April 15, 2019

Episode 28

21 minutes

Overview

This week we look at updates for vulnerabilities in wpa_supplicant, Samba, systemd, wget and more and we talk to Joe about IoT security (or the prevailing lack-thereof).

This week in Ubuntu Security Updates

27 unique CVEs addressed

[USN-3939-1, USN-3939-2] Samba vulnerability

1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic

CVE-2019-3880

Symlink path traversal vulnerability in the Windows Registry service emulation RPC API end-point

Allows a local user to create a new registry file anywhere they have Unix

permissions to do so within the Samba share

Bypasses share restrictions such as read-only and share ACLs

Also allows to create the file outside the share itself if there is

already a symlink pointing outside the shared areas

Fixed by removing the ability to save or restore registry keys at all via

this RPC API end-point

[USN-3940-1, USN-3940-2] ClamAV vulnerabilities

3 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic

CVE-2019-1789

CVE-2019-1788

CVE-2019-1787

3 file-handling issues

2 OOB heap read when handling PE (Windows EXE and DLL) and PDF files ->

crash -> DoS

OOB heap write when scanning OLE2 files (old format Microsoft Office

documents), crash -> DoS or possible code execution

[USN-3941-1] Lua vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-6706

UAF if calling debug.upvaluejoin() with the same function for both function parameters

[USN-3938-1] systemd vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-3842

Failure to properly sanitize environment before using XDG_SEAT

Attacker could set XDG_SEAT such that they can have actions checked

against the wrong PolicyKit policy

Allows a remotely logged in attacker (SSH) to run commands which should

be restricted to only physically present users

Fixed by using secure_getenv() rather than just getenv() - so that if

running via su the existing value is effectively scrubbed from the

environment and ignored

[USN-3942-1] OpenJDK 7 vulnerability

1 CVEs addressed in Trusty

CVE-2019-2422

Information leak allows a remote attacker to possibly leverage this to

bypass the Java sandbox

[USN-3943-1, USN-3943-2] Wget vulnerabilities

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic (1 in Precise ESM)

CVE-2019-5953

CVE-2018-20483

Heap buffer overflow due to improper memory management - crash -> DoS or possible code execution

By default wget would store the origin URL in an extended attribute on the downloaded file

Could include username / password

getfattr -d to dump

changed to NOT store extended attributes by default AND to strip out

any credentials when doing so

doesn’t effect Precise ESM

[USN-3937-2] Apache vulnerabilities

4 CVEs addressed in Precise ESM

CVE-2018-1312

CVE-2018-1301

CVE-2017-15710

CVE-2019-0217

Episode 27 covered mod_auth_digest bypass for other supported releases

Also includes 3 other issues:

Nonce generated to prevent reply attacks for HTTP digest authentication

challenenge wasn’t sufficiently random

Could allow and attacker to reply across a cluster of servers with

the same common digest authentication configuration

changed to actually use a proper random source

Possible OOB read -> crash -> DoS

Possible one-byte memory corruption if specify a character encoding of

only 1 byte (since assumes is at least 2 bytes and so writes a NULL at

index +2 which could be past the end of the header) - crash, DoS

[USN-3944-1] wpa_supplicant and hostapd vulnerabilities

5 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2016-10743

CVE-2019-9499

CVE-2019-9498

CVE-2019-9497

CVE-2019-9495

Fix fallback to low-quality PRNG if failed to get an actual random value for a WPS pin

Multiple vulnerabilities discovered in the implementation of WPA3 in

hostapd and wpa_supplicant (aka Dragonblood)

2 apply to SAE (Simultaneous Authentication of Equals , also known as

Dragonfly Key Exchange) not relevant since we don’t enable SAE support

in our builds (this is used for initial key exchange instead of PSK)

4 apply to the use of EAP-PWD - Extensible Authentication Protocol

Password

cache side channel attack

reflection attack

may allow an attacker to authenticate without the password but

likely not derive session key or complete the key exchange so no

loss of confidentiality

2 failure to validate crypto components

could allow attacker to authenticate AND gain access to session key

and get network access

[USN-3945-1] Ruby vulnerabilities

6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-8325

CVE-2019-8324

CVE-2019-8323

CVE-2019-8322

CVE-2019-8321

CVE-2019-8320

Symlink directory traversal issue - gem would delete the target

destination before creating any new directories or files when extracting

a Gem - as this is often run via sudo could allow to delete anything on

target system

Fixed to check target paths are symlinks

5 different code-injection attacks:

4 via injection of terminal escape sequences in debug code paths to stdout

one via eval() of the stub line in a gemspec file

[USN-3946-1] rssh vulnerabilities

3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-3464

CVE-2019-3463

CVE-2019-1000018

Possible to execute arbitrary shell commands since failed to properly

sanitize environment variables and command-line arguments when executing

rsync or scp

Removed from archive in disco since dead upstream

Goings on in Ubuntu Security Community

IoT Security discussion with Joe McManus

https://arstechnica.com/information-technology/2019/04/new-variants-of-mirai-botnet-detected-targeting-more-iot-devices/

https://www.ubuntu.com/core

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

April 15, 2019

Episode 28

21 minutes

Overview

This week we look at updates for vulnerabilities in wpa_supplicant, Samba, systemd, wget and more and we talk to Joe about IoT security (or the prevailing lack-thereof).

