Ubuntu Security Podcast

Episode 85


Overview

Dr. Levi Perigo is our special guest this week to discuss SDN and NFV with
Joe, plus Alex does the weekly roundup of security updates, including
Ghostscript, Squid, Apport, Whoopsie, libvirt and more.

This week in Ubuntu Security Updates

37 unique CVEs addressed

[USN-4444-1] WebKitGTK vulnerabilities [00:48]
  • 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-9925
    • CVE-2020-9915
    • CVE-2020-9895
    • CVE-2020-9894
    • CVE-2020-9893
    • CVE-2020-9862
    • Various issues in the web / JS engines - a remote attacker with a
      malicious website could cause XSS, DoS, RCE etc
[USN-4445-1] Ghostscript vulnerability [01:22]
  • 1 CVE addressed in Focal (20.04 LTS)
    • CVE-2020-15900
    • Integer overflow via the `rsearch` PostScript operator - could allow a
      crafted PS file to override Ghostscript's file access controls and hence
      get code execution as the user viewing / processing the file - only the
      most recent Ghostscript versions are affected (hence Focal only)
[USN-4446-1] Squid vulnerabilities [02:24]
  • 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
    • CVE-2019-18676
    • CVE-2019-12524
    • CVE-2019-12523
    • CVE-2019-12520
    • From Jeriko One & Kristoffer Danielsson - incorrect cache handling ->
      cache injection attacks; incorrect URN / URL handling -> bypass of
      access / rule checks; input validation failure -> crash, DoS
[USN-4298-2] SQLite vulnerabilities [03:07]
  • 6 CVEs addressed in Trusty ESM (14.04 ESM)
    • CVE-2019-19926
    • CVE-2019-13751
    • CVE-2019-13753
    • CVE-2019-13752
    • CVE-2019-13750
    • CVE-2019-13734
    • Previously discussed in Episode 66
[USN-4447-1] libssh vulnerability [03:27]
  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-16135
    • Under low memory conditions, could fail to allocate a buffer, resulting
      in a NULL pointer dereference and hence a crash
[USN-4448-1] Tomcat vulnerabilities [04:01]
  • 3 CVEs addressed in Xenial (16.04 LTS)
    • CVE-2020-9484
    • CVE-2020-1935
    • CVE-2020-13935
    • Infinite loop if sent a WebSocket frame with an invalid payload length ->
      DoS if then sent multiple such requests
[USN-4449-1] Apport vulnerabilities [04:23]
  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-15702
    • CVE-2020-15701
    • CVE-2020-11936
    • 2 from Ryota Shiga:
      • Failed to drop privileges correctly when invoking gdbus to determine if
        the user is closing their session -> gdbus would be invoked with root
        group privileges but using the environment of the user - they could
        override the DBUS_SESSION_BUS_ADDRESS environment variable, causing
        gdbus to connect to a spoofed dbus server and in the process read a
        16-byte nonce from a file of their choosing - allows reading arbitrary
        files that are exactly 16 bytes long
      • TOCTOU issue when handling a crash dump - if the process PID gets
        recycled, apport could include the wrong process's details in a crash
        dump that is then readable by other users - fixed to check that the
        process start time is before the time apport itself was invoked
    • 1 from Seong-Joong Kim:
      • Unhandled exception when parsing the user's preferences configuration
        file -> crash, DoS
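The start-time check behind the Apport TOCTOU fix, as an added example (not Apport's own code). On Linux a process's start time is field 22 of /proc/<pid>/stat, in clock ticks since boot, so turning it into wall-clock time needs the boot time (the `btime` line of /proc/stat) and the tick rate (`CLK_TCK`). The function names, the sample stat line and the sample boot time below are constructed for this example.

```python
"""Start-time check against PID recycling (added example, not Apport's code)."""
import os
import time


def starttime_ticks(stat_line):
    """Return field 22 (starttime) of a /proc/<pid>/stat line.

    Field 2 (comm) is wrapped in parentheses and may contain spaces and even
    ')' itself, so split once on the LAST ')' instead of on whitespace.
    """
    after_comm = stat_line.rsplit(")", 1)[1].split()
    # after_comm[0] is field 3 (state), so field 22 is index 19
    return int(after_comm[19])


def start_epoch(stat_line, btime, clk_tck):
    """Wall-clock time (epoch seconds) at which the process started."""
    return btime + starttime_ticks(stat_line) / clk_tck


def pid_is_stale(stat_line, btime, clk_tck, invoked_at):
    """True if the PID now belongs to a process started at or after invoked_at.

    A process that crashed before the handler ran must have started before the
    handler was invoked. Start times are tick-granular, so a tie is ambiguous;
    treating it as stale is the safe direction for a crash reporter (refuse,
    rather than leak another process's details into a readable report).
    """
    return start_epoch(stat_line, btime, clk_tck) >= invoked_at


def read_btime(proc_stat_text):
    """Extract boot time (epoch seconds) from the text of /proc/stat."""
    for line in proc_stat_text.splitlines():
        if line.startswith("btime "):
            return int(line.split()[1])
    raise ValueError("no btime line in /proc/stat")


def check_live(pid, invoked_at):
    """Run the check against a real PID; Linux only, needs /proc."""
    with open(f"/proc/{pid}/stat") as f:
        stat_line = f.read()
    with open("/proc/stat") as f:
        btime = read_btime(f.read())
    return pid_is_stale(stat_line, btime, os.sysconf("SC_CLK_TCK"), invoked_at)


# Constructed sample: PID 4242, comm "(weird) name" (spaces and parens on
# purpose), started 123400 ticks after boot. Remaining fields are filler.
SAMPLE_STAT = (
    "4242 ((weird) name) S 1 4242 4242 0 -1 4194560 100 0 0 0 5 3 0 0 20 0 1 0 "
    "123400 12345678 500 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0"
)
SAMPLE_BTIME = 1_600_000_000   # boot at a fixed epoch second (constructed)
SAMPLE_CLK_TCK = 100           # typical Linux CLK_TCK


def demo():
    """Judge the same sample PID from two different handler invocation times."""
    started = start_epoch(SAMPLE_STAT, SAMPLE_BTIME, SAMPLE_CLK_TCK)
    recycled = pid_is_stale(SAMPLE_STAT, SAMPLE_BTIME, SAMPLE_CLK_TCK,
                            invoked_at=started - 234)   # handler ran first
    genuine = pid_is_stale(SAMPLE_STAT, SAMPLE_BTIME, SAMPLE_CLK_TCK,
                           invoked_at=started + 766)    # process ran first
    return started, recycled, genuine


if __name__ == "__main__":
    print(demo())   # (1600001234.0, True, False)
    if os.path.exists("/proc/stat"):
        # Our own PID obviously started before "now", so this prints False.
        print(check_live(os.getpid(), time.time()))
```

The comm-field handling matters in practice: a process can name itself `) S 1 2 3` and a whitespace split would pick the wrong column, so any tool that reads /proc/<pid>/stat for a security decision should split on the last `)` as above.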
[USN-4450-1] Whoopsie vulnerabilities [07:24]
  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-15570
    • CVE-2020-12135
    • CVE-2020-11937
    • All 3 from Seong-Joong Kim:
      • Crash when trying to process a crafted crash file (tries to allocate
        too large an amount of memory and crashes) -> DoS
      • Integer overflow in the vendored bson library when parsing a crafted
        crash dump -> heap overflow -> crash, RCE
      • Memory leak when parsing crash dumps -> a crafted report with many
        repeated key / value pairs -> OOM, crash -> DoS
[USN-4451-1] ppp vulnerability [09:18]
  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-15704
    • Ubuntu specific patch - pppd is setuid root and would helpfully
      modprobe the ppp_generic module when needed - but would not clear the
      MODPROBE_OPTIONS environment variable and so this could be used to either
      load other modules or read other files as root etc - fixed by removing
      this functionality since it has not been needed for a long time as
      ppp_generic has been built into the kernel since 2012 (ie there is no
      ppp_generic module to even load via modprobe)
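The Apport gdbus issue (CVE-2020-11936) and this pppd issue have the same shape: a privileged process runs a helper (gdbus, modprobe) with the environment it inherited from an unprivileged user, and the helper obeys a variable in it (DBUS_SESSION_BUS_ADDRESS, MODPROBE_OPTIONS) that points it at attacker-controlled input. The example below is added here and is neither Apport's nor pppd's code; it shows the allowlist approach of building the child's environment from scratch rather than stripping known-bad names. ALLOWED_VARS, FIXED_PATH, KNOWN_DANGEROUS and the EVIL_ENV sample (including its nonce file path) are constructed for this example.

```python
"""Allowlisted environment for a privileged helper (added example)."""
import os
import subprocess

# Only these inherited names are forwarded; everything else is dropped.
ALLOWED_VARS = {"LANG", "LC_ALL", "TZ"}
# PATH is never inherited: a fixed, root-owned search path instead.
FIXED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Names that redirected the helpers discussed above, plus the dynamic-loader
# variables every setuid program has to worry about. The allowlist drops them
# regardless; listing them lets an audit log say *why* an inherited env was risky.
KNOWN_DANGEROUS = {
    "MODPROBE_OPTIONS",          # extra arguments for modprobe (ppp issue)
    "DBUS_SESSION_BUS_ADDRESS",  # where gdbus connects (Apport issue)
    "LD_PRELOAD", "LD_LIBRARY_PATH", "PATH",
}


def dangerous_vars_present(env):
    """Sorted list of KNOWN_DANGEROUS names that are set in env."""
    return sorted(name for name in env if name in KNOWN_DANGEROUS)


def clean_env(env):
    """Build a fresh environment for the privileged child.

    Only allowlisted names are copied, values carrying a newline are dropped
    (a classic way to smuggle extra settings past a helper's parser), and PATH
    is forced to FIXED_PATH.
    """
    out = {}
    for name in sorted(ALLOWED_VARS):
        value = env.get(name)
        if value is not None and "\n" not in value:
            out[name] = value
    out["PATH"] = FIXED_PATH
    return out


def run_helper(argv, env=None, runner=subprocess.run):
    """Run argv with a sanitised environment.

    runner is injectable (default subprocess.run) so the behaviour can be
    exercised without executing anything. A setuid binary that execs instead
    of forking passes the same clean_env(...) dict to os.execve().
    """
    if env is None:
        env = dict(os.environ)
    return runner(argv, env=clean_env(env))


# Constructed attacker environment, as a local user could export before
# invoking a setuid helper. The nonce file path is hypothetical.
EVIL_ENV = {
    "PATH": "/tmp/evil:/usr/bin",
    "MODPROBE_OPTIONS": "-C /tmp/evil.conf",
    "DBUS_SESSION_BUS_ADDRESS": "nonce-tcp:host=127.0.0.1,port=1,noncefile=/root/secret16",
    "LANG": "C.UTF-8",
}


def demo():
    """Show what the allowlist strips from EVIL_ENV."""
    return dangerous_vars_present(EVIL_ENV), clean_env(EVIL_ENV)


if __name__ == "__main__":
    risky, safe = demo()
    print("inherited env carried:", risky)
    print("child gets:", safe)
```

A denylist would have caught MODPROBE_OPTIONS and DBUS_SESSION_BUS_ADDRESS only after each was discovered; the allowlist makes the next such variable a non-issue, which is also why pppd's fix of removing the modprobe call entirely is the stronger option when the functionality is not needed.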
[USN-4452-1] libvirt vulnerability [10:31]
  • 1 CVE addressed in Focal (20.04 LTS)
    • CVE-2020-15708
    • The libvirt package sets up the libvirt socket via systemd - the systemd
      unit specified SocketMode=0666 so it was world writable :( - fixed to
      ensure the systemd unit specifies this as only owner / group writable and
      ensures the owner is root and the group is libvirt
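The weak and the corrected socket settings described above, side by side, as an added illustration rather than the Focal package's actual unit file (the socket path is assumed; check the installed libvirtd.socket for the real one):

```ini
# Weak: world-writable management socket, so any local user can talk to
# libvirtd (reconstructed from the description above, not the shipped file)
[Socket]
ListenStream=/run/libvirt/libvirt-sock
SocketMode=0666

# Corrected: owner root, group libvirt, no access for others; membership of
# the libvirt group becomes the only route for an unprivileged user
[Socket]
ListenStream=/run/libvirt/libvirt-sock
SocketMode=0660
SocketUser=root
SocketGroup=libvirt
```

After editing a unit, `systemctl daemon-reload` followed by `systemctl restart libvirtd.socket` applies the change, and `stat -c '%a %U %G' /run/libvirt/libvirt-sock` is the quick check that the live socket really is `660 root libvirt`; a socket created by the daemon itself rather than by systemd would not be governed by these directives at all.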
[USN-4432-2] GRUB2 regression [11:10]
  • 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-15707
    • CVE-2020-15705
    • CVE-2020-14308
    • CVE-2020-14311
    • CVE-2020-14310
    • CVE-2020-14309
    • CVE-2020-15706
    • CVE-2020-10713
    • Legacy BIOS systems - the grub core (in the MBR) and modules (in the
      filesystem) could get out of sync if grub was not being installed onto
      the correct disk (this was the case for some users with manually
      configured RAID setups / particular cloud images etc) - fixed to just not
      do the grub install on update, ensuring they don't get out of sync
      (since the security impact of these vulnerabilities is a UEFI Secure
      Boot bypass, there is no need for the update on BIOS boot systems)
[USN-4441-2] MySQL regression [12:58]
  • Affecting Focal (20.04 LTS)
  • Compiler options were changed upstream and this could affect other
    libraries / apps which link against libmysqlclient - reverted this change
    since it is not security relevant anyway
Goings on in Ubuntu Security Community

Joe talks SDN & NFV with Dr. Levi Perigo of the University of Colorado [13:28]
  • https://www.colorado.edu/cs/levi-perigo
  • https://www.raveninnovation.com/our-team

Get in contact
  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @ubuntu_sec on twitter
  • ...more
Ubuntu Security Podcast, by the Ubuntu Security Team