/srv/irclogs.ubuntu.com/2023/10/10/#ubuntu-security.txt

=== JanC is now known as Guest7641
=== JanC_ is now known as JanC
12:42 <ahasenack> I have a systemd service unit that starts a process, oneshot (not a daemon). It's python, so it's called like "ExecStart=/usr/bin/python3 /usr/lib/foo/bar.py". How would I apparmor it? Perhaps use systemd's AppArmorProfile= setting? Otherwise, since it's not executing the python script directly, but via /usr/bin/python3 in the cmdline, what would the apparmor profile be called?
12:43 <ahasenack> thinking about the autoattach feature on exec (if that's what it's called)
12:43 <ahasenack> it can't be /usr/bin/python3, as that would confine all python apps, and it also can't be just /usr/lib/foo/bar.py, as that's not the executable being called (it doesn't even have the +x bit)
12:44 <ahasenack> or can it be just /usr/lib/foo/bar.py?
12:59 <georgiag> ahasenack: you could use the not-path-based option "profile bar {}". make sure the profile is loaded, and in the systemd file reference it as "AppArmorProfile=bar"
13:00 <ahasenack> right, it's what I'm testing now
13:00 <ahasenack> but it won't attach the profile if someone calls it manually via python3 /usr/lib/foo/bar.py
13:00 <ahasenack> right?
13:00 <georgiag> correct, unfortunately
13:00 <ahasenack> ok
13:45 <appxprt> How is this not patched by latest updates? https://ubuntu.com/security/CVE-2023-32629 >
13:45 -ubottu:#ubuntu-security- Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629>
13:45 <appxprt> ?
13:47 <appxprt> this simple shell script can lpe to root with full updates/upgrades: https://github.com/OllaPapito/gameoverlay
13:48 <appxprt> is this patched in some other Ubuntu repo?
13:48 <mdeslaur> appxprt: what release and which kernel are you running?
13:48 <mdeslaur> appxprt: did you reboot after updating the kernel?
13:49 <appxprt> oh wow, I thought I was on 23.04, but it's apparently 22.04.3 LTS 6.2.0-34-generic #34~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC
13:49 <appxprt> rebooting real quick and will recheck
13:49 <appxprt> brb
13:53 <appxprt> still works, checking for further updates after reboot
13:54 <appxprt> nothing
13:54 <appxprt> still vulnerable
13:54 <mdeslaur> let me check
13:55 <appxprt> what is latest kernel for 23.04.3 and I thought there was .4 out?
13:55 <appxprt> errr 22.04.3 LTS
13:55 <appxprt> I thought there was 22.04.4 or 6 or something by now
13:56 <appxprt> pretty sure I'm compromised
13:57 <mdeslaur> doesn't work for me...while I appear to become root, I'm not, I'm just in a namespace
13:57 <mdeslaur> try "cat /etc/shadow"
13:58 <appxprt> ahhhh yea Permission denied, the id threw me off uid=0
13:58 <appxprt> ok thanks, you rock
13:58 <mdeslaur> cool, np!
14:29 <teward> has the security team triaged/processed CVE-2023-44487 yet?  If not, mark nginx affected because as of the disclosure today/yesterday I'm seeing that nginx and *all* known HTTP/2 implementations are affected.  Except maybe CloudFlare's because they have done some stupid stuff behind the scenes
14:29 -ubottu:#ubuntu-security- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487>
14:31 <teward> some information links to add to the tracker - https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ - https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/ - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ (the Cloudflare blog posts give a nice overview of the scope of how hard it was being exploited yesterday and a deep technical deep-dive)
14:31 <teward> (and the nginx one is for the reference that nginx is affected)
14:31 <teward> eslerm: or mdeslaur if you're bored: ^
14:31 <teward> (since nginx is in main)
14:32 <teward> s/stupid stuff/undisclosed tweaks/
14:35 <teward> also https://my.f5.com/manage/s/article/K000137106 to the tracker (security advisory from F5 who owns nginx now)
15:17 <teward> also, can you update https://ubuntu.com/security/CVE-2017-6519 for upstream to indicate Upstream fixed this with Avahi version 0.8?  (see https://github.com/lathiat/avahi/releases/tag/v0.8) So that the one or two users confused by things on Ask Ubuntu can have a better understanding of things.
15:17 -ubottu:#ubuntu-security- avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6519>
=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: leosilva
16:20 <Habbie> hello! I see ubuntu doesn't have entries for https://security-tracker.debian.org/tracker/CVE-2023-44487 yet
16:20 -ubottu:#ubuntu-security- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487>
16:20 <Habbie> is that coming?
