November 06, 2020

Episode 95

10 minutes

Overview

This week we look at vulnerabilities in Samba, GDM, AccountsService, GOsa

and more, plus we cover some AppArmor related Ubuntu Security community

updates as well.

This week in Ubuntu Security Updates

26 unique CVEs addressed

[USN-4552-3] Pam-python regression [00:40]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2019-16729

Original update (Episode 92 - bionic), (Episode 94 - xenial) caused was

too restrictive and would disallow PAM modules written in python from

importing python modules from site-specific directories

[USN-4609-1] GOsa vulnerabilities [01:18]

3 CVEs addressed in Xenial (16.04 LTS)

CVE-2018-1000528

CVE-2019-11187

CVE-2019-14466

PHP based LDAP user admin frontend

XSS attacks via the change password form

Could login to any account with a username containing “success” with any

arbitrary password

Cookie mishandling allowed an authenticated user to delete files on the

web server in the context of the user account running the web server

[USN-4610-1] fastd vulnerability [02:11]

1 CVEs addressed in Focal (20.04 LTS)

CVE-2020-27638

Fast & secure tunnelling daemon

Failed to free rx buffers in certain circumstances - memory leak -> DoS

[USN-4611-1] Samba vulnerabilities [02:29]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14383

CVE-2020-14323

CVE-2020-14318

2 different DoS issues - remote attacker could cause DNS server to crash

by supplying invalid DNS records, or could cause winbind to crash via

crafted winbind requests

Failed to check permissions on ChangeNotify - so an attacker could

subscribe to get notifications on files they did not have permission to

read - and so leaks file info

[USN-4605-2] Blueman update [03:22]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15238

Episode 94 - this includes additional fix so that on focal and groovy

policykit is used to authenticate privileged actions

[USN-4614-1] GDM vulnerability [03:55]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-16125

Kevin Backhouse - discovered 3 vulnerabilities - one in GDM, 2 in

AccountsService

GDM incorrectly launched the initial setup tool if it could not reach the

accountsservice daemon

If could cause accountsservice to be unresponsive, could get GDM to

luanch initial setup tool which then allows a local user to create a

privileged users account

But requires accountsservice to be unresponsive…

[USN-4616-1] AccountsService vulnerabilities [05:00]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2018-14036

CVE-2020-16127

CVE-2020-16126

Drops privileges for certain operations but does so where a local

unprivileged user can send it SIGSTOP signal - is now unresponsive - so

could allow the GDM attack above - or could cause it to crash (send

SIGSEGV etc)

Also would exhaust all memory when reading .pam_environment if it was

really large (ie symlink to /dev/zero) - again could cause it to hang /

crash -> DoS

[USN-4613-1] python-cryptography vulnerability [06:34]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-25659

Bleichenbacher timing oracle attack (form of an adaptive

chosen-ciphertext attack) against RSA decryption could allow a remote

attacker to infer the private key

https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25

[USN-4615-1] Yerase’s TNEF vulnerabilities [07:23]

12 CVEs addressed in Xenial (16.04 LTS)

CVE-2017-6802

CVE-2017-6801

CVE-2017-6800

CVE-2017-6306

CVE-2017-6305

CVE-2017-6304

CVE-2017-6303

CVE-2017-6302

CVE-2017-6301

CVE-2017-6300

CVE-2017-6299

CVE-2017-6298

libtynef - TNEF stream reader library (proprietary format used by MS

Outlook / Exchange Server for email attachments)

Lots of issues - NULL ptr deref, infinite loop, buffer overflows, OOB

reads, directory traversal issues and more :) -> crash / DoS / RCE

Goings on in Ubuntu Security Community

AppArmor 3.0.1 being prepared [08:22]

Includes fixes for various application profiles as well as a fix to stop

aa-notify from exiting after 100s of no activity

Securing Linux Machines with AppArmor Webinar [08:57]

https://www.brighttalk.com/webcast/6793/440491

Currently scheduled for Mon 16th Nov at 16:00 UTC

Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper

Will cover:

Why a ‘defence in depth’ strategy should be employed to mitigate the

potential damage caused by a breach

An explanation of AppArmor, its key features and why the principle of

least privilege is recommended

The use of AppArmor in Ubuntu and snaps

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

View all episodes

By Ubuntu Security Team

4.8

1010 ratings

November 06, 2020

Episode 95

10 minutes

Overview

This week we look at vulnerabilities in Samba, GDM, AccountsService, GOsa

and more, plus we cover some AppArmor related Ubuntu Security community

updates as well.

