June 17, 2019

Episode 36

22 minutes

Overview

Security updates for DBus, vim, elfutils, GLib and more, plus Joe and Alex look at another npm package hijack as well as some wider discussions around the big vim RCE of this week.

This week in Ubuntu Security Updates

43 unique CVEs addressed

[USN-4012-1] elfutils vulnerabilities

9 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-7665

CVE-2019-7150

CVE-2019-7149

CVE-2018-18521

CVE-2018-18520

CVE-2018-18310

CVE-2018-16403

CVE-2018-16402

CVE-2018-16062

Mix of issues found via fuzzing with ASAN - all resulting in crash -> DoS

from crafted input files

multiple heap-based buffer over-reads in various libraries (libelf,

libdw) on crafted ELF input

divide-by-zero on crafted ELF input in arlib (used by ar, ranlib and

other tools to process .a archive files)

multiple invalid pointer dereferences

double-free in libelf on crafted ELF input

[USN-4013-1] libsndfile vulnerabilities

13 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-3832

CVE-2018-19758

CVE-2018-19662

CVE-2018-19661

CVE-2018-19432

CVE-2018-13139

CVE-2017-6892

CVE-2017-17457

CVE-2017-17456

CVE-2017-16942

CVE-2017-14634

CVE-2017-14246

CVE-2017-14245

Range of issues from crashes (DoS) to possible RCE again found via fuzzing with ASAN

Multiple heap-based buffer over-reads on crafted audio files (WAV, ALAW, AIFF) files

NULL pointer dereference

Stack-based buffer overflow - crash -> DoS or possible RCE on crafted

Divide by zeros

[USN-4014-1, USN-4014-2] GLib vulnerability

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco

CVE-2019-12450

GLib contains GIO which is library to abstract file-IO operations

During file copying, would create the new file with default permissions

and then once copy was done would then set the correct permissions (based

on the original files permissions)

Could allow other users to read the file during the copy process

Instead fix to create new file with restrictive permissions (only

accessible by the current user) to avoid this

[USN-4015-1, USN-4015-2] DBus vulnerability

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco

CVE-2019-12749

DBus includes multiple authentication mechanisms - usually would just use

credentials passed via UNIX sockets (is secure as is enforced by the

kernel), but this is not supported on all platforms (Windows etc)

So includes another authentication mechanism - DBUS_COOKIE_SHA1

In this case, the authenticating user has to prove they are who they

say by being able to read and provide a magic value from a keyring file

which dbus drops in the user’s home directory

By abusing symlinks, it would be possible to point the local users

keyring at some other file and cause DBus to read / write to some other

file which was not intended

This could further be abused to point your local dbus keyring to root’s

and cause DBus to eventually confuse the local user’s authentication to

the bus as that of the root user and so allow an unprivileged user to

authenticate as root and so then perform operations as root via DBus

Fixed by simply only allowing DBUS_COOKIE_SHA1 to authenticate as the

same user as the DBus server owner - ie. if running DBus as root you can

only authenticate as root, not as your local user (since this use-case is

not actually used in practice)

[USN-4016-1] Vim vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-12735

CVE-2017-5953

Most over-hyped bug of the week

https://threatpost.com/linux-command-line-editors-high-severity-bug/145569/

https://www.reddit.com/r/netsec/comments/bwrjrx/vimneovim_arbitrary_code_execution_via_modelines/

Will discuss with Joe later in the episode, but briefly:

Vim includes support for ‘modelines’

This allows files to include custom settings such as indentation, file

type etc so that editing is consistent

Only a subset of vim commands can be permitted - ie. set - and then not

everything can be set by modelines - and is meant to be side-effect

free

However, the source! command is still allowed - this reads extra

commands from a file as though typed by the user and is done so outside

the sandbox

So is possible to bypass the sandbox and execute arbitrary commands via

the modeline (since vim supports running external commands from the

editor itself)

PoC included running a reverse shell by just opening a crafted file

However, modelines are disabled by default in Debian (and hence Ubuntu)

so unless a user had specifically enabled it in their own vimrc they are

safe

Patched to disable sourcing a file from the modeline or from within the

sandbox at all

One extra low priority issue when vim could be made to crash via a

crafted spell file (this is used to store locally spelling additions etc)

[USN-4016-2] Neovim vulnerability

1 CVEs addressed in Cosmic, Disco

CVE-2019-12735

See above from vim :)

[USN-3991-3] Firefox regression

17 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-9816

CVE-2019-11698

CVE-2019-11697

CVE-2019-9821

CVE-2019-9820

CVE-2019-9819

CVE-2019-9817

CVE-2019-9814

CVE-2019-9800

CVE-2019-7317

CVE-2019-11701

CVE-2019-11699

CVE-2019-11696

CVE-2019-11695

CVE-2019-11693

CVE-2019-11692

CVE-2019-11691

Episode 33 - Firefox update to version 67.0 - contained a regression so

updated to 67.0.1 (Episode 35) - this also contained another regression

where Firefox would fail to load correctly if run in safe-mode. So

upstream released 67.0.2 which is this new update.

Goings on in Ubuntu Security Community

Alex and Joe talk about another npm package hijack attack and the vim issue

https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm

Hiring

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

June 17, 2019

Episode 36

22 minutes

Overview

Security updates for DBus, vim, elfutils, GLib and more, plus Joe and Alex look at another npm package hijack as well as some wider discussions around the big vim RCE of this week.

