Overview
This week we look at some details of the 33 unique CVEs addressed across the
supported Ubuntu releases, including some significant updates for systemd and
the kernel, plus we talk about even more Intel side-channel vulnerabilities and
This week in Ubuntu Security Updates
[USN-3814-1] libmspack vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic
- CVE-2018-18585
- CVE-2018-18584
- Out of bounds write of 1 byte when a CAB file uses the maximum Quantum block size - buffer overflow, DoS -> crash, possible code execution
- Failure to validate filenames properly - could accept a filename with embedded NUL bytes - possible DoS -> crash
[USN-3815-1, USN-3815-2] gettext vulnerability
1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- CVE-2018-18751
- Double free for a specially crafted translations file, DoS -> crash, possible code execution via heap corruption etc.
- PoCs on GitHub
[USN-3816-1] systemd vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic
- CVE-2018-6954
- CVE-2018-15687
- CVE-2018-15686
- Large backport of multiple patch series
- Jann Horn (GPZ) reported two issues to Ubuntu regarding systemd
  - Possible to inject / alter state across re-execution of systemd itself (since it serializes its state) - but it fails to deserialize it correctly
    - Insecure use of fgets() when parsing long lines
    - Possible root privilege escalation
  - When changing ownership of files in a directory via systemd (useful for executing a systemd unit as a given user, for example to ensure files it needs are owned by that user)
    - Would try and handle symlinks specially BUT this is racy (since where the symlink points could change between the check of the symlink and the actual chown() work)
    - So for instance, could convince systemd to change the ownership of a root-owned file to that of another user
    - So could allow changing arbitrary files' ownership or even permissions
- Third issue - an older one, systemd-tmpfiles could be used to obtain ownership of arbitrary files
  - Would follow symlinks in non-terminal path components, and then operate on the resulting file
  - Can tell it to set permissions / ownership of given files
  - So could race it to replace path components with symlinks to root-owned files and get it to change their ownership to that of the user (or whomever)
  - Original patch series (March) didn't completely fix this - required much more invasive patching later
  - We waited to fix it until the complete fix was available and accepted upstream (August) to then start backporting
[USN-3814-2, USN-3814-3] ClamAV vulnerabilities
2 CVEs addressed in Precise ESM & Trusty
- CVE-2018-18585
- CVE-2018-18584
- Same issues as for libmspack earlier (since clamav in Trusty and Precise ESM embeds libmspack, later releases use the system libmspack package instead)
[USN-3811-2] SpamAssassin vulnerability
1 CVE addressed in Precise ESM
- CVE-2017-15705
- One of the CVEs for SpamAssassin in Episode 7
[USN-3817-1, USN-3817-2] Python vulnerabilities
5 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic
- CVE-2018-14647
- CVE-2018-1061
- CVE-2018-1060
- CVE-2018-1000802
- CVE-2018-1000030
- Failure to initialize the hash salt for the PRNG in hash tables for elementtree (XML parser)
  - Could relatively easily cause hash collisions with a specially crafted document
  - High CPU and memory usage -> DoS
- Possible command injection when using Python to create a ZIP file archive
  - Used spawn(), which is vulnerable to shell command injection -> subprocess()
- 3 lower priority issues
  - Race condition when reading from multiple threads on the same file - possible heap buffer overflow or UAF
  - DoS via CPU usage due to regexes in mail server response handling with backtracking - could be triggered by a malicious mail server
  - Similar but in regexes in difflib (catastrophic backtracking)
[USN-3818-1] PostgreSQL vulnerability
1 CVE addressed in Bionic, Cosmic
- CVE-2018-16850
- Possible to inject arbitrary SQL with superuser privileges during a dump/restore cycle
- Can be triggered by regular users in the default config since they have CREATE privilege on the public schema
[USN-3819-1] Linux kernel vulnerability
1 CVE addressed in Cosmic
- CVE-2018-15471
[USN-3820-1, USN-3820-2, USN-3820-3] Linux kernel vulnerabilities
4 CVEs addressed in Bionic, Xenial (Bionic HWE kernel) and Trusty (Azure)
- CVE-2018-9363
- CVE-2018-16658
- CVE-2017-13168
- CVE-2018-15471
- Bluetooth HID integer overflow and info leak in CDROM ioctl (covered in Episode 9 for the Xenial kernel)
- Possible privilege escalation via SCSI subsystem
- Xen virtual network driver didn't check supplied parameters -> integer overflow -> OOB read -> possible OOB write -> privilege escalation, DoS etc.
[USN-3821-1] Linux kernel vulnerabilities
7 CVEs addressed in Xenial and Trusty (Xenial HWE kernel)
- CVE-2018-18021
- CVE-2018-17972
- CVE-2018-14617
- CVE-2018-14609
- CVE-2018-13096
- CVE-2018-13053
- CVE-2018-10880
- Potential host system crash / code execution from a malicious guest for KVM on ARM64
- Stack unwinding in procfs didn't check the caller was root - anyone could race the stack unwinder to read the stack of arbitrary kernel processes
- NULL pointer dereferences in various file-system drivers -> triggered by mounting a malicious fs image
  - HFS+, btrfs, f2fs
- OOB stack write in ext4 with a malicious image
- Integer overflow in alarmtimer handling
[USN-3822-1] Linux kernel vulnerabilities
5 CVEs addressed in Trusty and Precise ESM (Trusty HWE kernel)
- CVE-2018-9363
- CVE-2018-16658
- CVE-2017-16649
- CVE-2017-13168
- CVE-2016-9588
- Same bluetooth HID, CDROM and SCSI vulns as for Bionic earlier
- Possible divide by zero in the CDC USB ethernet driver for a specially crafted device
- KVM guest user could cause a guest OS crash due to mismanagement of emulated exception handling
[USN-3823-1] Linux kernel vulnerabilities
2 CVEs addressed in Precise ESM
- CVE-2018-3620
- CVE-2018-3646
- L1TF fixes for Precise ESM (see Episode 1 for more details)
[LSN-0045-1] Linux kernel vulnerability
Live patch covering Bionic, Xenial and Trusty
- CVE-2017-13168
- CVE-2018-10880
- CVE-2018-9363
- CVE-2018-16658
- Same bluetooth HID, CDROM, SCSI and ext4 vulnerabilities mentioned earlier
[USN-3824-1] OpenJDK 7 vulnerabilities
5 CVEs addressed in Trusty
- CVE-2018-3180
- CVE-2018-3169
- CVE-2018-3149
- CVE-2018-3139
- CVE-2018-3136
- All covered in the previous openjdk-8 update in Episode 10 (that included more, as this is just those fixes which also apply to openjdk-7)
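The systemd chown race and the systemd-tmpfiles symlink issue under USN-3816-1 above are both the same class of bug: a path is checked, then acted on by name, and a symlink swapped in between the two steps redirects the operation. The hardened pattern is to never act by name: open every path component with O_NOFOLLOW relative to the previous one, inspect what was actually opened with fstat(), and apply the change through the descriptor. The following is an added illustration of that pattern written for this page; it is not systemd's code. It assumes Linux (O_PATH and the dir_fd argument to os.open), uses fchmod() rather than chown() so it runs as an unprivileged user, and builds its own sample directory layout.

```python
"""Symlink-safe path walk before changing a file's mode (added illustration).

Assumes Linux: O_PATH, O_NOFOLLOW and the dir_fd argument of os.open.
"""
import os
import stat
import tempfile

OPEN_DIR = os.O_PATH | os.O_NOFOLLOW | os.O_CLOEXEC          # intermediate components
OPEN_FILE = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC       # final component


def open_nofollow(root, relpath):
    """Open root/relpath without following a symlink in ANY component.

    Each component is opened relative to the previous directory descriptor
    with O_NOFOLLOW. With O_PATH, a symlink component yields a descriptor to
    the link itself, which fstat() reveals and we reject; for the final
    component O_NOFOLLOW makes open() fail with ELOOP on a symlink. Returns
    an fd for a regular file, or None if anything other than plain
    directories and a regular file was found.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    # root is chosen by the program, not by an untrusted party, so it is
    # opened normally; everything below it is walked component by component.
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for comp in parts[:-1]:
            try:
                fd = os.open(comp, OPEN_DIR, dir_fd=dirfd)
            except OSError:
                return None
            os.close(dirfd)
            dirfd = fd
            if not stat.S_ISDIR(os.fstat(dirfd).st_mode):
                return None  # a symlink (or non-directory) in the middle of the path
        try:
            fd = os.open(parts[-1], OPEN_FILE, dir_fd=dirfd)
        except OSError:
            return None  # ELOOP: final component is a symlink (or it is missing)
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            os.close(fd)
            return None
        return fd
    finally:
        os.close(dirfd)


def chmod_nofollow(root, relpath, mode):
    """Apply the mode change through the descriptor from the hardened walk."""
    fd = open_nofollow(root, relpath)
    if fd is None:
        return False
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True


def demo():
    """Constructed layout: root/real/target (regular file) and root/link -> real.

    Returns (refused via symlink?, mode afterwards, changed directly?, mode afterwards).
    """
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "real"))
    target = os.path.join(root, "real", "target")
    with open(target, "w") as f:
        f.write("constructed sample\n")
    os.chmod(target, 0o644)
    os.symlink("real", os.path.join(root, "link"))   # the component an attacker would swap in
    via_symlink = chmod_nofollow(root, "link/target", 0o600)
    mode_after_refusal = stat.S_IMODE(os.stat(target).st_mode)
    direct = chmod_nofollow(root, "real/target", 0o600)
    mode_after_direct = stat.S_IMODE(os.stat(target).st_mode)
    return via_symlink, mode_after_refusal, direct, mode_after_direct


if __name__ == "__main__":
    print(demo())
```

The point of walking with O_PATH is that the check and the use happen on the same object: the descriptor pins the inode, so a swap of the directory entry after the walk no longer changes what fchmod() touches, which is exactly the window the chown() race above relies on.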
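The ZIP-archive command injection under USN-3817-1 above comes from pasting an untrusted file name into a command string that a shell then parses. The following added example, written for this page and not taken from CPython, shows the vulnerable string-built form beside the argv-list form the fix moved to. So that it runs anywhere, the child process is the Python interpreter itself (assumed to be on the host as sys.executable) standing in for zip; it simply prints back the member name it was given, which makes it visible whether the name arrived as one argument or was split by the shell.

```python
"""String-built shell command vs argv list (added illustration).

The child stands in for the archiving tool: it prints exactly the one
argument it received, so the two functions can be compared on the same input.
"""
import subprocess
import sys

CHILD = "import sys; print(sys.argv[1])"


def run_name_unsafe(member):
    """Vulnerable pattern: the untrusted name is interpolated into a shell
    command line, so shell metacharacters in it are executed as commands."""
    cmd = f'{sys.executable} -c "{CHILD}" {member}'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_name_safe(member):
    """Hardened pattern: argv list and no shell, so the name reaches the
    child as a single opaque argument whatever characters it contains."""
    out = subprocess.run([sys.executable, "-c", CHILD, member],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    sample = "report.txt; echo INJECTED"   # constructed sample name
    print("unsafe:", repr(run_name_unsafe(sample)))
    print("safe:  ", repr(run_name_safe(sample)))
```

With the constructed name, the unsafe variant's output contains a second line produced by a command the file name smuggled in, while the safe variant prints the name back verbatim. Quoting with shlex.quote() would also neutralise this particular input, but dropping the shell entirely removes the whole class rather than one encoding of it.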
Goings on in Ubuntu Security Community
New Intel Side Channel Attacks (again…)
A Systematic Evaluation of Transient Execution Attacks and Defenses
- Reclassifies existing Meltdown and Spectre attacks with a new nomenclature
  - i.e. original Meltdown is now Meltdown-US (US = User/Supervisor)
- Identifies a bunch of other possible variants for both Meltdown and Spectre
  - Meltdown-PK - bypass restrictions on Intel memory protection keys
  - Meltdown-BR - Spectre-like attack but using the bounds-range-exceeded exception to trigger
  - 5 new Spectre variants based on existing ones but targeting different microarchitectural elements (i.e. targeting the Branch Target Buffer when doing a Spectre-RSB attack since some processors fall back to the BTB when the RSB is empty)
- Compares existing mitigations for each existing and newly identified attack
- Very comprehensive, demonstrates the utility of such a complete analysis compared to the existing approach where different researchers have looked at a single aspect
- Still an active area of research with new vulnerabilities turning up
Hiring
Ubuntu Security Engineer
https://boards.greenhouse.io/canonical/jobs/1158266
Get in contact
- #ubuntu-security on the Libera.Chat IRC network
- @ubuntu_sec on twitter