September 12, 2019

Episode 46

25 minutes

Overview

A massive 85 CVEs addressed this week, including updates for Exim, the

Linux Kernel, Samba, systemd and more, plus we discuss hacking BMCs via

remote USB devices and password stashes.

This week in Ubuntu Security Updates

85 unique CVEs addressed

[USN-4124-1] Exim vulnerability [00:49]

1 CVEs addressed in Xenial, Bionic, Disco

CVE-2019-15846

When doing TLS negotiation, parses the Server Name Indication

headers - would try and handle escape sequences in this string.

Does so by looking at the character after a backslash to determine

what escape sequence is (\b etc) and then returns that actual value

(in string_interpret_escape())

This gets called by the function string_unprinting() which is used to

translate escaped characters into their proper form in a new string -

and this will run over the bounds of the original string if it ends

with a backslash - since string_interpret_escape() would assume there

was contents afterwards to interpret

Qualsys were able to develop a PoC which leverages this OOB behaviour

into a remote root exploit (since this part of the code runs as root

and they were able to use a combination of heap corruption and OOB

writes to get code execution)

Fixed to first check if reached end of string (NUL) before trying to

handle the escaped character

Able to be mitigated by setting ACLs to deny connections which contain

a trailing backslash in the SNI field - see CVE-2019-15846 in the Ubuntu CVE Tracker

Lots of press coverage:

https://www.zdnet.com/article/millions-of-exim-servers-vulnerable-to-root-granting-exploit/

https://threatpost.com/critical-exim-flaw-opens-millions-of-servers-to-takeover/148108/

https://www.theregister.co.uk/2019/09/06/exim_vulnerability_patch/

https://www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/

[USN-4114-1] Linux kernel vulnerabilities [03:49]

5 CVEs addressed in Bionic (HWE), Disco

CVE-2019-3900

Infinite loop in virtio network driver - guest VM cause host DoS by stalling vhost_net kernel thread

CVE-2019-14284

Divide by zero in floppy driver ioctl() handler (created by default by qemu)

CVE-2019-14283

Integer overflow and OOB read in floppy driver

CVE-2019-13648

DoS for PowerPC if user calls sigreturn() with crafted signal stack

frame - exception and system crash (requires transactional memory to

be disabled)

CVE-2019-10638

Kernel tries to randomise IP ID values (used for de-fragmentation of

IP packets) for connection-less protocols to avoid tracking

Is meant to be random across source + dest address + protocol

But if an attacker can observe traffic to multiple hosts, can infer

the hashing key used to generate the ID values

And then can associate different streams of packets back to the same

source host and hence can track devices

Fixed to used an actual random value for the base of the hash and use

a better hashing algorithm (siphash) for ID generation

[USN-4115-1] Linux kernel vulnerabilities [06:42]

28 CVEs addressed in Xenial (HWE), Bionic

5 negligible (not enabled by default), 11 low (very unlikely to trigger -

module unload after proc initialization failure etc), 12 medium

CVE-2019-3819

CVE-2019-3701

CVE-2019-15221

CVE-2019-15218

CVE-2019-15216

CVE-2019-9506

Bluetooth KNOB attack

CVE-2019-3900

Infinite loop in virtio net driver (guest VM cause host DoS)

CVE-2019-15292

CVE-2019-15220

CVE-2019-15215

CVE-2019-15214

CVE-2019-15212

CVE-2019-15211

CVE-2019-15090

OOB read in debug functions of QLogic QEDI iSCSI Initiator Driver

(allows to read kernel memory - KASLR defeat?)

