Overview
This week we look at updates to the Linux kernel in preparation for the 18.04.2 release, plus updates for Open vSwitch, Firefox, Avahi, LibVNCServer and more. We also revisit and discuss upstream changes to the mincore() system call to thwart page-cache side-channel attacks first discussed in Episode 17.
This week in Ubuntu Security Updates
[USN-3870-1] Spice vulnerability
1 CVE addressed in Trusty, Xenial, Bionic, Cosmic: CVE-2019-3813
- Out-of-bounds read (off-by-one) - likely a crash on segmentation violation, but code execution is possible
[USN-3871-1] Linux kernel vulnerabilities
13 CVEs addressed in Bionic: CVE-2018-9516, CVE-2018-19407, CVE-2018-18281, CVE-2018-17972, CVE-2018-16882, CVE-2018-14625, CVE-2018-10883, CVE-2018-10880, CVE-2018-10882, CVE-2018-10878, CVE-2018-10877, CVE-2018-10879, CVE-2018-10876
- NULL pointer dereference in KVM able to be triggered by a local user (crash -> DoS)
- mremap() TLB flush leaving stale entries in page cache - covered previously in Episode 15
- Episode 15 also covered CVE-2018-17972 (procfs kernel stack disclosure)
- UAF in KVM when using nested virtualisation (not enabled by default for Ubuntu kernels) able to be triggered by a guest VM to crash the host (DoS) or possibly elevate privileges
- Race condition between connect() and close() in AF_VSOCK (used for communication between guest and host machines) could allow reading 4 bytes of memory (UAF) from the host kernel or possibly corrupting AF_VSOCK messages to other guests - information leak
- 7 ext4 issues discovered by Wen Xu (fuzzing ext4 with KASAN enabled):
  - OOB write during update of journal metadata when mounting a specially crafted ext4 image - crash -> DoS (privilege escalation?)
  - OOB write to the stack when processing xattrs of a specially crafted ext4 image - crash -> DoS
  - OOB write when mounting
  - OOB write when unmounting a specially crafted ext4 image
  - OOB read when mounting
  - UAF when processing xattrs of a renamed file in a specially crafted image
  - General UAF when mounting a specially crafted image
  - Reproducers provided in upstream kernel bug reports
[USN-3872-1] Linux kernel (HWE) vulnerabilities
4 CVEs addressed in Bionic: CVE-2018-19854, CVE-2018-19407, CVE-2018-16882, CVE-2018-14625
- Info leak from the crypto subsystem - regression of CVE-2013-2547 - failure to fully initialise structure members copied to userspace - unlike CVE-2013-2547, able to be exploited by a standard user without any capabilities
- Failure to ensure ioapics were initialised - possible NULL pointer dereference -> crash -> DoS
- KVM UAF with nested virtualisation and AF_VSOCK race condition UAF (as above)
[USN-3873-1] Open vSwitch vulnerabilities
3 CVEs addressed in Xenial, Bionic: CVE-2018-17206, CVE-2018-17205, CVE-2018-17204
- Remotely triggerable OOB read and 2 different assertion failures -> crash -> DoS
[USN-3874-1] Firefox vulnerabilities
7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic: CVE-2018-18506, CVE-2018-18505, CVE-2018-18504, CVE-2018-18503, CVE-2018-18502, CVE-2018-18501, CVE-2018-18500
- Firefox 65 for all supported platforms
- Proxy autoconfig file (PAC) could allow proxy requests to localhost to go via a remote proxy - if proxy auto-detection is enabled, a remote attacker could then conduct attacks against local services etc.
- Various memory safety issues - crash -> DoS, UAF, code execution
- Sandbox escape via IPC channels due to failure to properly apply authentication to IPC channels in some situations
  - IPC channels are used in the new multiprocess architecture etc.
[USN-3875-1] OpenJDK vulnerability
1 CVE addressed in Xenial, Cosmic: CVE-2019-2422
- Info leak from the Java SE VM in the OpenJDK library subsystem able to be triggered by a remote attacker - possible sandbox bypass as well
[USN-3876-1, USN-3876-2] Avahi vulnerabilities
2 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic: CVE-2018-1000845, CVE-2017-6519
- Both the same vulnerability - duplicate CVE
- Traffic reflection and amplification - possible to leverage for a DDoS attack since avahi-daemon would inadvertently respond to unicast IPv6 queries, sending replies to source addresses which were not on the local link
[USN-3877-1] LibVNCServer vulnerabilities
12 CVEs addressed in Trusty, Xenial, Bionic, Cosmic: CVE-2018-6307, CVE-2018-20750, CVE-2018-20749, CVE-2018-20748, CVE-2018-20024, CVE-2018-20023, CVE-2018-20022, CVE-2018-20021, CVE-2018-20020, CVE-2018-20019, CVE-2018-15127, CVE-2018-15126
- Various memory management issues:
  - Heap UAF -> crash -> DoS, possible RCE in the server from a malicious client
  - Heap OOB write (incomplete fix for previous CVE-2018-15127) - crash -> DoS, possible RCE
  - Multiple heap OOB writes in the client (incomplete fix for previous CVE-2018-20019)
  - NULL pointer dereferences in the client -> crash -> DoS
  - Failure to properly initialise structures on the stack -> info leak, possible ASLR bypass (discloses stack memory layout)
  - Infinite loop in the client -> DoS
Goings on in Ubuntu Security Community
An update on mincore()
- In Episode 17 we discussed changes to mincore() to mitigate the page cache side-channel attack
- Linus Torvalds committed a change to the behaviour of mincore() to mitigate the vulnerability
- That change was recently reverted, citing too much breakage for existing users:
  - In particular, Netflix have a use-case where they dump the page cache across processes to aid in migration of Cassandra workloads across machines
- Instead, an alternate approach limits cache residency reporting to only those processes which have write access to the particular file in question
  - i.e. if a process has write access to a file which it has open for writing, it will be able to read back from mincore() which pages are mapped in the cache and which are not - so this will still work for the Netflix case and others where databases want to know which pages are mapped from disk and which are not
  - It will stop the case of being able to know which pages of shared system libraries etc. are mapped, and hence stop the original side-channel attack
- Patches not yet submitted for the mm tree or others, but should be soon
Get in contact
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
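Worked example: mincore() page-cache residency
The residency check the mincore() notes above talk about, as an added example that is not part of the podcast notes or of any kernel patch: it maps a file and asks mincore(2) how many of its pages are in the page cache, which is the legitimate database-style use the proposed approach preserves for files the caller can write. The scratch file, helper names and page counts are constructed here; on a kernel carrying the mitigation described above, the same call on a file the caller cannot write no longer reveals real residency, while the owned-file case shown here keeps working.

```c
#define _GNU_SOURCE          /* exposes the mincore(2) prototype in <sys/mman.h> */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Count how many pages of the first `len` bytes of the file behind `fd`
 * are page-cache resident per mincore(2). Returns the count or -1 on error. */
long resident_pages(int fd, size_t len)
{
    long psz = sysconf(_SC_PAGESIZE);
    if (psz <= 0 || len == 0) return -1;
    size_t npages = (len + (size_t)psz - 1) / (size_t)psz;
    /* A read-only shared mapping suffices: for file-backed memory mincore()
     * reports page-cache residency, not whether this process touched a page. */
    void *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) return -1;
    unsigned char *vec = calloc(npages, 1);
    long resident = -1;
    if (vec && mincore(map, len, vec) == 0) {
        resident = 0;
        for (size_t i = 0; i < npages; i++)
            resident += vec[i] & 1;      /* bit 0 set => page is resident */
    }
    free(vec);
    munmap(map, len);
    return resident;
}

/* Self-check on a constructed scratch file: data just written sits in the
 * page cache, and because we own the file the hardened mincore() described
 * in the notes still reports it faithfully. Expected result: npages. */
long demo_fresh_file(size_t npages)
{
    char path[] = "/tmp/mincore-demo-XXXXXX";   /* constructed temp file name */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* gone once fd is closed */
    size_t len = npages * (size_t)sysconf(_SC_PAGESIZE);
    char *buf = malloc(len);
    if (!buf) { close(fd); return -1; }
    memset(buf, 'x', len);
    long resident = -1;
    if (write(fd, buf, len) == (ssize_t)len)
        resident = resident_pages(fd, len);
    free(buf);
    close(fd);
    return resident;
}
```

Pointing resident_pages() at a read-only system library instead of the scratch file is how to observe the behavioural difference between an unpatched and a patched kernel for files the caller cannot write.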