iso via bittorrent received a DMCA violation notice from their ISP (Comcast)
- Clearly absurd given Ubuntu is free (beer & freedom/libre)
- Also the hash of the iso in question was legit too
- Sent by “OpSec Online Antipiracy” not Canonical
- OpSec responded saying their notice sending program was “spoofed” by unknown parties across multiple streaming platforms
- Not clear then if the user spoofed it directly or if someone else spoofed the notice and sent it to the user…
- Still being investigated by OpSec apparently - our legal team is also looking into it as well
- Not the first time this sort of thing has happened - back in 2016 Paramount Pictures used the DMCA to send a takedown request to Google to remove a search result linking to the Ubuntu 12.04.2 alternate ISO at extratorrent.cc - this was listed as apparently being a link to the Transformers: Age of Extinction movie…
- Google did follow through on this - likely an automated system due to the sheer volume of such requests they get per day (3 million p/d pirate URLs to be removed from search results)
Get in contact
230 つのエピソード
シェア
Manage episode 294113250 series 2423058
コンテンツは Alex Murray and Ubuntu Security Team によって提供されます。エピソード、グラフィック、ポッドキャストの説明を含むすべてのポッドキャスト コンテンツは、Alex Murray and Ubuntu Security Team またはそのポッドキャスト プラットフォーム パートナーによって直接アップロードされ、提供されます。誰かがあなたの著作権で保護された作品をあなたの許可なく使用していると思われる場合は、ここで概説されているプロセスに従うことができますhttps://ja.player.fm/legal。
Overview
This week we look at DMCA notices sent against Ubuntu ISOs plus security updates for nginx, DHCP, Lasso, Django, Dnsmasq and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4967-1, USN-4967-2] nginx vulnerability [00:50]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 1 byte buffer overflow, able to be trigged by a crafted DNS response - UDP so could possibly be more easily forged than TCP (less state) - crash, RCE
[USN-4968-1, USN-4968-2] LZ4 vulnerability [01:27]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- integer overflow -> OOB write -> crash, RCE - crafted lz4 archive
[USN-4969-1, USN-4969-2] DHCP vulnerability [01:52]
- 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Crafted lease file could trigger an OOB read - could be triggered against both dhclient and dhcpd - DoS. In case of dhcpd could also cause that lease to be deleted (and the one that follows it in the lease database). ISC claim impact is LESS is using compiler hardening (stack-protector-strong) - since in this case will trigger an abort - but if not used it will keep running…
[USN-4970-1] GUPnP vulnerability [03:15]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- DNS rebinding attack - able to be exploited by a remote web server - cause the local web browser into triggering actions against local UPnP services that use gupnp library as it would not check that the Host header specified the expected IP address. Could then be used for data exfil / tampering etc.
- Can be mitigated against by using a DNS resolver that prevents DNS rebinding
[USN-4971-1] libwebp vulnerabilities [04:11]
- 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Google’s image format to relace both jpg/png and be faster (like vp8 video codec using predictive encoding - uses neighboring pixels to predict values in a block and then encodes only the difference)
- C library :( - memory unsafe
- OOB reads, heap buffer overflow, UAF, excessive memory allocation etc
- DoS, RCE etc
[USN-4972-1] PostgreSQL vulnerabilities [05:05]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Thanks to Christian Ehrhardt from the Ubuntu Server team for preparing these updates
- Latest upstream point-releases
- 10.17 - 18.04
- 12.7 - 20.04 LTS, 20.10
- 13.3 - 21.04
[USN-4973-1] Python vulnerability [05:44]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- ipaddress library in the python stdlib mishandled leading zero characters in octets of an IP address - could allow bypass of access controls that are based on IP addresses. Now treats leading zeros as invalid input (before would try and treat them as octal… but could end up confused as a result)
[USN-4974-1] Lasso vulnerability [06:40]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- SAML protocol library
- Reported by Akamai (uses Lasso in their Enterprise Application Access product) - and coordinated between affected distros and vendors etc
- Could allow unauthenticated access to applications that use SAMLv2 (Security Assertion Markup Language v2) for authentication
- If a SAML response contained both a signed and valid assertion, plus additional unsigned assertions appened to this, these unsigned assertions would be treated as valid as well.
- So could allow an authenticated user to take their own signed SAML assertion and append assertions for other users to the end to then impersonate those other users.
- https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
[USN-4975-1] Django vulnerabilities [08:19]
- 3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- URLValidator failed to properly handle newlines, tabs - could be used to inject other headers into responses etc
- Paths not properly sanitized in the admindocs module - could be used to probe for the existence of files or possibly obtain their contents
- Leading zeros in IPv4 addresses - basically identical to the Python issue above
[USN-4976-1] Dnsmasq vulnerability [08:56]
- 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Failed to properly randomise source port (ie used a fixed port) when forwarding queries when configured to use a specific server for a given network interface - could then allow a remote attacker to more easily perform cache poisoning attacks (ie just need to guess the transmission ID once know the source port to get a forged reply accepted)
- Very similar to the issues that were discovered back in 2008 by Dan Kaminsky - the whole reason source port randomisation was introduced as part of the DNS protocol
Goings on in Ubuntu Security Community
Ubuntu user’s DMCA violation [09:58]
- Last week was reported that a user downloading Ubuntu 20.04.2 iso via bittorrent received a DMCA violation notice from their ISP (Comcast)
- Clearly absurd given Ubuntu is free (beer & freedom/libre)
- Also the hash of the iso in question was legit too
- Sent by “OpSec Online Antipiracy” not Canonical
- OpSec responded saying their notice sending program was “spoofed” by unknown parties across multiple streaming platforms
- Not clear then if the user spoofed it directly or if someone else spoofed the notice and sent it to the user…
- Still being investigated by OpSec apparently - our legal team is also looking into it as well
- Not the first time this sort of thing has happened - back in 2016 Paramount Pictures used the DMCA to send a takedown request to Google to remove a search result linking to the Ubuntu 12.04.2 alternate ISO at extratorrent.cc - this was listed as apparently being a link to the Transformers: Age of Extinction movie…
- Google did follow through on this - likely an automated system due to the sheer volume of such requests they get per day (3 million p/d pirate URLs to be removed from search results)
Get in contact
230 つのエピソード
All episodes
×
プレーヤーFMへようこそ!
Player FMは今からすぐに楽しめるために高品質のポッドキャストをウェブでスキャンしています。 これは最高のポッドキャストアプリで、Android、iPhone、そしてWebで動作します。 全ての端末で購読を同期するためにサインアップしてください。
Ubuntu Security Podcastに似ているもの
This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
This feed includes all episodes of Paul's Security Weekly, Enterprise Security Weekly, Business Security Weekly, Application Security Weekly, and Security Weekly News! Your one-stop shop for all things Security Weekly!
…
continue reading
Daily update on current cyber security threats
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Hungry for Technology Talk? Get All You Can Eat at the Android Buffet
…
continue reading
An open show powered by community LINUX Unplugged takes the best attributes of open collaboration and turns it into a weekly show about Linux.
…
continue reading
Player FM -ポッドキャストアプリ
Player FMアプリでオフラインにしPlayer FMう!
Player FMアプリでオフラインにしPlayer FMう!
