Ubuntu Security Podcast

Episode 88



Overview

This week we talk antivirus scanners and false positives in the Ubuntu archive, plus we look at security updates for QEMU, Bind, Net-SNMP, sane-backends and more.

This week in Ubuntu Security Updates

56 unique CVEs addressed

[USN-4467-1] QEMU vulnerabilities [00:52]
  • 13 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-16092
    • CVE-2020-15863
    • CVE-2020-14415
    • CVE-2020-13800
    • CVE-2020-13765
    • CVE-2020-13754
    • CVE-2020-13659
    • CVE-2020-13362
    • CVE-2020-13361
    • CVE-2020-13253
    • CVE-2020-12829
    • CVE-2020-10761
    • CVE-2020-10756
    • OOB read in the SLiRP networking implementation when replying to an ICMP
      echo request -> malicious guest could leak host memory -> info leak
    • Network Block Device (NBD) server assertion failure able to be triggered
      by a remote NBD client -> DoS
    • Malicious guest could cause an OOB write / read in the SM501 graphics
      device emulation on the host -> crash / code exec
[USN-4466-2] curl vulnerability [01:58]
  • 1 CVE addressed in Trusty ESM (14.04 ESM)
    • CVE-2020-8231
    • Covered in Episode 87 - connect-only (CURLOPT_CONNECT_ONLY) option ->
      could connect to the wrong destination -> info leak
[USN-4468-1, USN-4468-2] Bind vulnerabilities [02:16]
  • 5 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-8624
    • CVE-2020-8623
    • CVE-2020-8622
    • CVE-2020-8621
    • CVE-2020-8620
    • Assertion failures when handling:
      • queries for zones signed with RSA signatures
      • a truncated response to a TSIG-signed request
      • queries when QNAME minimisation and 'forward first' are both enabled
      • a specially crafted large TCP payload on the most recent versions
        (Focal only)
[USN-4471-1] Net-SNMP vulnerabilities [03:10]
  • 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-15862
    • CVE-2020-15861
    • snmpd would cache MIBs in a directory on the host. An attacker with
      read-write access to the SNMP service could use the NET-SNMP-EXTEND-MIB
      extension to modify an existing MIB and add a command to be executed
      whenever that MIB attribute is read, and the modified MIB would then be
      cached for future runs. snmpd normally runs as a low-privileged user, so
      any command execution this gives is unprivileged, except at startup,
      when it runs as root while loading the cached MIBs: a cached MIB could
      carry commands that change the snmpd configuration so that it no longer
      drops privileges. Every subsequent run of snmpd then stays root, and so
      any command execution through the extension runs as root too. The fix is
      both to disable the EXTEND-MIB extension by default and to stop caching
      MIBs.
[USN-4469-1] Ghostscript vulnerabilities [04:47]
  • 25 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-17538
    • CVE-2020-16310
    • CVE-2020-16309
    • CVE-2020-16308
    • CVE-2020-16307
    • CVE-2020-16306
    • CVE-2020-16305
    • CVE-2020-16304
    • CVE-2020-16303
    • CVE-2020-16302
    • CVE-2020-16301
    • CVE-2020-16300
    • CVE-2020-16299
    • CVE-2020-16298
    • CVE-2020-16297
    • CVE-2020-16296
    • CVE-2020-16295
    • CVE-2020-16294
    • CVE-2020-16293
    • CVE-2020-16292
    • CVE-2020-16291
    • CVE-2020-16290
    • CVE-2020-16289
    • CVE-2020-16288
    • CVE-2020-16287
    • Fixes for various buffer overflows etc. found via fuzzing with
      AddressSanitizer enabled - crafted PDF files -> crash / RCE
[USN-4470-1] sane-backends vulnerabilities [05:17]
  • 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-12867
    • CVE-2020-12866
    • CVE-2020-12865
    • CVE-2020-12864
    • CVE-2020-12863
    • CVE-2020-12862
    • CVE-2020-12861
    • CVE-2017-6318
    • Heap buffer overflows when accessing network-attached scanners - could
      happen automatically when starting a scanning app, which then scans the
      local network for devices -> crash / code exec - found by the GitHub
      Security Lab
    • https://securitylab.github.com/research/last-orders-at-the-house-of-force
    • https://youtu.be/EGiQ-0pCcwc
[USN-4472-1] PostgreSQL vulnerabilities [06:25]
  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
    • CVE-2020-14350
    • CVE-2020-14349
    • Two search_path handling issues allowing a remote attacker to execute
      arbitrary SQL code: one when using logical replication and the other in
      the CREATE EXTENSION command.
Goings on in Ubuntu Security Community

Windows Defender and other AVs flagging jq as possibly malicious [06:54]
  • https://discourse.ubuntu.com/t/several-av-engines-are-hating-on-usr-bin-jq-from-jq-1-6-1-false-positive-imo/18030
  • https://bugs.launchpad.net/ubuntu/+source/jq/+bug/1892843
  • https://bugs.launchpad.net/ubuntu/+source/jq/+bug/1892552
  • Windows Defender flags it as Trojan:Linux/CoinMiner.N!MTB whilst Trend Micro
    flags it as Trojan.SH.HADGLIDER.TSE - false positives, possibly a hash
    collision?

    sudo apt install jq
    xdg-open "https://www.virustotal.com/gui/file/$(sha256sum /usr/bin/jq | cut -f1 -d' ')"
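Before attributing a detection to the archive's own jq build, it is worth ruling out a tampered local file. As an added example (my script, not from the podcast), the function below checks every file a package installed against dpkg's per-package md5sums manifest and then builds the VirusTotal URL for the file's SHA-256, the same lookup the command above opens. It assumes the standard dpkg layout /var/lib/dpkg/info/<pkg>.md5sums, where each line is "<md5>  <path relative to />".

```shell
#!/bin/sh
# Added example, not from the podcast. Assumes the standard dpkg layout:
# /var/lib/dpkg/info/<pkg>.md5sums holds "<md5>  <path relative to />" lines.

# verify_pkg_files MD5SUMS_FILE ROOT: print each listed file that differs from
# its recorded md5 or is missing under ROOT. Returns 1 if any did, 0 if all
# matched. With ROOT=/ this is the hash part of 'dpkg -V <pkg>' / 'debsums'.
verify_pkg_files() {
    md5sums="$1"; root="$2"; bad=0
    while read -r expected relpath || [ -n "$expected" ]; do
        [ -n "$expected" ] || continue            # skip blank lines
        actual=$(md5sum -- "$root/$relpath" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: /$relpath expected $expected got ${actual:-<missing>}"
            bad=1
        fi
    done < "$md5sums"
    return "$bad"
}

# vt_url FILE: the VirusTotal report URL keyed by FILE's SHA-256
vt_url() {
    printf 'https://www.virustotal.com/gui/file/%s\n' \
        "$(sha256sum -- "$1" | cut -d' ' -f1)"
}

# Usage on Ubuntu: only look up the hash once the package files are intact
#   verify_pkg_files /var/lib/dpkg/info/jq.md5sums / && vt_url /usr/bin/jq
```

A match only shows the file is what the package put there; it is not a defence against an attacker who already has root and can rewrite the manifest as well. If you want a check anchored in the signed archive rather than local state, download the .deb again with apt-get download jq and hash the binary out of it with dpkg-deb --fsys-tarfile, then compare that digest with the one VirusTotal flagged.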
Get in contact
  • #ubuntu-security on the Libera.Chat IRC network
  • ubuntu-hardened mailing list
  • Security section on discourse.ubuntu.com
  • @ubuntu_sec on twitter
  • ...more

Ubuntu Security Podcast, by the Ubuntu Security Team
