Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

August 21, 2019Episode 43
Overview
This week we cover vulnerabilities in Ghostscript, the Linux kernel, nginx and more, and we follow up last weeks interview with another interview with Jamie Strandboge, this time talking about the history of the Ubuntu Security team.
This week in Ubuntu Security Updates
53 unique CVEs addressed
[USN-4091-1] poppler vulnerability
1 CVEs addressed in Bionic, Disco
CVE-2019-14494
Divide by zero when texture surface specified with 0 length or width -
found via fuzzing - handled by checking first for zero-length and
returning an error -> DoS
[USN-4092-1] Ghostscript vulnerability
1 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-10216
Yet another Ghostscript -dSAFER sandbox bypass - Episode 31, Episode 25,
Episode 18, Episode 14, Episode 10, Episode 7, Episode 5
Allows to escape the sandbox and use the various Ghostscript APIs for
arbitrary file access / modification etc.
Related: ImageMagick policy update Episode 38
[USN-4070-2, USN-4070-3] MariaDB vulnerabilities
4 CVEs addressed in Bionic and Disco
CVE-2019-2805
CVE-2019-2740
CVE-2019-2739
CVE-2019-2737
4 CVEs addressed in Disco only
CVE-2019-2614
CVE-2019-2627
CVE-2019-2628
CVE-2019-2758
Covered some for MySQL in Episode 41
[USN-4093-1] Linux kernel vulnerabilities
7 CVEs addressed in Bionic (HWE), Disco
CVE-2019-3846
CVE-2019-13272
CVE-2019-13233
CVE-2019-12984
CVE-2019-12614
CVE-2019-1125
CVE-2019-10126
Latest speculative execution side-channel attack - SWAPGS
https://www.bitdefender.com/business/swapgs-attack.html
Userspace can speculatively execute SWAPGS, allowing it to potentially
read kernel memory by speculatively swapping out userspace for kernel
memory - requires an appropriate gadget in the kernel
Linux not believed to be affected, since no appropriate gadget is
available, however we have proactively included the upstream fix which
is to add LFENCE calls around SWAPGS to ensure SWAPGS occurs before any
subsequent memory reads to / from userspace
2 different memory corruption issues in the Marvell Wifi driver -
wouldn’t do bounds checking on structures passed to it from user-space -
could allow DoS via crash or RCE
NULL ptr dereferences:
NFC subsystem, able to be triggered from userspace (using netlink)
PowerPC specific - could occur on memory allocation failures (failed to
check NULL return value)
2 by Jann Horn:
ptrace would record process credentials incorrectly, so that a local user
can escalate to root in scenarios where a parent process drops privileges
and then calls execve of an attacker controlled application
UAF in handling of local descriptor table entries
[USN-4094-1] Linux kernel vulnerabilities
32 CVEs addressed in Xenial (HWE), Bionic
CVE-2018-20511
CVE-2019-3846
CVE-2019-2101
CVE-2019-2024
CVE-2019-13272
CVE-2019-13233
CVE-2019-12984
CVE-2019-12819
CVE-2019-12818
CVE-2019-12614
CVE-2019-1125
CVE-2019-10126
CVE-2018-5383
CVE-2018-20856
CVE-2018-20169
CVE-2018-16862
CVE-2018-14617
CVE-2018-14609
CVE-2018-14613
CVE-2018-14612
CVE-2018-14611
CVE-2018-14610
CVE-2018-14615
CVE-2018-13098
CVE-2018-13096
CVE-2018-14616
CVE-2018-14614
CVE-2018-13100
CVE-2018-13099
CVE-2018-13097
CVE-2018-13093
CVE-2018-13053
Includes all from above, plus a heap of others - most interesting ones:
Heaps of DoS via NULL dereference / divide by zero / invalid read when dealing with
crafted file-system images (XFS, Ext4, F2FS, etc)
Bluetooth crypto may not validate ECC parameters, allowing an attacker
to force a weak key and snoop on communications as a result
[USN-4095-1] Linux kernel vulnerabilities
8 CVEs addressed in Xenial
CVE-2019-9503
CVE-2019-3846
CVE-2019-13272
CVE-2019-12614
CVE-2019-11599
CVE-2019-1125
CVE-2019-10126
CVE-2018-5383
Marvell Wifi, ptrace, PowerPC, SWAPGS and Bluetooth ECC parameter
validation mentioned above
Core dump race-condition (Episode 41)
[USN-4095-2] Linux kernel (Xenial HWE) vulnerabilities
7 CVEs addressed in Trusty ESM
CVE-2019-3846
CVE-2019-2054
CVE-2019-12614
CVE-2019-11833
CVE-2019-1125
CVE-2019-10126
CVE-2018-5383
Marvell, PowerPC, SWAPGS, Bluetooth
seccomp race, ext4 extents (Episode 41)
[USN-4096-1] Linux kernel (AWS) vulnerability
1 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-1125
SWAPGS
[USN-4097-1, USN-4097-2] PHP vulnerabilities
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
CVE-2019-11042
CVE-2019-11041
PHP EXIF parser would read past enf of supplied data - OOB read - crash -> DoS
[USN-4098-1] wpa_supplicant and hostapd vulnerability
1 CVEs addressed in Bionic, Disco
CVE-2019-13377
Side-channel attack when using brainpool curves for ECC in WPA3 - observe
timing differences between various operations over long enough time to
infer the resulting encryption key - hard to achieve same level of
side-channel robustness as other ECC groups - recommended to disable
Brainpool curves in the context of SAE and EAP-pwd -
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt
[USN-4099-1] nginx vulnerabilities
3 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-9516
CVE-2019-9513
CVE-2019-9511
HTTP/2 DoS attacks
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/http2
8 different vulnerabilities affecting a variety of HTTP/2
implementations - disovered mainly by Netflix:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
3 affect nginx
0 length header
resource loop
data dribble
[USN-4101-1] Firefox vulnerability
1 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-11733
Upstream 68.0.2 release
Able to copy passwords from the Saved Logins dialog without entering
Master Password - allows a local user with physical access to obtain
passwords etc
Goings on in Ubuntu Security Community
History of Ubuntu Security with Jamie Strandboge and Joe McManus
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
27min
August 14, 2019Episode 42
Overview
This week we have a special interview with Ubuntu Security Team member
Jamie Strandboge, talking about security aspects of the Snap packaging
system, as well as the usual roundup of security fixes from the past week.
This week in Ubuntu Security Updates
7 unique CVEs addressed
[USN-4058-2] Bash vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-9924
Episode 40 (rbash, BASH_CMDS)
[USN-4049-3, USN-4049-4] GLib regression
Affecting Precise ESM, Trusty ESM, Xenial
Episode 40 - previous update introduced a memory leak due to backport
using different API which didn’t just return a const string but allocated
it and returned it but was not freed
https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/1838890
[USN-4086-1] Mercurial vulnerability
1 CVEs addressed in Disco
CVE-2019-3902
Able to write to files outside of the repository by using a combination of symlinks and subrepositories
Can be mitigated either by disabling support for subrepositories in
your local configuration or by ensuring any cloned repos don’t contain
malicious symlinks …
[USN-4087-1] BWA vulnerability
1 CVEs addressed in Bionic, Disco
CVE-2019-10269
Genome sequencing - maps DNA sequences against large reference genome (aka human genome mapping)
Takes input from .alt file - contains a name for the DNS sequence - which
is read into a fixed sized buffer - stack buffer overflow if name too
long (code even had a note - FIXME segfault here)
[USN-4088-1] PHP vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-13224
Use-after-free in the embedded oniguruma regular expression library if
regular expression was multi-byte but input string was not (or
vice-versa) - fix to disallow processing if either is not the same as the
other
[USN-4089-1] Rack vulnerability
1 CVEs addressed in Xenial, Bionic
CVE-2018-16471
XSS in Ruby webserver interface (used as middleware for writing Ruby web
application)
[USN-4090-1] PostgreSQL vulnerabilities
2 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-10209
CVE-2019-10208
Disco only - if a database contained super-user defined hash-equality
operators, could allow attacker to read arbitrary server memory
If a function was declared as “SECURITY DEFINER” an attacker could
execute arbitrary SQL as the identity of the function owner - needs
EXECUTE permission on the function and then requires the function itself
to have inexact argument type matching otherwise will be disallowed.
Goings on in Ubuntu Security Community
Discussion with Joe McManus on Capital One breach and special guest Jamie Strandboge on snaps and security
https://www.zdnet.com/article/100-million-americans-and-6-million-canadians-caught-up-in-capital-one-breach/
https://snapcraft.io
https://forum.snapcraft.io/t/security-policy-and-sandboxing/554
https://assets.ubuntu.com/v1/66fcd858-ubuntu-core-security-whitepaper.pdf
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
22min
August 05, 2019Episode 41
Overview
With Alex and Joe having been away at a Canonical sprint last week, we look back at the past fortnight’s security updates including new Linux kernel releases, MySQL, VLC, Django and more plus we discuss a recent Citrix password spraying attack.
