Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

February 12, 2021Episode 103
Overview
This week we take a deep dive look at 2 recent vulnerabilities in the
popular application containerisation frameworks, snapd and flatpak, plus we
cover security updates for MiniDLNA, PHP-PEAR, the Linux kernel and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4720-2] Apport vulnerabilities [00:53]
3 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2021-25684
CVE-2021-25683
CVE-2021-25682
Episode 102
[USN-4721-1] Flatpak vulnerability [01:06]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-21261
Flatpak sandbox escape - Flatpak isolates applications inside their own
mount / user / etc namespaces - allows sandboxed applications to
communicate with the host via various portals - ie. open a file via a
file chooser portal (aka powerbox)
Portal D-Bus service provides the ability to launch other subprocesses in
a new sandbox instance, following a NNP model (ie same or less privileges
as caller) (eg. used by sandboxed webbrowers to process untrusted content
inside less privileged subprocesses)
Would previous allow a confined process to specify various environment
variables which would then get passed to the `flatpak run` command to
launch the new subprocess in its own sandbox - so fix is to sanitize
environment variables
[USN-4722-1] ReadyMedia (MiniDLNA) vulnerabilities [01:11]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28926
CVE-2020-12695
Possible RCE via malicious UPnP requests - could send with chunked
encoding, this would exploit a signdness bug leading to a heap buffer
overflow
Episode 91 - “CallStranger” - UPnP spec didn’t forbid subscription
requests with a URL on a different network segment - could allow an
attacker to cause a miniDLNA server to DoS a different endpoint
[USN-4723-1] PEAR vulnerability [02:30]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-36193
Improper handling of symlinks in archives could result in arbitrary file
overwrite via directory traversal - since PHP PEAR runs installer as
root, could then overwrite arbitrary files as root and priv esc / code
execution etc
[USN-4724-1] OpenLDAP vulnerabilities [03:14]
10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-36230
CVE-2020-36229
CVE-2020-36228
CVE-2020-36227
CVE-2020-36223
CVE-2020-36226
CVE-2020-36225
CVE-2020-36224
CVE-2020-36222
CVE-2020-36221
Various issues
[USN-4725-1] QEMU vulnerabilities [03:20]
6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-20181
CVE-2020-29443
CVE-2020-28916
CVE-2020-27821
CVE-2020-15859
CVE-2020-11947
Usual sorts of issues in device emulation etc resulting in info
disclosure from host to guest or a crash of qemu host process etc
[USN-4717-2] Firefox regression [03:55]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Upstream Firefox regression - 85.0.1
[USN-4726-1] OpenJDK vulnerability [04:04]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Not much info from upstream on this one - “incorrectly handled direct
buffering of characters” -> DoS or other unspecified impact
[USN-4713-2] Linux kernel vulnerability [04:22]
1 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS)
CVE-2020-28374
Episode 102 - LIO SCSI XCOPY issue
[USN-4727-1] Linux kernel vulnerability [04:36]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-26708
AF_VSOCK race conditions - local user could get code execution as root via memory corruption
[USN-4728-1] snapd vulnerability [05:11]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-27352
Gilad Reti & Nimrod Stoler from CyberArk
Thanks to Ian Johnson from snapd team for working on the fix
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
14min
February 05, 2021Episode 102
Overview
This week we discuss the recent high profile vulnerability found in
libcrypt 1.9.0, plus we look at updates for the Linux kernel, XStream,
Django, Apport and more.
This week in Ubuntu Security Updates
66 unique CVEs addressed
[USN-4705-2] Sudo vulnerability [00:48]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2021-3156
Episode 101
[USN-4708-1] Linux kernel vulnerabilities
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-27777
CVE-2020-25669
CVE-2019-19816
CVE-2019-19813
CVE-2018-13093
[USN-4709-1] Linux kernel vulnerabilities
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-25669
CVE-2019-19816
CVE-2019-19813
CVE-2018-13093
CVE-2020-28374
[USN-4710-1] Linux kernel vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-25704
[USN-4711-1] Linux kernel vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-25704
CVE-2020-28374
[USN-4712-1] Linux kernel regression
Affecting Focal (20.04 LTS), Groovy (20.10)
[USN-4713-1] Linux kernel vulnerability [01:31]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28374
XCOPY requests in the LIO SCSI target would not properly check
permissions of the requester and so could allow an attacker to access
backing stores to which they did not have permission. If using iSCSI,
this could then be exploited over the network to access other LUNs
etc. Also affected tcmu-runner which is the userspace daemon for handling
requests in userspace and can be used for HA setups etc.
