Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

October 23, 2020Episode 93
Overview
This week we cover security updates for NTP, Brotli, Spice, the Linux
kernel (including BleedingTooth) and a FreeType vulnerability which is
being exploited in-the-wild, plus we talk about the NSAs report into the
most exploited vulnerabilities as well as the release of Ubuntu 20.10
Groovy Gorilla.
This week in Ubuntu Security Updates
74 unique CVEs addressed
[USN-4559-1] Samba update [01:04]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-1472
Follow up to USN-4510-1 for “ZeroLogon” - that updated changed default to
enable secure channel - this one adds support for specifying per-machine
insecure netlogon usage plus additional hardening to check for possible
attacks from the client-specified challenge if have manually enabled
insecure channel in configuration
[USN-4563-1] NTP vulnerability [01:48]
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-8936
CVE-2018-7182
Fix for previous CVE-2018-7182 introduced a possible NULL ptr deref that
could be triggered by a malicious client -> DoS
[USN-4568-1] Brotli vulnerability [02:12]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-8927
Compression library / tool from Google designed for text compression,
especially for web fonts etc
Buffer overflow due to an integer overflow when using the one-shot
decompression option on attacker controlled data
[USN-4570-1] urllib3 vulnerability [03:00]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-26137
Possible CRLF injection if an attacker can control the request method
used in a call to urllib3 - can specify additional parameters such as
Host and Remainder after an injected CRLF to cause the request to
misbehave
[USN-4572-1, USN-4572-2] Spice vulnerability [03:41]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14355
Protocol for doing remote VM access - multiple buffer overflows in
decoding of QUIC image compression algorithm - and this affected both the
client and server side - DoS, RCE etc
[USN-4576-1] Linux kernel vulnerabilities [04:36]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-25641
CVE-2020-25285
CVE-2020-16120
CVE-2020-14385
CVE-2020-14314
CVE-2020-16119
[USN-4577-1] Linux kernel vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-16120
CVE-2020-16119
[USN-4578-1] Linux kernel vulnerabilities
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-26088
CVE-2020-25212
CVE-2020-16120
CVE-2020-14314
CVE-2019-19448
CVE-2018-10322
CVE-2020-16119
[USN-4579-1] Linux kernel vulnerabilities
4 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-25285
CVE-2020-14314
CVE-2018-10322
CVE-2020-16119
[USN-4580-1] Linux kernel vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-16119
DCCP protocol mishandled reuse of sockets, leading to a UAF - since can
be done by a local user could lead to root code execution, priv esc etc -
was reported to Canonical and we worked with upstream kernel devs on
resolving this etc
[LSN-0072-1] Linux kernel vulnerability
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-16120
CVE-2020-16119
CVE-2020-14386
CVE-2020-12114
CVE-2020-11935
CVE-2020-11494
CVE-2020-0067
DCCP UAF
AF_PACKET buffer overflow (Episode 90)
Livepatched in the following kernels:
Ubuntu 18.04 LTS
aws - 72.1
generic - 72.1
lowlatency - 72.1
oem - 72.1
Ubuntu 20.04 LTS
aws - 72.1
aws - 72.2
azure - 72.1
azure - 72.2
gcp - 72.1
gcp - 72.2
generic - 72.1
generic - 72.2
lowlatency - 72.1
lowlatency - 72.2
Ubuntu 16.04 LTS
aws - 72.1
generic - 72.1
lowlatency - 72.1
Ubuntu 14.04 ESM
generic - 72.1
lowlatency - 72.1
[USN-4591-1] Linux kernel vulnerabilities [06:20]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-12352
CVE-2020-12351
[USN-4592-1] Linux kernel vulnerabilities
3 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-24490
CVE-2020-12352
CVE-2020-12351
BleedingTooth vulnerability
Announced by Intel, discovered by a security researcher at Google - not
much heads up to distros, kernel team worked quickly to respin affected
kernels (>= 4.8) over the weekend
Originally was mention on twitter that Google were going to publish a
blog post with more details but this got held back to give time for
distros etc to patch
[USN-4593-1] FreeType vulnerability [07:30]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15999
Integer overflow -> heap buffer overflow
Reported by Google to Freetype upstream with the comment that it was
being exploited in the wild
The patch simply moves a check that was added originally to fix another
CVE a few lines higher since it still provided the chance of an integer
overflow -> heap buffer overflow
Update released for Ubuntu within 16h of the original report to the
upstream FreeType developers
[USN-4558-1] libapreq2 vulnerabilities
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-12412
[USN-4557-1] Tomcat vulnerabilities
7 CVEs addressed in Xenial (16.04 LTS)
CVE-2016-8735
CVE-2016-6816
CVE-2016-6797
CVE-2016-6796
CVE-2016-6794
CVE-2016-5018
CVE-2016-0762
[USN-4560-1] Gon gem vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-25739
[USN-4561-1] Rack vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-8184
CVE-2020-8161
[USN-4562-1] kramdown vulnerability
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-14001
[USN-4569-1] Yaws vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-24916
CVE-2020-24379
[USN-4571-1] rack-cors vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-18978
[USN-4564-1] Apache Tika vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-1951
CVE-2020-1950
[USN-4565-1] OpenConnect vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-16239
[USN-4566-1] Cyrus IMAP Server vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-19783
CVE-2019-11356
[USN-4567-1] OpenDMARC vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-16378
[USN-4573-1] Vino vulnerabilities
7 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14404
CVE-2020-14403
CVE-2020-14402
CVE-2020-14397
CVE-2019-15681
CVE-2018-7225
CVE-2014-6053
[USN-4574-1] libseccomp-golang vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2017-18367
[USN-4575-1] dom4j vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-10683
[USN-4581-1] Python vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-26116
[USN-4582-1] Vim vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-20807
CVE-2017-17087
[USN-4583-1] PHP vulnerabilities
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-7070
CVE-2020-7069
[USN-4589-1] containerd vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-15157
[USN-4589-2] Docker vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15157
[USN-4585-1] Newsbeuter vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS)
CVE-2017-14500
CVE-2017-12904
[USN-4584-1] HtmlUnit vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-5529
[USN-4546-2] Firefox regressions
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4590-1] Collabtive vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2015-0258
[USN-4586-1] PHP ImageMagick vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-11037
[USN-4594-1] Quassel vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2018-1000179
CVE-2018-1000178
[USN-4595-1] Grunt vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-7729
Goings on in Ubuntu Security Community
NSA Report on 25 most exploited CVEs by Chinese State-Sponsored Actors [09:51]
https://twitter.com/NSACyber/status/1318568065769132035
https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Most apply to appliances (network gateway devices) or Windows
Only 1 applies open source software for Linux
CVE-2018-6789 - Exim 4.90.1 - CVE was public 7 February 2018, patched
in affected Ubuntu releases 5 days later on 12 February 2018
oss-security posting claims ‘unsure of severity, an exploit is difficult’
The researcher which found it provided a very detailed write-up about
the low-level details to exploit it on 6th March 2018 but without an
actual PoC (although all details are there to reconstruct one)
First public PoC seems to be on 2 May 2018 - there have been others
since (exploitdb, github etc)
So why does this one get exploited over others?
