July 09, 2019

Episode 39

12 minutes

Overview

A look at security updates for Django, Thunderbird, ZNC, Irssi and more,

plus news on the CanonicalLtd GitHub account credentials compromise, SKS

PGP keyservers under attack and Ubuntu 18.10 Cosmic Cuttlefish reaches EOL.

This week in Ubuntu Security Updates

7 unique CVEs addressed

[USN-4043-1] Django vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-12781

CVE-2019-12308

If using django via a reverse proxy, which itself would connect to django

over HTTPS, if accessing HTTP resources they would not be redirected to

HTTPS even if configured to do so on the django server.

XSS via the ‘Current URL’ link as this was not validated as a safe URL

before display - so possible to inject javascript etc via a URL query

payload parameter etc - such that when the user clicks the link it would

be executed (RCE bug with user interaction)

[USN-4045-1] Thunderbird vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-11708

CVE-2019-11707

Latest upstream 60.7.2 release

Mentioned in the context of Firefox in Episode 37 and Episode 38 (sandbox

escape and RCE)

By default scripting is disabled in TB so not as high an impact

[USN-4044-1] ZNC vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-12816

ZNC provides support for plugin modules

These can be loaded by autenticated, non-admin users

i - The name of this is checked in various places to ensure control

characters and other means of code execution are blocked, but not on

all code-paths using modules

Would allow to execute code as the ZNC server via an authenticated user

Fixed to validate module name on all code paths which use it

[USN-4038-3, USN-4038-4] bzip2 regression

Affecting Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco

Episode 38 mentioned bzip2 update - we also mentioned this breaks

decompression of some archives built by lbzip2 etc - this regression

fixes that by introducing a new patch proposed by upstream to accept as

many selectors as specified by to then discard them later

[USN-4046-1] Irssi vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-13045

CVE-2018-7054

2 different UAF’s due to mismanagement of data structures:

One on SASL code-paths - so only affected if using SASL

authentication - would reuse provided username and password

fields after they had been freed

Another in code to handle netsplits (used to handle when servers get

disconnected from the wider network)

This was due to an incomplete fix for previous CVE-2017-7191

Goings on in Ubuntu Security Community

Ubuntu 18.10 (Cosmic Cuttlefish) reaches End of Life on July 18 2019

Released October 18, 2018 - non-LTS so 9 months of support

Past 9 months - no new updates/ security fixes and hence no USNs

Upgrade to Disco (19.04)

https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/004996.html

CanonicalLtd GitHub organisation account compromise

A single account which was part of the CanonicalLtd GitHub organisation

was compromised 6th July

Used to create proof-of-concept repositories and issues to demonstrate

the hack was possible

Investigation is still on-going but at this stage it only appears to be

these actions, not malicious but attention seeking in nature

No code has been altered or PII accessed (nor is any PII stored there)

Account has been removed from the CanonicaLtd organisation, investigation

is still on-going, we will release more details as they become available

https://twitter.com/ubuntu_sec/status/1147675201632473088

SKS keyserver certificate spamming

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

WoT aspect of PGP allows users to sign one-anothers public keys

(certificates) and upload these signatures to the keyservers

SKS keyservers were designed to never delete anything and instead to append

So when downloading a key (certificate) you get it plus all the signatures

SKS supports up to 150k sigs - GnuPG is logarithmic in order of signatures

So can DoS local GnuPG once have downloaded someones key (cert)

Re Ubuntu:

We use GPG for signing the hashes of packages in the repo

This public key is distributed directly inside Ubuntu on install media

and in the archive and does not depend on the SKS keyserver network

Keys for PPAs are fetched from Launchpad, not SKS as well in general

So only exposure for Ubuntu users is if manually fetching keys from SKS

keyservers or if using Enigmail in ThunderBird or other software which

automatically fetches certs from SKS

Mitigation

if using Enigmail, disable auto-fetching / refreshing of public keys

if using GnuPG directly, don’t use SKS keyservers, instead use new

resistant keyserver

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

July 09, 2019

Episode 39

12 minutes

Overview

A look at security updates for Django, Thunderbird, ZNC, Irssi and more,

plus news on the CanonicalLtd GitHub account credentials compromise, SKS

PGP keyservers under attack and Ubuntu 18.10 Cosmic Cuttlefish reaches EOL.

