Ubuntu Security Podcast

Episode 62



Overview

This week Alex and Joe take an in-depth look at the recent Sudo
vulnerability CVE-2019-18634, plus we look at security updates for
OpenSMTPD, systemd, Mesa, Yubico PIV tool and more. We also look at a
recent job opening for a Robotics Security Engineer to join the Ubuntu
Security team.

This week in Ubuntu Security Updates

33 unique CVEs addressed

[USN-4263-2] Sudo vulnerability [00:41]
  • 1 CVE addressed in Precise ESM, Trusty ESM
    • CVE-2019-18634
  • See Episode 61 and discussion later in the episode

[USN-4268-1] OpenSMTPD vulnerability [01:02]
  • 1 CVE addressed in Bionic, Eoan
    • CVE-2020-7247
  • Logic bug caused existing sanity checks on the MAIL FROM field to be skipped under certain scenarios - so by failing to perform this validation, it could allow an attacker to input shell metacharacters to obtain command execution in smtpd (which runs as root) -> remote root command execution.
  • Fixed to always perform sanity checks on MAIL FROM
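The class of logic bug behind the OpenSMTPD fix above, shown as an added illustration (constructed example code, not OpenSMTPD's source): a strict sanity check on the MAIL FROM local part that is silently skipped on a fallback parsing path, next to the fail-closed version where every path runs the same check. The character allowlist, the fallback rule and the function names are assumptions made for the example.

```python
# Constructed illustration of fail-open vs. fail-closed input validation,
# modelled loosely on the MAIL FROM bug class described above. Not
# OpenSMTPD's code; allowlist and fallback behaviour are assumptions.
import re

# Conservative allowlist for the local part of an address: letters, digits
# and a few punctuation characters. Shell metacharacters such as ; | & $ `
# and whitespace are outside the allowlist and therefore rejected.
_LOCALPART_RE = re.compile(r"^[A-Za-z0-9._+=-]+$")


def valid_localpart(local: str) -> bool:
    """Sanity check for the part of MAIL FROM before the '@'."""
    return bool(_LOCALPART_RE.match(local))


def _split_address(addr: str):
    """Split 'user@domain' into (user, domain); domain may be empty."""
    local, _, domain = addr.partition("@")
    return local, domain


def parse_mail_from_buggy(addr: str):
    """Fail-open pattern: when the strict check fails, a fallback parser is
    tried and its result is accepted without re-running the sanity check.
    Returns (local, domain) or None."""
    local, domain = _split_address(addr)
    if valid_localpart(local):
        return local, domain
    # Fallback for bare local names: accepts whatever was given. This is the
    # logic bug: the validation above never runs on this path.
    if domain == "" and local:
        return local, "localhost"
    return None


def parse_mail_from_fixed(addr: str):
    """Fail-closed pattern: normalise first, then run the single sanity
    check on every path, so no input can bypass it."""
    local, domain = _split_address(addr)
    if domain == "" and local:
        domain = "localhost"
    if not valid_localpart(local):
        return None
    return local, domain
```

The useful detection habit here is reviewing every code path that produces an accepted value, not only the "happy" one, for whether the validation actually ran.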
[USN-4269-1] systemd vulnerabilities [02:06]
  • 5 CVEs addressed in Xenial, Bionic, Eoan
    • CVE-2020-1712
    • CVE-2019-3844
    • CVE-2019-3843
    • CVE-2019-20386
    • CVE-2018-16888
  • Heap UAF when handling asynchronous PolicyKit queries and D-Bus messages - could allow possible root privesc
  • Possible sandbox escape through the DynamicUser property on services via setuid binaries to gain new privileges or created setgid binaries
  • Also DynamicUser services can create setuid/setgid binaries which could then be used to escalate privileges afterwards
    • Both low priority since there are not many users of DynamicUser services, plus it requires cooperation between the service and a helper, so it can't be directly exploited
  • Memory leak in logind when executing the udevadm trigger command
  • Possible to get systemd to kill the wrong process if an attacker can write to its PIDFile, since the PID specified there is not validated

[USN-4267-1] ARM mbed TLS vulnerabilities [03:26]
  • 5 CVEs addressed in Xenial
    • CVE-2018-0498
    • CVE-2018-0497
    • CVE-2018-0488
    • CVE-2018-0487
    • CVE-2017-18187
  • Lightweight crypto / TLS library
  • Integer overflow -> heap overflow -> RCE / DoS
  • Read buffer overflow in handling of certificate chains -> DoS
  • 2 different cache side-channel attacks which could allow a remote attacker to recover partial plaintext for CBC modes

[USN-4270-1] Exiv2 vulnerability [04:22]
  • 1 CVE addressed in Xenial, Bionic, Eoan
    • CVE-2019-20421
  • Infinite loop in the JP2 image metadata parser -> CPU DoS

[USN-4271-1] Mesa vulnerability [04:38]
  • 1 CVE addressed in Bionic, Eoan
    • CVE-2019-5068
  • Created a shared memory segment with world readable and writable permissions - so any local user could interfere with or access shared memory buffers, which are often used for back buffers to improve performance - changed to open as only user readable / writable

[USN-4272-1] Pillow vulnerabilities [05:24]
  • 6 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan
    • CVE-2020-5313
    • CVE-2020-5311
    • CVE-2020-5310
    • CVE-2020-5312
    • CVE-2019-19911
    • CVE-2019-16865
  • Python Imaging Library
  • Various errors in handling image formats -> crash -> DoS, RCE etc.

[USN-4273-1] ReportLab vulnerability [05:48]
  • 1 CVE addressed in Xenial, Bionic, Eoan
    • CVE-2019-17626
  • Python library used for creating PDFs
  • RCE via a crafted XML document - would eval() an argument which comes from the document and so would execute arbitrary Python code from the document as a result

[USN-4250-2] MariaDB vulnerability [06:21]
  • 1 CVE addressed in Bionic, Eoan
    • CVE-2020-2574
  • See Episode 60 for MySQL - similar update for MariaDB - unfortunately no details from upstream

[USN-4275-1] Qt vulnerabilities [06:45]
  • 4 CVEs addressed in Xenial, Bionic, Eoan
    • CVE-2020-0570
    • CVE-2020-0569
    • CVE-2019-18281
    • CVE-2018-19872
  • 2 possible code execution bugs where Qt would search for plugins and libraries in incorrect locations, allowing a local attacker to get code execution
  • 2 different buffer overflow vulnerabilities, in handling PPM images and in text files with many Unicode directional characters

[USN-4274-1] libxml2 vulnerabilities [07:20]
  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
    • CVE-2020-7595
    • CVE-2019-19956
  • Infinite loop for crafted XML documents -> CPU DoS
  • Memory leak

[USN-4276-1] Yubico PIV Tool vulnerabilities [07:41]
  • 2 CVEs addressed in Bionic
    • CVE-2018-14780
    • CVE-2018-14779
  • Yubico PIV (personal identity verification) smart card driver - can be used with a YubiKey to do authentication
  • 2 different buffer overflows able to be triggered by a malicious USB device - could lead to possible code execution

[USN-4277-1] libexif vulnerabilities [08:14]
  • 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
    • CVE-2019-9278
    • CVE-2017-7544
    • CVE-2016-6328
  • Buffer overflow (crash or RCE) and 2 buffer over-reads (crash / info disclosure)
Goings on in Ubuntu Security Community

Alex and Joe discuss the recent sudo vulnerability (CVE-2019-18634) [08:46]
  • https://threatpost.com/docker-registries-malware-data-theft/152734/

Hiring [22:07]
  • Robotics Security Engineer
    • https://canonical.com/careers/1550997

Get in contact
  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @ubuntu_sec on twitter
  • ...more
Ubuntu Security Podcast, by Ubuntu Security Team