Availability of multiple PoC?
Have other distros not patched?
Are there lots of installs that are from source and have never been
updated?
Lots of old docker images of various exim with lots of Pulls
(although the most popular one was updated 9 days ago)
Shows should always get your open source from a trusted, maintained
downstream like Ubuntu
Ubuntu 20.10 Groovy Gorilla Release [13:50]
https://lists.ubuntu.com/archives/ubuntu-announce/2020-October/000263.html
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
16min
October 02, 2020Episode 92
Overview
It’s CVE bankruptcy! With a deluge of CVEs to cover from the last 2 weeks,
we take a particular look at the ZeroLogon vulnerability in Samba this
week, plus Alex covers the AppArmor 3 release and some recent / upcoming
webinars hosted by the Ubuntu Security team.
This week in Ubuntu Security Updates
121 unique CVEs addressed
[USN-4510-1, USN-4510-2] Samba vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-1472
“ZeroLogon”
Would allow an attacker who already can communicate with the domain
controller to reset it’s password and so then take control of the DC and
obtain the domain admin’s credentials
Flaw in the NetLogon protocol would allow the attacker to impersonate any
computer in the domain, even the DC itself, and execute calls on that
computer’s behalf
This flaw was in the cryptographic authentication scheme employed by
the NetLogon protocol
Samba also implements this protocol - and so contained the same flaw
In both cases (Window AD vs Samba) there is an option to use a more
secure authentication mechanism - for older Ubuntu releases like Trusty,
Xenial and Bionic the default configuration as specified by upstream
Samba did not enforce the use of this bu default
So the fix is a simple configuration change to enable this by default
This is done by patching Samba directly (rather than trying to say update
everyone’s deployed /etc/samba.conf or similar) - which still allows a
local admin to turn this off if they so desire (although this is
definitely not recommended)
One example of how Ubuntu tries to be secure by default - when known
better security configuration options become available we try and enable
them (whilst weighing up the likelihood of breaking existing installs -
we try very hard not to do this)
Similarly we have done the same for the various spec exec mitigations -
almost all default to on even at the expense of a performance hit in that
case
[USN-4504-1] OpenSSL vulnerabilities
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-1563
CVE-2019-1551
CVE-2019-1547
CVE-2020-1968
[USN-4505-1] PHPMailer vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-13625
[USN-4506-1] MCabber vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2016-9928
[USN-4507-1] ncmpc vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-9240
[USN-4508-1] StoreBackup vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-7040
[USN-4509-1] Perl DBI module vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2014-10401
CVE-2013-7490
[USN-4511-1] QEMU vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14364
[USN-4512-1] util-linux vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2018-7738
[USN-4513-1] apng2gif vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2017-6960
[USN-4514-1] libproxy vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-25219
[USN-4515-1] Pure-FTPd vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-9274
[USN-4516-1] GnuPG vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-14855
USN-4518-1] xawtv vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-13696
[USN-4519-1] PulseAudio vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-15710
[USN-4520-1] Exim SpamAssassin vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-19920
[USN-4521-1] pam_tacplus vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-13881
[USN-4522-1] noVNC vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2017-18635
[USN-4523-1] LibOFX vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-9656
[USN-4524-1] TNEF vulnerabilities
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-18849
[USN-4525-1] Linux kernel vulnerabilities
5 CVEs addressed in Focal (20.04 LTS)
CVE-2020-25212
CVE-2020-16166
CVE-2020-12888
CVE-2019-19054
CVE-2019-18808
[USN-4526-1] Linux kernel vulnerabilities
10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-16166
CVE-2020-14356
CVE-2020-12888
CVE-2019-9445
CVE-2019-19074
CVE-2019-19073
CVE-2019-19067
CVE-2019-19061
CVE-2019-19054
CVE-2019-18808
[USN-4527-1] Linux kernel vulnerabilities
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-25212
CVE-2020-0067
CVE-2019-9453
CVE-2019-9445
CVE-2019-20811
CVE-2019-19074
CVE-2019-19073
CVE-2019-19054
[USN-4528-1] Ceph vulnerabilities
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-1760
CVE-2020-12059
CVE-2020-10753
[USN-4529-1] FreeImage vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-12213
CVE-2019-12211
[USN-4531-1] BusyBox vulnerability
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2018-1000500
[USN-4530-1] Debian-LAN vulnerabilities
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-3467
[USN-4532-1] Netty vulnerabilities
3 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-20445
CVE-2019-20444
CVE-2019-16869
[USN-4533-1] LTSP Display Manager vulnerabilities
1 CVEs addressed in Focal (20.04 LTS)
CVE-2019-20373
[USN-4534-1] Perl DBI module vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-20919
[USN-4535-1] RDFLib vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-7653
[USN-4537-1] Aptdaemon vulnerability
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15703
[USN-4538-1] PackageKit vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-16122
CVE-2020-16121
[USN-4536-1] SPIP vulnerabilities
7 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-16393
CVE-2019-19830
CVE-2017-15736
CVE-2019-16391
CVE-2019-11071
CVE-2019-16394
CVE-2019-16392
[USN-4539-1] AWL vulnerability
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-11728
[USN-4540-1] atftpd vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-11366