This week in Ubuntu Security Updates

26 unique CVEs addressed

[USN-4552-3] Pam-python regression [00:40]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)

CVE-2019-16729

Original update (Episode 92 - bionic), (Episode 94 - xenial) caused was

too restrictive and would disallow PAM modules written in python from

importing python modules from site-specific directories

[USN-4609-1] GOsa vulnerabilities [01:18]

3 CVEs addressed in Xenial (16.04 LTS)

CVE-2018-1000528

CVE-2019-11187

CVE-2019-14466

PHP based LDAP user admin frontend

XSS attacks via the change password form

Could login to any account with a username containing “success” with any

arbitrary password

Cookie mishandling allowed an authenticated user to delete files on the

web server in the context of the user account running the web server

[USN-4610-1] fastd vulnerability [02:11]

1 CVEs addressed in Focal (20.04 LTS)

CVE-2020-27638

Fast & secure tunnelling daemon

Failed to free rx buffers in certain circumstances - memory leak -> DoS

[USN-4611-1] Samba vulnerabilities [02:29]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-14383

CVE-2020-14323

CVE-2020-14318

2 different DoS issues - remote attacker could cause DNS server to crash

by supplying invalid DNS records, or could cause winbind to crash via

crafted winbind requests

Failed to check permissions on ChangeNotify - so an attacker could

subscribe to get notifications on files they did not have permission to

read - and so leaks file info

[USN-4605-2] Blueman update [03:22]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)

CVE-2020-15238

Episode 94 - this includes additional fix so that on focal and groovy

policykit is used to authenticate privileged actions

[USN-4614-1] GDM vulnerability [03:55]

1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-16125

Kevin Backhouse - discovered 3 vulnerabilities - one in GDM, 2 in

AccountsService

GDM incorrectly launched the initial setup tool if it could not reach the

accountsservice daemon

If could cause accountsservice to be unresponsive, could get GDM to

luanch initial setup tool which then allows a local user to create a

privileged users account

But requires accountsservice to be unresponsive…

[USN-4616-1] AccountsService vulnerabilities [05:00]

3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2018-14036

CVE-2020-16127

CVE-2020-16126

Drops privileges for certain operations but does so where a local

unprivileged user can send it SIGSTOP signal - is now unresponsive - so

could allow the GDM attack above - or could cause it to crash (send

SIGSEGV etc)

Also would exhaust all memory when reading .pam_environment if it was

really large (ie symlink to /dev/zero) - again could cause it to hang /

crash -> DoS

[USN-4613-1] python-cryptography vulnerability [06:34]

1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)

CVE-2020-25659

Bleichenbacher timing oracle attack (form of an adaptive

chosen-ciphertext attack) against RSA decryption could allow a remote

attacker to infer the private key

https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25

[USN-4615-1] Yerase’s TNEF vulnerabilities [07:23]

12 CVEs addressed in Xenial (16.04 LTS)

CVE-2017-6802

CVE-2017-6801

CVE-2017-6800

CVE-2017-6306

CVE-2017-6305

CVE-2017-6304

CVE-2017-6303

CVE-2017-6302

CVE-2017-6301

CVE-2017-6300

CVE-2017-6299

CVE-2017-6298

libtynef - TNEF stream reader library (proprietary format used by MS

Outlook / Exchange Server for email attachments)

Lots of issues - NULL ptr deref, infinite loop, buffer overflows, OOB

reads, directory traversal issues and more :) -> crash / DoS / RCE

Goings on in Ubuntu Security Community

AppArmor 3.0.1 being prepared [08:22]

Includes fixes for various application profiles as well as a fix to stop

aa-notify from exiting after 100s of no activity

Securing Linux Machines with AppArmor Webinar [08:57]

https://www.brighttalk.com/webcast/6793/440491

Currently scheduled for Mon 16th Nov at 16:00 UTC

Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper

Will cover:

Why a ‘defence in depth’ strategy should be employed to mitigate the

potential damage caused by a breach

An explanation of AppArmor, its key features and why the principle of

least privilege is recommended

The use of AppArmor in Ubuntu and snaps

Get in contact

[email protected]

#ubuntu-security on the Libera.Chat IRC network

ubuntu-hardened mailing list

Security section on discourse.ubuntu.com

@ubuntu_sec on twitter

...more

Share Episode 95

Sign up to save your podcasts

Episode 95

Episode 95