This week in Ubuntu Security Updates
90 unique CVEs addressed
[USN-4066-2] ClamAV vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-1010305
Episode 40 - libmspack buffer overflow - ClamAV contains own copy of
libmspack in older releases so is affected
[USN-4065-2] Squid vulnerabilities
2 CVEs addressed in Precise ESM
CVE-2019-12529
CVE-2019-12525
Episode 40 (memory corruption issues)
[USN-4067-1] Evince vulnerability
1 CVEs addressed in Xenial
CVE-2019-1010006
Integer overflow -> buffer overflow when handling embedded tiff content in PDF documents
DoS -> possible RCE
[USN-4068-1, USN-4068-2] Linux kernel vulnerabilities
4 CVEs addressed in Bionic and Xenial (HWE)
CVE-2019-11884
CVE-2019-11833
CVE-2019-11815
CVE-2019-11085
2 information disclosure vulnerabilities:
Exposes kernel memory to user-space which could expose sensitive
information (keys, pointers to help defeat ASLR etc)
Bluetooth Human Interface Device Protocol (HIDP) socket ioctl() failed
to NUL terminate the name field
Ext4 file-system did not zero out unused regions in extents tree blocks
which are returned to user-space
Use-after-free due to a race-condition in the reliable datagram socket
(RDS) protocol module -> crash / code exec
Blacklisted by default in Ubuntu and contrary to the original CVE
description, this is not likely to be remotely exploitable since the
use-after-free only occurs on namespace cleanup
Intel i915 graphics driver failed to validate ranges for mmap() in some places
Local attacker who already has access to the device could use this to
crash / code execution -> privilege escalation
[USN-4076-1] Linux kernel vulnerabilities
6 CVEs addressed in Xenial
CVE-2019-10142
CVE-2019-9503
CVE-2019-2054
CVE-2019-11884
CVE-2019-11833
CVE-2018-20836
Freescale Hypervisor Manager (HVM) for PowerPC - used invalid size
parameter from ioctl() for page size calculations - local attacker could
use this to cause various memory corruption issues possibly resulting in
privilege escalation or code execution (only enabled in Xenial 4.4
kernel)
Broadcom wifi driver would possibly pass through firmware events received
on-the-air to the local USB wifi device - allows a remote attacker to
send firmware events to the device having unspecified impact
Possible seccomp bypass for policies that use ptrace on ARM - a tracing
process could modify a syscall parameter after the seccomp decision for
that syscall had been made - so could violate the policy
Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
Race condition in Serial Attached SCSI (SAS) could possibly result in a
UAF -> crash, or code execution
[LSN-0053-1] Linux kernel vulnerability
5 CVEs addressed in Xenial, Bionic
CVE-2019-11884
CVE-2019-11833
CVE-2019-11815
CVE-2019-2054
CVE-2011-1079
RDS UAF, Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
Seccomp bypass on ARM
Separate bluetooth info disclosure via ioctl() for a similar non-NUL
terminated string
[USN-4069-1, USN-4069-2] Linux kernel vulnerabilities
4 CVEs addressed in Disco and Bionic (HWE)
CVE-2019-11884
CVE-2019-11833
CVE-2019-11599
CVE-2019-11487
2 information disclosure issues mentioned for the Bionic/Xenial HWE above
(4.15 kernel) - Bluetooth HIDP + Ext4 extents information disclosure
vulns covered earlier
Race condition in coredump generation - local user can trigger coredump
for a process which can race with other memory managment handling and so
could result in access to invalid memory regions - crash -> DoS or
information disclosure
Integer overflow for page reference counts -> UAF
Requires at least 140GB of RAM to be affected
[USN-4070-1] MySQL vulnerabilities
13 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-2819
CVE-2019-2805
CVE-2019-2797
CVE-2019-2791
CVE-2019-2778
CVE-2019-2774
CVE-2019-2758
CVE-2019-2757
CVE-2019-2741
CVE-2019-2740
CVE-2019-2739
CVE-2019-2738
CVE-2019-2737
Latest upstream version 5.7.27 - various vulnerabilities including:
Multiple variants of low privileged remote attacker could gain complete
access to all MySQL server data (modify / access etc)
Multiple versions of privileged AND unprivileged attacker could hang /
crash MySQL server
[USN-4071-1, USN-4071-2] Patch vulnerabilities
2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco
CVE-2019-13638
CVE-2019-13636
OS shell command injection via a crafted patch file - uses shell meta
characters to take control of patch
Mishandles symlinks which allows a crafted patch file to overwrite
arbitrary files
[USN-4072-1] Ansible vulnerabilities
8 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-3828
CVE-2018-10875
CVE-2018-10874
CVE-2019-10156
CVE-2018-16876
CVE-2018-16837
CVE-2018-10855
CVE-2017-7481
Path traversal vulnerability in fetch module - allows an attacker to
overwrite files outside of the specified destination
Configuration or inventory variables read from CWD - local attacker could
point to an arbitrary module / plugin under their control and so gain
code-execution as the ansible daemon
Various issues with variable substitution which could result in any
variable being substituted and thus an information disclosure
[USN-4073-1] libEBML vulnerability
1 CVEs addressed in Xenial, Bionic
CVE-2019-13615
VLC related issue - lots of media attention - “uninstall VLC now” etc - overblown
Heap-based buffer over-read in the Matroska decoder - crash -> DoS - not
code-execution
However, VLC itself had a number of outstanding vulnerabilities
[USN-4074-1] VLC vulnerabilities
4 CVEs addressed in Bionic, Disco
CVE-2019-5439
CVE-2019-13602
CVE-2019-12874
CVE-2018-19857
2 different heap-based buffer overflow - possible RCE but likely mitigated with ASLR (according to upstream)