CVE-2019-11365
[USN-4542-1] MiniUPnPd vulnerabilities
5 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-12111
CVE-2019-12110
CVE-2019-12109
CVE-2019-12108
CVE-2019-12107
[USN-4543-1] Sanitize vulnerability
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-4054
[USN-4541-1] Gnuplot vulnerabilities
3 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-19492
CVE-2018-19491
CVE-2018-19490
[USN-4545-1] libquicktime vulnerabilities
7 CVEs addressed in Xenial (16.04 LTS)
CVE-2017-9125
CVE-2017-9128
CVE-2017-9127
CVE-2017-9126
CVE-2017-9124
CVE-2017-9123
CVE-2017-9122
[USN-4546-1] Firefox vulnerabilities
6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15678
CVE-2020-15677
CVE-2020-15676
CVE-2020-15675
CVE-2020-15674
CVE-2020-15673
[USN-3968-3] Sudo vulnerabilities
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2016-7032
CVE-2016-7076
[USN-4549-1] ImageMagick vulnerabilities
2 CVEs addressed in Focal (20.04 LTS)
CVE-2019-19949
CVE-2019-19948
[USN-4548-1] libuv vulnerability
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-8252
[USN-4547-1] iTALC vulnerabilities
12 CVEs addressed in Bionic (18.04 LTS)
CVE-2018-7225
CVE-2018-20750
CVE-2018-20749
CVE-2018-20748
CVE-2018-20024
CVE-2018-20023
CVE-2018-20022
CVE-2018-20021
CVE-2018-20020
CVE-2018-20019
CVE-2018-15127
CVE-2019-15681
[USN-4553-1] Teeworlds vulnerability
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-12066
[USN-4552-1] Pam-python vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-16729
[USN-4550-1] DPDK vulnerabilities
5 CVEs addressed in Focal (20.04 LTS)
CVE-2020-14378
CVE-2020-14377
CVE-2020-14376
CVE-2020-14375
CVE-2020-14374
[USN-4551-1] Squid vulnerabilities
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-24606
CVE-2020-15811
CVE-2020-15810
CVE-2020-15049
[USN-4554-1] libPGF vulnerability
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2015-6673
[USN-4547-2] SSVNC vulnerabilities
5 CVEs addressed in Xenial (16.04 LTS)
CVE-2018-20024
CVE-2018-2024
CVE-2018-20022
CVE-2018-20021
CVE-2018-20020
[USN-4556-1] netqmail vulnerabilities
5 CVEs addressed in Focal (20.04 LTS)
CVE-2020-3812
CVE-2020-3811
CVE-2005-1515
CVE-2005-1514
CVE-2005-1513
Goings on in Ubuntu Security Community
AppArmor 3.0 Release
https://gitlab.com/apparmor/apparmor/-/releases/v3.0.0
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
Ubuntu Security Related Webinars
FIPS certification and CIS compliance with Ubuntu Webinar
<2020-10-01 Thu>
More on the Ubuntu FIPS certification for cryptographic modules in Ubuntu
18.04 LTS and 16.04 LTS and the Ubuntu FIPS public cloud images
The difference between FIPS certified and FIPS compliant modules
More on compliance benchmark documentation for Ubuntu CIS compliance
How to quickly harden Ubuntu systems and easily view which rules your
systems are not compliant with using the CIS automation tooling from
Canonical [demo]
Presented by Vineetha Kamatha (Security Engineering Manager), Shaun
Murphy (Public Cloud Sr Product Manager) & Lech Sandecki (Product
Manager)
https://www.brighttalk.com/webcast/6793/432536/fips-certification-and-cis-compliance-with-ubuntu
Best Practices for Securing Open Source Webinar
<2020-10-08 Thu>
https://www.brighttalk.com/webcast/6793/440071
Presented by me :)
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
12min
September 18, 2020Episode 91
Overview
This week we look at security updates for GUPnP, OpenJPEG, bsdiff and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4488-2] X.Org X Server vulnerabilities [00:31]
5 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-14345
CVE-2020-14362
CVE-2020-14361
CVE-2020-14347
CVE-2020-14346
Episode 90
[LSN-0071-1] Linux kernel vulnerability [00:50]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-14386
Episode 90 (AF_PACKET OOB write - crash / code exec)
Also affects Focal (20.04 LTS) but livepatch is still being prepared
[USN-4494-1] GUPnP vulnerability [01:29]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-12695
GNOME UPnP impl, used by Rygel for media sharing on GNOME (standard
Ubuntu) desktop and many other applications
Callstranger Vulnerability - vuln in UPnP protocol - callback header in
UPnP SUBSCRIBE can contain arbitrary delivery URL - so this could be on a
different network segment than the event subscription URL - so you can
SUBSCRIBE to events and supply one or more URLs for delivery of the
messages. Can then make this point anywhere and so can get the device to
send HTTP traffic to any arbitrary destination - and so can be used for
data exfil or DDoS attacks etc. Fixed to check the destination host is
either a link-local address or the address mask matches - either way,
check is on the same network segment.
[USN-4495-1] Apache Log4j vulnerability [03:21]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-17571
Failed to properly deserialise data - so if is listening to untrusted log
data from the network could be exploited to run arbitrary code
[USN-4496-1] Apache XML-RPC vulnerability [03:42]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-17570
Similarly failed to properly deserialize data - a malicious XML-RPC
server could cause code execution on the client as a result
[USN-4497-1] OpenJPEG vulnerabilities [03:58]
7 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-12973
CVE-2020-15389
CVE-2020-8112
CVE-2020-6851
CVE-2018-21010
CVE-2018-20847
CVE-2016-9112
Usual mix of memory safety issues in image handling libraries written in
C - DoS, RCE etc via crafted image data
[USN-4499-1] MilkyTracker vulnerabilities [04:27]
3 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-14497
CVE-2019-14496
CVE-2019-14464
Failed to properly validate files - 2 different heap and 1 stack based
buffer overflows - RCE if loading untrusted files
[USN-4498-1] Loofah vulnerability [04:52]
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2019-15587
ruby module for manipulation and transformation of HTML/XML etc
Possible XSS - failed to sanitize JS when handling crafted SVG
[USN-4500-1] bsdiff vulnerabilities [05:16]
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2014-9862
(Oldest CVE of the week!)
