Overview
This week we look at some details of the 46 unique CVEs addressed across the supported Ubuntu releases and take a deep dive into the recent apt security bug.
This week in Ubuntu Security Updates
[USN-3863-1, USN-3863-2] APT vulnerability
1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
CVE-2019-3462
- MITM allowing RCE as root in the context of apt
- Due to mishandling of HTTP redirects, which would allow a malicious mirror / MITM to inject content and then could allow arbitrary command execution
- Fixed by simply disallowing control characters in HTTP redirect responses
- See detailed discussion later in the show
[USN-3864-1] LibTIFF vulnerabilities
7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2018-8905, CVE-2018-7456, CVE-2018-18661, CVE-2018-18557, CVE-2018-17101, CVE-2018-17100, CVE-2018-10963
- Multiple NULL pointer dereferences and assertion failures (crash -> DoS)
- Multiple heap-based buffer overflows and an integer overflow (crash -> DoS / possible RCE)
[USN-3865-1] poppler vulnerabilities
2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2018-20650, CVE-2018-20481
- Assertion failure and NULL pointer dereference triggered by crafted PDFs (crash -> DoS)
[USN-3707-2] NTP vulnerabilities
9 CVEs addressed in Precise ESM
CVE-2018-7185, CVE-2018-7183, CVE-2017-6463, CVE-2017-6462, CVE-2016-9311, CVE-2016-9310, CVE-2016-7428, CVE-2016-7427, CVE-2016-7426
- NTP was updated for Bionic, Artful, Xenial and Trusty in July 2018 - this is the corresponding update for Precise ESM
- Multiple issues including: RCE in ntpq from a crafted response from the server, and various DoS both at the protocol level between client and server (disrupting a client talking to a server) and at the application level (crashing the application)
[USN-3866-1] Ghostscript vulnerability
1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-6116
- Another week, another Ghostscript vulnerability courtesy of Tavis Ormandy (GPZ) (after a random look at the latest GS release, 9.26)
- See Episodes 5, 7, 10, 14 for more
- Code execution via subroutine operators
- The patches to fix it are quite invasive
- Ghostscript is included in evince, ImageMagick, nautilus, GIMP, even less, so an attacker is able to target various commands to exploit it
[USN-3867-1] MySQL vulnerabilities
15 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-2537, CVE-2019-2534, CVE-2019-2532, CVE-2019-2531, CVE-2019-2529, CVE-2019-2528, CVE-2019-2510, CVE-2019-2507, CVE-2019-2503, CVE-2019-2486, CVE-2019-2482, CVE-2019-2481, CVE-2019-2455, CVE-2019-2434, CVE-2019-2420
- Updated to the latest MySQL version (5.7.25) in all releases to fix numerous issues including: multiple DoS by a low privileged attacker, multiple cases of unauthorized access to complete MySQL server data, etc.
[USN-3869-1] Subversion vulnerability
1 CVE addressed in Cosmic
CVE-2018-11803
- DoS against the Subversion server (mod_dav_svn) (only affects 1.10.0+ -> Cosmic)
- Triggered by listing remote recursive directory contents BUT not providing the path to list - NULL pointer dereference -> crash
[USN-3868-1] Thunderbird vulnerabilities
10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2018-18498, CVE-2018-18494, CVE-2018-18493, CVE-2018-18492, CVE-2018-17466, CVE-2018-12405, CVE-2018-12393, CVE-2018-12392, CVE-2018-12390, CVE-2018-12389
- Latest Thunderbird release (60.4) to resolve multiple issues
Goings on in Ubuntu Security Community
apt / apt-get RCE (CVE-2019-3462)
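As an added illustration of the bug class this segment discusses (toy code, not apt's own, and not the real apt worker protocol): a fetch worker reports a server-supplied redirect target back to its parent as human-readable "Key: value" lines, and the parent acts on every line it parses. The message layout, the REDIRECT status word, the Location field and the sample URIs are all constructed for this example. It shows the naive builder beside the hardened one, where the fix is the same shape as the one the notes describe: refuse any redirect target containing a control character.

```python
# Added example, not apt's own code. A toy line-oriented worker protocol:
# a worker sends the parent a status line followed by "Key: value" lines,
# terminated by a blank line. All names and inputs here are constructed.
import re

# Every ASCII control character, CR and LF included. Rejecting these in a
# server-supplied value is the defensive check the notes describe.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_message(text):
    """Parse one worker message into (status, {key: value}).

    The parent trusts every field it sees, so a line smuggled into a
    value becomes an extra directive from the parent's point of view.
    """
    lines = text.split("\n")
    fields = {}
    for line in lines[1:]:
        if line == "":          # blank line terminates the message
            break
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return lines[0], fields


def build_redirect_naive(new_uri):
    """Vulnerable pattern: the server-supplied target is interpolated verbatim."""
    return "REDIRECT\nLocation: " + new_uri + "\n\n"


def is_safe_redirect_target(new_uri):
    """True only if the value cannot break out of its own protocol line."""
    return _CONTROL_CHARS.search(new_uri) is None


def build_redirect_hardened(new_uri):
    """Hardened pattern: refuse, rather than forward, a value with control chars."""
    if not is_safe_redirect_target(new_uri):
        raise ValueError("control character in redirect target")
    return build_redirect_naive(new_uri)


def fields_seen_by_parent(builder, new_uri):
    """Run one builder end to end; return (status, sorted field names) the parent would act on."""
    status, fields = parse_message(builder(new_uri))
    return status, sorted(fields)


if __name__ == "__main__":
    # Constructed inputs: a benign redirect and one carrying an embedded newline.
    benign = "http://mirror.example/pool/foo.deb"
    smuggled = "http://mirror.example/x\nExtra-Directive: 1"
    print(fields_seen_by_parent(build_redirect_naive, benign))    # ('REDIRECT', ['Location'])
    print(fields_seen_by_parent(build_redirect_naive, smuggled))  # ('REDIRECT', ['Extra-Directive', 'Location'])
    try:
        build_redirect_hardened(smuggled)
    except ValueError as err:
        print("hardened builder refused:", err)
```

The point to take from the naive run is that the parent never sees a "redirect"; it sees two fields, and has no way to tell which one the server chose. Validating at the trust boundary (the worker, before the value is ever serialised into the protocol) is what removes the ambiguity; escaping the value would also work but is harder to get right in a text protocol that other code also parses.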
- Discovered by Max Justicz (who provides a detailed write-up on his blog)
- apt uses worker processes which communicate back to the main process when fetching content
- Workers get told what to download and where to put it, and communicate back with the parent via stdin/stdout
- The protocol is HTTP-like, human readable text
- It can include directives from workers regarding redirects, completion (DONE) etc.
- When handling an HTTP redirect from the server, the apt http worker would append its contents to the message sent back to the parent
- It expects just a URI as the redirect content, but this could be anything - so it could contain directives in the apt worker protocol, which then get interpreted by the main apt process
- So a malicious response could signal DONE to the parent, as well as follow-up directives such as reporting false hashes for debs or even falsifying the location of the deb on the filesystem
- So could use the Release.gpg file as the location of the package on the filesystem - and actually inject the malicious package into the start of Release.gpg, with the trusted Release.gpg content afterwards
- Release.gpg will still validate (since it ignores junk at the start) AND apt will still use the package since it will ignore the signature at the end
- So a malicious package can be installed - which, due to debian packaging, can run scripts on install etc. and hence get RCE as root :(
- Fixed by simply disallowing control characters in HTTP redirect responses
- If we assume the mirrors are trusted, this could have been mitigated via HTTPS, since HTTPS would stop MITM attacks
- Some Ubuntu mirrors offer HTTPS but this is not enabled by default since not all mirrors offer HTTPS
- Official mirrors do not currently offer HTTPS - this is being reevaluated but is difficult for a number of reasons
- Users can still easily enable HTTPS themselves by choosing an appropriate mirror with an HTTPS URI
- If we assume mirrors are untrusted then they could still have exploited this
- So whilst HTTPS could help in this case, it is not a panacea
Get in contact
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter