Ubuntu Security Podcast

Episode 31

Listen Later
Overview

This week we cover security fixes for GNOME Shell, FFmpeg, Sudo, Ghostscript and others, and we talk to Joe McManus about malicious Dockerhub images, Git repos being ransomed more.

This week in Ubuntu Security Updates

14 unique CVEs addressed

[USN-3966-1] GNOME Shell vulnerability
  • 1 CVEs addressed in Bionic, Cosmic
    • CVE-2019-3820
    • Local user could potentially bypass various restrictions of the lock
      • screen - menu items can be activated by keyboard combinations - these
      could then be used to take screenshots (and fill up disk space), close
      windows behind the lock screen or start the screen reader which could
      read out the contents of windows behind the lock screen.
    • Fixed by disabling all menu items when the screen is locked
      • [USN-3965-1] aria2 vulnerability
      • 1 CVEs addressed in Cosmic, Disco
        • CVE-2019-3500
        • CLI download tool (akin to curl / wget but can also do bittorrent and others)
        • When logging would store credentials in log file which could be read by other users
        • Fixed by masking out credentials
          • [USN-3967-1] FFmpeg vulnerabilities
          • 5 CVEs addressed in Bionic, Cosmic, Disco
            • CVE-2019-9721
            • CVE-2019-9718
            • CVE-2019-11339
            • CVE-2019-11338
            • CVE-2018-15822
            • CPU DoS in Matroska and HTML subtitle decoding
            • Various issues discovered by Google’s oss-fuzz project:
              • 2 x OOB read found by Google’s clusterfuzz / oss-fuzz project in MPEG-4 decoder
              • NULL pointer dereference and OOB read in HEVC decoder
              • Assertion failure for missing audio packet size in FLV encoder
                • [USN-3968-1] Sudo vulnerabilities
                • 2 CVEs addressed in Xenial
                  • CVE-2017-1000368
                  • CVE-2016-7076
                  • Fails to properly parse /proc/PID/stat - this is used to determine the
                    • controlling tty - this name could contain newlines - sudo would only read
                    one line of input and so would get a truncated name - when sudo is used
                    with SELinux this allows to confuse sudo as to where the destination for
                    stdout / stderr and so cause sudo to overwrite and arbitrary file by
                    creating a symlink from the supposed tty to the destination file.
                  • Fixed by ensuring to parse the full name including any newlines
                  • sudo contains the ability to restrict users with sudo access to running
                    • further commands via the NOEXEC tag
                    • Does this by LD_PRELOAD to replace exec() and other functions with
                      • versions that return an error
                    • wordexp() performs shell expansion on a string and so can contain shell
                      • directives to run a command and get the output $(foo) - this can run
                      commands and so would not be stopped by LD_PRELOAD lib - so a user can
                      run a binary which does wordexp() they could bypass this restriction
                    • Fixed by adding wordexp() to the LD_PRELOAD wrapper AND by adding a
                      • seccomp filter to stop all execve() entirely
                      [USN-3969-1, USN-3969-2] wpa_supplicant and hostapd vulnerability
                      • 1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
                        • CVE-2019-11555
                        • Possible NULL pointer dereference if an attacker could construct out of
                          • sequence EAP message fragments
                        • Fixed by validating and rejecting invalid fragments on both the peer and
                          • server side
                          [USN-3970-1] Ghostscript vulnerability
                          • 1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
                            • CVE-2019-3839
                            • Follow up to CVE-2019-6116 (Episode 18)
                              • GS sandbox allowed access to system operators which allowed arbitrary code execution
                              • Missed some protections for pdf related operations which could also allow code execution
                                • [USN-3971-1] Monit vulnerabilities
                                • 2 CVEs addressed in Cosmic, Disco
                                  • CVE-2019-11455
                                  • CVE-2019-11454
                                  • Buffer over-read when decoding URLs could allow a remote authenticated
                                    • attacker to read other memory - information disclosure but could also
                                    cause a crash via reading from an invalid memory location
                                  • Persistent XSS in decoding Authorization header for HTTP Basic
                                    • Authorization could allow an unauthenticated remote attacker to inject
                                    arbitrary JavaScript in the _viewlog operation - fixed by properly
                                    escaping this data
                                    [USN-3956-2] Bind vulnerability
                                    • 1 CVEs addressed in Precise ESM, Trusty ESM
                                      • CVE-2018-5743
                                      • Episode 29 covered for standard support releases - now fixed in ESM
                                        • Discussion with Joe McManus about malicious DockerHub images and Git repo takeover ransoms
                                        • https://threatpost.com/malicious-docker-containers-earn-crypto-miners-90000/132816/
                                        • https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
                                          • Goings on in Ubuntu Security Community
                                          Robotics Security Engineer
                                          • https://boards.greenhouse.io/canonical/jobs/1550997
                                            • Security Certifications Engineer
                                            • https://boards.greenhouse.io/canonical/jobs/1660658
                                              • Get in contact
                                              • [email protected]
                                              • #ubuntu-security on the Libera.Chat IRC network
                                              • @ubuntu_sec on twitter
                                                • ...more
                                                View all episodesView all episodes
                                                Download on the App Store
                                                Ubuntu Security PodcastBy Ubuntu Security Team
                                                • 4.8
                                                • 4.8
                                                • 4.8
                                                • 4.8
                                                • 4.8

                                                4.8

                                                10 ratings