Failed to properly validate input patch file -> integer overflow -> heap
based buffer overflow -> code exec / DoS
[USN-4501-1] LuaJIT vulnerability [05:40]
1 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-15890
OOB read -> crash / info leak
[USN-4502-1] websocket-extensions vulnerability [05:49]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-7663
ruby websockets extension - used regex with backtracking to properly
parse headers, could be sent crafted input which is very computationally
intensive to parse as a result -> CPU based DoS
[USN-4503-1] Perl DBI module vulnerability [06:21]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-14392
Perl DB interface - underlying code would potentially allocate the stack
and hence result in invalid pointers to object that were previously on
the stack - could be manipulated by a remote user to result in memory
corruption etc -> crash
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
9min
September 11, 2020Episode 90
Overview
This week we look at security updates for the X server, the Linux kernel
and GnuTLS plus we preview the upcoming AppArmor3 release that is slated
for Ubuntu 20.10 (Groovy Gorilla).
This week in Ubuntu Security Updates
20 unique CVEs addressed
[USN-4487-1, USN-4487-2] libx11 vulnerabilities [00:58]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14363
CVE-2020-14344
2 privilege escalation attacks
integer overflow -> double free -> memory corruption
integer overflow -> heap buffer overflow
privilege escalation may be possible since in both cases could cause
arbitrary code exec with a binary that is using libX11 and running with
root privileges (setuid / sudo etc) - this is why we often advise don’t
run graphical applications via sudo etc
[USN-4488-1, USN-4490-1] X.Org X Server vulnerabilities [02:29]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14362
CVE-2020-14361
CVE-2020-14347
CVE-2020-14346
CVE-2020-14345
Various memory corruption vulnerabilities all discovered by Jan-Niklas
Sohn - on some older releases (xenial and earlier) X server runs as root
[USN-4449-2] Apport vulnerabilities [03:28]
3 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-15702
CVE-2020-15701
CVE-2020-11936
Episode 85
[USN-4474-2] Firefox regressions [03:38]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15668
CVE-2020-6829
CVE-2020-12401
CVE-2020-12400
CVE-2020-15670
CVE-2020-15666
CVE-2020-15665
CVE-2020-15664
Episode 89
80.0.1 - upstream release to fix regressions in 80.0 release -> crashes
on GPU resets, WebGL rendering issues, performance issue in processing CA
certs &c
[USN-4489-1] Linux kernel vulnerability [04:09]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14386
AF_PACKET (layer 2) socket did not perform bounds checks in some places -
requires CAP_NET_RAW or root - BUT can be root in a user namespace and
these are enabled by default in Ubuntu and other Linux distros -> can
disable by sysctl `kernel.unprivileged_userns_clone=0`
[USN-4491-1] GnuTLS vulnerability [06:01]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-24659
Malicious server can trigger a NULL ptr deref in client during TLS 1.3
negotiation - DoS
Goings on in Ubuntu Security Community
AppArmor3 slated for Ubuntu 20.10 [06:32]
Beta version of AppArmor3 is being prepared for Ubuntu 20.10 Groovy
Gorilla - should land in -proposed next week and then main soon after
Provides ABI feature pinning - so upgrading to kernels with newer
additional features will not break existing profiles
Rewrites of a number of tools into different languages to make their use
and packaging easier
Support for new kernel features such as v8 ABI network socket rules,
xattr attachment conditionals, PERFMON and BPF capabilities
Improved compilar warnings and semantic checks
Improved support for kernels that support LSM stacking
Profile modes - enforce (default), kill and unconfined
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
12min
September 03, 2020Episode 89
Overview
This week we farewell Joe McManus plus we look at security updates for
Firefox, Chrony, Squid, Django, the Linux kernel and more.
This week in Ubuntu Security Updates
59 unique CVEs addressed
[USN-4473-1] libmysofa vulnerabilities [01:01]
5 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-16095
CVE-2019-16094
CVE-2019-16093
CVE-2019-16092
CVE-2019-16091
OOB, NULL ptr deref, heap buffer overflow etc -> DoS
[USN-4474-1] Firefox vulnerabilities [01:30]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15668
CVE-2020-6829
CVE-2020-12401
CVE-2020-12400
CVE-2020-15670
CVE-2020-15666
CVE-2020-15665
CVE-2020-15664
80.0
Attacker controlled website -> DoS, install malicious extension, spoof
URL bar, leak sensitive info across origins, RCE etc
NSS side-channel attacks etc
Race condition when importing a cert into the trust store (unspec impact)
[USN-4446-2] Squid regression [02:31]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-18676
CVE-2019-12524
CVE-2019-12523
CVE-2019-12520
Regression in recent squid update would cause issues if using icap or
ecap protocols to do content adaptation
[USN-4475-1] Chrony vulnerability [02:51]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14367
pid file is created as root before drops privileges and was susceptible
to a symlink attack -> could be used to overwrite arbitrary files on the
system
[USN-4476-1] NSS vulnerability [03:45]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-12403
OOB read for CHACHA20 decryption with undersized tag
[USN-4477-1] Squid vulnerabilities
3 CVEs addressed in Focal (20.04 LTS)
CVE-2020-24606
CVE-2020-15811
CVE-2020-15810
HTTP request smuggling
[USN-4478-1] Python-RSA vulnerability [04:15]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-13757
Ignores leading NUL/zero byte in decryption of ciphertext - fixed to
check length matches block size
[USN-4479-1] Django vulnerabilities [04:40]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2020-24584
CVE-2020-24583
Incorrect handling of permissions on directories in caches - caused by a
behavioural change in python 3.7 - so only affects Python Django when
used with python 3.7 and hence say bionic (which uses python 3.6) is not
affected
[USN-4480-1] OpenStack Keystone vulnerabilities [05:25]
4 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-12692
CVE-2020-12690
CVE-2020-12691
CVE-2020-12689
Incorrect handling of EC2 permissions could allow an authenticated
attacker to create EC2 credentials with elevated permissions
Incorrect handling of OAUTH1 roles could give an authenticated attacker
more role assignments than intended
Incorrect handling of EC2 signature TTL checks could allow reuse of
authorisation headers
[USN-4471-2] Net-SNMP regression [05:51]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-15862
CVE-2020-15861
Previous update (Episode 87) caused `nsExtendCacheTime` to be not
settable as MIB attribute - instead add cacheTime feature flag to set
this
[USN-4481-1] FreeRDP vulnerabilities [06:23]
10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-4033
CVE-2020-4032
CVE-2020-4031
CVE-2020-4030
CVE-2020-15103
CVE-2020-11099
CVE-2020-11098
CVE-2020-11097
CVE-2020-11096
CVE-2020-11095
Various memory corruption and handling issues -> OOB reads / writes, UAF
etc -> crash / RCE
[USN-4482-1] Ark vulnerability [06:54]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-24654
Crafted TAR with symlinks outside of working directory -> overwrite or
creation of arbitrary files (zipslip but for tar - tarslip?)
