April 01, 2019

Episode 26

20 minutes

Overview

This week we look security updates for a heap of packages including

Firefox & Thunderbird, PHP & QEMU, plus we discuss Facebook’s recent

password storage incident as well as some listener hardening tips and

more.

This week in Ubuntu Security Updates

48 unique CVEs addressed

[USN-3919-1] Firefox vulnerabilities

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9813

CVE-2019-9810

Firefox 66.0.1 (mentioned briefly last week) - fixes two vulnerabilities discovered during Pwn2Own

Both in the IonMonkey JIT compiler

Incorrect alias information for the Array.prototype.slice method

leads to missing bounds check and a buffer overflow - code execution

as a result

Type confusion in handling of ,__proto__ mutations - ,__proto__ is

used to modify the Prototype of an object to be mutated - used for

object inheritance in JavaScript - allows arbitrary memory

read/write and therefore code execution as a result

[USN-3918-2] Firefox vulnerabilities

17 CVEs addressed in Trusty

CVE-2019-9803

CVE-2019-9793

CVE-2019-9809

CVE-2019-9808

CVE-2019-9807

CVE-2019-9806

CVE-2019-9805

CVE-2019-9802

CVE-2019-9799

CVE-2019-9797

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9789

CVE-2019-9788

Firefox 66 & 66.0.1 - Episode 25 covered for Xenial, Bionic and Cosmic

[USN-3918-3] Firefox regression

17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9803

CVE-2019-9793

CVE-2019-9809

CVE-2019-9808

CVE-2019-9807

CVE-2019-9806

CVE-2019-9805

CVE-2019-9802

CVE-2019-9799

CVE-2019-9797

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9789

CVE-2019-9788

Firefox 66 & 66.0.1 contained a regression - so upstream released 66.0.2

Broke keyboard handling in Office 365, iCloud and IBM WebMail -

Firefox 66 changed the way keycode handling works so these websites

and others which use older, deprecated methods to get the keycode have

been added to an internal fallback list to use the old method

[USN-3927-1] Thunderbird vulnerabilities

10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9793

CVE-2019-9813

CVE-2019-9810

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9788

CVE-2018-18506

Thunderbird 60.6.1

Rolls in security fixes covered previous for Firefox (66.0, 66.0.1)

Both the Pwn2Own and previous fixes

As for Firefox, listen back to Episode 25 for details of 66.0 fixes

[USN-3921-1] XMLTooling vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9628

Crash due to uncaught DOMException able to be triggered by a malformed

XML document - DoS

Thanks to Etienne Dysli Metref who provided debdiff’s as well as

testing for this update

[USN-3922-1] PHP vulnerabilities

5 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-9641

CVE-2019-9640

CVE-2019-9639

CVE-2019-9638

CVE-2019-9637

Integer overflow on 32-bit archs when processing malformed EXIF image

data - crash, DoS

Failure to check available data length when processing image

thumbnails - OOB read -> crash -> DoS

OOB read of 1 byte when handling EXIF image data - crash -> DoS

During file rename, if file is moved across file-systems, the new file

briefly is world readable allowing anyone to read it - fixed by

ensuring umask is used correctly so that the new file always has

restrictive permissions from the outset

[USN-3923-1] QEMU vulnerabilities

11 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-6778

CVE-2019-3812

CVE-2018-20216

CVE-2018-20191

CVE-2018-20126

CVE-2018-20125

CVE-2018-20124

CVE-2018-20123

CVE-2018-19489

CVE-2018-16872

CVE-2018-16867

Heap-based buffer overflow in TCP emulation

OOB read in i2c handling allowing a local attacker within a guest who

has permission to execute i2c commands could read qemu host process

stack memory

Plan9 FS host-directory sharing race-condition on file rename -> crash

-> DoS

2 issues in USB MTP handling:

time-of-check to time-of-use error allows attacker with write access

to the shared host filesystem can use this to navigate host FS in

context of QEMU host process and read any therefore read any file

which QEMU can on the host

Path traversal flaw due to improper filename sanitisation - allow to

read-write arbitrary host files -> Dos or code execution on the host

Updates for Paravirtualised RDMA subsystem:

DoS due to infinite loop

NULL pointer dereference due to missing read method

Fix various memory leaks

Various other NULL pointer dereferences plus a failure to check

parameters leading to possible extreme memory allocation

Fix OOB read triggerable by guest

[USN-3924-1] mod_auth_mellon vulnerabilities

2 CVEs addressed in Bionic, Cosmic

CVE-2019-3878

CVE-2019-3877

Apache module to provide authentication and authorisation via SAML 2.0 IdP

Possible to bypass authorisation checks when also using mod_proxy

Fix an open-redirect via the logout endpoint - could encode an

absolute URL using backward-slashes (\) in place of forward-slashes

(/) and this would be propagated by the endpoint to the client where

the browser would convert these and follow the redirect - due to

mismatch in how browsers will convert these but apache’s own internal

URI parsing does not

[USN-3925-1] FreeImage vulnerability

1 CVEs addressed in Trusty, Xenial

CVE-2016-5684

OOB write in XMP image handling - code execution

[USN-3926-1] GPAC vulnerabilities

8 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2018-7752

CVE-2018-20763

CVE-2018-20762

CVE-2018-20761

CVE-2018-20760

CVE-2018-13006

CVE-2018-13005

CVE-2018-1000100

Various memory safety issues, including OOB buffer reads and writes

due to missing bounds checks (was using strcpy without checking

lengths…)

Goings on in Ubuntu Security Community

Joe McManus on Facebook insecure password storage

https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/

Ubuntu Hardening Tips

Paul Waring got in touch to mention his tips for hardening new Ubuntu installations:

Install and configure unattended-upgrades

Install UFW and block all incoming connections except specific services

Can be done easily via ansible from just a few lines of YAML

For servers:

Install SSHGuard to ban IP addresses with too many failed login attempts

Require TLS for all services via LetsEncrypt + certbot

Configure SSH to permit only key-based authentication

For wordpress installations - install wp-cli to auto-update themes

and plugins

Automate as much of this as possible for automatic hardening

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

April 01, 2019

Episode 26

20 minutes

Overview

This week we look security updates for a heap of packages including

Firefox & Thunderbird, PHP & QEMU, plus we discuss Facebook’s recent

password storage incident as well as some listener hardening tips and

more.

This week in Ubuntu Security Updates

48 unique CVEs addressed

[USN-3919-1] Firefox vulnerabilities

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9813

CVE-2019-9810

Firefox 66.0.1 (mentioned briefly last week) - fixes two vulnerabilities discovered during Pwn2Own

Both in the IonMonkey JIT compiler

Incorrect alias information for the Array.prototype.slice method

leads to missing bounds check and a buffer overflow - code execution

as a result

Type confusion in handling of ,__proto__ mutations - ,__proto__ is

used to modify the Prototype of an object to be mutated - used for

object inheritance in JavaScript - allows arbitrary memory

read/write and therefore code execution as a result

[USN-3918-2] Firefox vulnerabilities

17 CVEs addressed in Trusty

CVE-2019-9803

CVE-2019-9793

CVE-2019-9809

CVE-2019-9808

CVE-2019-9807

CVE-2019-9806

CVE-2019-9805

CVE-2019-9802

CVE-2019-9799

CVE-2019-9797

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9789

CVE-2019-9788

Firefox 66 & 66.0.1 - Episode 25 covered for Xenial, Bionic and Cosmic

[USN-3918-3] Firefox regression

17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9803

CVE-2019-9793

CVE-2019-9809

CVE-2019-9808

CVE-2019-9807

CVE-2019-9806

CVE-2019-9805

CVE-2019-9802

CVE-2019-9799

CVE-2019-9797

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9789

CVE-2019-9788

Firefox 66 & 66.0.1 contained a regression - so upstream released 66.0.2

Broke keyboard handling in Office 365, iCloud and IBM WebMail -

Firefox 66 changed the way keycode handling works so these websites

and others which use older, deprecated methods to get the keycode have

been added to an internal fallback list to use the old method

[USN-3927-1] Thunderbird vulnerabilities

10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9793

CVE-2019-9813

CVE-2019-9810

CVE-2019-9796

CVE-2019-9795

CVE-2019-9792

CVE-2019-9791

CVE-2019-9790

CVE-2019-9788

CVE-2018-18506

Thunderbird 60.6.1

Rolls in security fixes covered previous for Firefox (66.0, 66.0.1)

