Ubuntu Security Podcast

Episode 1

Listen Later
Overview
  • Security fixes for 39 CVEs this week including L1TF and FragmentSmack
    • This week in Ubuntu Security Updates
    GDM (USN-3737-1) (CVE-2018-14424)
    • Found by Ubuntu Security Team member Chris Coulson during audit of gdm3 source code
    • Local user can exploit via DBus to crash GDM via use-after-free (create a transient display which is automatically cleaned up, then try to query info for the previously created display)
    • Bionic only so far
      • libarchive (USN-3736-1)
      • 6 CVEs addressed across Bionic, Xenial and Trusty
        • CVE-2016-10209
        • CVE-2016-10349
        • CVE-2016-10350
        • CVE-2017-14166
        • CVE-2017-14501
        • CVE-2017-14503
        • All local crashes / DoS / unspecified impact via specially crafted archives in various formats
          • Samba (USN-3738-1)
          • 4 CVEs addressed across Bionic, Xenial and Trusty
            • CVE-2018-10858
            • CVE-2018-10918
            • CVE-2018-10919
            • CVE-2018-1139
            • Includes vulnerabilities in both the samba client and server
              • Likely to affect most Ubuntu users
                • libxml2 (USN-3739-1) (USN-3739-2)
                • XML parsing library used across lots of different software packages
                • 5 CVEs fixed across releases for Bionic, Xenial and Trusty
                  • 2 CVEs fixed for Precise ESM
                  • CVE-2016-9318
                  • CVE-2017-16932
                  • CVE-2017-18258
                  • CVE-2018-14404
                  • CVE-2018-14567
                  • Includes information disclosure and DoS
                    • L1TF and FragmentSmack vulnerabilities in Linux Kernel (USN-3740-1) (USN-3740-2) (USN-3741-1) (USN-3741-2) (USN-3742-1) (USN-3742-2)
                    L1TF (CVE-2018-3620) (CVE-2018-3646)
                    • Latest speculative execution cache side channel attack affecting Intel processors
                    • Allows to access contents from L1 Data Cache via speculative execution, can then be read by cache side channel
                    • 3 variants, SGX, SMM and VMM but only 2 affect Ubuntu
                    • Processors access virtual addresses which need to be translated to physical addresses
                    • Page Table Entries map from one to the other (contains metadata of page including offset and present bit)
                    • Pages can be swapped in our out of memory (Present or not) - so if not present then need to do a full page table walk to look up physical address
                    • But Intel processor will use offset value from PTE even on non-present pages speculatively
                    • For non-present pages, this value is usually junk so can essentially speculatively read arbitrary memory from L1D cache depending on PTE value
                    • SGX doesn’t affect Ubuntu since not used
                    • SMM fixed via ensuring PTEs of not present pages always refer to non-cacheable memory and hence can’t be used for this
                    • VMM is trickier
                      • VMs maintain their own PTEs so also need to ensure they are doing the right thing
                      • OR if running untrusted VMs need to do a full L1D flush on switching from host to VM
                      • Made more trickier by Hyper Threading since sibling hyper-threads share the L1D cache
                      • So if have different trust domains on sibling hyper-threads may have to disable HT in certain circumstances
                        • FragmentSmack (CVE-2018-5391)
                        • Last week was SegmentSmack in TCP fragment reassembly, this week is FragmentSmack
                        • Similar but for IP fragmentation reassembly
                          • Exploiting high algorithmic complexity of IP fragment reassembly code paths to cause DoS
                            • GnuPG (USN-3733-2) (CVE-2017-7526)
                            • Last week GnuPG was fixed for Xenial and Trusty for RSA cache side-channel issue
                            • This is corresponding fix for Precise ESM
                              • WebKitGTK+ vulnerabilities (USN-3743-1)
                              • 14 CVEs fixed in web content renderer used in many desktop apps
                                • CVE-2018-12911
                                • CVE-2018-4246
                                • CVE-2018-4261
                                • CVE-2018-4262
                                • CVE-2018-4263
                                • CVE-2018-4264
                                • CVE-2018-4265
                                • CVE-2018-4266
                                • CVE-2018-4267
                                • CVE-2018-4270
                                • CVE-2018-4272
                                • CVE-2018-4273
                                • CVE-2018-4278
                                • CVE-2018-4284
                                • Fixes for Bionic and Xenial
                                  • PostgreSQL (USN-3744-1) (CVE-2018-10915) (CVE-2018-10925)
                                  • 2 CVEs fixed in popular relational database across Bionic, Xenial and Trusty
                                    • procps-ng (USN-3658-3)
                                    • 3 CVEs fixed in Precise ESM procps-ng package
                                      • CVE-2018-1122
                                      • CVE-2018-1123
                                      • CVE-2018-1125
                                        • Linux kernel livepatch (LSN-0042-1)
                                        • No Livepatch possible for L1TF so a LSN to advise to do an update and reboot
                                          • Goings on in Ubuntu Security Community
                                          Hiring
                                          Ubuntu Security Manger
                                          • https://boards.greenhouse.io/canonical/jobs/1278287
                                            • Ubuntu Security Engineer
                                            • https://boards.greenhouse.io/canonical/jobs/1158266
                                              • Get in contact
                                              • [email protected]
                                              • #ubuntu-security on the Libera.Chat IRC network
                                              • @ubuntu_sec on twitter
                                                • Special thanks
                                                • Thanks to Emily Ratliff - a great manager of the team (and a good friend too)
                                                • We will miss you :)
                                                  • ...more
                                                  View all episodesView all episodes
                                                  Download on the App Store
                                                  Ubuntu Security PodcastBy Ubuntu Security Team
                                                  • 4.8
                                                  • 4.8
                                                  • 4.8
                                                  • 4.8
                                                  • 4.8

                                                  4.8

                                                  10 ratings