This week in Ubuntu Security Updates

7 unique CVEs addressed

[USN-4043-1] Django vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-12781

CVE-2019-12308

If using django via a reverse proxy, which itself would connect to django

over HTTPS, if accessing HTTP resources they would not be redirected to

HTTPS even if configured to do so on the django server.

XSS via the ‘Current URL’ link as this was not validated as a safe URL

before display - so possible to inject javascript etc via a URL query

payload parameter etc - such that when the user clicks the link it would

be executed (RCE bug with user interaction)

[USN-4045-1] Thunderbird vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-11708

CVE-2019-11707

Latest upstream 60.7.2 release

Mentioned in the context of Firefox in Episode 37 and Episode 38 (sandbox

escape and RCE)

By default scripting is disabled in TB so not as high an impact

[USN-4044-1] ZNC vulnerability

1 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-12816

ZNC provides support for plugin modules

These can be loaded by autenticated, non-admin users

i - The name of this is checked in various places to ensure control

characters and other means of code execution are blocked, but not on

all code-paths using modules

Would allow to execute code as the ZNC server via an authenticated user

Fixed to validate module name on all code paths which use it

[USN-4038-3, USN-4038-4] bzip2 regression

Affecting Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco

Episode 38 mentioned bzip2 update - we also mentioned this breaks

decompression of some archives built by lbzip2 etc - this regression

fixes that by introducing a new patch proposed by upstream to accept as

many selectors as specified by to then discard them later

[USN-4046-1] Irssi vulnerabilities

2 CVEs addressed in Xenial, Bionic, Cosmic, Disco

CVE-2019-13045

CVE-2018-7054

2 different UAF’s due to mismanagement of data structures:

One on SASL code-paths - so only affected if using SASL

authentication - would reuse provided username and password

fields after they had been freed

Another in code to handle netsplits (used to handle when servers get

disconnected from the wider network)

This was due to an incomplete fix for previous CVE-2017-7191

Goings on in Ubuntu Security Community

Ubuntu 18.10 (Cosmic Cuttlefish) reaches End of Life on July 18 2019

Released October 18, 2018 - non-LTS so 9 months of support

Past 9 months - no new updates/ security fixes and hence no USNs

Upgrade to Disco (19.04)

https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/004996.html

CanonicalLtd GitHub organisation account compromise

A single account which was part of the CanonicalLtd GitHub organisation

was compromised 6th July

Used to create proof-of-concept repositories and issues to demonstrate

the hack was possible

Investigation is still on-going but at this stage it only appears to be

these actions, not malicious but attention seeking in nature

No code has been altered or PII accessed (nor is any PII stored there)

Account has been removed from the CanonicaLtd organisation, investigation

is still on-going, we will release more details as they become available

https://twitter.com/ubuntu_sec/status/1147675201632473088

SKS keyserver certificate spamming

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

WoT aspect of PGP allows users to sign one-anothers public keys

(certificates) and upload these signatures to the keyservers

SKS keyservers were designed to never delete anything and instead to append

So when downloading a key (certificate) you get it plus all the signatures

SKS supports up to 150k sigs - GnuPG is logarithmic in order of signatures

So can DoS local GnuPG once have downloaded someones key (cert)

Re Ubuntu:

We use GPG for signing the hashes of packages in the repo

This public key is distributed directly inside Ubuntu on install media

and in the archive and does not depend on the SKS keyserver network

Keys for PPAs are fetched from Launchpad, not SKS as well in general

So only exposure for Ubuntu users is if manually fetching keys from SKS

keyservers or if using Enigmail in ThunderBird or other software which

automatically fetches certs from SKS

Mitigation

if using Enigmail, disable auto-fetching / refreshing of public keys

if using GnuPG directly, don’t use SKS keyservers, instead use new

resistant keyserver

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 39

Sign up to save your podcasts

Episode 39

Episode 39