16:20 <Habbie> if so, please know that the debian list is missing libh2o
16:20 <Habbie> (i have also let them know)
16:32 <teward> Habbie: i already poked them; the tracker has a triage list
16:32 <teward> and i noted some things for them during their triage process
16:32 <Habbie> great, thanks
16:32 <Habbie> is this triage list visible somewhere? just curious
16:34 <teward> don't think so, and it has to be looked at / triaged in the system before they can poke it into the list, it's also automated so it might not have picked it up yet since that was only published *today* and not yet in the autosync list
16:35 <Habbie> ack :)
17:13 <ahasenack> hi security, is there something like aa-logprof to help with restricting systemd service units, and help decide which security isolation features to apply to a unit? From the list that `systemd-analyze security <unit>` gives
17:13 <ahasenack> stuff like CapabilityBoundingSet, SystemCallFilter, etc
17:13 <ahasenack> or should someone just go one by one, with knowledge of what the app should be able to do, and experiment?
17:18 <sbeattie> ahasenack: hrm, good question. I'm not aware of one, but I haven't looked for one, either.
17:18 <ahasenack> ok, I'm doing the usual (googling) :)
17:19 <ahasenack> and using common sense
17:39 <mdeslaur> teward: Habbie: I've added the CVE to our tracker now, thanks
17:40 <Habbie> some caching going on it appears
17:41 <mdeslaur> takes a while to get published to the interwebz
17:41 <Habbie> ack
17:41 <Habbie> i'll wait :)
17:41 <Habbie> thanks
17:42 <teward> mdeslaur: ack, thanks for poking it, i know it's one of those odd "Huh it's not here or we have to look at it" cases but it's a major 0-day that hit yesterday so
17:48 <mdeslaur> teward: "We do not consider nginx to be affected by this issue." - https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
17:49 <teward> mdeslaur: is that dated today or prior to the F5 notice?
17:49 <teward> because the F5 notice says "not fixed" but mentions that exact workaround
17:49 <mdeslaur> click on it?
17:49 <teward> and i do say *workaround* because the proposed patch for secondary limits wasn't in the commit list yet
17:50 <teward> mdeslaur: "Nevertheless, we've decided to implemented some additional mitigations which will help nginx to detect such attacks and drop connections with misbehaving clients faster.  Hence the patch."
17:50 <teward> mdeslaur: those mitigations are in the dev tree but not a release yet
17:51 <teward> so i take Maxim's claim as a grain of salt because "while some mitigations exist, additional mitigations are on the way"
17:51 <mdeslaur> right, not affected, but the patch still improves things
17:51 <teward> mdeslaur: if i'm dissecting the technical details on this though
17:52 <teward> Prior to version 1.19.10, the default value was 100.  <-- for keepalive requests this alone wasn't actually *ENOUGH* to protect the infrastructure (CF uses a modified NGINX)
17:52 <teward> and is why this is a 0-day notice
17:53 <teward> i'll have to reread the CF dissection but it was my understanding that this wasn't enough
17:53 <mdeslaur> the default of 100 is better than the current default of 1000
17:53 <mdeslaur> it's not enough if someone uses a bigger value than 1000
17:54 <mdeslaur> "However, if NGINX is configured with a keepalive that is substantially higher than the default and recommended setting, the attack may deplete system resources."
17:58 <teward> mdeslaur: agreed, but I would argue that in the strictest interpretation of CVEs, "mitigations exist in default configurations" is not enough to say "we are not affected"
17:58 <teward> (and i just emailed the nginx-devel list with this question/statement)
17:59 <mdeslaur> teward: I'll let the developers know you disagree with their statements :)
17:59 <teward> i already did ;)
17:59 <teward> (nginx-devel is a public list xD)
17:59 <mdeslaur> we will release an update with the improved patch, but it's not a world-burning issue atm
17:59 <teward> yep, just wanted to make sure the CVE was on the radar though
17:59 <teward> and whatever other HTTP/2 implementations are in Universe, etc. are almost definitely affected (unless Apache wrote in protections intentionally)
18:22 <mdeslaur> ack, thanks
18:52 <Habbie> mdeslaur, https://github.com/nghttp2/nghttp2/pull/1961
18:52 -ubottu:#ubuntu-security- Pull 1961 in nghttp2/nghttp2 "Rework session management" [Merged]
18:53 <mdeslaur> Habbie: yeah, I just added it, thanks
18:53 <Habbie> yw :)
19:00 <Habbie> good news, i have a patch for h2o. bad news, ABI.
21:26 <Habbie> mdeslaur, nghttp2 isn't showing up for me yet
22:05 <mdeslaur> Habbie: hrm, it does for me https://ubuntu.com/security/cves?q=CVE-2023-44487
22:05 -ubottu:#ubuntu-security- The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
22:06 <Habbie> it is now for me too
22:06 <Habbie> more caching than i expected there :)
22:07 <mdeslaur> yeah, it's complicated, a script pulls from our CVE tracker git tree, then gets consumed by a cluster of hamsters running around in wheels. Sometimes the hamsters go on strike.
22:07 <Habbie> right