Double free -> crash -> DoS (glibc heap-protector ensures can’t cause heap corruption -> abort)
Invalid pointer dereference (uninitialized) -> crash or infoleak
[USN-4075-1] Exim vulnerability
1 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-13917
Possible RCE as root if configuration used the ${sort } expansion on
items that can be controlled by an attacker - ie. $domain etc
[USN-4054-2] Firefox regressions
21 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-11730
CVE-2019-11729
CVE-2019-11728
CVE-2019-11727
CVE-2019-11725
CVE-2019-11724
CVE-2019-11723
CVE-2019-11721
CVE-2019-11720
CVE-2019-11719
CVE-2019-11718
CVE-2019-11717
CVE-2019-11716
CVE-2019-11715
CVE-2019-11714
CVE-2019-11713
CVE-2019-11712
CVE-2019-11711
CVE-2019-11710
CVE-2019-11709
CVE-2019-9811
Episode 40 - Firefox update for 68.0 contained some minor regressions
Upstream released 68.0.1 to fix these
[USN-3990-2] urllib3 vulnerability
1 CVEs addressed in Trusty ESM
CVE-2019-11236
Episode 33 covered for standard support releases
[USN-4077-1] tmpreaper vulnerability
1 CVEs addressed in Xenial, Bionic
CVE-2019-3461
Race condition when performing a bind-mount via rename() - local
privilege escalation since can result in a file being placed elsewhere on
the fs hierarchy - so could drop a file in etc/cron.d for example to
get root code execution
[USN-4078-1] OpenLDAP vulnerabilities
2 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-13565
CVE-2019-13057
Would confuse authorisation for one user with another - so other user
could then perform operations which they were not entitled to - in SASL
authentication code paths
[USN-4079-1, USN-4079-2] SoX vulnerabilities
4 CVEs addressed in Xenial, Bionic and Disco
CVE-2019-8357
CVE-2019-8356
CVE-2019-8355
CVE-2019-8354
CLI audio converter etc - usual sorts of issues for a C based application handling complex input file formats:
NULL ptr dereference
Stack-based buffer overflow
2 separate integer overflows -> heap overflow
[USN-4080-1] OpenJDK 8 vulnerabilities
7 CVEs addressed in Xenial
CVE-2019-7317
CVE-2019-2842
CVE-2019-2816
CVE-2019-2786
CVE-2019-2769
CVE-2019-2762
CVE-2019-2745
New upstream Java release 8u2222-b10
[USN-4083-1] OpenJDK 11 vulnerabilities
7 CVEs addressed in Bionic, Disco
CVE-2019-7317
CVE-2019-2821
CVE-2019-2818
CVE-2019-2816
CVE-2019-2786
CVE-2019-2769
CVE-2019-2762
New upstream Java release 11.0.4
[USN-4081-1] Pango vulnerability
1 CVEs addressed in Disco
CVE-2019-1010238
Heap-based buffer overflow -> code execution for applications which pass
invalid utf8 to Pango APIs like pango_itemize()
[USN-4082-1] Subversion vulnerabilities
2 CVEs addressed in Xenial
CVE-2019-0203
CVE-2018-11782
2 remote DoS issues against svnserve
[USN-4084-1] Django vulnerabilities
4 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-14235
CVE-2019-14234
CVE-2019-14233
CVE-2019-14232
DoS via memory exhaustion when encoding an attacker controlled URI
SQL injection in key and index lookups in JSON handling
2 different CPU based DoS - 1 in strip_tags() function if input contained
large sequence of nested, incomplete HTML entities, other in truncating
due to use of regex with backtracking
[USN-4085-1] Sigil vulnerability
1 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-14452
Zip slip vulnerability discovered by Mike Salvatore (Episode 40)
Goings on in Ubuntu Security Community
Alex and Joe discuss the recent Citrix password spraying attack
https://threatpost.com/citrix-confirms-password-spraying-heist/146641/
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
27min
July 23, 2019Episode 40
Overview
Big roundup of security updates from the past 2 weeks including Docker,
ZeroMQ, Squid, Redis and more, plus we talk with Joe McManus about some
recent big fines for companies breaching their GDPR responsibilities and
it’s EOL for Ubuntu 18.10 Cosmic Cuttlefish.
This week in Ubuntu Security Updates
62 unique CVEs addressed
[USN-4047-1] libvirt vulnerabilities
4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-10168
CVE-2019-10167
CVE-2019-10166
CVE-2019-10161
All related - in each case various libvirt APIs were accessible to users
with read-only permissions and allowed them to perform operations which
they should not have access to - in one case providing an ability to
escalate privileges to root on the host - since would allow to execute
arbitrary binaries with elevated permissions.
By default, libvirt is constrained by AppArmor in Ubuntu which provides
some isolation to help in these cases
[USN-4048-1] Docker vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-5736
CVE-2018-15664
Directory traversal via crafted symlink exchange (TOCTOU) via docker cp
command - docker cp can be used to copy files between host and
container - to do this safely, need to resolve paths as though were in
the container - so tries to check a path by resolving symlinks, and then
later use it if validates - but race exists where can then modify a
component in the path via symlink after the check but before the
copy, so can then overwrite arbitrary files on the host -> privilege
escalation
runc component in docker could allow a container to overwrite the runc
binary on the host -> privilege escalation (and container escape) to the
runc context on the host
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/runC
[USN-4049-1, USN-4049-2] GLib vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic
CVE-2019-13012
Similar to CVE-2019-12450 (Episode 36) - in this case, directories and
files would get created with default permisssions, not restrictive
permissions, when using the keyfile gsettings backend - could expose
settings or allow other users to modify settings etc.
[USN-4050-1] ZeroMQ vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-13132
Stack buffer overflow when using CURVE encryption/authentication -> RCE
[USN-4051-1, USN-4051-2] Apport vulnerability
1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-7307
Reported by Kevin Backhouse of Semmle Security Research Team
TOCTOU when processing a users own ignore configuration file
Apport runs as root, but would check permission to file via access()
system call - which uses the real processes’ UID / GID - so is safe as a
permission check - BUT would then go and open the file - so in the
meantime this could be replaced by a symlink to say a root owned file
which could then get included in the resulting crash report
Fix is to seteuid() as the desired user to set effective UID to then
actually open the file before restoring euid to root - so this does both
the equivalent of the access and open in 1 call avoiding to TOCTOU
[USN-4052-1] Whoopsie vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11476
Reported by Kevin Backhouse of Semmle Security Research Team
Integer overflow when processing crash dump - when parsing the crash
dump, if it contained an artificially large value in the dump file, would
overflow length calculation, then would result in a heap-buffer OOB write
-> crash, DoS OR code-execution as whoopsie process.
When coupled with previous Apport bug could allow an arbitrary user to
read any file on the system by first embedding it in a crash dump via
Apport and then triggering Whoopsie to process it and expose the via
arbitrary code execution
[USN-4053-1] GVfs vulnerabilities
4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-12795
CVE-2019-12449
CVE-2019-12448
CVE-2019-12447
gvfs private server socket did not configure any authorisation - so any
user could possible connect to it and issue API calls -> possible code
exection as another user
files created / moved by admin backend could end up with wrong file
ownership - admin backend allows to access root files as normal user (via
admin authorisation) - so can copy files as a user to root’s home which
then are still owned by the original user
[USN-4054-1] Firefox vulnerabilities
21 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11730
CVE-2019-11729
CVE-2019-11728
CVE-2019-11727
CVE-2019-11725
CVE-2019-11724
CVE-2019-11723
CVE-2019-11721
CVE-2019-11720
CVE-2019-11719
CVE-2019-11718
CVE-2019-11717
CVE-2019-11716
CVE-2019-11715
CVE-2019-11714
CVE-2019-11713
CVE-2019-11712
CVE-2019-11711
CVE-2019-11710
CVE-2019-11709
CVE-2019-9811
Upstream release 68.0
[USN-4064-1] Thunderbird vulnerabilities
10 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11730
CVE-2019-11729
CVE-2019-11719
CVE-2019-11717
CVE-2019-11715
CVE-2019-11713
CVE-2019-11712
CVE-2019-11711
CVE-2019-11709
CVE-2019-9811
Upstream release 60.8
[USN-4055-1] flightcrew vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-13453
CVE-2019-13241
CVE-2019-13032
Mike Salvatore discovered and coordinated with upstream on fixing these issues
Found 2 through fuzzing, 1 though code-analysis whilst analysing first two vulnerabilites
2 fuzzing bugs
1 NULL pointer dereference (crash, DoS)
1 infinite loop (CPU DoS)
1 zip slip - write files outside of working directory when handling zip files (EPUB is a ZIP file)
Great write-up on his blog:
https://salvatoresecurity.com/fun-with-fuzzers-or-how-i-discovered-three-vulnerabilities-part-1-of-3/
https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-2-of-3/
https://salvatoresecurity.com/fun-with-fuzzers-how-i-discovered-three-vulnerabilities-part-3-of-3/
[USN-4056-1] Exiv2 vulnerabilities
7 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-13114
CVE-2019-13113
CVE-2019-13110
CVE-2019-13112
CVE-2018-19535
CVE-2018-19108
CVE-2018-19107
Library and CLI toolks to manage image metadata
All DoS - assertion failure / NULL pointer dereference / OOB read /
uncontrolled memory allocation / infinite loop
[USN-4057-1] Zipios vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-13453
Same as the flightcrew infinite loop issue since flightcrew contains an
embedded copy of zipios
[USN-4058-1] Bash vulnerability
1 CVEs addressed in Xenial
CVE-2019-9924
rbash did not prevent modifying BASH_CMDS so user could execute any
commands as the shell, defeating the purpose of rbash
[USN-4059-1, USN-4059-2] Squid vulnerabilities
2 CVEs addressed in Precise ESM, Xenial, Bionic, Disco
CVE-2019-13345
CVE-2018-19132
XSS in cachemgr CGI web module, and memory leak in SNMP module
[USN-4060-1, USN-4060-2] NSS vulnerabilities
3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
CVE-2019-11729
CVE-2019-11727
CVE-2019-11719
3 of the CVEs from the Firefox update (since Firefox contains libnss)
Empty public keys could trigger a segfault
Possible to force to sign with wrong signature type with TLS 1.3
OOB read when importing a private key with leading NUL bytes -> info
disclosure / crash
[USN-4061-1] Redis vulnerabilities
2 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-10193
CVE-2019-10192
1 stack, and 1 heap based buffer overflows when handling purposely
corrupted hyperloglog data structure
[USN-4062-1] WavPack vulnerabilities
4 CVEs addressed in Bionic, Disco
CVE-2019-1010319
CVE-2019-1010318
CVE-2019-1010317
CVE-2019-1010315
3 different DoS issues (1 CVE was found to be the same as the other)
2 * use of uninitialised variable
Divide by zero
[USN-4063-1] LibreOffice vulnerabilities
2 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-9849
CVE-2019-9848
RCE via a malicious document - docs can contain python - and this can be
used with the built-in LibreLogo turtle graphics script to execute
bundled python code - so can get RCE via a mouse-over event using
LibreLogo and embedded python
Stealth mode - documents can only fetch resources from ’trusted'
locations
Allows to disable the normal remote resource handling in documents to
be a more private mode
BUT bullet graphics not included - so could specify a remote bullet
graphic from a non-trusted location and would still be fetched
[USN-4065-1] Squid vulnerabilities
3 CVEs addressed in Xenial, Bionic, Disco
CVE-2019-12529
CVE-2019-12527
CVE-2019-12525
3 different possible crash bugs via memory corruption -> DoS, but also
maybe RCE…
1 when using digest auth and 2 for basic auth
[USN-4066-1] libmspack vulnerability
1 CVEs addressed in Xenial, Bionic
CVE-2019-1010305
Buffer over-read with malicious chm file -> crash, DoS
Goings on in Ubuntu Security Community
Discussion with Joe McManus on recent large GDPR fines for Marriot and British Airways
https://thehackernews.com/2019/07/british-airways-breach-gdpr-fine.html
https://threatpost.com/marriott-123m-fine-data-breach/146320/
Ubuntu 18.10 (Cosmic Cuttlefish) End-of-Life
Ubuntu 18.10 Cosmic Cuttlefish EOL was on 18th July, 2019
https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/005021.html
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
28min
July 09, 2019Episode 39
Overview
A look at security updates for Django, Thunderbird, ZNC, Irssi and more,
plus news on the CanonicalLtd GitHub account credentials compromise, SKS
PGP keyservers under attack and Ubuntu 18.10 Cosmic Cuttlefish reaches EOL.