[USN-4707-1] TCMU vulnerability [02:23]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3139
Separate CVE was assigned but is the same issue as for the kernel above
[LSN-0074-1] Linux kernel vulnerability [02:40]
4 CVEs addressed
CVE-2020-28374
CVE-2020-25645
CVE-2020-12352
CVE-2020-0427
[USN-4706-1] Ceph vulnerabilities [02:55]
4 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25660
CVE-2018-1128
CVE-2020-10753
CVE-2020-10736
[USN-4714-1] XStream vulnerabilities [03:02]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-26259
CVE-2020-26258
CVE-2020-26217
Java library to serialise objects to/from XML
Possible RCE by manipulating the processed input stream to inject shell
commands
Similarly could obtain arbitrary file deletion (depending on the rights
of the process which is using XStream)
[USN-4715-1, USN-4715-2] Django vulnerability [03:58]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3281
Directory traversal via archives with absolute paths of relative paths
with dot components - this is used with startapp or startproject via the
–template argument so can be exploited if using an attacker controlled
archive to bootstrap a new django app etc
[USN-4716-1] MySQL vulnerabilities [05:00]
25 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-2122
CVE-2021-2088
CVE-2021-2087
CVE-2021-2081
CVE-2021-2076
CVE-2021-2072
CVE-2021-2070
CVE-2021-2065
CVE-2021-2061
CVE-2021-2060
CVE-2021-2058
CVE-2021-2056
CVE-2021-2048
CVE-2021-2046
CVE-2021-2038
CVE-2021-2036
CVE-2021-2032
CVE-2021-2031
CVE-2021-2024
CVE-2021-2022
CVE-2021-2021
CVE-2021-2014
CVE-2021-2011
CVE-2021-2010
CVE-2021-2002
Latest upstream version: 8.0.23 for 20.10/20.04 LTS and 5.7.33 for 16.04
LTS/18.04 LTS
[USN-4717-1] Firefox vulnerabilities [05:32]
11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-23965
CVE-2021-23964
CVE-2021-23963
CVE-2021-23962
CVE-2021-23961
CVE-2021-23960
CVE-2021-23958
CVE-2021-23956
CVE-2021-23955
CVE-2021-23954
CVE-2021-23953
Latest upstream version: 85.0
[USN-4467-2] QEMU vulnerabilities [05:52]
6 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-14364
CVE-2020-13754
CVE-2020-13659
CVE-2020-13362
CVE-2020-13361
CVE-2020-13253
Episode 88 - subset of these applied for the older release of QEMU in
14.04 ESM, now fixed there
[USN-4718-1] fastd vulnerability [06:12]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Groovy (20.10)
CVE-2020-27638
DoS in popular VPN daemon for embedded systems etc
[USN-4719-1] ca-certificates update [06:28]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Updated to the latest 2.46 version of the Mozilla certificate authority
bundle
[USN-4720-1] Apport vulnerabilities [06:46]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-25684
CVE-2021-25683
CVE-2021-25682
3 vulns all discovered by Itai Greenhut and reported to us via Launchpad
When a process crashes, Apport reads various files under /proc to obtain
info about the crashed process to prepare a crash report
If an attacker could control the values in the files they could then
cause Apport to misbehave and fail to drop privileges or possibly get
code execution - in this case, they found that Apport failed to properly
handle malformed contents in these files - fixed to parse them more
strictly
Goings on in Ubuntu Security Community
libgcrypt 1.9.0 0-day [08:32]
https://bugs.chromium.org/p/project-zero/issues/detail?id=2145
Discovered by Tavis Ormandy from GPZ - heap buffer overflow, allows to
overwrite a structure on the heap which contains the buffer, followed by
a function pointer - so can relatively easily get code execution by
overwriting the function pointer to an attacker controlled function
(which could be in the initial buffer itself)
Ubuntu not affected since this only exists in 1.9.0 which was released on
19th January this year and even current devel release of Ubuntu 21.04
only contains 1.8.7
So is an interesting thought experiment - if you run the most latest
release of anything, you get both the newest patches automatically BUT
you also get the 0-days since any unknown, unpatched vulns introduced in
new code will be present. However, if you run older releases, they won’t
have this newer code so won’t have 0-days but may have N-days if you
aren’t patching. Worst case is to run old software and never update it
since it has vulns that are unpatched and which have more time to have
been discovered and more time for exploits to have been developed
against it. Whereas if you run the latest code, there is less chance an
exploit exists for any new vulns / 0-days it may contain but it clearly
could have 0-days… Also if you are constantly upgrading to the latest
version that is a lot of churn and introduces the chance for feature
regressions and other breakage etc. So the best option then is to run a
known stable version and apply patches on top just for security
vulnerabilities - this is exactly the approach we take for Ubuntu :)
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
January 28, 2021Episode 101
Overview
In the first episode for 2021 we bring back Joe McManus to discuss the
SolarWinds hack plus we look at vulnerabilities in sudo, NVIDIA graphics
drivers and mutt. We also cover some open positions in the team and say
farewell to long-time Ubuntu Security superstar Jamie Strandboge.
This week in Ubuntu Security Updates
22 unique CVEs addressed
[USN-4689-3] NVIDIA graphics drivers vulnerabilities [01:09]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-1056
CVE-2021-1053
CVE-2021-1052
3 different vulns in binary nvidia graphics drivers which could allow
unprivileged users to DoS / info leak or possible priv esc
[USN-4689-4] Linux kernel update [01:42]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-1056
CVE-2021-1053
CVE-2021-1052
Corresponding kernel updates for nvidia dkms driver update
[USN-4697-2] Pillow vulnerabilities [02:00]
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-10177
CVE-2020-35653
[USN-4702-1] Pound vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-21245
CVE-2016-10711
[USN-4703-1] Mutt vulnerability [02:18]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-3181
Memory allocation amplification attack -> a “small” sized email can cause
mutt to allocate a very large amount of memory when processing the email
and cause it to crash as a result of exhausting available memory
If had empty semicolons in an address field, mutt would allocate 40 bytes
for each - so for a 1 byte ; mutt allocates 40 bytes - and so a 25MB
email can cause mutt to allocate 1GB
[USN-4704-1] libsndfile vulnerabilities [03:52]
12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2019-3832
CVE-2018-19758
CVE-2018-19662
CVE-2018-19661
CVE-2018-19432
CVE-2018-13139
CVE-2017-6892
CVE-2017-16942
CVE-2017-14634
CVE-2017-14246
CVE-2017-14245
CVE-2017-12562
[USN-4705-1] Sudo vulnerabilities [04:06]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2021-23239
CVE-2021-3156
https://www.openwall.com/lists/oss-security/2021/01/26/3
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
Qualys discovered a heap based buffer overflow in command-line argument
parsing in sudo that has existed since July 2011
sudo is setuid root so anyone who executes it is then running a process
as root - so if a user can exploit a vuln in sudo to get code execution,
can get code execution as root as so escalate privileges to root
Requires to execute sudo as `sudoedit -s` since this then ensures the right
mode is automatically set so that the vulnerability is active
Developed 3 different exploits for this vulnerability against various
Linux distros (Ubuntu 20.04, Debian 10, Fedora 33 etc)
ASLR helps to make this harder to exploit since it randomises the
location of the environment variables in memory etc but assuming an
unprivileged user can run the exploit multiple times they can eventually
exploit it
Goings on in Ubuntu Security Community
Alex discusses the SolarWinds hack with special guest Joe McManus [07:03]
Joe is now CISO at Drizly
https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
https://srslyriskybiz.substack.com/p/newsletter38
Private home directories for Ubuntu 21.04
Episode 98
Hiring
Engineering Director - Ubuntu Security
https://canonical.com/careers/2439068
Engineering Manager - Ubuntu Security
https://canonical.com/careers/2439058
AppArmor Security Engineer
https://canonical.com/careers/2114847
Ubuntu Security Engineer
https://canonical.com/careers/2085468
Farewells
Jamie Strandboge (jdstrand)
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
28min
December 11, 2020Episode 100
Overview
For the last episode of 2020, we look back at the most “popular”
packages on this podcast for this year as well as the biggest
vulnerabilities from 2020, plus a BootHole presentation at Ubuntu Masters
as well as vulnerability fixes from the past week too.
