Overview
Alex and Joe discuss the big news of this week - the release of Ubuntu
19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt,
This week in Ubuntu Security Updates
[USN-4156-2] SDL vulnerabilities [00:37]
11 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-7637 CVE-2019-7636 CVE-2019-7635 CVE-2019-7578 CVE-2019-7577 CVE-2019-7576 CVE-2019-7575 CVE-2019-7574 CVE-2019-7573 CVE-2019-7572 CVE-2019-13616
Covered in Episode 49 and Episode 48
[USN-4160-1] UW IMAP vulnerability [01:04]
1 CVE addressed in Xenial, Bionic, Disco
CVE-2018-19518
University of Washington IMAP toolkit (used by PHP for its IMAP implementation)
Used rsh to implement various operations - wouldn’t try to sanitize the provided hostname - so if an attacker could provide a hostname/mailbox to PHP’s IMAP without any validation they could execute arbitrary commands on the host
Fixed by turning off the rsh based functionality by default in PHP - if you still want this you can set imap.enable_insecure_rsh but this is not advised…
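One way to check for the opt-in described above, as an added example that is not part of the original show notes or of PHP's own tooling: a shell audit that reports ini files whose effective imap.enable_insecure_rsh value is on. The function names and the sample file are hypothetical, and each file is evaluated on its own.

```shell
#!/bin/sh
# Added example: find PHP ini files that re-enable the rsh code path in the
# IMAP extension through imap.enable_insecure_rsh.

# Print the effective value of the directive in one ini file, lower-cased and
# unquoted (the last assignment wins); print nothing if it is never set.
rsh_setting() {
    awk -F= '
        /^[ \t]*;/ { next }                 # whole-line comment
        NF < 2     { next }                 # section header or no assignment
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key != "imap.enable_insecure_rsh") next
            val = substr($0, index($0, "=") + 1)
            sub(/;.*$/, "", val)            # drop a trailing comment
            last = val
        }
        END { if (last != "") print last }
    ' "$1" | tr -d " \t\"'" | tr 'A-Z' 'a-z'
}

# Print every readable file that enables the directive; return 1 if any does.
audit_insecure_rsh() {
    status=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$(rsh_setting "$f")" in
            # common truthy spellings: on/true/yes or a non-zero number
            on|true|yes|[1-9]*) echo "ENABLED: $f"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '; imap.enable_insecure_rsh = 0' \
    '[imap]' \
    'imap.enable_insecure_rsh = "On" ; legacy mail host' > "$sample"
audit_insecure_rsh "$sample" || echo "review the files listed above"
rm -f "$sample"
```

On a real host, pass it the php.ini and conf.d files of every installed SAPI; a later file in PHP's load order can override an earlier one, which this per-file check does not model.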
[USN-4158-1] LibTIFF vulnerabilities [02:17]
2 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-17546 CVE-2019-14973
Integer overflow -> heap based buffer overflow -> crash, DoS or code execution
(Low) Integer overflow due to undefined behaviour in existing overflow checking code when multiplying various elements -> no known way to exploit
[USN-4155-2] Aspell vulnerability [03:13]
1 CVE addressed in Eoan
CVE-2019-17544
Episode 49 covered this for older releases - Eoan is now out so updated there too
[USN-4159-1] Exiv2 vulnerability [03:31]
1 CVE addressed in Xenial, Bionic, Disco, Eoan
CVE-2019-17402
OOB read -> crash, DoS
[USN-4164-1] Libxslt vulnerabilities [03:44]
3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
CVE-2019-18197 CVE-2019-13118 CVE-2019-13117
OSS-Fuzz found 3 issues
possible heap buffer overflow as a result of a dangling pointer - so same memory area could be reused for future memory operations -> fixed to reset the pointer when done
2 low priority issues - both stack memory info disclosures
[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]
9 CVEs addressed in Bionic (HWE) and Disco
CVE-2019-2181 CVE-2019-16714 CVE-2019-15902 CVE-2019-15505 CVE-2019-15504 CVE-2019-14821 CVE-2019-14816 CVE-2019-14815 CVE-2019-14814
Integer overflow -> buffer overflow -> root privesc in binder
Reintroduction of Spectre v1 vulnerability in ptrace subsystem - Brad Spengler - fixed properly in Linus’ tree but not when it got backported to the stable tree - two lines of code got reordered - so the load of a possible speculative value occurred _after_ it had been used - so the speculative load barrier had no effect - Ubuntu regularly backports fixes from the latest stable tree so we ended up affected as well
https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
Possible DoS (kernel crash) if users can write to /dev/kvm - by default on Ubuntu users don’t have this privilege so generally not affected
2 different heap based buffer overflows in Marvell Wifi driver -> occurred when setting parameters for the driver so could be triggered by a local user -> crash, DoS or possible code execution
[USN-4161-1] Linux kernel vulnerability [07:40]
1 CVE addressed in Eoan
CVE-2019-18198
Eoan kernel “0-day” - will discuss with Joe later
[USN-4162-1] Linux kernel vulnerabilities [07:58]
10 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
CVE-2019-15918 CVE-2019-15902 CVE-2019-15505 CVE-2019-15118 CVE-2019-15117 CVE-2019-14821 CVE-2019-14816 CVE-2019-14815 CVE-2019-14814 CVE-2018-21008
SMB based buffer overread if you try mounting a share with version specified as 3.0 but the share itself is version 2.10 -> parameter size mismatch -> read of too much memory -> info disclosure
UAF in RSI 91x Wi-Fi driver -> able to be triggered by a remote network peer -> crash, DoS or possible RCE
ptrace Spectre v1 reissue, KVM crash, Marvell Wifi driver issues from above
USB audio issues from Episode 48 (Disco kernel -> now fixed in Bionic kernel as well)
[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]
10 CVEs addressed in Xenial and Trusty ESM (HWE)
CVE-2019-15902 CVE-2019-15505 CVE-2019-15118 CVE-2019-15117 CVE-2019-14821 CVE-2019-14816 CVE-2019-14814 CVE-2018-21008 CVE-2017-18232 CVE-2016-10906
Spectre v1 reissue, USB Audio, KVM crash, Marvell and RSI 91x WiFi driver issues all covered earlier
Serial attached SCSI implementation mishandled error condition leading to deadlock -> local user could possibly trigger this leading to a DoS
[LSN-0058-1] Linux kernel vulnerability [10:09]
22 CVEs addressed in Bionic and Xenial + Xenial (HWE)
CVE-2019-14835 CVE-2019-14821 CVE-2019-14816 CVE-2019-14815 CVE-2019-14814 CVE-2019-14284 CVE-2019-14283 CVE-2019-12614 CVE-2019-11833 CVE-2019-11478 CVE-2019-11477 CVE-2019-10207 CVE-2019-10126 CVE-2019-3846 CVE-2019-2181 CVE-2019-2054 CVE-2019-0136 CVE-2018-21008 CVE-2018-20976 CVE-2018-20961 CVE-2018-20856 CVE-2016-10905
Almost all covered in previous episodes or previously in this episode
2 high priority issues
vhost_net issue from Episode 47
SACKPanic from Episode 37
Goings on in Ubuntu Security Community
Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]
https://twitter.com/sylvia_ritter
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-19.10-Kernel-Bug
Mitigate by installing the latest eoan kernel update or by disabling user namespaces:
sysctl user.max_user_namespaces=0
Get in contact
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter