Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

July 24, 2020Episode 83
Overview
This week Joe talks Linux Security Modules stacking with John Johansen and
Steve Beattie plus Alex looks at security updates for snapd, the Linux
kernel and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4199-2] libvpx vulnerabilities [01:05]
3 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2019-9433
CVE-2019-9232
CVE-2017-13194
VP8/VP9 video code (webm)
Various OOB read on crafted input
[USN-4424-1] snapd vulnerabilities [01:38]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-11934
CVE-2020-11933
James Henstridge from Ubuntu Desktop team
snapd sandbox for strict mode snaps - within sandbox provides xdg-open
implementation which can forward to the real xdg-open outside the
sandbox - but would use XDG_DATA_DIRS env from the snap when launching
xdg-open outside of the snap - XDG_DATA_DIRS could then contain a
directory which the snap itself controls - allows to launch arbitrary
binaries from the snap outside of confinement
Fixed to not incorporate XDG_DATA_DIRS from the snap
cloud-init would run on every boot without restriction - supports the
concept of loading meta-data from an external disk - so a local attacker
with physical access could alter the boot sequence - would be an issue
with FDE since could intercept the disk encryption key etc - fixed via
snapd to disable cloud-init after the first boot since cloud-init is
managed by snapd
Is only an issue for Ubuntu Core 16/18 devices which employed FDE
Doesn’t affect UC20
[USN-4425-1] Linux kernel vulnerabilities [06:20]
4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-15780
CVE-2020-11935
CVE-2019-19462
CVE-2019-16089
5.4 kernel (focal / bionic hwe)
Possible bypass of Secure Boot lockdown protections via loading of ACPI
tables via configs - provides a means of arbitrary memory write - allows
root user to bypass lockdown
aufs inode reference count issue - BUG() -> DoS
relay subsystem crash (Episode 81)
[USN-4426-1] Linux kernel vulnerabilities [7:32]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-15780
CVE-2020-11935
CVE-2020-10757
CVE-2019-20908
4.15 kernel (bionic / xenial hwe)
ACPI lockdown bypass / aufs inode above
Second lockdown bypass via loading of ACPI tables via the SSDT EFI
variable similar to above
DAX (direct access to files in persistent memory arrays) huge pages
support - abuse mremap() to gain root privileges - requires the system to
make use of DAX storage to be able to exploit
[USN-4427-1] Linux kernel vulnerabilities [08:30]
10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2019-12380
CVE-2020-13974
CVE-2020-11935
CVE-2020-10768
CVE-2020-10767
CVE-2020-10766
CVE-2020-10732
CVE-2019-20908
CVE-2019-20810
CVE-2019-19947
4.4 kernel (xenial / trusty hwe)
aufs
Various means to bypass spectre related mitigations
SSDT ACPI lockdown bypass
[USN-4429-1] Evolution Data Server vulnerability [09:12]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-14928
Very similar to recent mutt & Thunderbird vuln from Episode 81 / Episode
82
Would read extra data after clear-text “begin TLS” when initiating
STARTTLS - would allow an untrusted attacker who could intercept and
modify traffic to inject arbitrary responses that then get processed
later as though they had come from the trusted, encrypted connection to
the server - fixed in same way as mutt by clearing buffered content when
starting TLS
[USN-4430-1] Pillow vulnerabilities [10:24]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-11538
CVE-2020-10994
CVE-2020-10378
CVE-2020-10177
Python Imaging Library - used for image handling by lots of Python GUIs
All OOB reads on crafted input -> crash, DoS
Goings on in Ubuntu Security Community
John Johansen and Steve Beattie talk Linux Security Modules with Joe [10:51]
https://www.kernel.org/doc/html/latest/security/lsm.html
https://lwn.net/Articles/808048/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
29min
July 17, 2020Episode 82
Overview
With Ubuntu 19.10 going EOL, we have a special interview by Joe with Chris
Coulson and Steve Beattie from the Ubuntu Security Team to talk TPMs and
Ubuntu Core 20, plus Alex looks at some of the 71 CVEs addressed by the
team and more.
This week in Ubuntu Security Updates
71 unique CVEs addressed
[USN-4407-1] LibVNCServer vulnerabilities [01:02]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2017-18922
CVE-2019-20788
CVE-2019-15690
CVE-2019-15681
CVE-2019-15680
Used by gnome-remote-desktop, virtualbox and others
Provides both a server and client libraries
So some issues affect clients when connecting to a malicious server,
others could be from a malicious client to the server
Issues when handling WebSocket frames, cursor shape updates,
ServerCutText messages and decompression of zlib compressed data - crash ->
DoS, info leak, RCE etc
[USN-4408-1] Firefox vulnerabilities [01:57]
11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12421
CVE-2020-12426
CVE-2020-12425
CVE-2020-12424
CVE-2020-12422
CVE-2020-12420
CVE-2020-12419
CVE-2020-12418
CVE-2020-12417
CVE-2020-12416
CVE-2020-12415
78.0.1
Would reject certificate chains for addons which did not terminate in a
built-in root certificate - could cause some add-ons to become outdated
as it would reject updates for them
Usual web browser issues -> crafted website DoS, info leak, bypass
permission prompts or RCE
[USN-4409-1] Samba vulnerabilities [03:00]
3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-10760
CVE-2020-10745
CVE-2020-10730
2 separate issues when handling LDAP queries -> both UAF -> crash -> DoS
or RCE
CPU based DoS when processing NetBIOS over TCP/IP
[USN-4410-1] Net-SNMP vulnerability [03:44]
1 CVEs addressed in Focal (20.04 LTS)
CVE-2019-20892
Double free -> heap memory corruption -> crash / RCE
[USN-4411-1] Linux kernel vulnerabilities [04:02]
5 CVEs addressed in Focal (20.04 LTS)
CVE-2020-12768
CVE-2020-13143
CVE-2020-12770
CVE-2020-10711
CVE-2020-10732
5.4 kernel
Various low impact issues - info leak due to failure to initialise memory
when handling ELF code, SELinux network label handling NULL ptr deref,
SCSI driver OOB read, USB gadget OOB read via configfs etc
[USN-4412-1] Linux kernel vulnerabilities [04:57]
5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)
CVE-2020-12768
CVE-2020-10751
CVE-2020-13143
CVE-2020-12770
CVE-2020-10711
5.3 kernel (bionic HWE)
Most of above plus an SELinux failure to validate all parts of a
multi-part netlink message - could then possibly bypass SELinux access
controls - SELinux is not the default LSM in Ubuntu - AppArmor
[USN-4413-1] Linux kernel vulnerabilities [05:58]
5 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-12768
CVE-2020-10751
CVE-2020-13143
CVE-2020-12770
CVE-2020-10711
5.0 kernel (gke/oem)
[USN-4414-1] Linux kernel vulnerabilities [06:10]
12 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2019-19039
CVE-2019-12380
CVE-2020-13143
CVE-2020-12770
CVE-2020-10711
CVE-2019-19462
CVE-2019-19377
CVE-2019-19816
CVE-2019-19813
CVE-2019-19318
CVE-2019-19036
CVE-2019-16089
4.15 kernel (bionic / xenial hwe)
Some of above, plus others and a kernel->user space relay bug where
local user could trigger a crash -> DoS via improper return values to the
kernel
[USN-4419-1] Linux kernel vulnerabilities [06:49]
5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-8992
CVE-2020-13143
CVE-2020-12770
CVE-2020-10711
CVE-2020-10690
4.4 kernel (xenial / trusty hwe)
ptp race condition during device allocation and removal due to a dangling
pointer to free’d memory
[USN-4415-1] coTURN vulnerabilities [07:33]
3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-6062
CVE-2020-6061
CVE-2020-4067
TURN / STUN server used to traverse VoIP media traffic over NAT with a
telnet / HTTPS management interface
Info leak due to failure to zero memory used for response buffers
Improper handling of HTTP POST requests to the web interface -> DoS /
info-leak etc
[USN-4416-1] GNU C Library vulnerabilities [08:04]
11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10)
CVE-2020-1752
CVE-2020-1751
CVE-2020-10029
CVE-2019-9169
CVE-2019-19126
CVE-2018-6485
CVE-2018-19591
CVE-2018-11237
CVE-2018-11236
CVE-2017-18269
CVE-2017-12133
Failure to handle regex/s, bit patters, path tilde expansion, hostname
lookups, memalign & AVX-512 optimised memcpy() etc -> memory corruption
-> crash / RCE
Possible ASLR bypass for setuid() programs since would not respect the
LD_PREFER_MAP_32BIT_EXEC environment variable after security transition
and so a local attcker could use this to restrict the range of memory
addresses used when loading libraries
[USN-4417-1, USN-4417-2] NSS vulnerability [09:38]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12402
Possible RSA side-channel due to input-dependent code flow - would allow
possible RSA private key extraction via electromagnetic-based
side-channel measurements
[USN-4418-1] OpenEXR vulnerabilities [10:06]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-15306
CVE-2020-15305
Heap buffer overflow and UAF
[USN-4420-1] Cinder and os-brick vulnerability [10:13]
1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
CVE-2020-10755
Possible exposure of credentials when using the Dell EMC ScaleIO or
VxFlex OS backend storage drivers - credentials would be accessible via
the connection_info element in various API calls - instead credentials
get moved to a file on disk so may require some changes on various
deployed environments as a result
[USN-4421-1] Thunderbird vulnerabilities [10:52]
10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12421
CVE-2020-12399
CVE-2020-12398
CVE-2020-12420
CVE-2020-12419
CVE-2020-12418
CVE-2020-12417
CVE-2020-12410
CVE-2020-12406
CVE-2020-12405
68.10.0
Most firefox issues mentioned earlier, plus a specific TB one where if an
attacker could potentially intercept and modify traffic across a STARTTLS
IMAP server by responding with a PREAUTH.
[USN-4376-2] OpenSSL vulnerabilities [11:33]
3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2019-1563
CVE-2019-1559
CVE-2019-1547
Episode 77
[USN-4422-1] WebKitGTK+ vulnerabilities [11:40]
8 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-9850
CVE-2020-9843
CVE-2020-9807
CVE-2020-9806
CVE-2020-9805
CVE-2020-9803
CVE-2020-9802
CVE-2020-13753
[USN-4423-1] Firefox vulnerability [11:52]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
78.0.2
Possible click-jacking attack via crafted X-Frame-Options bypass when
visiting a specially crafted website (no CVE..)
Goings on in Ubuntu Security Community
Joe talks TPMs and Ubuntu Core 20 with Chris Coulson and Steve Beattie [12:30]
https://forum.snapcraft.io/t/uc20-beta1-released/18631
Ubuntu 19.10 Eoan Ermine goes end-of-life [23:12]
https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-July/005494.html
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
25min
July 03, 2020Episode 81
Overview
Joe talks cyber security policy with Dr David Reed from CU Boulder, plus
Alex covers the week in security updates including Mutt, NVIDIA graphics
drivers, Mailman and more.
This week in Ubuntu Security Updates
6 unique CVEs addressed
[USN-4403-1] Mutt vulnerability and regression [00:40]
1 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-14954
When connecting to an IMAP/SMTP/POP3 server via STARTTLS, would read
additional data after the clear-text command to begin TLS - if someone
was able to intercept the connection they could inject content which
would then later get processed by Mutt as though it had come from the TLS
connection. Fixed to simply clear input buffer at the start of TLS
negotiation.
Also includes a fix for a possible regression in the previous security
update (Episode 80)
[USN-4404-1, USN-4404-2] NVIDIA graphics drivers & Linux kernel vulnerabilities [01:59]
3 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-5973
CVE-2020-5967
CVE-2020-5963
CUDA driver failed to properly perform access control during IPC - could
allow a local attacker to DoS/RCE
UVM driver (Unified Virtual Memory - used with CUDA driver for better
performance) race condition - local attacker DoS
Virtual guest GPU driver unspecified vuln -> privileged operations -> DoS
Updates the linux kernel source package since this is used to provide the
DKMS packages
[USN-4405-1] GLib Networking vulnerability [03:15]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13645
glib-networking - additional library for glib/gio to provide TLS (ie
links against gnutls etc.)
Would fail to verify that the hostname of a server’s TLS certificate
matches the expected hostname by the client - but only if the client
failed to specify the hostname itself. If did not provide hostname, would
expect it to fail validation completely. Balsa (GNOME mail client) did
this, so could possibly be tricked into connecting to a different mail
server as a result.
[USN-4406-1] Mailman vulnerability [04:48]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-15011
Failed to validate inputs to the private archive login page - would then
echo these back inside the generated page and so provides arbitrary
content injection from a crafted URL.
Goings on in Ubuntu Security Community
Joe talks cyber security policy with Dr David Reed, Scholar in Residence @ UC Boulder [05:51]
https://www.colorado.edu/program/tcp/people/david-reed
Stock price study:
https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/
FCC 5G FAST Plan
https://docs.fcc.gov/public/attachments/DOC-354326A1.pdf
Ubuntu Security Notices relocated [27:00]
Thanks to the design and web teams at Canonical
Notices now live at https://ubuntu.com/security/notices/
Old notices from https://usn.ubuntu.com will get redirected
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
29min
June 25, 2020Episode 80
Overview
This week, Sid Faber and Kyle Fazzari of the Ubuntu Robotics team interview
Vijay Sarvepalli from CERT about the recent Ripple20 vulnerabilities
announcement, plus we look at security updates for Bind, Mutt, curl and
more.
This week in Ubuntu Security Updates
8 unique CVEs addressed
[USN-4397-2] NSS vulnerability [00:40]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-12399
Episode 79 - timing side-channel attack during DSA key generation
[USN-4399-1] Bind vulnerabilities [01:00]
2 CVEs addressed in Focal (20.04 LTS)
CVE-2020-8619
CVE-2020-8618
2 DoS issues (resulting from the ability to crash BIND) - an
authoritative nameserver which provides entries containing asterisks
could change entries and cause BIND to crash, also an attacker who can
send crafted zone data to cause a zone transfer could trigger an
assertion failure -> crash
[USN-4400-1] nfs-utils vulnerability [01:44]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2019-3689
/var/lib/nfs was writable by statd user - if this user were compromised
could change then contents of this directory. This dir also contains
files owned and managed by root (rmtab etc) - mountd uses rmtab and so
since statd user can change this files contents, they could make mountd
create or overwrite other files on the system as root -> and so escalate
privileges. Fixed to just make the few specific subdirectories owned by
statd.
[USN-4401-1] Mutt vulnerabilities [03:16]
2 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-14154
CVE-2020-14093
2 issues on handling of TLS connections for IMAP servers, could allow a
middleperson attack since wouldn’t properly do authentication of the
network connection, and would proceed to connect even if a user chooses
to reject the connection due to an expired certificate. So only relevant
if using mutt to connect to IMAP directly.
[USN-4402-1] curl vulnerabilities [04:06]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-8177
CVE-2020-8169
Could be tricked to overwrite local files as
specified by a malicious server when using the CLI arguments -i in
combination with -J - -J is used to specify that the local filename
should come from a HTTP header specified by the server. Normally this
refuses to overwrite any existing local file but when using in
conjunction with -i this check was skipped.
Possible partial password leak since could be tricked into appending part
of the password to the hostname before this is resolved via DNS during a
redirect - but only if the password contains an @ character….
Goings on in Ubuntu Security Community
Sid Faber and Kyle Fazzari interview Vijay Sarvepalli from CERT about Ripple20 [05:44]
https://www.us-cert.gov/ncas/current-activity/2020/06/16/ripple20-vulnerabilities-affecting-treck-ip-stacks
https://www.us-cert.gov/ics/advisories/icsa-20-168-01
https://insights.sei.cmu.edu/author/vijay-sarvepalli/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
29min
June 19, 2020Episode 79
Overview
This week Joe discusses Intel’s CET announcement with John Johansen, plus
Alex details recent security fixes including SQLite, fwupd, NSS, DBus and
more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4394-1] SQLite vulnerabilities [00:56]
9 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13632
CVE-2020-13631
CVE-2020-13630
CVE-2020-13435
CVE-2020-13434
CVE-2020-11655
CVE-2019-19645
CVE-2019-19603
CVE-2018-8740
NULL ptr deref via crafted query, UAF, OOB read, integer overflow when
printing high precision floating point numbers, various minor issues when
handling crafted databases
[USN-4385-2] Intel Microcode regression [01:43]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-0549
CVE-2020-0548
CVE-2020-0543
Episode 78 - SRBDS etc - microcode is specific to processors, and is
identified by the triplet of CPU Family, Model and Stepping - this is
listed in /proc/cpuinfo - mine say is 6, 142, 10 - in hex - 06-8E-0A -
would cause a specific Skylake processor type to fail to boot
(06-4e-03) - we reverted this back to the previous release version from
November 2019
[USN-4395-1] fwupd vulnerability [03:39]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-10759
A crafted firmware update file could bypass signature verification - in
general not an issue since would need to be able to get in the middle of
firmware updates (which come from LVFS via HTTPS) - so either would need
to compromise LVFS directly or the HTTPS connection to it.
Dangling S3 bucket… :/
https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
[USN-4315-2] Apport vulnerabilities [06:11]
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-8833
CVE-2020-8831
Episode 70
[USN-4396-1] libexif vulnerabilities [06:24]
6 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13114
CVE-2020-13113
CVE-2020-13112
CVE-2020-0198
CVE-2020-0182
CVE-2020-0093
UAF due to uninitialised memory, various buffer over-reads, integer
overflow, etc
[USN-4397-1] NSS vulnerabilities [07:24]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12399
CVE-2019-17023
Possible timing side-channel attack during DSA key generation - due to
the difference in time of various operations (dependent on the contents
of the private key) - the key value could be inferred by an attacker
[USN-4398-1, USN-4398-2] DBus vulnerability [08:01]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12049
DBus can be used to send file-descriptors - client sends to server via
the dbus daemon - daemon will validate that messages only contain a
certain number of file-descriptors - if too may, will reject BUT fail to
close those file-descriptors - eventually would accumulate too many open
files itself and so the daemon would not be able to accept new
connections -> DoS from a local unprivileged user
Goings on in Ubuntu Security Community
Joe discusses Intel CET with John Johansen (aka JJ) [09:28]
Return Oriented Programming (ROP) https://en.wikipedia.org/wiki/Return-oriented_programming
Sigreturn Oriented Programming (SROP) (https://en.wikipedia.org/wiki/Sigreturn-oriented_programming
Jump/Call Oriented Programming (JOP) https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/ASIACCS11.pdf
Control-flow Enforcement technology (CET)
https://www.linuxplumbersconf.org/event/2/contributions/147/attachments/72/83/CET-LPC-2018.pdf
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
CFI in software
https://www.cse.usf.edu/~ligatti/papers/cficcs.pdf
CET on Linux
Kernel
https://lwn.net/Articles/758245/
gcc
https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=8d286dd118a5bd16f7ae0fb9dfcdcfd020bea803
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d17cdc17c90ce77cb90c569322c1f241d3530cec
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=d21486483579c2205fcabf1308b155000af86fe1
https://gcc.gnu.org/git/?p=gcc.git&a=search&h=HEAD&st=commit&s=CET
glibc
https://sourceware.org/legacy-ml/libc-alpha/2018-08/msg00003.html
LLVM/Clang
not just CET, clang has it own CFI not dependent on CET but will support CET
https://clang.llvm.org/docs/ControlFlowIntegrity.html
https://clang.llvm.org/docs/ShadowCallStack.html
CET on windows
https://windows-internals.com/cet-on-windows/
Pre CET software based CFI on windows
https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
Papers/talks on attacking CET/CFI
https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Sun-How-to-Survive-the-Hardware-Assisted-Control-Flow-Integrity-Enforcement.pdf
https://windows-internals.com/cet-on-windows/
Smashing the stack for fun and profit
https://www.eecs.umich.edu/courses/eecs588/static/stack_smashing.pdf
StackClash
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
24min
June 12, 2020Episode 78
Overview
SRBDS aka CrossTalk, the latest Intel speculative execution attack, is the
big news this week in security updates for Ubuntu, as well as fixes for
GnuTLS, Firefox and more, plus Alex and Joe talk about using STRIDE for
threat modelling of software products.
This week in Ubuntu Security Updates
39 unique CVEs addressed
[USN-4381-2] Django vulnerabilities [01:00]
2 CVEs addressed in Trusty ESM (14.04 ESM)
CVE-2020-13596
CVE-2020-13254
Episode 77
[USN-4382-1] FreeRDP vulnerabilities [01:28]
14 CVEs addressed in Xenial (16.04 LTS)
CVE-2020-13398
CVE-2020-13397
CVE-2020-13396
CVE-2020-11526
CVE-2020-11525
CVE-2020-11523
CVE-2020-11522
CVE-2020-11521
CVE-2020-11058
CVE-2020-11049
CVE-2020-11048
CVE-2020-11046
CVE-2020-11045
CVE-2020-11042
Episode 77 covered a similar update for FreeRDP2 in 18.04 LTS, 19.10, 20.04 LTS
This is the corresponding update for FreeRDP 1 in 16.04 LTS
[USN-4383-1] Firefox vulnerabilities [02:09]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12399
CVE-2020-12411
CVE-2020-12410
CVE-2020-12409
CVE-2020-12408
CVE-2020-12407
CVE-2020-12406
CVE-2020-12405
77.0.1
[USN-4384-1] GnuTLS vulnerability [02:54]
1 CVEs addressed in Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13777
Rare Friday update - high priority GnuTLS vulnerability - would use an
all-zero key for encrypting TLS session ticket
TLS1.3 -> enables a middleperson attack against resumed sessions
TLS1.2 -> enables passive decryption of traffic to/from servers when the
client supports session tickets
[USN-4386-1] libjpeg-turbo vulnerability [04:19]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13790
Heap buffer over-read via crafted PPM file -> info disclosure / crash
[USN-4385-1] Intel Microcode vulnerabilities [04:49]
3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-0549
CVE-2020-0548
CVE-2020-0543
Latest Intel microarchitectural cache side-channel vulnerabilities - L1D
cache, vector registers, special registers
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SRBDS
Special register buffer data sampling (SRBDS) -> RDRAND, RDSEED etc ->
aka CrossTalk -> micro-arch buffer is shared across cores so old values
could be read by other processors
microcode clears buffers -> performance decrease for RDRAND etc as a
result -> kernel update contains support for a kernel command-line arg to
disable this mitigation
[USN-4387-1] Linux kernel vulnerabilities [07:25]
5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)
CVE-2020-12659
CVE-2020-12464
CVE-2020-12114
CVE-2020-0543
CVE-2020-0067
5.3
Kernel command-line option to disable SRBDS mitigation
F2FS bounds check fail on xattrs -> OOB read -> info leak
USB scatter-gather UAF -> malicious USB device -> crash / RCE
XDP socket fail to validate userspace metadata -> OOB write -> requires
CAP_NET_ADMIN
[USN-4388-1] Linux kernel vulnerabilities [08:40]
6 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-1749
CVE-2020-12659
CVE-2020-12464
CVE-2020-12114
CVE-2020-0543
CVE-2020-0067
5.0 gke & oem
[USN-4389-1] Linux kernel vulnerabilities [08:54]
6 CVEs addressed in Focal (20.04 LTS)
CVE-2020-10751
CVE-2020-12659
CVE-2020-12464
CVE-2020-12114
CVE-2020-0543
CVE-2020-0067
5.4
[USN-4390-1] Linux kernel vulnerabilities [09:02]
6 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-10751
CVE-2020-1749
CVE-2020-12464
CVE-2020-12114
CVE-2020-0543
CVE-2020-0067
4.15 (14.04 ESM azure, 16.04 LTS - hwe, 18.04 LTS
all)
As above + IPsec fail to encrypt IPv6 in some conditions -> info leak
[USN-4391-1] Linux kernel vulnerabilities [09:35]
8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-10751
CVE-2020-1749
CVE-2020-12826
CVE-2020-12769
CVE-2020-12464
CVE-2020-12114
CVE-2020-0543
CVE-2019-19319
4.4
[USN-4392-1] Linux kernel vulnerabilities [09:46]
3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-12114
CVE-2020-0543
CVE-2020-12654
3.13
[USN-4393-1] Linux kernel vulnerabilities [09:46]
2 CVEs addressed in Precise ESM (12.04 ESM)
CVE-2020-0543
CVE-2020-12654
3.2
Goings on in Ubuntu Security Community
Joe and Alex discuss Threat Modelling via STRIDE [10:12]
https://en.wikipedia.org/wiki/STRIDE_(security)
https://threatmodelingbook.com/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
25min
June 07, 2020Episode 77
Overview
This week we look at security updates for Unbound, OpenSSL, Flask, FreeRDP,
Django and more, plus Joe and Alex discuss the Octopus malware infecting
Netbeans projects.
This week in Ubuntu Security Updates
40 unique CVEs addressed
[USN-4374-1] Unbound vulnerabilities
2 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12663
CVE-2020-12662
NXNS attack (Episode 75) (form of DNS reflection attack)
Infinite loop when processing malformed answers from upstream servers ->
CPU DoS
[USN-4375-1] PHP vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2019-11048
DoS via upload of files with very long names -> memory allocation
failure, stop process, fail to cleanup temp file on disk -> disk space
DoS
[USN-4376-1] OpenSSL vulnerabilities
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10)
CVE-2019-1563
CVE-2019-1551
CVE-2019-1549
CVE-2019-1547
Timing side-channel attack against ECDSA signatures -> recover private
keys
RNG state shared between parent and child process across fork()
Vulnerable to padding oracle attack -> decrypt traffic
[USN-4360-4] json-c vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12762
Episode 75 -> update, regression, update without fix -> now properly
fixed vuln without regression
[USN-4359-2] APT vulnerability
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-3810
Episode 75 (ar archive handling)
[USN-4367-2] Linux kernel regression
3 CVEs addressed in Focal (20.04 LTS)
CVE-2020-12657
CVE-2020-11565
CVE-2019-19377
5.4 kernel (Episode 75)
overlayfs regression - caused by adding some changes for shiftfs to
special-case overlayfs - BUT in-fact was already present in overlayfs and
this just manifested it - so for now revert the shiftfs related changes
until is fixed properly in overlayfs itself
[USN-4369-2] Linux kernel regression
8 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)
CVE-2020-12657
CVE-2020-11668
CVE-2020-11609
CVE-2020-11608
CVE-2020-11565
CVE-2020-11494
CVE-2019-19769
CVE-2019-19377
5.3 kernel (Episode 75)
overlayfs regression above
[USN-4377-1, USN-4377-2] ca-certificates update
Affecting Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
“AddTrust Exteral Root CA” certificate had expired - curl and other
applications would fail to connect if they found a certificate chain
which validated via this cert (even if other paths in the chain would be
valid) - removing this cert is the easiest way to fix the issue.
Updated the certs for 16.04 & 18.04 LTS as well
[USN-4378-1] Flask vulnerability
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2018-1000656
DoS via memory exhaustion on crafted inputs
[USN-4379-1] FreeRDP vulnerabilities
19 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13398
CVE-2020-13397
CVE-2020-13396
CVE-2020-11526
CVE-2020-11525
CVE-2020-11524
CVE-2020-11523
CVE-2020-11522
CVE-2020-11521
CVE-2020-11058
CVE-2020-11049
CVE-2020-11048
CVE-2020-11047
CVE-2020-11046
CVE-2020-11045
CVE-2020-11044
CVE-2020-11042
CVE-2019-17177
CVE-2018-1000852
Various issues including, OOB write for RSA crypto handling, OOB read on
font handling, info disclosure via ability to read client memory as color
info, etc.
[USN-4380-1] Apache Ant vulnerability
1 CVEs addressed in Eoan (19.10)
CVE-2020-1945
Info leak to / malicious code exec from a local user due to the use of
system-wide /tmp for several tasks (Mike Salvatore)
[USN-4381-1] Django vulnerabilities
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-13596
CVE-2020-13254
XSS via the admin ForeignKeyRawIdWidget due to failure to properly
encoded query parameters
Failure to properly validate memcached cache keys - could allow a remote
attacker to DoS / info leak
Goings on in Ubuntu Security Community
Alex and Joe discuss Github report on Octopus malware targetting Netbeans projects
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
21min
May 28, 2020Episode 76
Overview
This week we welcome back Vineetha Kamath, Ubuntu Security Certifications
Manager, to discuss the recent release of FIPS modules for Ubuntu 18.04 LTS
and we look at security updates for Bind, ClamAV, QEMU, the Linux kernel
and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4365-2] Bind vulnerabilities [00:37]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
CVE-2020-8617
CVE-2020-8616
Episode 75 - https://nxnsattack.com
[USN-4369-1] Linux kernel vulnerabilities [01:11]
8 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)
CVE-2020-12657
CVE-2020-11668
CVE-2020-11609
CVE-2020-11608
CVE-2020-11565
CVE-2020-11494
CVE-2019-19769
CVE-2019-19377
5.3 (19.10, 18.04 LTS HWE)
Episode 75 for details
[USN-4370-1, USN-4370-2] ClamAV vulnerabilities [01:35]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-3341
CVE-2020-3327
Stack and heap buffer over-reads in the PDF and ARJ (Archived by Rober
Jung) file parsers -> crash -> DoS
[USN-4371-1] libvirt vulnerabilities [02:36]
2 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)
CVE-2020-12430
CVE-2020-10703
Memory leak able to be triggered by local users with read-only qemu
access when retrieving domain stats -> DoS
[USN-4372-1] QEMU vulnerabilities [03:08]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-1983
CVE-2020-11869
CVE-2020-10702
CVE-2019-20382
CVE-2019-15034
UAF in libslirp
Integer overflow in handling of ATI VGA emulation -> guest to host crash
[USN-4373-1] Thunderbird vulnerabilities [03:44]
5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12397
CVE-2020-12392
CVE-2020-12395
CVE-2020-12387
CVE-2020-6831
68.8.0
Goings on in Ubuntu Security Community
Joe McManus and Vineetha Kamath discuss FIPS certification for Ubuntu 18.04 LTS [04:10]
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
13min
May 22, 2020Episode 75
Overview
In episode 75 we look at security updates for APT, json-c, Bind, the Linux
kernel and more, plus Joe and Alex discuss recent phishing attacks and the
Wired biopic of Marcus Hutchins.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4358-1] libexif vulnerabilities [00:44]
2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12767
CVE-2018-20030
Divide by zero and a CPU infinite loop (DoS) for handling crafted exif
content
[USN-4359-1] APT vulnerability [01:19]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-3810
Own ar archive handling code
Stack buffer OOB read for ar archive members with specially crafted
names - tried to handle spaces etc in names but if the name was all
spaces would overrun the name and read past the end of it
[USN-4360-1] json-c vulnerability [02:04]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12762
Integer overflow -> OOB write from a large json file
[USN-4360-2, USN-4360-3] json-c regression [02:27]
Affecting Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
Upstream fix had a bug where logic for trying to handle integer overflow
was inverted and so would cause INT_MAX (2GB) memory to be allocated
On machines with a small amount of memory this could exhaust all and
trigger OOM killer
Part of logic of the package is to trigger a rexec of upstart (which
serialises itself via libjson) - so this could cause upstart to consume
all memory, get killed to OOM killer and cause fail to boot etc
upstart not used as default init on xenial+ and initial update was
delayed for ESM so only a small number of users would be affected (those
running 16.04 LTS/xenial who had manually configured upstart as init)
[USN-4361-1] Dovecot vulnerabilities [04:13]
3 CVEs addressed in Eoan (19.10), Focal (20.04 LTS)
CVE-2020-10958
CVE-2020-10967
CVE-2020-10957
3 issues discovered by Philippe Antoine
UAF sending command is followed by a sufficient number of newlines -> crash
Sending with empty quoted localpart or malformed NOOP commands -> crash
[USN-4362-1] DPDK vulnerabilities [04:47]
5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-10726
CVE-2020-10725
CVE-2020-10724
CVE-2020-10723
CVE-2020-10722
Data-plane development kit (provides TCP offloading to userspace to
accelerate package processing workloads)
Used by openvswitch for OpenStack software defined networking
Memory leak and file-descriptor leak -> DoS
Guest to host crash via a missing check on an address in an io descriptor
Failure to validate key lengths
Integer overflow on host from guest -> crash
[USN-4367-1] Linux kernel vulnerabilities [05:51]
3 CVEs addressed in Focal (20.04 LTS)
CVE-2020-12657
CVE-2020-11565
CVE-2019-19377
5.4 kernel
UAF due to a race-condition in bfq block io scheduler in block subsystem
Bug in parsing of mount options for tmpfs -> stack overflow (need root
privileges etc to specify mount options)
UAF in btrfs when handling a specially crafted file-system image
[USN-4363-1] Linux kernel vulnerabilities [06:42]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-12657
CVE-2020-11669
CVE-2020-11565
CVE-2020-11494
4.15 kernel
block io scheduler UAF
PowerPC specific guest -> host VM crash on save / restore of authority
mask registers
tmpfs mount option parsing
Serial CAN driver did not initialise stack data so could leak stack
memory to userspace etc
[USN-4364-1] Linux kernel vulnerabilities [07:30]
7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
CVE-2020-11668
CVE-2020-11609
CVE-2020-11608
CVE-2020-11565
CVE-2020-11494
CVE-2020-10942
CVE-2019-19060
4.4 kernel
USB camera drivers fail to validate device metadata -> NULL ptr deref etc (crash)
tmpfs & serial CAN above
[USN-4368-1] Linux kernel vulnerabilities [07:59]
8 CVEs addressed in Bionic (18.04 LTS)
CVE-2020-12657
CVE-2020-11669
CVE-2020-11668
CVE-2020-11609
CVE-2020-11608
CVE-2020-11565
CVE-2020-11494
CVE-2019-19769
5.0 gke/eom (based off Ubuntu 19.04 disco kernel)
block io scheduler UAF
ppc specific guest -> host VM crash on save / restore of authority mask
registers
USB camera drivers fail to validate device metadata
tmpfs & serial CAN above
[USN-4365-1] Bind vulnerabilities [08:31]
2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-8617
CVE-2020-8616
DNS refelection attack via recursive resolution -
http://www.nxnsattack.com/
[USN-4366-1] Exim vulnerability [09:14]
1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12783
OOB read in Secure Password Authentication (SPA, also known as NTLM)
authenticator, could result in SPA/NTLM auth bypass
Goings on in Ubuntu Security Community
Alex and Joe discuss recent trends in phishing attacks and Marcus Hutchins (aka MalwareTech) [09:43]
https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
30min
May 15, 2020Episode 74
Overview
Special guest, Tim McNamara, author of Rust In Action talks all things Rust
plus we look at security updates for Linux bluetooth firmware, OpenLDAP,
PulseAudio, Squid and more.
This week in Ubuntu Security Updates
17 unique CVEs addressed
[USN-4351-1] Linux firmware vulnerability [01:03]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2018-5383
Bluetooth devices failed to properly validate elliptic curve parameters
used in key exchange - remote attacker could possibly force a weak key to
be used and hence obtain the encryption key. Required changes to both the
kernel and firmware blobs - kernel was updated previously (Episode 43) -
this is the corresponding update for firmware
[USN-4352-1, USN-4352-2] OpenLDAP vulnerability [02:05]
1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM),
Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12243
A search filter with a large number of nested boolean expressions could
cause slapd daemon to crash via deep stack recursion - add a hard coded
limit to resolve this
[USN-4353-1] Firefox vulnerabilities [02:46]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12392
CVE-2020-12396
CVE-2020-12395
CVE-2020-12394
CVE-2020-12391
CVE-2020-12390
CVE-2020-12387
CVE-2020-6831
76.0
Displays alerts for breached passwords stored in Lockwise
Usual UAF, sandbox escape, buffer overflows, content security policy
bypass etc
https://www.mozilla.org/en-US/firefox/76.0/releasenotes/
[USN-4353-2] Firefox regression [03:34]
8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-12392
CVE-2020-12396
CVE-2020-12395
CVE-2020-12394
CVE-2020-12391
CVE-2020-12390
CVE-2020-12387
CVE-2020-6831
76.0.1
Regression in behaviour related to addons - could impair their
functionality
https://www.mozilla.org/en-US/firefox/76.0.1/releasenotes/
[USN-4354-1] Mailman vulnerability [03:51]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
CVE-2020-12108
Arbitrary content injection via options login page - if the submitted
email address looking invalid it would be echo’d back to the user - and
so anything supplied as the email address would be displayed
[USN-4355-1] PulseAudio vulnerability [04:23]
1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-11931
Snap policy module for pulseaudio - only exists in Ubuntu - is designed
to allow snapd to mediate access to pulseaudio for snaps - so if plug
pulseaudio (or audio-playback / record) interface(s) can talk to
pulseaudio but then should only be able to do certain actions - however
the policy did not restrict unloading the policy module itself so any
snap with access could unload the policy and then have unrestricted
access to pulseaudio - so could say record audio when only audio-playback
interface was connected.
[USN-4357-1] IPRoute vulnerability [05:39]
1 CVEs addressed in Bionic (18.04 LTS)
CVE-2019-20795
UAF when listing network namespaces (ip netns list)
[USN-4356-1] Squid vulnerabilities [05:59]
4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
CVE-2020-11945
CVE-2019-18860
CVE-2019-12521
CVE-2019-12519
Possible cache poisoning, crash or RE from malicious remote servers via
Edge Side Includes
Failure to properly validate hostname in cachemanager for certain
browsers -> HTML injection
Nonce reply due to failure to properly validate Digest Authentication
nonce values
[USN-3911-2] file regression [06:40]
Affecting Xenial (16.04 LTS), Bionic (18.04 LTS)
Episode 25 - USN-3911-1 - update for file caused a regression where the
name of the interpreter parsed by file would be truncated and so the
output would be incorrect - used sizeof(var) - but var is a char * and so
sizeof() is size of a pointer - should instead be the length of the
string - updated to use strlen(var) +1
Goings on in Ubuntu Security Community
Alex talks Rust with Tim McNamara [08:14]
https://tim.mcnamara.nz/
https://www.manning.com/books/rust-in-action
Offer for listeners:
40% off all Manning Products in all forms using the code: podubuntu20
5 copies of Rust in Action e-book to giveaway
Send us your favourite security tools written in Rust or your thoughts
on Rust in Ubuntu to win a copy
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
ubuntu-hardened mailing list
Security section on discourse.ubuntu.com
@ubuntu_sec on twitter
...more
46min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.