Both the Pwn2Own and previous fixes

As for Firefox, listen back to Episode 25 for details of 66.0 fixes

[USN-3921-1] XMLTooling vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-9628

Crash due to uncaught DOMException able to be triggered by a malformed

XML document - DoS

Thanks to Etienne Dysli Metref who provided debdiff’s as well as

testing for this update

[USN-3922-1] PHP vulnerabilities

5 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-9641

CVE-2019-9640

CVE-2019-9639

CVE-2019-9638

CVE-2019-9637

Integer overflow on 32-bit archs when processing malformed EXIF image

data - crash, DoS

Failure to check available data length when processing image

thumbnails - OOB read -> crash -> DoS

OOB read of 1 byte when handling EXIF image data - crash -> DoS

During file rename, if file is moved across file-systems, the new file

briefly is world readable allowing anyone to read it - fixed by

ensuring umask is used correctly so that the new file always has

restrictive permissions from the outset

[USN-3923-1] QEMU vulnerabilities

11 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-6778

CVE-2019-3812

CVE-2018-20216

CVE-2018-20191

CVE-2018-20126

CVE-2018-20125

CVE-2018-20124

CVE-2018-20123

CVE-2018-19489

CVE-2018-16872

CVE-2018-16867

Heap-based buffer overflow in TCP emulation

OOB read in i2c handling allowing a local attacker within a guest who

has permission to execute i2c commands could read qemu host process

stack memory

Plan9 FS host-directory sharing race-condition on file rename -> crash

-> DoS

2 issues in USB MTP handling:

time-of-check to time-of-use error allows attacker with write access

to the shared host filesystem can use this to navigate host FS in

context of QEMU host process and read any therefore read any file

which QEMU can on the host

Path traversal flaw due to improper filename sanitisation - allow to

read-write arbitrary host files -> Dos or code execution on the host

Updates for Paravirtualised RDMA subsystem:

DoS due to infinite loop

NULL pointer dereference due to missing read method

Fix various memory leaks

Various other NULL pointer dereferences plus a failure to check

parameters leading to possible extreme memory allocation

Fix OOB read triggerable by guest

[USN-3924-1] mod_auth_mellon vulnerabilities

2 CVEs addressed in Bionic, Cosmic

CVE-2019-3878

CVE-2019-3877

Apache module to provide authentication and authorisation via SAML 2.0 IdP

Possible to bypass authorisation checks when also using mod_proxy

Fix an open-redirect via the logout endpoint - could encode an

absolute URL using backward-slashes (\) in place of forward-slashes

(/) and this would be propagated by the endpoint to the client where

the browser would convert these and follow the redirect - due to

mismatch in how browsers will convert these but apache’s own internal

URI parsing does not

[USN-3925-1] FreeImage vulnerability

1 CVEs addressed in Trusty, Xenial

CVE-2016-5684

OOB write in XMP image handling - code execution

[USN-3926-1] GPAC vulnerabilities

8 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2018-7752

CVE-2018-20763

CVE-2018-20762

CVE-2018-20761

CVE-2018-20760

CVE-2018-13006

CVE-2018-13005

CVE-2018-1000100

Various memory safety issues, including OOB buffer reads and writes

due to missing bounds checks (was using strcpy without checking

lengths…)

Goings on in Ubuntu Security Community

Joe McManus on Facebook insecure password storage

https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/

Ubuntu Hardening Tips

Paul Waring got in touch to mention his tips for hardening new Ubuntu installations:

Install and configure unattended-upgrades

Install UFW and block all incoming connections except specific services

Can be done easily via ansible from just a few lines of YAML

For servers:

Install SSHGuard to ban IP addresses with too many failed login attempts

Require TLS for all services via LetsEncrypt + certbot

Configure SSH to permit only key-based authentication

For wordpress installations - install wp-cli to auto-update themes

and plugins

Automate as much of this as possible for automatic hardening

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 26

Sign up to save your podcasts

Episode 26

Episode 26