July 17, 2020

Episode 82

24 minutes

Overview

With Ubuntu 19.10 going EOL, we have a special interview by Joe with Chris

Coulson and Steve Beattie from the Ubuntu Security Team to talk TPMs and

Ubuntu Core 20, plus Alex looks at some of the 71 CVEs addressed by the

team and more.

This week in Ubuntu Security Updates

71 unique CVEs addressed

[USN-4407-1] LibVNCServer vulnerabilities [01:02]

5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2017-18922

CVE-2019-20788

CVE-2019-15690

CVE-2019-15681

CVE-2019-15680

Used by gnome-remote-desktop, virtualbox and others

Provides both a server and client libraries

So some issues affect clients when connecting to a malicious server,

others could be from a malicious client to the server

Issues when handling WebSocket frames, cursor shape updates,

ServerCutText messages and decompression of zlib compressed data - crash ->

DoS, info leak, RCE etc

[USN-4408-1] Firefox vulnerabilities [01:57]

11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-12421

CVE-2020-12426

CVE-2020-12425

CVE-2020-12424

CVE-2020-12422

CVE-2020-12420

CVE-2020-12419

CVE-2020-12418

CVE-2020-12417

CVE-2020-12416

CVE-2020-12415

78.0.1

Would reject certificate chains for addons which did not terminate in a

built-in root certificate - could cause some add-ons to become outdated

as it would reject updates for them

Usual web browser issues -> crafted website DoS, info leak, bypass

permission prompts or RCE

[USN-4409-1] Samba vulnerabilities [03:00]

3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-10760

CVE-2020-10745

CVE-2020-10730

2 separate issues when handling LDAP queries -> both UAF -> crash -> DoS

or RCE

CPU based DoS when processing NetBIOS over TCP/IP

[USN-4410-1] Net-SNMP vulnerability [03:44]

1 CVEs addressed in Focal (20.04 LTS)

CVE-2019-20892

Double free -> heap memory corruption -> crash / RCE

[USN-4411-1] Linux kernel vulnerabilities [04:02]

5 CVEs addressed in Focal (20.04 LTS)

CVE-2020-12768

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

CVE-2020-10732

5.4 kernel

Various low impact issues - info leak due to failure to initialise memory

when handling ELF code, SELinux network label handling NULL ptr deref,

SCSI driver OOB read, USB gadget OOB read via configfs etc

[USN-4412-1] Linux kernel vulnerabilities [04:57]

5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)

CVE-2020-12768

CVE-2020-10751

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

5.3 kernel (bionic HWE)

Most of above plus an SELinux failure to validate all parts of a

multi-part netlink message - could then possibly bypass SELinux access

controls - SELinux is not the default LSM in Ubuntu - AppArmor

[USN-4413-1] Linux kernel vulnerabilities [05:58]

5 CVEs addressed in Bionic (18.04 LTS)

CVE-2020-12768

CVE-2020-10751

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

5.0 kernel (gke/oem)

[USN-4414-1] Linux kernel vulnerabilities [06:10]

12 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2019-19039

CVE-2019-12380

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

CVE-2019-19462

CVE-2019-19377

CVE-2019-19816

CVE-2019-19813

CVE-2019-19318

CVE-2019-19036

CVE-2019-16089

4.15 kernel (bionic / xenial hwe)

Some of above, plus others and a kernel->user space relay bug where

local user could trigger a crash -> DoS via improper return values to the

kernel

[USN-4419-1] Linux kernel vulnerabilities [06:49]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2020-8992

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

CVE-2020-10690

4.4 kernel (xenial / trusty hwe)

ptp race condition during device allocation and removal due to a dangling

pointer to free’d memory

[USN-4415-1] coTURN vulnerabilities [07:33]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-6062

CVE-2020-6061

CVE-2020-4067

TURN / STUN server used to traverse VoIP media traffic over NAT with a

telnet / HTTPS management interface

Info leak due to failure to zero memory used for response buffers

Improper handling of HTTP POST requests to the web interface -> DoS /

info-leak etc

[USN-4416-1] GNU C Library vulnerabilities [08:04]

11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10)

CVE-2020-1752

CVE-2020-1751

CVE-2020-10029

CVE-2019-9169

CVE-2019-19126

CVE-2018-6485

CVE-2018-19591

CVE-2018-11237

CVE-2018-11236

CVE-2017-18269

CVE-2017-12133

Failure to handle regex/s, bit patters, path tilde expansion, hostname

lookups, memalign & AVX-512 optimised memcpy() etc -> memory corruption

-> crash / RCE

Possible ASLR bypass for setuid() programs since would not respect the

LD_PREFER_MAP_32BIT_EXEC environment variable after security transition

and so a local attcker could use this to restrict the range of memory

addresses used when loading libraries

[USN-4417-1, USN-4417-2] NSS vulnerability [09:38]