CVE-2019-14763

CVE-2019-14284

See above (Divide by zero in floppy driver)

CVE-2019-14283

See above (Integer overflow and OOB read in floppy driver)

CVE-2019-13648

See above (PowerPC DoS on sigreturn())

CVE-2019-13631

CVE-2019-11810

CVE-2019-11599

Core dump race (Episode 41)

CVE-2019-11487

CVE-2019-10639

Related to CVE-2019-10638 - since used base address of kernel

structure in memory as hash base, could allow attacker to infer this

address and so defeat KASLR

CVE-2019-10638

See above (IP ID randomisation)

CVE-2019-10207

NULL pointer address execution (call function pointer which is NULL

since is not initializated) - Ubuntu defaults to a non-zero

mmap_min_addr value which means can’t map a page at 0 address so this

is just a NULL pointer dereference in default config (otherwise is

arbitrary kernel code execution)

CVE-2019-0136

Intel Wifi Driver Tunneled Direct Link Setup (allows devices to

communicate directly with one-another on the same network without

going via AP) - flaw allows a peer to cause wifi disconnection (DoS)

CVE-2018-20784

Infinite loop in CFS schedular - DoS

CVE-2018-19985

[USN-4116-1] Linux kernel vulnerabilities [09:12]

6 CVEs addressed in Xenial

CVE-2019-3900

Infinite loop in virtio net driver (guest VM cause host DoS)

CVE-2019-14284

See above (Divide by zero in floppy driver)

CVE-2019-14283

See above (Integer overflow and OOB read in floppy driver)

CVE-2019-13648

See above (PowerPC DoS on sigreturn())

CVE-2019-10638

See above (IP ID randomisation)

CVE-2018-20856

UAF in block-layer under particular failure conditions

[USN-4117-1] Linux kernel (AWS) vulnerabilities [09:43]

9 CVEs addressed in Disco

CVE-2019-3900

Infinite loop in virtio net driver (guest VM cause host DoS)

CVE-2019-3846

Marvell Wifi OOB write (Episode 43)

CVE-2019-10126

Marvell Wifi OOB write (Episode 43)

CVE-2019-14284

See above (Divide by zero in floppy driver)

CVE-2019-14283

See above (Integer overflow and OOB read in floppy driver)

CVE-2019-13272

ptrace race (Episode 43)

CVE-2019-13233

UAF in handling of x86 LDT entries (Episode 43)

CVE-2019-12984

NULL ptr dereference in NFC subsystem (Episode 43)

CVE-2019-10638

See above (IP ID randomisation)

[USN-4118-1] Linux kernel (AWS) vulnerabilities [10:17]

61 CVEs addressed in Xenial, Bionic

CVE-2019-3819

CVE-2019-3701

CVE-2019-15221

CVE-2019-15218

CVE-2019-15216

CVE-2018-20511

CVE-2019-9506

CVE-2019-3900

CVE-2019-3846

CVE-2019-2101

CVE-2019-2024

CVE-2019-15292

CVE-2019-15220

CVE-2019-15215

CVE-2019-15214

CVE-2019-15212

CVE-2019-15211

CVE-2019-15090

CVE-2019-14763

CVE-2019-14284

CVE-2019-14283

CVE-2019-13631

CVE-2019-13272

CVE-2019-13233

CVE-2019-12984

CVE-2019-12819

CVE-2019-12818

CVE-2019-11884

CVE-2019-11833

CVE-2019-11815

CVE-2019-11810

CVE-2019-11599

CVE-2019-11487

CVE-2019-11085

CVE-2019-10639

CVE-2019-10638

CVE-2019-10207

CVE-2019-10126

CVE-2019-0136

CVE-2018-5383

CVE-2018-20856

CVE-2018-20784

CVE-2018-20169

CVE-2018-19985

CVE-2018-16862

CVE-2018-14617

CVE-2018-14613

CVE-2018-14612

CVE-2018-14611

CVE-2018-14610

CVE-2018-14609

CVE-2018-14616

CVE-2018-14615

CVE-2018-14614

CVE-2018-13100

CVE-2018-13099

CVE-2018-13098

CVE-2018-13097

CVE-2018-13096

CVE-2018-13093

CVE-2018-13053

[USN-3934-2] PolicyKit vulnerability [10:36]

1 CVEs addressed in Precise ESM

CVE-2019-6133

Episode 27 - PolicyKit could get confused via PID reuse - fix was 2

parts - 1 kernel to ensure can’t race kernel on PID assignment, and

second was in PolicyKit itself to check on PID, UID and start time.