This week in Ubuntu Security Updates
21 unique CVEs addressed
[USN-4660-1] Linux kernel vulnerabilities [01:04]
10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-4788
CVE-2020-28915
CVE-2020-25645
CVE-2020-25643
CVE-2020-25641
CVE-2020-25285
CVE-2020-25284
CVE-2020-25211
CVE-2020-14390
CVE-2020-14351
Episode 99
[USN-4661-1] Snapcraft vulnerability [01:36]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-27348
itszn reported via Launchpad - LD_LIBRARY_PATH as generated by snapcraft
would contain an empty element - so cwd would be included - if an
attacker can drop a malicious library that will be loaded by a snap
(eg. libc.so) into your home dir (and since home plug is used by almost
all snaps - and is autoconnected on non-Ubuntu Core systems) would allow
the attacker to get code-execution in the context of any snap
Fixed in snapcraft - as part of the snap USN notification service -
notified all affected snap publishers just need to rebuild their snaps
and users will get protected via snap refresh
[USN-4656-2] X.Org X Server vulnerabilities [04:20]
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-25712
CVE-2020-14360
Episode 99
[USN-4662-1] OpenSSL vulnerability [04:34]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-1971
NULL pointer dereference when comparing two GENERAL_NAMEs with an
EDIPARTYNAME - so if an attacker can cause this they can cause a crash ->
DoS in any application which uses openssl for TLS handling etc - this can
be done if an attacker can get a client to check a malicious cert against
a malicious CRL - and since some apps auto-download CRLs based on URLs
presented in the cert itself this is not an unreasonable scenario - hence
high priority as the attack complexity is not high in this case
[USN-4663-1] GDK-PixBuf vulnerability [05:53]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-29385
infinite loop when handling crafted LZW compression code in gifs -> DoS
[USN-4664-1] Aptdaemon vulnerabilities [06:31]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-27349
CVE-2020-16128
Kevin Backhouse from Github reported via Launchpad
aptdaemon provides dbus API for installing packages - provides an
InstallFile method to install a local .deb - and uses policykit to ensure
that unprivileged users cannot use this to install packages - however,
that check only occurs after the deb has been parsed - so if there were
vulns in the parsing (which is provided by apt itself) - since aptd runs
as root could use these to get RCE - fixed by moving auth checks to occur
before parsing anything
[USN-4665-1] curl vulnerabilities [08:32]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-8286
CVE-2020-8285
CVE-2020-8284
CVE-2020-8231
Various issues:
memory leak in handling of FTP wildcard matchings -> DoS
failure to properly validate OCSP responses
incorrect handling of CONNECT_ONLY option -> could end up connecting to
wrong host -> info leak
incorrect handling of FTP PASV responses - server can respond with
alternate IP address + port to connect to -> could then trick clients
into doing port-scanning on their behalf or other info gathering etc
Goings on in Ubuntu Security Community
Look back over 2020 of the Ubuntu Security Podcast
Top 20 most featured packages [10:09]
81 Linux kernel
16 Firefox
7 PHP
6 Thunderbird
6 Samba
6 NSS
6 Django
5 WebKitGTK+
5 Tomcat
5 Squid
5 QEMU
5 OpenLDAP
5 MySQL
5 ClamAV
4 X.Org X Server
4 SQLite
4 Python
4 ppp
4 OpenSSL
4 OpenJDK
Most high profile vulnerabilities [12:53]
PLATYPUS attack against Intel CPUs (Episode 96)
BleedingTooth attack against bluez (Episode 93)
FreeType being exploited in the wild (Episode 93)
BootHole attack against GRUB2 (Episode 84)
Ubuntu Masters 4 - Together We Sink or Swim: Plugging the BootHole [14:12]
https://www.brighttalk.com/webcast/6793/453235
Chris Coulson + Daniel Kiper (Oracle, upstream grub maintainer) + Jesse
Michael (Eclypsium, discovered original BootHole vuln)
Earlier today / yesterday
Hiring [15:58]
AppArmor Security Engineer
https://canonical.com/careers/2114847
Engineering Director - Ubuntu Security
https://canonical.com/careers/2439068
Engineering Manager - Ubuntu Security
https://canonical.com/careers/2439058
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
18min
December 04, 2020Episode 99
Overview
This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU,
containerd, Linux kernel & more, plus we discuss the 2020 State of the
Octoverse Security Report from Github, Launchpad GPG keyserver migration, a
new AppArmor release & some open positions on the team.
This week in Ubuntu Security Updates
68 unique CVEs addressed
[USN-4645-1] Mutt vulnerability [00:59]
1 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28896
When connecting to an IMAP server, if the first reponse from the server
was invalid, would fail to properly terminate the connection and could
continue trying to authenticate and hence send credentials in the clear.
[USN-4646-1] poppler vulnerabilities [01:44]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-27778
CVE-2019-9959
CVE-2019-13283
CVE-2019-10871
CVE-2018-21009
Various memory corruption issues, all DoS-able, some RCE?
[USN-4646-2] poppler regression
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-10871
Some applications linked against poppler would fail - backed out this
fix for future
[USN-4647-1] Thunderbird vulnerabilities [02:25]
13 CVEs addressed in Groovy (20.10)
CVE-2020-26968
CVE-2020-26965
CVE-2020-26961
CVE-2020-26960
CVE-2020-26959
CVE-2020-26958
CVE-2020-26956
CVE-2020-26953
CVE-2020-26951
CVE-2020-26950
CVE-2020-16012
CVE-2020-15969
CVE-2020-15683
78.5.0
Usual web rendering type vulns - denial of service, obtain sensitive
information across origins, bypass security restrictions, conduct
phishing attacks, conduct cross-site scripting (XSS) attacks, bypass
Content Security Policy (CSP) restrictions, conduct DNS rebinding
attacks, or execute arbitrary code.
[USN-4648-1] WebKitGTK vulnerabilities [03:21]
5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-9983
CVE-2020-9952
CVE-2020-9951
CVE-2020-9948
CVE-2020-13753
dejavu with thunderbird above - latest upstream version (2.30.3) and same sorts of
vulns - including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
[USN-4649-1] xdg-utils vulnerability [03:54]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-27748
Could cause files to be attached by not sanitizing mailto:?attach= -
particularly relevant to TB - so if a user is not paying attention, could
attach say a sensitive local file to the outgoing email
[USN-4382-2] FreeRDP vulnerabilities [05:09]
13 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-13398
CVE-2020-13397
CVE-2020-13396
CVE-2020-11526
CVE-2020-11525
CVE-2020-11523
CVE-2020-11522
CVE-2020-11521
CVE-2020-11058
CVE-2020-11048
CVE-2020-11046
CVE-2020-11045
CVE-2020-11042
Episode 78 - covered this for xenial, now for bionic
[USN-4650-1] QEMU vulnerabilities [05:29]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-27617
CVE-2020-27616
CVE-2020-25723
CVE-2020-25625
CVE-2020-25624
CVE-2020-25085
CVE-2020-25084
CVE-2020-17380
Possible host RCE from guest via incorrect handling of SDHCI device
emulation but mitigated when using libvirt by AppArmor profile
Various issues with USB and other device emulation, crash -> DoS
[USN-4651-1] MySQL vulnerabilities [06:14]
Affecting Focal (20.04 LTS)
Tom Reynolds (tomreyn in #ubuntu-hardened) reported issue with MySQL on
20.04 had the new MySQLX plugin enabled and listenting on all network
interfaces by default -> violates no open ports principle - this update
insteads changes the configuration to bind it to localhost only - if you
were using it you may now need to change your local configuration to
purposefully change this so it is remotely accessible
[USN-4653-1] containerd vulnerability [07:27]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-15257
containerd-shim API exposed from abstract unix socket to host network
containers (in same network namespace) - would validate the effective UID
of a connecting process as 0 but did not apply other access controls - so
a malicious container in same network namespace with effective UID 0 but
otherwise reduced privileges could spawn new processes via
containerd-shim with full root privileges
upstream advise against running containers in the hosts network namespace
docker.io stops on upgrade of containerd
https://discourse.ubuntu.com/t/usn-4653-1-containerd-vulnerability/19607
manual restart
server team working on a fix for this
[USN-4652-1] SniffIt vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2014-5439
[USN-4654-1] PEAR vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28949
CVE-2020-28948
[USN-4655-1] Werkzeug vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-28724
CVE-2019-14806
[USN-4656-1] X.Org X Server vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25712
CVE-2020-14360
[USN-4657-1] Linux kernel vulnerabilities [09:11]
12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-4788
CVE-2020-28915
CVE-2020-25705
CVE-2020-25645
CVE-2020-25643
CVE-2020-25284
CVE-2020-25211
CVE-2020-14390
CVE-2020-14351
CVE-2020-12352
CVE-2020-10135
CVE-2020-0427
Most interesting is Power 9 processers could end up exposing information
via L1 cache -> spectre-like attack could allow this to be read - fix is
similar to spectre etc - flush L1 cache when transitioning between
privilege boundaries
Thanks to Daniel Axtens from IBM for doing a lot of the heavy lifting,
working with the kernel team to provide backports etc
[USN-4658-1] Linux kernel vulnerabilities
11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-4788
CVE-2020-28915
CVE-2020-25705
CVE-2020-25645
CVE-2020-25643
CVE-2020-25284
CVE-2020-25211
CVE-2020-14390
CVE-2020-14351
CVE-2020-10135
CVE-2020-0423
[USN-4659-1] Linux kernel vulnerabilities
7 CVEs addressed in Groovy (20.10)
CVE-2020-4788
CVE-2020-28915
CVE-2020-27152
CVE-2020-25705
CVE-2020-14351
CVE-2020-10135
CVE-2020-0423
Goings on in Ubuntu Security Community
GitHub state of open source security report 2020 [10:43]
https://octoverse.github.com/static/2020-security-report.pdf
Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET),
PyPI and RubyGems
Found 94% of projects on GitHub relied on open source components - JS
packages have a median of nearly 700 transitive dependencies - cf Python
with 19
17% of advisories sampled related to explicitly malicious behaviour
(almost all in npm packages) - but most are just mistakes
Vulns go undetected for just over 4 years (218 weeks) before disclosure,
fixes though then come quick in ~4.4 weeks and then 10 weeks to alert
users of the fix
A line of code written today is just as likely to contain a vulnerability
today as 4 years ago - so we are not getting more secure over time
Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03]
https://ubuntu.com/blog/migrating-the-launchpad-keyservers-from-sks-to-hockeypuck
AppArmor 3.0.1 Released [16:27]
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1
cap checkpoint_restore for 5.9 kernels onwards plus bug fixes etc
Hiring [16:52]
AppArmor Security Engineer
https://canonical.com/careers/2114847
Engineering Director - Ubuntu Security
https://canonical.com/careers/2439068
Engineering Manager - Ubuntu Security
https://canonical.com/careers/2439058
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
19min
November 27, 2020Episode 98
Overview
This week we look at updates for c-ares, PulseAudio, phpMyAdmin and more,
plus we cover security news from the Ubuntu community including planning
for 16.04 LTS to transition to ESM, libgcrypt FIPS cerified for 18.04 LTS
and a proposal for making home directories more secure for upcoming Ubuntu
releases as well.
This week in Ubuntu Security Updates
48 unique CVEs addressed
[USN-4638-1] c-ares vulnerability [01:00]
1 CVEs addressed in Groovy (20.10)
CVE-2020-8277
C library for performing async DNS requests and name resolution - a fork
of the ares library with additional support for IPv6, and 64-bit/cross
platform support
In particular is used by Node.js for DNS support - reported as a DoS via
a remote attacker who could cause a Node.js application to perform a DNS
request to a chosen host where a large number of DNS records - internally
is a buffer-over-read - c-ares would return data of length N but with a
purported length of >N - only in more recent releases so only affected
groovy
[USN-4639-1] phpMyAdmin vulnerabilities [02:37]
13 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-26935
CVE-2020-26934
CVE-2020-10803
CVE-2020-10802
CVE-2019-6799
CVE-2020-5504
CVE-2020-10804
CVE-2019-6798
CVE-2019-12616
CVE-2019-11768
CVE-2018-7260
CVE-2018-19970
CVE-2018-19968
Various issues - multiple different instances of each of the following:
XSS, SQL injection, CSRF, sensitive info leaks etc
[USN-4637-2] Firefox vulnerabilities [03:08]
15 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-26969
CVE-2020-26968
CVE-2020-26967
CVE-2020-26965
CVE-2020-26963
CVE-2020-26962
CVE-2020-26961
CVE-2020-26960
CVE-2020-26959
CVE-2020-26958
CVE-2020-26956
CVE-2020-26953
CVE-2020-26952
CVE-2020-26951
CVE-2020-16012
Episode 97
Xenial takes longer usually due to toolchain issues between old versions
in xenial vs newer things used in Firefox (ie rust etc)
[USN-4634-2] OpenLDAP vulnerabilities [03:57]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-25710
CVE-2020-25709
Episode 97 - 2 DoS issues
[USN-4640-1] PulseAudio vulnerability [04:13]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-16123
Discovered and resolved by James Henstridge from the Ubuntu Desktop Team
Race condition in snap policy module could allow a confined snap to
bypass snap pulseaudio restrictions - ie. could record audio when only
authorised to playback audio
https://twitter.com/JamesHenstridge/status/1331161130740248580
[USN-4641-1] libextractor vulnerabilities [06:20]
12 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-20431
CVE-2018-14347
CVE-2018-14346
CVE-2017-17440
CVE-2017-15922
CVE-2017-15602
CVE-2017-15601
CVE-2018-20430
CVE-2018-16430
CVE-2017-15600
CVE-2017-15267
CVE-2017-15266
Used to extract metadata from various file formats (HTML, PS, MS Office,
audio, images, video, archives, packages etc)
NULL ptr deref, divide by zero, OOB read, infinite loop, stack buffer
overflows, heap buffer overflows etc
[USN-4642-1] PDFResurrect vulnerability [07:28]
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-9549
Extract / manipulate revision info in PDFs
OOB write
[USN-4643-1] atftp vulnerabilities [07:56]
2 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-11366
CVE-2019-11365
TFTP server / client
NULL ptr deref due to race condition from missing mutex lock - different
threads can race on the same data -> DoS
stack buffer overflow due to unsafe calls to strncpy -> DoS / RCE
[USN-4644-1] igraph vulnerability [08:35]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2018-20349
NULL ptr deref
Goings on in Ubuntu Security Community
Ubuntu 16.04 LTS moving to ESM webinar [08:52]
https://www.brighttalk.com/webcast/6793/453617
8th December 2020, 4pm UTC
Security Certifications - libgcrypt on Ubuntu 18.04 is FIPS 140-2 certified [10:13]
https://discourse.ubuntu.com/t/security-certifications-libgcrypt-on-ubuntu-18-04-is-fips-140-2-certified/19511
Ubuntu 18.04 LTS can now provide FIPS certified full disk encryption as via libgcrypt which is now FIPS certified
Certified for 5 years until 2025
Private home directories for Ubuntu 21.04 onwards? [10:45]
https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2020-November/018842.html
https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
14min
November 21, 2020Episode 97
Overview
This week we look at vulnerabilities in MoinMoin, OpenLDAP, Kerberos,
Raptor (including a discussion of CVE workflows and the oss-security
mailing list) and more, whilst in community news we talk about the upcoming
AppArmor webinar, migration of Ubuntu CVE information to ubuntu.com and
reverse engineering of malware by the Canonical Sustaining Engineering
team.
This week in Ubuntu Security Updates
45 unique CVEs addressed
[USN-4629-1] MoinMoin vulnerabilities [00:50]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-15275
CVE-2020-25074
RCE via attachment upload - can upload an attachment which is then
cached - a subsequent crafted request can exploit a vulnerability in the
cache handling code to achieve directory traversal and a subsequent RCE
[USN-4630-1] Raptor vulnerability [01:40]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2017-18926
https://www.openwall.com/lists/oss-security/2017/06/07/1
Old vulnerability, recently rediscovered that triggered various
discussions on oss-security mailing list
https://www.openwall.com/lists/oss-security/2020/11/13/1
Discussion covered value of CVEs, how distros try and stay on top of
the constant stream of CVEs etc
Shows the value of a CVE - many distros use these as essentially work
items - if a CVE doesn’t exist, the vulnerability won’t get patched
[USN-4622-2] OpenLDAP vulnerability [03:43]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-25692
Episode 96 - NULL ptr deref for a remote unauthenticated user in slapd
Upstream dispute this as a real CVE - say that only unintended info
disclosure is a security issue (what about RCE?)
[USN-4628-2] Intel Microcode regression [04:29]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-8698
CVE-2020-8696
CVE-2020-8695
Episode 96 - Failed to boot on new Tiger Lake platforms
We took the decision to remove this MCU once we saw the regression and
had updates out within 24h of initial release
Intel have now reverted this themselves upstream in a fixup release
20201118
[USN-4171-6] Apport regression [05:40]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2019-15790
CVE-2019-11485
CVE-2019-11483
CVE-2019-11482
CVE-2019-11481
Previous update could possibly be used to crash Apport itself due to
mishandling of dropping permissions when reading the user’s config file
(note these don’t normally exist unless you manually create one so in
general is not an issue) - this fixes that and introduces some more
hardening measures to try and ensure permissions are always dropped
correctly and this is more robust overall
[USN-4631-1] libmaxminddb vulnerability [06:50]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28241
Heap based buffer overread -> DoS
[USN-4632-1] SLiRP vulnerabilities [07:03]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-8608
CVE-2020-7039
2 different buffer overflows - 1 due to improper use of return value from
snprintf() - the other due to mishandling of pointer arithmetic -> DoS,
RCE?
[USN-4607-2] OpenJDK regressions
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-14803
CVE-2020-14798
CVE-2020-14797
CVE-2020-14796
CVE-2020-14792
CVE-2020-14782
CVE-2020-14781
CVE-2020-14779
[USN-4633-1] PostgreSQL vulnerabilities [07:42]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25696
CVE-2020-25695
CVE-2020-25694
1 RCE, 1 arbitrary SQL execution but need to be an authenticated user and
1 DoS via dropping of connection
[USN-4634-1] OpenLDAP vulnerabilities [08:03]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25710
CVE-2020-25709
2 more DoS bugs against OpenLDAP - both assertion failures able to be
triggered by a remote attacker
[USN-4635-1] Kerberos vulnerability [08:29]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-28196
DoS via unbounded recursion in parsing of ASN.1 encoded message - BER can
specify an indefinite length - so this was parsed recursively but since
it never placed any limit on this if the nesting was deep enough, could
overrun the stack an trigger an abort.
[USN-4636-1] LibVNCServer, Vino vulnerability [09:05]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25708
Divide by zero -> DoS
[USN-4637-1] Firefox vulnerabilities [09:18]
15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-26969
CVE-2020-26968
CVE-2020-26967
CVE-2020-26965
CVE-2020-26963
CVE-2020-26962
CVE-2020-26961
CVE-2020-26960
CVE-2020-26959
CVE-2020-26958
CVE-2020-26956
CVE-2020-26953
CVE-2020-26952
CVE-2020-26951
CVE-2020-16012
83.0
Goings on in Ubuntu Security Community
Migration of Ubuntu CVE information from people.canonical.com to ubuntu.com [09:37]
Long time in the making - worked with the design team at Canonical to
design and prototype display of CVEs in a more human friendly format (for
machine friendly we have OVAL etc)
ubuntu.com/security/CVE-XXXX-XXXX
Still includes CVE description, priority, status per-release and other
details - but focusses on the most salient ones rather than the more
engineering style of the old ones
Redirects in place for old people.canonical.com URLs
Securing Linux Machines with AppArmor Webinar [11:18]
https://www.brighttalk.com/webcast/6793/440491/securing-linux-machines-with-apparmor
2020-11-24 16:00 UTC
Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper
Will cover:
Why a ‘defence in depth’ strategy should be employed to mitigate the
potential damage caused by a breach
An explanation of AppArmor, its key features and why the principle of
least privilege is recommended
The use of AppArmor in Ubuntu and snaps
Good overview of why and how to apply AppArmor as well as a demo of how
to generate a profile to confine an application with `aa-genprof`
Analysis of the dovecat and hy4 Linux Malware [12:36]
https://ruffell.nz/reverse-engineering/writeups/2020/10/27/analysis-of-the-dovecat-and-hy4-linux-malware.html
By Matthew Ruffell from the Sustaining Engineering team at Canonical
Previously maintained his own Linux distro (Dapper Linux) where he
manually forward-ported the grsecurity patch set - topic of his LCA 2019
talk Maintaining the Unmaintainable: Picking up the Baton of a Secure
Kernel Patchset
Walks through how he root-caused strange behaviour on a system down to
some suspicious processes, and then reverse engineering those to
demonstrate they were malware, and explaining what the malware did, how
it operated etc - great teardown
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
16min
November 13, 2020Episode 96
Overview
This week we look at results from the Tianfu Cup 2020, the PLATYPUS attack
against Intel CPUs, a detailed writeup of the GDM/accountsservice
vulnerabilities covered in Episode 95 and more.