1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-12402

Possible RSA side-channel due to input-dependent code flow - would allow

possible RSA private key extraction via electromagnetic-based

side-channel measurements

[USN-4418-1] OpenEXR vulnerabilities [10:06]

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-15306

CVE-2020-15305

Heap buffer overflow and UAF

[USN-4420-1] Cinder and os-brick vulnerability [10:13]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-10755

Possible exposure of credentials when using the Dell EMC ScaleIO or

VxFlex OS backend storage drivers - credentials would be accessible via

the connection_info element in various API calls - instead credentials

get moved to a file on disk so may require some changes on various

deployed environments as a result

[USN-4421-1] Thunderbird vulnerabilities [10:52]

10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-12421

CVE-2020-12399

CVE-2020-12398

CVE-2020-12420

CVE-2020-12419

CVE-2020-12418

CVE-2020-12417

CVE-2020-12410

CVE-2020-12406

CVE-2020-12405

68.10.0

Most firefox issues mentioned earlier, plus a specific TB one where if an

attacker could potentially intercept and modify traffic across a STARTTLS

IMAP server by responding with a PREAUTH.

[USN-4376-2] OpenSSL vulnerabilities [11:33]

3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)

CVE-2019-1563

CVE-2019-1559

CVE-2019-1547

Episode 77

[USN-4422-1] WebKitGTK+ vulnerabilities [11:40]

8 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-9850

CVE-2020-9843

CVE-2020-9807

CVE-2020-9806

CVE-2020-9805

CVE-2020-9803

CVE-2020-9802

CVE-2020-13753

[USN-4423-1] Firefox vulnerability [11:52]

Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

78.0.2

Possible click-jacking attack via crafted X-Frame-Options bypass when

visiting a specially crafted website (no CVE..)

Goings on in Ubuntu Security Community

Joe talks TPMs and Ubuntu Core 20 with Chris Coulson and Steve Beattie [12:30]

https://forum.snapcraft.io/t/uc20-beta1-released/18631

Ubuntu 19.10 Eoan Ermine goes end-of-life [23:12]

https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-July/005494.html

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

July 17, 2020

Episode 82

24 minutes

Overview

With Ubuntu 19.10 going EOL, we have a special interview by Joe with Chris

Coulson and Steve Beattie from the Ubuntu Security Team to talk TPMs and

Ubuntu Core 20, plus Alex looks at some of the 71 CVEs addressed by the

team and more.

This week in Ubuntu Security Updates

71 unique CVEs addressed

[USN-4407-1] LibVNCServer vulnerabilities [01:02]

5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2017-18922

CVE-2019-20788

CVE-2019-15690

CVE-2019-15681

CVE-2019-15680

Used by gnome-remote-desktop, virtualbox and others

Provides both a server and client libraries

So some issues affect clients when connecting to a malicious server,

others could be from a malicious client to the server

Issues when handling WebSocket frames, cursor shape updates,

ServerCutText messages and decompression of zlib compressed data - crash ->

DoS, info leak, RCE etc

[USN-4408-1] Firefox vulnerabilities [01:57]

11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-12421

CVE-2020-12426

CVE-2020-12425

CVE-2020-12424

CVE-2020-12422

CVE-2020-12420

CVE-2020-12419

CVE-2020-12418

CVE-2020-12417

CVE-2020-12416

CVE-2020-12415

78.0.1

Would reject certificate chains for addons which did not terminate in a

built-in root certificate - could cause some add-ons to become outdated

as it would reject updates for them

Usual web browser issues -> crafted website DoS, info leak, bypass

permission prompts or RCE

[USN-4409-1] Samba vulnerabilities [03:00]

3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-10760

CVE-2020-10745

CVE-2020-10730

2 separate issues when handling LDAP queries -> both UAF -> crash -> DoS

or RCE

CPU based DoS when processing NetBIOS over TCP/IP

[USN-4410-1] Net-SNMP vulnerability [03:44]

1 CVEs addressed in Focal (20.04 LTS)

CVE-2019-20892

Double free -> heap memory corruption -> crash / RCE

[USN-4411-1] Linux kernel vulnerabilities [04:02]

5 CVEs addressed in Focal (20.04 LTS)

CVE-2020-12768

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

CVE-2020-10732

5.4 kernel

Various low impact issues - info leak due to failure to initialise memory

when handling ELF code, SELinux network label handling NULL ptr deref,

SCSI driver OOB read, USB gadget OOB read via configfs etc

[USN-4412-1] Linux kernel vulnerabilities [04:57]

5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)

CVE-2020-12768

CVE-2020-10751

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

5.3 kernel (bionic HWE)

Most of above plus an SELinux failure to validate all parts of a

multi-part netlink message - could then possibly bypass SELinux access

controls - SELinux is not the default LSM in Ubuntu - AppArmor

[USN-4413-1] Linux kernel vulnerabilities [05:58]

5 CVEs addressed in Bionic (18.04 LTS)

CVE-2020-12768

CVE-2020-10751

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

5.0 kernel (gke/oem)

[USN-4414-1] Linux kernel vulnerabilities [06:10]

12 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2019-19039

CVE-2019-12380

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

CVE-2019-19462

CVE-2019-19377

CVE-2019-19816

CVE-2019-19813

CVE-2019-19318

CVE-2019-19036

CVE-2019-16089

4.15 kernel (bionic / xenial hwe)

Some of above, plus others and a kernel->user space relay bug where

local user could trigger a crash -> DoS via improper return values to the

kernel

[USN-4419-1] Linux kernel vulnerabilities [06:49]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)

CVE-2020-8992

CVE-2020-13143

CVE-2020-12770

CVE-2020-10711

CVE-2020-10690

4.4 kernel (xenial / trusty hwe)

ptp race condition during device allocation and removal due to a dangling

pointer to free’d memory

[USN-4415-1] coTURN vulnerabilities [07:33]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-6062

CVE-2020-6061

CVE-2020-4067

TURN / STUN server used to traverse VoIP media traffic over NAT with a

telnet / HTTPS management interface

Info leak due to failure to zero memory used for response buffers

Improper handling of HTTP POST requests to the web interface -> DoS /

info-leak etc

[USN-4416-1] GNU C Library vulnerabilities [08:04]

11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10)

CVE-2020-1752

CVE-2020-1751

CVE-2020-10029

CVE-2019-9169

CVE-2019-19126

CVE-2018-6485

CVE-2018-19591

CVE-2018-11237

CVE-2018-11236

CVE-2017-18269

CVE-2017-12133

Failure to handle regex/s, bit patters, path tilde expansion, hostname

lookups, memalign & AVX-512 optimised memcpy() etc -> memory corruption

-> crash / RCE

Possible ASLR bypass for setuid() programs since would not respect the

LD_PREFER_MAP_32BIT_EXEC environment variable after security transition

and so a local attcker could use this to restrict the range of memory

addresses used when loading libraries

[USN-4417-1, USN-4417-2] NSS vulnerability [09:38]

1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-12402

Possible RSA side-channel due to input-dependent code flow - would allow

possible RSA private key extraction via electromagnetic-based

side-channel measurements

[USN-4418-1] OpenEXR vulnerabilities [10:06]

2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-15306

CVE-2020-15305

Heap buffer overflow and UAF

[USN-4420-1] Cinder and os-brick vulnerability [10:13]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)

CVE-2020-10755

Possible exposure of credentials when using the Dell EMC ScaleIO or

VxFlex OS backend storage drivers - credentials would be accessible via

the connection_info element in various API calls - instead credentials

get moved to a file on disk so may require some changes on various

deployed environments as a result

[USN-4421-1] Thunderbird vulnerabilities [10:52]

10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-12421

CVE-2020-12399

CVE-2020-12398

CVE-2020-12420

CVE-2020-12419

CVE-2020-12418

CVE-2020-12417

CVE-2020-12410

CVE-2020-12406

CVE-2020-12405

68.10.0

Most firefox issues mentioned earlier, plus a specific TB one where if an

attacker could potentially intercept and modify traffic across a STARTTLS

IMAP server by responding with a PREAUTH.

[USN-4376-2] OpenSSL vulnerabilities [11:33]

3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)

CVE-2019-1563

CVE-2019-1559

CVE-2019-1547

Episode 77

[USN-4422-1] WebKitGTK+ vulnerabilities [11:40]

8 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

CVE-2020-9850

CVE-2020-9843

CVE-2020-9807

CVE-2020-9806

CVE-2020-9805

CVE-2020-9803

CVE-2020-9802

CVE-2020-13753

[USN-4423-1] Firefox vulnerability [11:52]

Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)

78.0.2

Possible click-jacking attack via crafted X-Frame-Options bypass when

visiting a specially crafted website (no CVE..)

Goings on in Ubuntu Security Community

Joe talks TPMs and Ubuntu Core 20 with Chris Coulson and Steve Beattie [12:30]

https://forum.snapcraft.io/t/uc20-beta1-released/18631

Ubuntu 19.10 Eoan Ermine goes end-of-life [23:12]

https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-July/005494.html

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 82

Sign up to save your podcasts

Episode 82

Episode 82