[USN-4483-1] Linux kernel vulnerabilities [07:22]
13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-12656
CVE-2020-24394
CVE-2020-15393
CVE-2020-14356
CVE-2020-13974
CVE-2020-12771
CVE-2020-12655
CVE-2020-10781
CVE-2020-10768
CVE-2020-10767
CVE-2020-10766
CVE-2020-10757
CVE-2019-20810
5.4 kernel - focal - raspi / aws / gcp / oracle / azure / gcp etc for
bionic
Memory leak in USB audio and USB testing drivers, DAX mremap, Speculative
Store Bypass Disable (SSBD), Indirect Branch Predictor Barrier (IBPB) &
Indirect Branch Speculation mitigation bypasses, crafted XFS metadata
DoS, cgroupv2 reference count -> NULL ptr deref etc
[USN-4484-1] Linux kernel vulnerability
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-14356
5.3 gke/HWE kernel
cgroupv2 issue
[USN-4485-1] Linux kernel vulnerabilities
14 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-12656
CVE-2020-24394
CVE-2020-15393
CVE-2020-13974
CVE-2020-12771
CVE-2020-12655
CVE-2020-10781
CVE-2020-10768
CVE-2020-10767
CVE-2020-10766
CVE-2020-10732
CVE-2019-20810
CVE-2019-19947
CVE-2018-20669
4.15 (bionic / xenial hwe / trusty esm azure)
Mostly same as above
[USN-4486-1] Linux kernel vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2018-10323
4.4 (xenial / trusy esm hwe)
XFS metadata DoS
Goings on in Ubuntu Security Community
Farewell Joe McManus [09:04]
Thanks for being the best co-host a bloke could wish for
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
11min
August 27, 2020Episode 88
Overview
This week we talk antivirus scanners and false positives in the Ubuntu
archive, plus we look at security updates for QEMU, Bind, Net-SNMP,
sane-backends and more.
This week in Ubuntu Security Updates
56 unique CVEs addressed
[USN-4467-1] QEMU vulnerabilities [00:52]
13 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-16092
CVE-2020-15863
CVE-2020-14415
CVE-2020-13800
CVE-2020-13765
CVE-2020-13754
CVE-2020-13659
CVE-2020-13362
CVE-2020-13361
CVE-2020-13253
CVE-2020-12829
CVE-2020-10761
CVE-2020-10756
OOB read in SLiRP networking implementation when replying to a ICMP ping
echo request -> malicious guest could leak host memory -> info leak
Network Block Device server assertion failure able to be triggered via a
remote NBD client -> DoS
Malicious guest could cause a OOB write / read in SM501 graphic driver on
host -> crash / code exec
[USN-4466-2] curl vulnerability [01:58]
1 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-8231
Episode 87 - connect_only option -> could connect to wrong destination
-> info leak
[USN-4468-1, USN-4468-2] Bind vulnerabilities [02:16]
5 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-8624
CVE-2020-8623
CVE-2020-8622
CVE-2020-8621
CVE-2020-8620
Assertion failures when handling:
queries for zones signed by RSA signature
truncated response to a TSIG-signed request
queries when QNAME minimazation and forward first are enabled
specially crafted large TCP payload on most recent versions (focal
only)
[USN-4471-1] Net-SNMP vulnerabilities [03:10]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15862
CVE-2020-15861
Would cache MIBs in a directory on the host - an attacker who has
read-write access to the SNMP service could use the NET-SNMP-EXTEND-MIB
extension to modify an existing MIB to add a command to be executed when
the MIB attribute is read, and this would be cached for future. In
general net-snmp server runs as a low privileged user, so any
command-exec is not privileged, except at startup when it runs as root
and loads the cached MIBs - these could then contain commands to change
the configuration of net-snmp to instead run as root and not drop
privileges. Then subsequent runs of net-snmp will run as root and so any
command-exec can be done as root. Fix is to both disable the EXTEND-MIB
extension by default and to not cache MIBs.
[USN-4469-1] Ghostscript vulnerabilities [04:47]
25 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-17538
CVE-2020-16310
CVE-2020-16309
CVE-2020-16308
CVE-2020-16307
CVE-2020-16306
CVE-2020-16305
CVE-2020-16304
CVE-2020-16303
CVE-2020-16302
CVE-2020-16301
CVE-2020-16300
CVE-2020-16299
CVE-2020-16298
CVE-2020-16297
CVE-2020-16296
CVE-2020-16295
CVE-2020-16294
CVE-2020-16293
CVE-2020-16292
CVE-2020-16291
CVE-2020-16290
CVE-2020-16289
CVE-2020-16288
CVE-2020-16287
Fixes for various buffer overflows etc found via fuzzing with address
sanitizer enabled - crafted PDF files -> crash / RCE
[USN-4470-1] sane-backends vulnerabilities [05:17]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-12867
CVE-2020-12866
CVE-2020-12865
CVE-2020-12864
CVE-2020-12863
CVE-2020-12862
CVE-2020-12861
CVE-2017-6318
Heap buffer overflows when accessing network attached scanners - could
happen automatically when starting a scanning app which then scans the
local network -> crash / code exec - found by GitHub security team
https://securitylab.github.com/research/last-orders-at-the-house-of-force
https://youtu.be/EGiQ-0pCcwc
[USN-4472-1] PostgreSQL vulnerabilities [06:25]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14350
CVE-2020-14349
2 issues in the mishandling of the search path, allowing a remote
attacker to execute arbitrary SQL code - one when using logical
replication and the other with CREATE EXTENSION command.
Goings on in Ubuntu Security Community
Windows Defender and other AVs flagging jq as possibly malicious [06:54]
https://discourse.ubuntu.com/t/several-av-engines-are-hating-on-usr-bin-jq-from-jq-1-6-1-false-positive-imo/18030
https://bugs.launchpad.net/ubuntu/+source/jq/+bug/1892843
https://bugs.launchpad.net/ubuntu/+source/jq/+bug/1892552
Windows Defender flags as Trojan:Linux/CoinMiner.N!MTB whilst Trend Micro
flags as Trojan.SH.HADGLIDER.TSE - false positives, possible hash
collision?
sudo apt install jq
xdg-open "https://www.virustotal.com/gui/file/$(sha256sum /usr/bin/jq | cut -f1 -d' ')"
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
11min
August 21, 2020Episode 87
Overview
This week we look at the Drovorub Linux malware outed by the NSA/FBI plus
we detail security updates for Dovecot, Apache, Salt, the Linux kernel and
more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4456-1, USN-4456-2] Dovecot vulnerabilities [00:46]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-12674
CVE-2020-12673
CVE-2020-12100
3 DoS issues - nested MIME -> resource exhaustion, Compuserve RPA auth
mechanism (rare) -> zero length message -> assert fail, NTLM missing
length check -> buffer over read -> crash
[USN-4457-1, USN-4457-2] Software Properties vulnerability [01:39]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15709
add-apt-repository ANSI escape sequence display from launchpad PPA
description
[USN-4458-1] Apache HTTP Server vulnerabilities [02:27]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-11993
CVE-2020-11984
CVE-2020-9490
CVE-2020-1934
CVE-2020-1927
mod_rewrite could be tricked into redirecting to an unexpected URL via
newlines encoded into the request URL
use of uninitialized memory when proxying to a malicious FTP server ->
info leak
2 HTTP/2 issues - improper handling of Cache-Digest headers and certain
logging statements -> crash, DoS
buffer overflow in mod_proxy_uwsgi - crash / code exec
[USN-4459-1] Salt vulnerabilities [03:18]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-11652
CVE-2020-11651
CVE-2019-17361
CVE-2018-15751
CVE-2018-15750
File enumeration on remote server -> info leak
Authentication bypass
Command injection from unauthenticated users -> code exec on salt-api host
Failure to validate method calls and sanitize paths - access control
bypass
[USN-4460-1] Oniguruma vulnerabilities [03:58]
4 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2019-19246
CVE-2019-19204
CVE-2019-19012
CVE-2019-16163
regex library used by PHP and Ruby -> various issues leading to DoS /
info leak etc
[USN-4461-1] Ark vulnerability [04:20]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-16116
KDE archive handler - malicious ZIP files could contain files outside the
working directory (zip-slip)
[USN-4465-1] Linux kernel vulnerabilities [04:50]
3 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-15393
CVE-2020-12771
CVE-2020-12655
5.3 (hwe)
Memory leak in USB testing driver on disconnect - so physical attacker
could add / remove device and eventually exhaust memory
bcache deadlock -> DoS
Crafted XFS metadata could cause a sync of excessive duration -> DoS
[USN-4462-1] Linux kernel vulnerability [05:53]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-12771
5.0 (gke / oem)
bcache deadlock -> DoS
[USN-4463-1] Linux kernel vulnerabilities [06:06]
2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-15393
CVE-2020-12771
4.4 (xenial / trusy esm hwe)
bcache deadlock
usb testing driver memory leak
[USN-4464-1] GNOME Shell vulnerability [06:24]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-17489
Could show the login password when logging out if had set it visible
during login
[USN-4466-1] curl vulnerability [06:53]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-8231
libcurl - improper handling of the CURLOPT_CONNECT_ONLY option -> could
connect to wrong destination and so expose sensitive info
Goings on in Ubuntu Security Community
Joe and Alex discuss Drovorub Linux malware [07:24]
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
24min
August 13, 2020Episode 86
Overview
This week we discuss the recent announcement of a long-awaited native
client for 1password, plus Google Chrome experiments with anti-phishing
techniques, and we take a look at security updates for OpenJDK 8, Samba,
NSS and more.