Goings on in Ubuntu Security Community
Tianfu Cup 2020 [00:37]
https://www.zdnet.com/article/windows-10-ios-chrome-and-many-others-fall-at-chinas-top-hacking-contest/
QEMU on Ubuntu, Firefox and docker all pwned (as well as Chrome, Safari,
VMWare ESXi, CentOS 8, iPhone etc)
qemu-kvm on Ubuntu - used a UAF and an info-leak to escape VM and get
root code exec on host - by Xiao Wei from 360 ESG Vuln Research Institute
who has previously found lots of QEMU bugs - $60k
Still waiting on upstream qemu / docker to release details - Firefox
already patched in CVE-2020-26950
Github writeup of GDM/accountsservice vulnerabilities [02:53]
We covered the vulns in last week’s Episode 95
Kevin Backhouse provides a great amount of detail and a cool demo video
of the attack -
https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE
https://portswigger.net/daily-swig/vulnerabilities-in-ubuntu-desktop-enabled-root-access-in-two-simple-steps
PLATYPUS attack against Intel CPUs [03:41]
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Platypus
https://platypusattack.com/
https://www.zdnet.com/article/new-platypus-attack-can-steal-data-from-intel-cpus/
This week in Ubuntu Security Updates [05:27]
23 unique CVEs addressed
[USN-4617-1] SPICE vdagent vulnerabilities
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25653
CVE-2020-25652
CVE-2020-25651
CVE-2020-25650
[USN-4616-2] AccountsService vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2018-14036
CVE-2020-16126
[USN-4618-1] tmux vulnerability
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-27347
[USN-4619-1] dom4j vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-1000632
[USN-4599-3] Firefox regressions
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Episode 94
[USN-4620-1] phpLDAPadmin vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2017-11107
[USN-4621-1] netqmail vulnerabilities
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-3812
CVE-2020-3811
CVE-2005-1515
CVE-2005-1514
CVE-2005-1513
[USN-4622-1] OpenLDAP vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25692
[USN-4623-1] Pacemaker vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25654
[USN-4624-1] libexif vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-0452
[USN-4625-1] Firefox vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-26950
[USN-4626-1] Linux kernel vulnerabilities
2 CVEs addressed in Groovy (20.10)
CVE-2020-8694
CVE-2020-27194
[USN-4627-1] Linux kernel vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-8694
[USN-4628-1] Intel Microcode vulnerabilities
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-8698
CVE-2020-8696
CVE-2020-8695
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
8min
November 06, 2020Episode 95
Overview
This week we look at vulnerabilities in Samba, GDM, AccountsService, GOsa
and more, plus we cover some AppArmor related Ubuntu Security community
updates as well.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4552-3] Pam-python regression [00:40]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-16729
Original update (Episode 92 - bionic), (Episode 94 - xenial) caused was
too restrictive and would disallow PAM modules written in python from
importing python modules from site-specific directories
[USN-4609-1] GOsa vulnerabilities [01:18]
3 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-1000528
CVE-2019-11187
CVE-2019-14466
PHP based LDAP user admin frontend
XSS attacks via the change password form
Could login to any account with a username containing “success” with any
arbitrary password
Cookie mishandling allowed an authenticated user to delete files on the
web server in the context of the user account running the web server
[USN-4610-1] fastd vulnerability [02:11]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-27638
Fast & secure tunnelling daemon
Failed to free rx buffers in certain circumstances - memory leak -> DoS
[USN-4611-1] Samba vulnerabilities [02:29]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-14383
CVE-2020-14323
CVE-2020-14318
2 different DoS issues - remote attacker could cause DNS server to crash
by supplying invalid DNS records, or could cause winbind to crash via
crafted winbind requests
Failed to check permissions on ChangeNotify - so an attacker could
subscribe to get notifications on files they did not have permission to
read - and so leaks file info
[USN-4605-2] Blueman update [03:22]
1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
CVE-2020-15238
Episode 94 - this includes additional fix so that on focal and groovy
policykit is used to authenticate privileged actions
[USN-4614-1] GDM vulnerability [03:55]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-16125
Kevin Backhouse - discovered 3 vulnerabilities - one in GDM, 2 in
AccountsService
GDM incorrectly launched the initial setup tool if it could not reach the
accountsservice daemon
If could cause accountsservice to be unresponsive, could get GDM to
luanch initial setup tool which then allows a local user to create a
privileged users account
But requires accountsservice to be unresponsive…
[USN-4616-1] AccountsService vulnerabilities [05:00]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2018-14036
CVE-2020-16127
CVE-2020-16126
Drops privileges for certain operations but does so where a local
unprivileged user can send it SIGSTOP signal - is now unresponsive - so
could allow the GDM attack above - or could cause it to crash (send
SIGSEGV etc)
Also would exhaust all memory when reading .pam_environment if it was
really large (ie symlink to /dev/zero) - again could cause it to hang /
crash -> DoS
[USN-4613-1] python-cryptography vulnerability [06:34]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-25659
Bleichenbacher timing oracle attack (form of an adaptive
chosen-ciphertext attack) against RSA decryption could allow a remote
attacker to infer the private key
https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25
[USN-4615-1] Yerase’s TNEF vulnerabilities [07:23]
12 CVEs addressed in Xenial (16.04 LTS)
CVE-2017-6802
CVE-2017-6801
CVE-2017-6800
CVE-2017-6306
CVE-2017-6305
CVE-2017-6304
CVE-2017-6303
CVE-2017-6302
CVE-2017-6301
CVE-2017-6300
CVE-2017-6299
CVE-2017-6298
libtynef - TNEF stream reader library (proprietary format used by MS
Outlook / Exchange Server for email attachments)
Lots of issues - NULL ptr deref, infinite loop, buffer overflows, OOB
reads, directory traversal issues and more :) -> crash / DoS / RCE
Goings on in Ubuntu Security Community
AppArmor 3.0.1 being prepared [08:22]
Includes fixes for various application profiles as well as a fix to stop
aa-notify from exiting after 100s of no activity
Securing Linux Machines with AppArmor Webinar [08:57]
https://www.brighttalk.com/webcast/6793/440491
Currently scheduled for Mon 16th Nov at 16:00 UTC
Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper
Will cover:
Why a ‘defence in depth’ strategy should be employed to mitigate the
potential damage caused by a breach
An explanation of AppArmor, its key features and why the principle of
least privilege is recommended
The use of AppArmor in Ubuntu and snaps
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
11min
October 30, 2020Episode 94
Overview
This week we cover news of the CITL drop of 7000 “vulnerabilities”, the
Ubuntu Security disclosure and embargo policy plus we look at security
updates for pip, blueman, the Linux kernel and more.