This week in Ubuntu Security Updates
7 unique CVEs addressed
[USN-4043-1] Django vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-12781
CVE-2019-12308
If using django via a reverse proxy, which itself would connect to django
over HTTPS, if accessing HTTP resources they would not be redirected to
HTTPS even if configured to do so on the django server.
XSS via the ‘Current URL’ link as this was not validated as a safe URL
before display - so possible to inject javascript etc via a URL query
payload parameter etc - such that when the user clicks the link it would
be executed (RCE bug with user interaction)
[USN-4045-1] Thunderbird vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11708
CVE-2019-11707
Latest upstream 60.7.2 release
Mentioned in the context of Firefox in Episode 37 and Episode 38 (sandbox
escape and RCE)
By default scripting is disabled in TB so not as high an impact
[USN-4044-1] ZNC vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-12816
ZNC provides support for plugin modules
These can be loaded by autenticated, non-admin users
i - The name of this is checked in various places to ensure control
characters and other means of code execution are blocked, but not on
all code-paths using modules
Would allow to execute code as the ZNC server via an authenticated user
Fixed to validate module name on all code paths which use it
[USN-4038-3, USN-4038-4] bzip2 regression
Affecting Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
Episode 38 mentioned bzip2 update - we also mentioned this breaks
decompression of some archives built by lbzip2 etc - this regression
fixes that by introducing a new patch proposed by upstream to accept as
many selectors as specified by to then discard them later
[USN-4046-1] Irssi vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-13045
CVE-2018-7054
2 different UAF’s due to mismanagement of data structures:
One on SASL code-paths - so only affected if using SASL
authentication - would reuse provided username and password
fields after they had been freed
Another in code to handle netsplits (used to handle when servers get
disconnected from the wider network)
This was due to an incomplete fix for previous CVE-2017-7191
Goings on in Ubuntu Security Community
Ubuntu 18.10 (Cosmic Cuttlefish) reaches End of Life on July 18 2019
Released October 18, 2018 - non-LTS so 9 months of support
Past 9 months - no new updates/ security fixes and hence no USNs
Upgrade to Disco (19.04)
https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-July/004996.html
CanonicalLtd GitHub organisation account compromise
A single account which was part of the CanonicalLtd GitHub organisation
was compromised 6th July
Used to create proof-of-concept repositories and issues to demonstrate
the hack was possible
Investigation is still on-going but at this stage it only appears to be
these actions, not malicious but attention seeking in nature
No code has been altered or PII accessed (nor is any PII stored there)
Account has been removed from the CanonicaLtd organisation, investigation
is still on-going, we will release more details as they become available
https://twitter.com/ubuntu_sec/status/1147675201632473088
SKS keyserver certificate spamming
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
WoT aspect of PGP allows users to sign one-anothers public keys
(certificates) and upload these signatures to the keyservers
SKS keyservers were designed to never delete anything and instead to append
So when downloading a key (certificate) you get it plus all the signatures
SKS supports up to 150k sigs - GnuPG is logarithmic in order of signatures
So can DoS local GnuPG once have downloaded someones key (cert)
Re Ubuntu:
We use GPG for signing the hashes of packages in the repo
This public key is distributed directly inside Ubuntu on install media
and in the archive and does not depend on the SKS keyserver network
Keys for PPAs are fetched from Launchpad, not SKS as well in general
So only exposure for Ubuntu users is if manually fetching keys from SKS
keyservers or if using Enigmail in ThunderBird or other software which
automatically fetches certs from SKS
Mitigation
if using Enigmail, disable auto-fetching / refreshing of public keys
if using GnuPG directly, don’t use SKS keyservers, instead use new
resistant keyserver
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
13min
July 02, 2019Episode 38
Overview
This week we look at the latest security updates for the Linux kernel, Firefox, ImageMagick, OpenStack and more, plus we have a special guest, the maintainer and lead developer of the AppArmor project, John Johansen, to talk about the project and some of the upcoming features.
