December 17, 2018

Episode 16

10 minutes

Overview

Last episode for 2018! This week we look at CVEs in lxml, CUPS, pixman, FreeRDP & more, plus we discuss the security of home routers as evaluated by C-ITL.

This week in Ubuntu Security Updates

21 unique CVEs addressed

[USN-3841-1, USN-3841-2] lxml vulnerability

1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic

CVE-2018-19787

Popular XML/HTML parser for Python

Tries to remove clean input document and remove links (to say embedded

javascript code) - but doesn’t account for links containing escaped

characters - so link could persist

Similar to CVE-2014-3146

In this case tried to account for whitespace in links but didn’t include

all possible whitespace characters

[USN-3842-1] CUPS vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-4700

Session cookies used for authentication to CUPS web interface used only the

current time in seconds as a seed for the relatively predictable PRNG

Easy to bruteforce / guess

Fix ensures to use current time value including microseconds

Still using relatively predictable PRNG - should use /dev/urandom etc

[USN-3837-2] poppler regression

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-19149

CVE-2018-16646

Previous poppler update (Episode 15) - fix missed a previous commit and so

regressed (crash on opening certain PDF files)

[USN-3843-1, USN-3843-2] pixman vulnerability

1 CVEs addressed in Precise ESM, Trusty

CVE-2015-5297

Low level library for pixel manipulation (used by X, Wayland, Qemu etc)

Pointer overflow leading to stack-based buffer overflow in computing bounds of pixel buffers

Did include a check to see if was inside bounds, BUT didn’t account for

possible overflow in arithmetic before the check

Need to check for possible overflow before doing arithmetic and comparison

[USN-3844-1] Firefox vulnerabilities

10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-18497

CVE-2018-18495

CVE-2018-18498

CVE-2018-18494

CVE-2018-18493

CVE-2018-18492

CVE-2018-17466

CVE-2018-12407

CVE-2018-12406

CVE-2018-12405

Firefox 64 - multiple security vulnerabilities fixed

Buffer overflows, UAFs, same-origin-policy violation, webextensions able to

violate restrictions, various memory safety / corruption bugs

https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/

[USN-3845-1] FreeRDP vulnerabilities

6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-8789

CVE-2018-8788

CVE-2018-8787

CVE-2018-8786

CVE-2018-8785

CVE-2018-8784

Eyal Itkin discovered multiple vulnerabilities in FreeRDP - not all affect all releases (some too old to contain affected code)

Various heap-based buffer overflows (crash -> DoS / RCE?)

Out-of-bounds read (crash -> DoS)

Goings on in Linux Security Community

Linux on MIPS and home routers

Cyber-ITL (Independent Testing Lab) analysed a number of home routers for basic security hardening features

ASLR, DEP (non-executable stack), RELRO

Mix of MIPS and ARM devices

Compared against Ubuntu 16.04 LTS x86_64 (general hardening)

Most found to have minimal hardening features enabled

https://cyber-itl.org/assets/papers/2018/build_safety_of_software_in_28_popular_home_routers.pdf

Also found Linux kernel on MIPS either has executable stack (until 2016)

due to FP emulation code, or since then has no executable stack but has a

RWX segment at a fixed location, which can be used to bypass DEP / ASLR

Ubuntu does not support MIPS

Final episode for 2018

This is the last episode for 2018, on leave for the next 3 weeks

Next episode will be from Cape Town in 2019 during week of 14th January with some special guests… :)

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

December 17, 2018

Episode 16

10 minutes

Overview

Last episode for 2018! This week we look at CVEs in lxml, CUPS, pixman, FreeRDP & more, plus we discuss the security of home routers as evaluated by C-ITL.

This week in Ubuntu Security Updates

21 unique CVEs addressed

[USN-3841-1, USN-3841-2] lxml vulnerability

1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic

CVE-2018-19787

Popular XML/HTML parser for Python

Tries to remove clean input document and remove links (to say embedded

javascript code) - but doesn’t account for links containing escaped

characters - so link could persist

Similar to CVE-2014-3146

In this case tried to account for whitespace in links but didn’t include

all possible whitespace characters

[USN-3842-1] CUPS vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-4700

Session cookies used for authentication to CUPS web interface used only the

current time in seconds as a seed for the relatively predictable PRNG

Easy to bruteforce / guess

Fix ensures to use current time value including microseconds

Still using relatively predictable PRNG - should use /dev/urandom etc

[USN-3837-2] poppler regression

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-19149

CVE-2018-16646

Previous poppler update (Episode 15) - fix missed a previous commit and so

regressed (crash on opening certain PDF files)

[USN-3843-1, USN-3843-2] pixman vulnerability

1 CVEs addressed in Precise ESM, Trusty

CVE-2015-5297

Low level library for pixel manipulation (used by X, Wayland, Qemu etc)

Pointer overflow leading to stack-based buffer overflow in computing bounds of pixel buffers

Did include a check to see if was inside bounds, BUT didn’t account for

possible overflow in arithmetic before the check

Need to check for possible overflow before doing arithmetic and comparison

[USN-3844-1] Firefox vulnerabilities

10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-18497

CVE-2018-18495

CVE-2018-18498

CVE-2018-18494

CVE-2018-18493

CVE-2018-18492

CVE-2018-17466

CVE-2018-12407

CVE-2018-12406

CVE-2018-12405

Firefox 64 - multiple security vulnerabilities fixed

Buffer overflows, UAFs, same-origin-policy violation, webextensions able to

violate restrictions, various memory safety / corruption bugs

https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/

[USN-3845-1] FreeRDP vulnerabilities

6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2018-8789

CVE-2018-8788

CVE-2018-8787

CVE-2018-8786

CVE-2018-8785

CVE-2018-8784

Eyal Itkin discovered multiple vulnerabilities in FreeRDP - not all affect all releases (some too old to contain affected code)

Various heap-based buffer overflows (crash -> DoS / RCE?)

Out-of-bounds read (crash -> DoS)

Goings on in Linux Security Community

Linux on MIPS and home routers

Cyber-ITL (Independent Testing Lab) analysed a number of home routers for basic security hardening features

ASLR, DEP (non-executable stack), RELRO

Mix of MIPS and ARM devices

Compared against Ubuntu 16.04 LTS x86_64 (general hardening)

Most found to have minimal hardening features enabled

https://cyber-itl.org/assets/papers/2018/build_safety_of_software_in_28_popular_home_routers.pdf

Also found Linux kernel on MIPS either has executable stack (until 2016)

due to FP emulation code, or since then has no executable stack but has a

RWX segment at a fixed location, which can be used to bypass DEP / ASLR

Ubuntu does not support MIPS

Final episode for 2018

This is the last episode for 2018, on leave for the next 3 weeks

Next episode will be from Cape Town in 2019 during week of 14th January with some special guests… :)

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 16

Sign up to save your podcasts

Episode 16

Episode 16