This week in Ubuntu Security Updates
117 unique CVEs addressed
[USN-4596-1] Tomcat vulnerabilities [01:01]
4 CVEs addressed in Focal (20.04 LTS)
CVE-2020-9484
CVE-2020-13935
CVE-2020-13934
CVE-2020-11996
[USN-4587-1] iTALC vulnerabilities
19 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-15681
CVE-2018-7225
CVE-2018-20750
CVE-2018-20749
CVE-2018-20748
CVE-2018-20024
CVE-2018-20023
CVE-2018-20022
CVE-2018-20021
CVE-2018-20020
CVE-2018-20019
CVE-2018-15127
CVE-2016-9942
CVE-2016-9941
CVE-2014-6055
CVE-2014-6054
CVE-2014-6053
CVE-2014-6052
CVE-2014-6051
[USN-4588-1] FlightGear vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2016-9956
[USN-4552-2] Pam-python vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-16729
[USN-4597-1] mod_auth_mellon vulnerabilities
3 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-3878
CVE-2019-3877
CVE-2017-6807
[USN-4598-1] LibEtPan vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-15953
[USN-4600-1, USN-4600-2] Netty vulnerabilities
5 CVEs addressed in Bionic (18.04 LTS), 4 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-11612 (bionic only)
CVE-2020-7238
CVE-2019-16869
CVE-2019-20445
CVE-2019-20444
[USN-4601-1] pip vulnerability [01:34]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-20916
Failed to sanitize filenames during pip install if provided a URL in the
install command - could allow a remote attacker to provide a
Content-Disposition header that instructs pip to overwrite arbitrary
files
[USN-4599-1, USN-4599-2] Firefox vulnerabilities [02:42]
7 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-15969
CVE-2020-15684
CVE-2020-15683
CVE-2020-15682
CVE-2020-15681
CVE-2020-15680
CVE-2020-15254
[LSN-0073-1] Linux kernel vulnerability [03:02]
3 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-24490
CVE-2020-12352
CVE-2020-12351
BleedingTooth (Episode 93)
[USN-4593-2] FreeType vulnerability [03:23]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-15999
Episode 93
[USN-4602-1, USN-4602-2] Perl vulnerabilities [03:38]
3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-12723
CVE-2020-10878
CVE-2020-10543
[USN-4562-2] kramdown vulnerability
1 CVEs addressed in Groovy (20.10)
CVE-2020-14001
[USN-4605-1] Blueman vulnerability [04:10]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-15238
Reported to Ubuntu by Vaisha Bernard - worked with upstream blueman devs
& Debian maintainers to get this resolved - thanks :)
Blueman provides a dbus API to spawn DHCP client when doing
bluetooth-based networking
Would not sanitise the provided argument and would pass this directly to
dhcpcd which supports specifying a script file to run - this gets
executed as root so is a simple local root-privesc
Fixed to change the way the argument is provided to dhcpcd so that it
cannot pass arbitrary flags
Should also note, by default on Ubuntu we use isc-dhcp-client not dhcpcd
so unless you have manually installed it, this cannot be exploited
[USN-4583-2] PHP vulnerabilities
2 CVEs addressed in Groovy (20.10)
CVE-2020-7070
CVE-2020-7069
[USN-3081-2] Tomcat vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2016-1240
[USN-4603-1] MariaDB vulnerabilities
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-2814
CVE-2020-2812
CVE-2020-2760
CVE-2020-2752
CVE-2020-15180
CVE-2020-13249
[USN-4604-1] MySQL vulnerabilities
49 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-14893
CVE-2020-14891
CVE-2020-14888
CVE-2020-14878
CVE-2020-14873
CVE-2020-14870
CVE-2020-14869
CVE-2020-14868
CVE-2020-14867
CVE-2020-14866
CVE-2020-14861
CVE-2020-14860
CVE-2020-14853
CVE-2020-14852
CVE-2020-14848
CVE-2020-14846
CVE-2020-14845
CVE-2020-14844
CVE-2020-14839
CVE-2020-14838
CVE-2020-14837
CVE-2020-14836
CVE-2020-14830
CVE-2020-14829
CVE-2020-14828
CVE-2020-14827
CVE-2020-14821
CVE-2020-14814
CVE-2020-14812
CVE-2020-14809
CVE-2020-14804
CVE-2020-14800
CVE-2020-14794
CVE-2020-14793
CVE-2020-14791
CVE-2020-14790
CVE-2020-14789
CVE-2020-14786
CVE-2020-14785
CVE-2020-14777
CVE-2020-14776
CVE-2020-14775
CVE-2020-14773
CVE-2020-14771
CVE-2020-14769
CVE-2020-14765
CVE-2020-14760
CVE-2020-14672
CVE-2019-14775
[USN-4607-1] OpenJDK vulnerabilities
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
CVE-2020-14803
CVE-2020-14798
CVE-2020-14797
CVE-2020-14796
CVE-2020-14792
CVE-2020-14782
CVE-2020-14781
CVE-2020-14779
[USN-4608-1] ca-certificates update [06:41]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
Updates to the latest from Mozill a - removes some root CAs (expired etc)
and adds some new ones too
Goings on in Ubuntu Security Community
Ubuntu Security disclosure and embargo policy [07:17]
https://ubuntu.com/security/disclosure-policy
How to report an issue to us (LP / [email protected])
Scope (Ubuntu archive + Canonical software / infrastructure -
coordination etc)
What to expect from us
Disclosure timelines (within 1 week after updates provided, prefer
exploits etc kept private for at least 1 week after fixes available)
Safe harbour (welcome research into the software we provide but no active
probing of Canonical infra/services)
CITL releases high level details of 7000 defects [09:06]
https://cyber-itl.org/2020/10/28/citl-7000-defects.html
7000 defects/vulns across 3243 packages from Ubuntu 18.04
Automated static / dynamic analysis system (fuzzing?)
Provide list of binaries / packages and the type of ‘vuln’ (SIG_SEGV
etc) - without reproducers etc
Expect package maintainers to contact them to request full details
Some package maintainers / upstreams will likely contact but we expect
this to be in the minority
Not really possible for @ubuntu_sec to triage and handle all of these but
will likely be a collective effort between distros to try and analyse
these all if CITL are willing to provide details
Without a collective effort unlikely that CVEs will get assigned and so
fixes could be missed if various upstreams just contact and fix these
themselves
Lots of open questions as to how this will play out…
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
14min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.