This week in Ubuntu Security Updates

43 unique CVEs addressed

[USN-4012-1] elfutils vulnerabilities

9 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-7665

CVE-2019-7150

CVE-2019-7149

CVE-2018-18521

CVE-2018-18520

CVE-2018-18310

CVE-2018-16403

CVE-2018-16402

CVE-2018-16062

Mix of issues found via fuzzing with ASAN - all resulting in crash -> DoS

from crafted input files

multiple heap-based buffer over-reads in various libraries (libelf,

libdw) on crafted ELF input

divide-by-zero on crafted ELF input in arlib (used by ar, ranlib and

other tools to process .a archive files)

multiple invalid pointer dereferences

double-free in libelf on crafted ELF input

[USN-4013-1] libsndfile vulnerabilities

13 CVEs addressed in Xenial, Bionic, Cosmic

CVE-2019-3832

CVE-2018-19758

CVE-2018-19662

CVE-2018-19661

CVE-2018-19432

CVE-2018-13139

CVE-2017-6892

CVE-2017-17457

CVE-2017-17456

CVE-2017-16942

CVE-2017-14634

CVE-2017-14246

CVE-2017-14245

Range of issues from crashes (DoS) to possible RCE again found via fuzzing with ASAN

Multiple heap-based buffer over-reads on crafted audio files (WAV, ALAW, AIFF) files

NULL pointer dereference

Stack-based buffer overflow - crash -> DoS or possible RCE on crafted

Divide by zeros

[USN-4014-1, USN-4014-2] GLib vulnerability

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco

CVE-2019-12450

GLib contains GIO which is library to abstract file-IO operations

During file copying, would create the new file with default permissions

and then once copy was done would then set the correct permissions (based

on the original files permissions)

Could allow other users to read the file during the copy process

Instead fix to create new file with restrictive permissions (only

accessible by the current user) to avoid this

[USN-4015-1, USN-4015-2] DBus vulnerability

1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco

CVE-2019-12749

DBus includes multiple authentication mechanisms - usually would just use

credentials passed via UNIX sockets (is secure as is enforced by the

kernel), but this is not supported on all platforms (Windows etc)

So includes another authentication mechanism - DBUS_COOKIE_SHA1

In this case, the authenticating user has to prove they are who they

say by being able to read and provide a magic value from a keyring file

which dbus drops in the user’s home directory

By abusing symlinks, it would be possible to point the local users

keyring at some other file and cause DBus to read / write to some other

file which was not intended

This could further be abused to point your local dbus keyring to root’s

and cause DBus to eventually confuse the local user’s authentication to

the bus as that of the root user and so allow an unprivileged user to

authenticate as root and so then perform operations as root via DBus

Fixed by simply only allowing DBUS_COOKIE_SHA1 to authenticate as the

same user as the DBus server owner - ie. if running DBus as root you can

only authenticate as root, not as your local user (since this use-case is

not actually used in practice)

[USN-4016-1] Vim vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-12735

CVE-2017-5953

Most over-hyped bug of the week

https://threatpost.com/linux-command-line-editors-high-severity-bug/145569/

https://www.reddit.com/r/netsec/comments/bwrjrx/vimneovim_arbitrary_code_execution_via_modelines/

Will discuss with Joe later in the episode, but briefly:

Vim includes support for ‘modelines’

This allows files to include custom settings such as indentation, file

type etc so that editing is consistent

Only a subset of vim commands can be permitted - ie. set - and then not

everything can be set by modelines - and is meant to be side-effect

free

However, the source! command is still allowed - this reads extra

commands from a file as though typed by the user and is done so outside

the sandbox

So is possible to bypass the sandbox and execute arbitrary commands via

the modeline (since vim supports running external commands from the

editor itself)

PoC included running a reverse shell by just opening a crafted file

However, modelines are disabled by default in Debian (and hence Ubuntu)

so unless a user had specifically enabled it in their own vimrc they are

safe

Patched to disable sourcing a file from the modeline or from within the

sandbox at all

One extra low priority issue when vim could be made to crash via a

crafted spell file (this is used to store locally spelling additions etc)

[USN-4016-2] Neovim vulnerability

1 CVEs addressed in Cosmic, Disco

CVE-2019-12735

See above from vim :)

[USN-3991-3] Firefox regression

17 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-9816

CVE-2019-11698

CVE-2019-11697

CVE-2019-9821

CVE-2019-9820

CVE-2019-9819

CVE-2019-9817

CVE-2019-9814

CVE-2019-9800

CVE-2019-7317

CVE-2019-11701

CVE-2019-11699

CVE-2019-11696

CVE-2019-11695

CVE-2019-11693

CVE-2019-11692

CVE-2019-11691

Episode 33 - Firefox update to version 67.0 - contained a regression so

updated to 67.0.1 (Episode 35) - this also contained another regression

where Firefox would fail to load correctly if run in safe-mode. So

upstream released 67.0.2 which is this new update.

Goings on in Ubuntu Security Community

Alex and Joe talk about another npm package hijack attack and the vim issue

https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm

Hiring

Robotics Security Engineer

https://boards.greenhouse.io/canonical/jobs/1550997

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 36

Sign up to save your podcasts

Episode 36

Episode 36