This week in Ubuntu Security Updates
55 unique CVEs addressed
[USN-4031-1] Linux kernel vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-12817
64-bit PowerPC (ppc64el) memory management issue - introduced in the 4.17
kernel - so only affects Cosmic/Disco or Bionic when using the HWE kernel
Different processes might be able to read / write to each others virtual
memory
Requirements:
Must be using the hash page table MMU - eg. PowerPC 970 (G5), PA6T,
Power5/6/7/8/9
By default Power9 bare-metal use the Radix MMU so are not affected
unless have explicitly disabled this via the kernel command-line
KVM guests would also be affected in this case or if also
explicitly configured to use the HPT MMU
Logical partitions (LPARs) under PowerVM on Power9 would be
affected as they always use HPT MMU
Need to allocate memory above 512TB - only possible via mmap()
Any child process (fork()) receives same context-id for the memory
mapping so can just read/write to the mappings above 512TB
If child exits, a 3rd process could be reallocated the same
context-id and so could then read/write also
Only a subset of PowerPC systems will be affected by this and would need
to be running applications which allocate above 512TB so whilst is high
impact, low probability of being at risk
[USN-4032-1] Firefox vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11708
Firefox 67.0.4 - latest upstream release
Possible for a sandboxed child process to escape the sandbox by using IPC
to send a Prompt:Open message to the parent which would then process
web-content on behalf of the child
Since parent is not sandboxed, it could be then exploited (say by
leveraging another vulnerability such as the one discussed last week for
Firefox) for arbitrary code execution
[USN-4033-1] libmysofa vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-10672
C library to read SOFA (Spatially Oriented Format for Acoustics) files
Used by lots of different applications that handle audio, like
gstreamer, ffmpeg, smplayer, blender etc
Integer overflow leading to buffer overflow - crash -> DoS or possible
code-execution
[USN-4034-1] ImageMagick vulnerabilities
30 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-9956
CVE-2019-7398
CVE-2019-7397
CVE-2019-7396
CVE-2019-7395
CVE-2019-7175
CVE-2019-11598
CVE-2019-11597
CVE-2019-11472
CVE-2019-11470
CVE-2019-10650
CVE-2019-10649
CVE-2019-10131
CVE-2018-20467
CVE-2018-18544
CVE-2018-18025
CVE-2018-18024
CVE-2018-18023
CVE-2018-18016
CVE-2018-17966
CVE-2018-17965
CVE-2018-16645
CVE-2018-16644
CVE-2018-16413
CVE-2018-16412
CVE-2018-16323
CVE-2018-15607
CVE-2018-14434
CVE-2017-12806
CVE-2017-12805
Used by many automated systems for image processing etc
Many memory corruption issues fixed - most able to cause at least a crash
(DoS) but might be possible to also get RCE
Also updated the default policy to disable support for PostScript and PDF
formats (since these are handle by GhostScript which has a long history
of security issues itself) - Cosmic + Disco
This is already the case on Bionic (USN-3785-1 - Episode 7)
[USN-4035-1] Ceph vulnerabilities
4 CVEs addressed in Xenial, Cosmic, Disco
CVE-2019-3821
CVE-2018-16889
CVE-2018-16846
CVE-2018-14662
2 CVEs affect ceph in Xenial
dm-crypt disk encryption keys were able to be read by users with
read-only permissions - fixed to ensure need an explicit permission to
read keys
DoS from authenticated RGW users
2 Cosmic+Disco
Does not properly sanitize encryption keys when outputting debug log
information for v4 auth -so encryption keys would be output in
plaintext to debug logs
fixed to sanitize before output
won’t be fixed for Xenial since upstream hasn’t backported this and
there are many instances of other sensitive info being logged there
as well
DoS by unauthenticated remote users via the civetweb frontend - as they
could create connections to a RADOS gateway to exhaust file descriptors
for the gateway service causing it to run out and fail to create new
connections
Close fd on error path
[USN-4036-1] OpenStack Neutron vulnerability
1 CVEs addressed in Xenial, Cosmic
CVE-2019-9735
Networking abstraction layer of OpenStack
Allows to define security groups with rules which then get executed by a
driver using a particular underlying technology
Rules can specify protocols and source / destination ports
iptables driver would execute rules but if encountered an error (such as
a protocol was specified along with a port but the protocol doesn’t
support ports - like VRRP) then it would error out and not apply further
rules from the security group
So could block other rules from being applied
Fixed to ensure port arguments are only applied to protocols which
support them
[USN-4037-1] policykit-desktop-privileges update
Affecting Xenial, Bionic, Cosmic, Disco
PolicyKit policy update for USB Creator
Previously would allow a user with admin privileges (ie. in the
admin/sudo group) to overwrite disks (ie create bootable USB images)
without prompting for authentication
Now updated to require the user to also authenticate as well
[USN-4038-1, USN-4038-2] bzip2 vulnerabilities
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-12900
CVE-2016-3189
UAF via crafted bzip2 file - crash, DoS
OOB write from crafted bzip2 which contains too many selectors - possible
RCE
Turns out this breaks decompression of some bzip2 files created by the
lbzip2 utility since it would use an invalid number of selectors -