This week in Ubuntu Security Updates

27 unique CVEs addressed

[USN-3939-1, USN-3939-2] Samba vulnerability

1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic

CVE-2019-3880

Symlink path traversal vulnerability in the Windows Registry service emulation RPC API end-point

Allows a local user to create a new registry file anywhere they have Unix

permissions to do so within the Samba share

Bypasses share restrictions such as read-only and share ACLs

Also allows to create the file outside the share itself if there is

already a symlink pointing outside the shared areas

Fixed by removing the ability to save or restore registry keys at all via

this RPC API end-point

[USN-3940-1, USN-3940-2] ClamAV vulnerabilities

3 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic

CVE-2019-1789

CVE-2019-1788

CVE-2019-1787

3 file-handling issues

2 OOB heap read when handling PE (Windows EXE and DLL) and PDF files ->

crash -> DoS

OOB heap write when scanning OLE2 files (old format Microsoft Office

documents), crash -> DoS or possible code execution

[USN-3941-1] Lua vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-6706

UAF if calling debug.upvaluejoin() with the same function for both function parameters

[USN-3938-1] systemd vulnerability

1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-3842

Failure to properly sanitize environment before using XDG_SEAT

Attacker could set XDG_SEAT such that they can have actions checked

against the wrong PolicyKit policy

Allows a remotely logged in attacker (SSH) to run commands which should

be restricted to only physically present users

Fixed by using secure_getenv() rather than just getenv() - so that if

running via su the existing value is effectively scrubbed from the

environment and ignored

[USN-3942-1] OpenJDK 7 vulnerability

1 CVEs addressed in Trusty

CVE-2019-2422

Information leak allows a remote attacker to possibly leverage this to

bypass the Java sandbox

[USN-3943-1, USN-3943-2] Wget vulnerabilities

2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic (1 in Precise ESM)

CVE-2019-5953

CVE-2018-20483

Heap buffer overflow due to improper memory management - crash -> DoS or possible code execution

By default wget would store the origin URL in an extended attribute on the downloaded file

Could include username / password

getfattr -d to dump

changed to NOT store extended attributes by default AND to strip out

any credentials when doing so

doesn’t effect Precise ESM

[USN-3937-2] Apache vulnerabilities

4 CVEs addressed in Precise ESM

CVE-2018-1312

CVE-2018-1301

CVE-2017-15710

CVE-2019-0217

Episode 27 covered mod_auth_digest bypass for other supported releases

Also includes 3 other issues:

Nonce generated to prevent reply attacks for HTTP digest authentication

challenenge wasn’t sufficiently random

Could allow and attacker to reply across a cluster of servers with

the same common digest authentication configuration

changed to actually use a proper random source

Possible OOB read -> crash -> DoS

Possible one-byte memory corruption if specify a character encoding of

only 1 byte (since assumes is at least 2 bytes and so writes a NULL at

index +2 which could be past the end of the header) - crash, DoS

[USN-3944-1] wpa_supplicant and hostapd vulnerabilities

5 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2016-10743

CVE-2019-9499

CVE-2019-9498

CVE-2019-9497

CVE-2019-9495

Fix fallback to low-quality PRNG if failed to get an actual random value for a WPS pin

Multiple vulnerabilities discovered in the implementation of WPA3 in

hostapd and wpa_supplicant (aka Dragonblood)

2 apply to SAE (Simultaneous Authentication of Equals , also known as

Dragonfly Key Exchange) not relevant since we don’t enable SAE support

in our builds (this is used for initial key exchange instead of PSK)

4 apply to the use of EAP-PWD - Extensible Authentication Protocol

Password

cache side channel attack

reflection attack

may allow an attacker to authenticate without the password but

likely not derive session key or complete the key exchange so no

loss of confidentiality

2 failure to validate crypto components

could allow attacker to authenticate AND gain access to session key

and get network access

[USN-3945-1] Ruby vulnerabilities

6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-8325

CVE-2019-8324

CVE-2019-8323

CVE-2019-8322

CVE-2019-8321

CVE-2019-8320

Symlink directory traversal issue - gem would delete the target

destination before creating any new directories or files when extracting

a Gem - as this is often run via sudo could allow to delete anything on

target system

Fixed to check target paths are symlinks

5 different code-injection attacks:

4 via injection of terminal escape sequences in debug code paths to stdout

one via eval() of the stub line in a gemspec file

[USN-3946-1] rssh vulnerabilities

3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic

CVE-2019-3464

CVE-2019-3463

CVE-2019-1000018

Possible to execute arbitrary shell commands since failed to properly

sanitize environment variables and command-line arguments when executing

rsync or scp

Removed from archive in disco since dead upstream

Goings on in Ubuntu Security Community

IoT Security discussion with Joe McManus

https://arstechnica.com/information-technology/2019/04/new-variants-of-mirai-botnet-detected-targeting-more-iot-devices/

https://www.ubuntu.com/core

Hiring

Ubuntu Security Generalist

https://boards.greenhouse.io/canonical/jobs/1548812

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 28

Sign up to save your podcasts

Episode 28

Episode 28