Overview
First episode of 2019! This week we look at “System Down” in systemd, as well as updates for the Linux kernel, GnuPG, PolicyKit and more, and discuss a recent page cache side-channel attack using the mincore() system call.
This week in Ubuntu Security Updates
51 unique CVEs addressed across the supported Ubuntu releases.
[USN-3846-1, USN-3847-1, USN-3847-2, USN-3847-3] Linux kernel vulnerabilities
Kernel updates as part of the normal 3-weekly SRU cycle - includes various fixes across the supported releases
CVE-2018-18710 (Cosmic, Bionic, Bionic HWE, Xenial, Xenial HWE, Trusty, Trusty HWE)
CVE-2018-18690 (Bionic, Bionic HWE, Xenial, Xenial HWE, Trusty, Trusty HWE)
CVE-2018-18445 (Bionic, Bionic HWE)
CVE-2018-16276 (Bionic, Bionic HWE)
CVE-2018-14734 (Bionic, Bionic HWE)
CVE-2018-12896 (Bionic, Bionic HWE, Xenial, Xenial HWE, Trusty, Trusty HWE)
CVE-2017-18174 (Xenial, Xenial HWE)
CVE-2018-10902 (Trusty, Trusty HWE)
CVE-2017-2647 (Trusty, Trusty HWE)
- Info leak in the CDROM driver (CVE-2018-18710)
- XFS DoS via writing of extended attributes causing an error condition that leaves the filesystem in an error state until the next mount (CVE-2018-18690)
- Bounds check bypass in the BPF verifier (CVE-2018-18445, mentioned in Episode 15)
- Incorrect bounds checking in the Yurex USB driver (CVE-2018-16276, Episode 7)
- UAF in InfiniBand -> crash -> DoS (CVE-2018-14734)
- Integer overflow in POSIX timers overrun accounting due to type confusion (int vs 64-bit signed) (CVE-2018-12896)
- Double free in the AMD GPIO pinctrl driver - DoS / privilege escalation (CVE-2017-18174)
- Race condition in the MIDI driver - double free -> privilege escalation (CVE-2018-10902)
- NULL pointer dereference in the kernel keyring -> crash -> DoS (CVE-2017-2647)
[LSN-0046-1] Linux kernel livepatch for vulnerabilities
10 CVEs addressed
CVE-2018-16658, CVE-2018-16276, CVE-2017-5753, CVE-2018-9363, CVE-2018-18690, CVE-2018-10880, CVE-2018-14734, CVE-2018-18445, CVE-2018-10902, CVE-2018-18710
[USN-3850-1] NSS vulnerabilities
3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2018-12404, CVE-2018-12384, CVE-2018-0495
- Cache side-channel variant of the Bleichenbacher attack on RSA key exchange (CVE-2018-12404, http://cat.eyalro.net/)
- Responds to an SSLv2-compatible ClientHello with a ServerHello whose random field is all zeroes (CVE-2018-12384)
- Cache side-channel attack on ECDSA signatures (CVE-2018-0495, Trusty only)
[USN-3851-1] Django vulnerability
1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-3498
- An attacker could craft a malicious URL to make spoofed content appear on the generated 404 page
[USN-3852-1] Exiv2 vulnerabilities
9 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2018-17581, CVE-2018-16336, CVE-2017-17669, CVE-2017-14864, CVE-2017-14862, CVE-2017-14859, CVE-2017-11683, CVE-2017-11591, CVE-2017-9239
- Infinite recursion leading to stack exhaustion -> crash -> DoS
- Multiple heap-based buffer out-of-bounds reads -> crash -> DoS
- Multiple invalid pointer dereferences -> crash -> DoS
- Invalid assertion, NULL pointer dereference -> crash -> DoS
[USN-3853-1] GnuPG vulnerability
1 CVE addressed in Bionic, Cosmic
CVE-2018-1000858
- GnuPG includes support for Web Key Directories (WKD) to allow easy discovery of public keys via HTTPS
- Allows a key to be imported from a webserver -> first needs to look up the hostname via a DNS SRV record
- Fails to sanitize the SRV response - so performs an attacker-controlled, arbitrary HTTPS GET request
- Attacker needs to be able to place a malicious SRV record in the DNS for the domain in question
- Possible CSRF, content injection etc.
- Thunderbird will automatically use WKD via GnuPG to look up missing keys, so allows easy exploitation
[USN-3854-1] WebKitGTK+ vulnerabilities
1 CVE addressed in Bionic, Cosmic
CVE-2018-4437
- Possible RCE via invalid processing of crafted web content (as usual, limited details on WebKitGTK vulnerabilities…)
[USN-3855-1] systemd vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2018-16866, CVE-2018-16865, CVE-2018-16864
- “System Down” systemd vulnerabilities
- Chris Coulson put in a heroic effort and patched quickly - Ubuntu was the first affected distro to release a patched systemd
- CVE-2018-16864 and CVE-2018-16865: due to the use of variable length arrays / alloca() on the stack, sized from attacker-controlled fields, the stack pointer can be moved by an attacker-chosen amount
- If moved far enough it jumps over the kernel's stack guard gap, so the subsequent writes land in, and corrupt, whatever mapping lies beyond the stack (e.g. the heap)
- CVE-2018-16866: out-of-bounds read in journald, usable as an information leak
- Possible code execution as a result (the original advisory contained a PoC for i386 which gained control of the instruction pointer)
- Can be mitigated via the gcc flag -fstack-clash-protection - this is now under review to be used by default in forthcoming Ubuntu releases
[USN-3856-1] GNOME Bluetooth vulnerability
1 CVE addressed in Bionic
CVE-2018-10910
- BlueZ doesn't necessarily make a Bluetooth device undiscoverable automatically after the timeout
- Hence after enabling discovery the device would still be discoverable, even though the user's expectation is that it no longer is
- The actual bug is really in BlueZ, but a workaround has now been added to GNOME Bluetooth to manually disable discovery
[USN-3857-1] PEAR vulnerability
1 CVE addressed in Xenial, Bionic, Cosmic
CVE-2018-1000888
- PHP Extension and Application Repository - possible RCE via PHP object injection when deserialising
- Triggered when unpacking a PHAR (PHP ARchive) - it is also possible to hide a PHAR inside a valid JPEG, so easy to exploit - just need an image upload (WordPress etc.)
[USN-3858-1] HAProxy vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2018-20615, CVE-2018-20103, CVE-2018-20102
- Popular load balancing reverse proxy (used in OpenStack etc.)
- Infinite recursion when decompressing DNS names, from a pointer referencing itself or from long chains of pointers -> stack exhaustion -> crash -> DoS (CVE-2018-20103)
- Out-of-bounds read when validating DNS responses - information disclosure of 16 bytes (CVE-2018-20102)
- Fails to re-check the frame length when decoding H2 HEADERS frames - out-of-bounds read -> crash -> DoS (CVE-2018-20615)
[USN-3859-1] libarchive vulnerabilities
4 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2017-14502, CVE-2018-1000878, CVE-2018-1000877, CVE-2018-1000880
- Out-of-bounds read for UTF-16 names in RAR archives (CVE-2017-14502)
- UAF (CVE-2018-1000878) and double free (CVE-2018-1000877) in the RAR decoder - crash -> DoS, possible RCE
- Quasi-infinite runtime and disk usage from a tiny crafted WARC file (Web ARChive format for storing the results of crawling websites) (CVE-2018-1000880)
[USN-3860-1, USN-3860-2] libcaca vulnerabilities
6 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
CVE-2018-20544, CVE-2018-20545, CVE-2018-20546, CVE-2018-20547, CVE-2018-20548, CVE-2018-20549
- Library and utilities for handling colour ASCII art (used by various media players to show videos in a terminal etc.)
- Various issues - OOB reads, OOB writes and a floating point exception -> crash -> DoS
[USN-3861-1, USN-3861-2] PolicyKit vulnerability
1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
CVE-2018-19788
- Invalid handling of UIDs > INT_MAX - would allow such a user to bypass policy and execute any systemctl command
[USN-3862-1] Irssi vulnerability
1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-5882
- UAF when expiring hidden lines from the scroll buffer
Goings on in Ubuntu and Linux Security Community
New page cache side-channel attack via mincore()
- Discovered by a team of researchers including some of those who found Spectre / Meltdown: https://arxiv.org/pdf/1901.01161.pdf
- Uses the mincore() system call on Linux to determine whether the pages of a file are present in the page cache or not
- mincore() returns a vector (one byte per page) indicating which pages in the requested range are resident in the cache
- This side channel can be used to either:
  - determine when a process calls a given function in a shared library (the attacker maps the same library file, so both processes share its page-cache pages)
    - need to first evict the given page from the cache, which is difficult, but the authors propose a new efficient mechanism to do this
    - can then do things like UI redressing etc. in response
  - or act as a covert channel to leak information from one process to another
- Can even be used over the network to leak information via an innocent webserver etc.
- The paper also describes an efficient cache eviction strategy
- Linus directly applied a fix (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e)
- This changes the behaviour of mincore() to only report pages that are actually mapped into the calling process's own page tables, rather than any page present in the page cache
- So at best an attacker can now observe when a page it has itself mapped is evicted from the cache, but can't see when another process faults in a page
- Breaks the user-space API of mincore() and hence some existing programs (as noted in the commit)
- Linus' primary rule is to never break userspace BUT in this case, as it is a security vulnerability, this is okay
- This may also affect other programs that use mincore() in Ubuntu etc. (fincore, e4defrag, qemu etc.)
- Fix is not in a stable upstream kernel yet, as waiting to see what the fallout is, and so has also not been applied to Ubuntu kernels yet
- Also good discussion on LWN (https://lwn.net/Articles/776801/) which highlights other avenues for inferring the contents of the page cache and other possible changes to mincore() to protect against this attack
- Will be interesting to see where this all ends up
Get in contact
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
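Worked examples
Returning to the “System Down” item in the updates section above: the pattern behind CVE-2018-16864 and CVE-2018-16865 is a stack allocation whose size comes straight from attacker-controlled input. The C below is an added example written for these notes, not systemd's code or the PoC from the original advisory. format_field_vulnerable shows the shape (an alloca() sized by the input), format_field_safe the hardened shape (validate sizes before allocating, keep the stack footprint fixed, spill large scratch to the heap). The MESSAGE key, the 4096-byte cap and the function names are choices made here.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest scratch buffer we are willing to carve out of the stack; anything
 * larger goes to the heap.  The value is a choice made for this example. */
#define STACK_SCRATCH_MAX 4096

/* Illustrative vulnerable shape (not systemd's actual code): a "KEY=value"
 * field is assembled in a stack buffer whose size follows the input.  With a
 * multi-megabyte value, alloca() alone moves the stack pointer far below the
 * stack, past the kernel's guard gap, and the memcpy() that follows writes
 * into whatever mapping happens to live there (heap, mmap area). */
size_t format_field_vulnerable(const char *key, const char *value,
                               char *out, size_t out_cap)
{
    size_t klen = strlen(key), vlen = strlen(value);
    size_t need = klen + 1 + vlen + 1;             /* "KEY=value" plus NUL */
    char *tmp = alloca(need);                      /* attacker-sized stack allocation */
    memcpy(tmp, key, klen);
    tmp[klen] = '=';
    memcpy(tmp + klen + 1, value, vlen + 1);
    if (need > out_cap)                            /* checked only after the damage */
        return 0;
    memcpy(out, tmp, need);
    return need - 1;
}

/* Hardened shape: validate lengths before allocating anything, keep the
 * stack footprint fixed, and spill oversized scratch to the heap.
 * Returns the length of "KEY=value" written to out, or 0 on rejection. */
size_t format_field_safe(const char *key, const char *value,
                         char *out, size_t out_cap)
{
    size_t klen = strlen(key), vlen = strlen(value);
    if (klen > SIZE_MAX - 2 || vlen > SIZE_MAX - 2 - klen)
        return 0;                                  /* size arithmetic would wrap */
    size_t need = klen + 1 + vlen + 1;
    if (need > out_cap)
        return 0;                                  /* reject before touching memory */

    char stack_scratch[STACK_SCRATCH_MAX];         /* fixed size, never input-controlled */
    char *heap = NULL;
    char *tmp = stack_scratch;
    if (need > sizeof stack_scratch) {
        heap = malloc(need);
        if (!heap)
            return 0;
        tmp = heap;
    }
    memcpy(tmp, key, klen);
    tmp[klen] = '=';
    memcpy(tmp + klen + 1, value, vlen + 1);
    memcpy(out, tmp, need);
    free(heap);
    return need - 1;
}

/* Round-trip a constructed value of `vlen` 'A's through the hardened
 * formatter and verify the output; returns 1 on success, 0 otherwise. */
int roundtrip(size_t vlen)
{
    size_t cap = vlen + sizeof "MESSAGE=";         /* exactly what "MESSAGE=<value>\0" needs */
    char *value = malloc(vlen + 1);
    char *out = malloc(cap);
    int ok = 0;
    if (value && out) {
        memset(value, 'A', vlen);
        value[vlen] = '\0';
        size_t n = format_field_safe("MESSAGE", value, out, cap);
        ok = n == vlen + 8 &&
             memcmp(out, "MESSAGE=", 8) == 0 &&
             memcmp(out + 8, value, vlen) == 0 &&
             out[n] == '\0';
    }
    free(value);
    free(out);
    return ok;
}

int main(void)
{
    char small[64];
    printf("%zu: %s\n", format_field_safe("MESSAGE", "hi", small, sizeof small), small);
    printf("1 MiB value via heap scratch: %s\n", roundtrip(1u << 20) ? "ok" : "FAILED");
    printf("too-small output rejected: %s\n",
           format_field_safe("MESSAGE", "hi", small, 4) == 0 ? "ok" : "FAILED");
    return 0;
}
```

The vulnerable function is there to show the shape and is never called with a large value here. Building with `gcc -Wall -O2 -fstack-clash-protection` shows the mitigation mentioned above at work: the compiler then touches every page as the stack pointer moves, so an oversized alloca() hits the guard gap and faults instead of silently landing in another mapping.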
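To make the mincore() discussion above concrete, here is an added example (written for these notes, not taken from the paper or the kernel commit) that exercises the primitive: it writes a two-page file, maps it, faults only the first page into its own mapping, then asks mincore() about both pages. The temp-file path and helper names are choices made here; Linux only.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* glibc declares mincore() under _DEFAULT_SOURCE; repeating the prototype
 * keeps a strict -std=c99 build compiling. */
int mincore(void *addr, size_t length, unsigned char *vec);

/* Build a two-page file, map it, fault only page 0 into our own page tables,
 * then ask mincore() about both pages.  On success returns 0 with vec[0] and
 * vec[1] holding the residency bit of page 0 and page 1; -1 on error. */
int probe_two_pages(unsigned char vec[2])
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0)
        return -1;
    size_t len = 2 * (size_t)pagesz;

    char path[] = "/tmp/mincore-demo-XXXXXX";    /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                                /* the open fd keeps it alive */

    /* write() goes through the page cache, so both pages are now cached but
     * neither is mapped anywhere yet. */
    char *fill = malloc(len);
    if (!fill) { close(fd); return -1; }
    memset(fill, 'A', len);
    ssize_t wr = pwrite(fd, fill, len, 0);
    free(fill);
    if (wr != (ssize_t)len) { close(fd); return -1; }

    unsigned char *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (map == MAP_FAILED)
        return -1;

    volatile unsigned char sink = map[0];        /* fault page 0 in; page 1 is never touched */
    (void)sink;

    int rc = mincore(map, len, vec);
    munmap(map, len);
    if (rc != 0)
        return -1;
    vec[0] &= 1;                                 /* only the low bit of each byte is defined */
    vec[1] &= 1;
    return 0;
}

/* The page we touched ourselves: 1 under both the old and the new mincore()
 * semantics, because it is both cached and mapped by us. */
int touched_page_resident(void)
{
    unsigned char vec[2];
    return probe_two_pages(vec) == 0 ? vec[0] : -1;
}

/* The page we never touched: this is the bit that leaks.  With the original
 * "cached" semantics it reads 1 (our write() put it in the page cache); with
 * the commit discussed above it reads 0 (we never mapped it). */
int untouched_page_resident(void)
{
    unsigned char vec[2];
    return probe_two_pages(vec) == 0 ? vec[1] : -1;
}

int main(void)
{
    unsigned char vec[2];
    if (probe_two_pages(vec) != 0) {
        perror("probe_two_pages");
        return 1;
    }
    printf("page 0 (touched):   %s\n", vec[0] ? "resident" : "not resident");
    printf("page 1 (untouched): %s -> this kernel's mincore() reports %s pages\n",
           vec[1] ? "resident" : "not resident",
           vec[1] ? "cached" : "only mapped");
    return 0;
}
```

In the real attack the file is a shared library the victim uses and the attacker's mapping is only there to have something to pass to mincore(); the interesting bit is page 1, which reveals page-cache state the caller did not create through its own mapping. Note that kernels after the one discussed here relaxed the rule again for files the caller owns or can write, so on a current kernel this constructed example may still report page 1 as cached even though the fix is present; to see the restricted behaviour, probe a read-only file owned by someone else (such as a system library).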