[USN-4119-1] Irssi vulnerability [11:23]

1 CVEs addressed in Disco

CVE-2019-15717

UAF if server sends two CAP commands (used by client and server to negotiate

capabilities - ie sasl support etc)

[USN-4121-1] Samba vulnerability [11:52]

1 CVEs addressed in Disco

CVE-2019-10197

Possible directory share escape by unauthenticated users - allows

attackers to gain access to the host filesystem outside the share

root (limited as per underlying file-system permissions)

Needs the server to have explicitly enabled ‘wide links’ and not be

using ‘unix extensions’ OR to have also set ‘allow insecure wide

links’

[USN-4120-1] systemd vulnerability [12:40]

1 CVEs addressed in Bionic, Disco

CVE-2019-15718

systemd-resolved failed to properly setup access controls on its DBus

server socket, whic allows unprivileged users to execute DBus methods

that should only be executable by privileged users - such as changing

the systems DNS resolver settings

[USN-4122-1] Firefox vulnerabilities [13:10]

17 CVEs addressed in Xenial, Bionic, Disco

CVE-2019-11747

CVE-2019-11741

CVE-2019-9812

CVE-2019-11752

CVE-2019-11750

CVE-2019-11749

CVE-2019-11748

CVE-2019-11746

CVE-2019-11744

CVE-2019-11743

CVE-2019-11742

CVE-2019-11740

CVE-2019-11738

CVE-2019-11737

CVE-2019-11735

CVE-2019-11734

CVE-2019-5849

Upstream Firefox 69.0 release

https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

[USN-4123-1] npm/fstream vulnerability [13:29]

1 CVEs addressed in Bionic, Disco

CVE-2019-13173

Goings on in Ubuntu Security Community

Joe and Alex discuss hacking BMCs via a remote USN attack [13:53]

https://thehackernews.com/2019/09/hacking-bmc-server.html

Joe and Alex also discuss password stashes [20:33]

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

September 12, 2019

Episode 46

25 minutes

Overview

A massive 85 CVEs addressed this week, including updates for Exim, the

Linux Kernel, Samba, systemd and more, plus we discuss hacking BMCs via

remote USB devices and password stashes.

This week in Ubuntu Security Updates

85 unique CVEs addressed

[USN-4124-1] Exim vulnerability [00:49]

1 CVEs addressed in Xenial, Bionic, Disco

CVE-2019-15846

When doing TLS negotiation, parses the Server Name Indication

headers - would try and handle escape sequences in this string.

Does so by looking at the character after a backslash to determine

what escape sequence is (\b etc) and then returns that actual value

(in string_interpret_escape())

This gets called by the function string_unprinting() which is used to

translate escaped characters into their proper form in a new string -

and this will run over the bounds of the original string if it ends

with a backslash - since string_interpret_escape() would assume there

was contents afterwards to interpret

Qualsys were able to develop a PoC which leverages this OOB behaviour

into a remote root exploit (since this part of the code runs as root

and they were able to use a combination of heap corruption and OOB

writes to get code execution)

Fixed to first check if reached end of string (NUL) before trying to

handle the escaped character

Able to be mitigated by setting ACLs to deny connections which contain

a trailing backslash in the SNI field - see CVE-2019-15846 in the Ubuntu CVE Tracker

Lots of press coverage:

https://www.zdnet.com/article/millions-of-exim-servers-vulnerable-to-root-granting-exploit/

https://threatpost.com/critical-exim-flaw-opens-millions-of-servers-to-takeover/148108/

https://www.theregister.co.uk/2019/09/06/exim_vulnerability_patch/

https://www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/

[USN-4114-1] Linux kernel vulnerabilities [03:49]

5 CVEs addressed in Bionic (HWE), Disco

CVE-2019-3900

Infinite loop in virtio network driver - guest VM cause host DoS by stalling vhost_net kernel thread

CVE-2019-14284

Divide by zero in floppy driver ioctl() handler (created by default by qemu)

CVE-2019-14283

Integer overflow and OOB read in floppy driver

CVE-2019-13648

DoS for PowerPC if user calls sigreturn() with crafted signal stack

frame - exception and system crash (requires transactional memory to

be disabled)

CVE-2019-10638

Kernel tries to randomise IP ID values (used for de-fragmentation of

IP packets) for connection-less protocols to avoid tracking

Is meant to be random across source + dest address + protocol

But if an attacker can observe traffic to multiple hosts, can infer

the hashing key used to generate the ID values

And then can associate different streams of packets back to the same

source host and hence can track devices

Fixed to used an actual random value for the base of the hash and use

a better hashing algorithm (siphash) for ID generation

[USN-4115-1] Linux kernel vulnerabilities [06:42]

28 CVEs addressed in Xenial (HWE), Bionic

5 negligible (not enabled by default), 11 low (very unlikely to trigger -

module unload after proc initialization failure etc), 12 medium

CVE-2019-3819

CVE-2019-3701

CVE-2019-15221

CVE-2019-15218

CVE-2019-15216

CVE-2019-9506

Bluetooth KNOB attack

CVE-2019-3900

Infinite loop in virtio net driver (guest VM cause host DoS)

CVE-2019-15292

CVE-2019-15220

CVE-2019-15215

CVE-2019-15214

CVE-2019-15212

CVE-2019-15211

CVE-2019-15090

OOB read in debug functions of QLogic QEDI iSCSI Initiator Driver

(allows to read kernel memory - KASLR defeat?)

CVE-2019-14763

CVE-2019-14284

See above (Divide by zero in floppy driver)

CVE-2019-14283

See above (Integer overflow and OOB read in floppy driver)

CVE-2019-13648

See above (PowerPC DoS on sigreturn())

CVE-2019-13631

CVE-2019-11810

CVE-2019-11599

Core dump race (Episode 41)

CVE-2019-11487

CVE-2019-10639

Related to CVE-2019-10638 - since used base address of kernel

structure in memory as hash base, could allow attacker to infer this

address and so defeat KASLR

CVE-2019-10638

See above (IP ID randomisation)

CVE-2019-10207

NULL pointer address execution (call function pointer which is NULL

since is not initializated) - Ubuntu defaults to a non-zero

mmap_min_addr value which means can’t map a page at 0 address so this

is just a NULL pointer dereference in default config (otherwise is

arbitrary kernel code execution)

CVE-2019-0136

Intel Wifi Driver Tunneled Direct Link Setup (allows devices to

communicate directly with one-another on the same network without

going via AP) - flaw allows a peer to cause wifi disconnection (DoS)

CVE-2018-20784

Infinite loop in CFS schedular - DoS

CVE-2018-19985

[USN-4116-1] Linux kernel vulnerabilities [09:12]

6 CVEs addressed in Xenial

CVE-2019-3900

Infinite loop in virtio net driver (guest VM cause host DoS)

CVE-2019-14284

See above (Divide by zero in floppy driver)

CVE-2019-14283

See above (Integer overflow and OOB read in floppy driver)

CVE-2019-13648

See above (PowerPC DoS on sigreturn())

CVE-2019-10638

See above (IP ID randomisation)

CVE-2018-20856

UAF in block-layer under particular failure conditions

[USN-4117-1] Linux kernel (AWS) vulnerabilities [09:43]

9 CVEs addressed in Disco

CVE-2019-3900

Infinite loop in virtio net driver (guest VM cause host DoS)

CVE-2019-3846

Marvell Wifi OOB write (Episode 43)

CVE-2019-10126

Marvell Wifi OOB write (Episode 43)

CVE-2019-14284

See above (Divide by zero in floppy driver)

CVE-2019-14283

See above (Integer overflow and OOB read in floppy driver)

CVE-2019-13272

ptrace race (Episode 43)

CVE-2019-13233

UAF in handling of x86 LDT entries (Episode 43)

CVE-2019-12984

NULL ptr dereference in NFC subsystem (Episode 43)

CVE-2019-10638

See above (IP ID randomisation)

[USN-4118-1] Linux kernel (AWS) vulnerabilities [10:17]

61 CVEs addressed in Xenial, Bionic

CVE-2019-3819

CVE-2019-3701

CVE-2019-15221

CVE-2019-15218

CVE-2019-15216

CVE-2018-20511

CVE-2019-9506

CVE-2019-3900

CVE-2019-3846

CVE-2019-2101

CVE-2019-2024

CVE-2019-15292

CVE-2019-15220

CVE-2019-15215

CVE-2019-15214

CVE-2019-15212

CVE-2019-15211

CVE-2019-15090

CVE-2019-14763

CVE-2019-14284

CVE-2019-14283

CVE-2019-13631

CVE-2019-13272

CVE-2019-13233

CVE-2019-12984

CVE-2019-12819

CVE-2019-12818

CVE-2019-11884

CVE-2019-11833

CVE-2019-11815

CVE-2019-11810

CVE-2019-11599

CVE-2019-11487

CVE-2019-11085

CVE-2019-10639

CVE-2019-10638

CVE-2019-10207

CVE-2019-10126

CVE-2019-0136

CVE-2018-5383

CVE-2018-20856

CVE-2018-20784

CVE-2018-20169

CVE-2018-19985

CVE-2018-16862

CVE-2018-14617

CVE-2018-14613

CVE-2018-14612

CVE-2018-14611

CVE-2018-14610

CVE-2018-14609

CVE-2018-14616

CVE-2018-14615

CVE-2018-14614

CVE-2018-13100

CVE-2018-13099

CVE-2018-13098

CVE-2018-13097

CVE-2018-13096

CVE-2018-13093

CVE-2018-13053

[USN-3934-2] PolicyKit vulnerability [10:36]

1 CVEs addressed in Precise ESM

CVE-2019-6133

Episode 27 - PolicyKit could get confused via PID reuse - fix was 2

parts - 1 kernel to ensure can’t race kernel on PID assignment, and

second was in PolicyKit itself to check on PID, UID and start time.

[USN-4119-1] Irssi vulnerability [11:23]

1 CVEs addressed in Disco

CVE-2019-15717

UAF if server sends two CAP commands (used by client and server to negotiate

capabilities - ie sasl support etc)

[USN-4121-1] Samba vulnerability [11:52]

1 CVEs addressed in Disco

CVE-2019-10197

Possible directory share escape by unauthenticated users - allows

attackers to gain access to the host filesystem outside the share

root (limited as per underlying file-system permissions)

Needs the server to have explicitly enabled ‘wide links’ and not be

using ‘unix extensions’ OR to have also set ‘allow insecure wide

links’

[USN-4120-1] systemd vulnerability [12:40]

1 CVEs addressed in Bionic, Disco

CVE-2019-15718

systemd-resolved failed to properly setup access controls on its DBus

server socket, whic allows unprivileged users to execute DBus methods

that should only be executable by privileged users - such as changing

the systems DNS resolver settings

[USN-4122-1] Firefox vulnerabilities [13:10]

17 CVEs addressed in Xenial, Bionic, Disco

CVE-2019-11747

CVE-2019-11741

CVE-2019-9812

CVE-2019-11752

CVE-2019-11750

CVE-2019-11749

CVE-2019-11748

CVE-2019-11746

CVE-2019-11744

CVE-2019-11743

CVE-2019-11742

CVE-2019-11740

CVE-2019-11738

CVE-2019-11737

CVE-2019-11735

CVE-2019-11734

CVE-2019-5849

Upstream Firefox 69.0 release

https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

[USN-4123-1] npm/fstream vulnerability [13:29]

1 CVEs addressed in Bionic, Disco

CVE-2019-13173

Goings on in Ubuntu Security Community

Joe and Alex discuss hacking BMCs via a remote USN attack [13:53]

https://thehackernews.com/2019/09/hacking-bmc-server.html

Joe and Alex also discuss password stashes [20:33]

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

@ubuntu_sec on twitter

...more

Share Episode 46

Sign up to save your podcasts

Episode 46

Episode 46