This week in Ubuntu Security Updates
13 unique CVEs addressed
[USN-4453-1] OpenJDK 8 vulnerabilities [01:03]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14621
CVE-2020-14593
CVE-2020-14583
CVE-2020-14581
CVE-2020-14579
CVE-2020-14578
CVE-2020-14577
CVE-2020-14556
Usual mix of issues for a Java update - sandbox escape, DoS, information
disclosure etc
[USN-4451-2] ppp vulnerability [01:29]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-15704
Episode 85
[USN-4454-1, USN-4454-2] Samba vulnerability [01:50]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM),
Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14303
A remote attacker could send a zero length UDP packet to Samba when
acting as a AD DC with NetBIOS over TCP (NBT) enabled - would effectively
enter an infinite loop -> CPU-based DoS
[USN-4455-1] NSS vulnerabilities [02:41]
3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-6829
CVE-2020-12401
CVE-2020-12400
Fixes for various side-channel attacks against elliptic curve crypto
implementations - could allow an attacker to infer the private key
Goings on in Ubuntu Security Community
Google Chrome 86 to only show domain in URL bar for phishing experiment [03:20]
Will only show just the domain in the URL bar to select users to see if
this helps avoid phishing
Presumably users will be less likely to mistake a URL like
http://h.paypal.de-checking.net/de/ID.php?u=LhsdoOKJfsjdsdvg for a
real paypay.com URL
One way to help avoid phishing, particularly for credentials, is to use a
password manager that associates credentials with the site in question -
so it should only offer to say fill-in your paypal credentials on a
paypal.com site - and if it does not this is a hint it is not legitimate
Has other benefits too like being able to autogenerate unique passwords
per site, sync across devices etc
1password just launched a beta of their Linux client [06:46]
https://discussions.agilebits.com/discussion/114964/1password-for-linux-development-preview
https://snapcraft.io/1password
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
10min
August 06, 2020Episode 85
Overview
Dr. Levi Perigo is our special guest this week to discuss SDN and NFV with
Joe, plus Alex does the weekly roundup of security updates, including
Ghostscript, Squid, Apport, Whoopsie, libvirt and more.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-4444-1] WebKitGTK vulnerabilities [00:48]
6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-9925
CVE-2020-9915
CVE-2020-9895
CVE-2020-9894
CVE-2020-9893
CVE-2020-9862
Various issues in web / JS engines - remote attacker with a malicious
website could cause XSS, DoS, RCE etc
[USN-4445-1] Ghostscript vulnerability [01:22]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-15900
Integer overflow via `rsearch` operator - could allow to override file
access controls and hence get code execution as the user who is viewing /
processing the PS file - only affects most recent versions
[USN-4446-1] Squid vulnerabilities [02:24]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-18676
CVE-2019-12524
CVE-2019-12523
CVE-2019-12520
Jeriko One & Kristoffer Danielsson - incorrect cache handling -> cache
injection attacks. Incorrect URN / URL handling -> bypass access / rule
checks. Input validation failure -> crash, DoS
[USN-4298-2] SQLite vulnerabilities [03:07]
6 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2019-19926
CVE-2019-13751
CVE-2019-13753
CVE-2019-13752
CVE-2019-13750
CVE-2019-13734
Episode 66
[USN-4447-1] libssh vulnerability [03:27]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-16135
Under low memory conditions, could fail to allocate a buffer, would
result in a NULL pointer dereference and hence crash
[USN-4448-1] Tomcat vulnerabilities [04:01]
3 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-9484
CVE-2020-1935
CVE-2020-13935
Infinite loop if sent a WebSocket frame with an invalid payload length ->
DoS if then sent multiple requests
[USN-4449-1] Apport vulnerabilities [04:23]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15702
CVE-2020-15701
CVE-2020-11936
2 from Ryota Shiga:
Failed to drop privileges correctly when invoking gdbus to determine if
the user is closing their session -> would be invoked with root group
privileges and using the environement of the user - they could override
the DBUS_SESSION_BUS_ADDRESS environment variable, causing gdbus to
connect to a spoofed dbus server and in the process to read a 16-byte
nonce from a file of their choosing - allows to read arbitrary files
that are 16-bytes of length
TOCTOU issue when handling crash dump - if process PID gets recycled
apport could include the wrong processes details in a crash dump that
is then readable by other users - fixed to check process start time is
at least before the time apport itself was invoked
1 from Seong-Joong Kim
Unhandled exception when parsing users preferences configuration file
-> crash, DoS
[USN-4450-1] Whoopsie vulnerabilities [07:24]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15570
CVE-2020-12135
CVE-2020-11937
All 3 from Seong-Joong Kim
Crash when trying to process a crafted crash file (tries to allocate
too large amount of memory and crashes) -> DoS
Integer overflow in vendored bson library when parsing a crafted crash
dump -> heap overflow -> crash, RCE
Memory leak when parsing crash dumps -> crafted report with many
repeated key / value pairs -> OOM, crash -> DoS
[USN-4451-1] ppp vulnerability [09:18]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15704
Ubuntu specific patch - pppd is setuid() root and would helpfully
modprobe ppp_generic module when needed - but would not clear
MODPROBE_OPTIONS environment module and so this could be used to either
load other modules or read other files as root etc - fixed by removing
this functionality since this has not been needed for a long time as
ppp_generic has been built into the kernel since 2012 (ie there is no
ppp_generic module to even load via modprobe)
[USN-4452-1] libvirt vulnerability [10:31]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-15708
libvirt package sets up the libvirt socket via systemd - systemd unit
specifies a SocketMode=0666 so is world writable :( - fixed to ensure
systemd unit specifies this as only owner/group writable and ensures the
owner is root and group is libvirt
[USN-4432-2] GRUB2 regression [11:10]
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15707
CVE-2020-15705
CVE-2020-14308
CVE-2020-14311
CVE-2020-14310
CVE-2020-14309
CVE-2020-15706
CVE-2020-10713
Legacy BIOS systems - grub core (in MBR) and modules (in file-system)
could get out of sync if grub was not being installed onto the correct
disk (this was the case for some users with manually configured RAID
setups / particular cloud images etc) - fixed to just not do the grub
install on the update to ensure they don’t get out of sync (since these
vulnerabilities only are relevant to UEFI secure boot, no need for the
update in BIOS boot systems).
[USN-4441-2] MySQL regression [12:58]
Affecting Focal (20.04 LTS)
Compiler options changed upstream and this could affect other libraries /
apps which link against libmysqlclient - reverted this change since is
not security relevant anyway
Goings on in Ubuntu Security Community
Joe talks SDN & NFV with Dr. Levi Perigo of the University of Colorado [13:28]
https://www.colorado.edu/cs/levi-perigo
https://www.raveninnovation.com/our-team
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
32min
July 30, 2020Episode 84
Overview
In a week when too many security updates are never enough, we cover the
biggest one of them all for a while, BootHole, with an interview between
Joe McManus and Alex Murray for some behind-the-scenes and in-depth
coverage, plus we also look briefly at the other 100-odd CVEs for the week
in FFmpeg, OpenJDK, LibVNCServer, ClamAV and more.
This week in Ubuntu Security Updates
109 unique CVEs addressed
[USN-4428-1] Python vulnerabilities [01:03]
4 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM),
Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14422
CVE-2019-9674
CVE-2019-20907
CVE-2019-17514
CPU based DoS via infinite loop in parsing a crafted tar archive
[USN-4431-1] FFmpeg vulnerabilities [01:31]
9 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04
LTS)
CVE-2020-13904
CVE-2020-12284
CVE-2019-17542
CVE-2019-17539
CVE-2019-13390
CVE-2019-13312
CVE-2019-12730
CVE-2019-11338
CVE-2018-15822
UAF, use of uninitialised variables, heap buffer over-read, NULL pointer
deref etc - most via oss-fuzz
[USN-4430-2] Pillow vulnerabilities [02:15]
5 CVEs addressed in Focal (20.04 LTS)
CVE-2020-11538
CVE-2020-10994
CVE-2020-10379
CVE-2020-10378
CVE-2020-10177
2 buffer overflows in TIFF decoder
[USN-4433-1] OpenJDK vulnerabilities [02:33]
8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14621
CVE-2020-14593
CVE-2020-14583
CVE-2020-14581
CVE-2020-14577
CVE-2020-14573
CVE-2020-14562
CVE-2020-14556
11.0.8 upstream release - thanks to Tiago from Foundations for preparing
these
Usual mix of issues for Java - possible sandbox escape, crash in TIFF
decoder, failure to properly validate TLS certs in some cases etc
[USN-4434-1] LibVNCServer vulnerabilities [03:11]
12 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04
LTS)
CVE-2020-14405
CVE-2020-14404
CVE-2020-14403
CVE-2020-14402
CVE-2020-14401
CVE-2020-14400
CVE-2020-14399
CVE-2020-14398
CVE-2020-14397
CVE-2020-14396
CVE-2019-20840
CVE-2019-20839
2 NULL ptr deref, infinite loop -> DoS when closing connection,
misaligned data access leading to possible crash, integer overflow, OOB
read etc
[USN-4435-1, USN-4435-2] ClamAV vulnerabilities [04:03]
3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM),
Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-3481
CVE-2020-3350
CVE-2020-3327
0.102.4 release
NULL ptr deref on crafted EGG, race condition where could replace target
dir with a symlink and get clamscan to remove that target, OOB read in
ARJ decoder (previous fix Episode 76 was incomplete)
[USN-4436-1, USN-4436-2] librsvg vulnerabilities / regression [04:55]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-20446
CVE-2017-11464
Update caused a regression since it removed a symbol - backed out,
waiting for a more complete fix from upstream
[USN-4437-1] libslirp vulnerability [05:26]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-10756
OOB read in icmp6 echo reply - guest leaks contents of host memory ->
info disclosure
[USN-4438-1] SQLite vulnerability [05:45]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2020-15358
Heap buffer overflow
[USN-4439-1] Linux kernel vulnerabilities [05:51]
14 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-15780
CVE-2019-20908
CVE-2019-12380
CVE-2020-13974
CVE-2020-11935
CVE-2020-10768
CVE-2020-10767
CVE-2020-10766
CVE-2020-10757
CVE-2020-10732
CVE-2019-20810
CVE-2019-19462
CVE-2019-19036
CVE-2019-16089
5.0 (gke/oem)
[USN-4440-1] Linux kernel vulnerabilities [06:05]
12 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-15780
CVE-2020-13974
CVE-2020-11935
CVE-2020-10768
CVE-2020-10767
CVE-2020-10766
CVE-2020-10757
CVE-2020-10732
CVE-2019-20908
CVE-2019-20810
CVE-2019-19462
CVE-2019-16089
5.3 (hwe / azure / gcp / gke / oracle)
[USN-4441-1] MySQL vulnerabilities [06:17]
30 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04
LTS)
CVE-2020-14702
CVE-2020-14697
CVE-2020-14680
CVE-2020-14678
CVE-2020-14663
CVE-2020-14656
CVE-2020-14654
CVE-2020-14651
CVE-2020-14643
CVE-2020-14641
CVE-2020-14634
CVE-2020-14633
CVE-2020-14632
CVE-2020-14631
CVE-2020-14624
CVE-2020-14623
CVE-2020-14620
CVE-2020-14619
CVE-2020-14597
CVE-2020-14591
CVE-2020-14586
CVE-2020-14576
CVE-2020-14575
CVE-2020-14568
CVE-2020-14559
CVE-2020-14553
CVE-2020-14550
CVE-2020-14547
CVE-2020-14540
CVE-2020-14539
8.0.21 (focal)
5.7.31 (bionic / xenial)
[USN-4442-1] Sympa vulnerabilities [06:54]
3 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-10936
CVE-2018-1000671
CVE-2018-1000550
Mailing list manager - possible privesc via injection of environment
variables to run setuid wrappers arbitrary code
[USN-4443-1] Firefox vulnerabilities [07:27]
9 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04
LTS)
CVE-2020-15655
CVE-2020-15659
CVE-2020-15658
CVE-2020-15656
CVE-2020-15654
CVE-2020-15653
CVE-2020-15652
CVE-2020-6514
CVE-2020-6463
79.0
[USN-4432-1] GRUB 2 vulnerabilities [07:39]
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15707
CVE-2020-15705
CVE-2020-14308
CVE-2020-14311
CVE-2020-14310
CVE-2020-14309
CVE-2020-15706
CVE-2020-10713
Goings on in Ubuntu Security Community
Alex and Joe take an in-depth and behind-the-scenes look at BootHole / GRUB 2 [08:14]
https://ubuntu.com/blog/mitigating-boothole-theres-a-hole-in-the-boot-cve-2020-10713-and-related-vulnerabilities
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass
Alex hints at pending future secureboot-db update [23:55]
https://uefi.org/revocationlistfile
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
26min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.