upstream still pondering how to fix this
[USN-4040-1, USN-4040-2] Expat vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2018-20843
CPU DoS if XML names contained large number of colons (used to specify
namespace prefix)
[USN-4042-1] poppler vulnerabilities
13 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-9903
CVE-2019-9631
CVE-2019-9200
CVE-2019-12293
CVE-2019-10873
CVE-2019-10872
CVE-2019-10023
CVE-2019-10021
CVE-2019-10019
CVE-2019-10018
CVE-2018-20662
CVE-2018-18897
CVE-2017-9865
Usual mix of issues
Memory leak
Stack exhaustion -> crash, DoS
3*Heap-based buffer over-reads
NULL pointer dereference
Various floating point exception issues
Assertion failure
Heap-based buffer under-write - so write at a negative index of a heap
allocated buffer - crash, DoS or possible RCE via heap metadata or
object corruption
[USN-4041-1, USN-4041-2] Linux kernel update
1 CVEs addressed in Trusty ESM (HWE), Xenial, Bionic, Cosmic, Disco
CVE-2019-11479
Final SACK Panic issue (Episode 37) - added sysctl to easily set MSS (is
usually hard-coded to 48) - so can be increased to avoid this DoS issue
Goings on in Ubuntu Security Community
AppArmor interview with John Johansen
https://gitlab.com/apparmor/apparmor
https://wiki.ubuntu.com/AppArmor
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Ubuntu Security Engineer
https://boards.greenhouse.io/canonical/jobs/1723997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
28min
June 28, 2019Episode 37
Overview
The big new this week is SackPANIC! updates for the Linux kernel, plus we look at vulnerabilities in, and updates for, Samba, SQLite, Bind, Thunderbird and more, and we are hiring!
This week in Ubuntu Security Updates
36 unique CVEs addressed
[USN-4017-1, USN-4017-2] Linux kernel vulnerabilities
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-11477
CVE-2019-11478
SACK Panic - will be discussed in more detail with Joe later in the show
Livepatch (LSN-0052-1) also available for Xenial and Bionic
[USN-4018-1] Samba vulnerabilities
2 CVEs addressed in Disco
CVE-2019-12436
CVE-2019-12435
Two DoS issues (both NULL ptr dereferences) only affecting most recent Samba versions
One in AD DC DNS mgmt server RPC process
Only an authenticated user could trigger this
Other in LDAP server - user with read access to the directory could
trigger NULL ptr dereference via the paged search control
[USN-4019-1, USN-4019-2] SQLite vulnerabilities
12 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2017-2519
CVE-2017-13685
CVE-2017-10989
CVE-2016-6153
CVE-2019-9937
CVE-2019-9936
CVE-2019-8457
CVE-2018-20506
CVE-2018-20346
CVE-2018-20505
CVE-2017-2520
CVE-2017-2518
7 CVEs addressed in Precise ESM, Trusty ESM
CVE-2017-13685
CVE-2017-10989
CVE-2016-6153
CVE-2019-8457
CVE-2018-20506
CVE-2018-20346
CVE-2017-2518
Mix of various issues, most involving various memory corruption problems
UAFs, DoS (crash), heap-based buffer over-reads (crash -> DoS or
possible information disclosure), incorrect use of temporary
directories, race-condition leading to NULL pointer dereference,
integer overflow -> buffer overflow -> crash / code execution
[USN-4021-1] libvirt vulnerabilities
2 CVEs addressed in Cosmic, Disco
CVE-2019-3886
CVE-2019-10132
DoS where some APIs in the guest agents could be accessed by read-only
users - this would cause libvirt to block and cause a DoS
Privilege escalation due to insecure permissions on the virt-lockd and
virt-logd UNIX domain sockets - these are created by systemd unit files
but were created as world writable - and the daemons don’t try and
authenticate the user - so anyone could use these sockets to potentially
elevate privileges - so fixed by ensuring the systemd socket definitions
specify the right mode.
[USN-4020-1] Firefox vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11707
Firefox 67.0.3 which fixes a remotely exploitable crash or possible code
execution problem due to type confusion in the Javascript engine -
reports this was used to target various cryptocurrency exchanges by
delivering Windows and Mac malware to them
[USN-4024-1] Evince update
Affecting Xenial, Bionic
Updated the AppArmor profile for evince to ensure it restricts access to
various private file directories, and to address various issues raised by
Jann Horn of GPZ - in particular limiting access to various DBus services
[USN-4026-1] Bind vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-6471
DoS (crash due to assertion failure) caused by a race condition when
handling malformed packets
[USN-4028-1] Thunderbird vulnerabilities
4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11706
CVE-2019-11705
CVE-2019-11704
CVE-2019-11703
Various issues in handling of iCal data - all remotely triggerable by crafted emails:
Crash due to type-confusion
Both a stack and 2 separate heap buffer overflows - either could
potentially be exploitable to execute arbitrary code
[USN-4027-1] PostgreSQL vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-10164
“Stack buffer overflow by setting a password” - authenticated user could
set their password to a specially constructed value which when processed
by PostgreSQL would cause it to crash, or possible execute arbitrary code
in the context of the PostgreSQL server
[USN-4023-1] Mosquitto vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2017-7654
CVE-2017-7653
Remotely triggerable memory leak (by unauthenticated users) could be used
to crash the Mosquitto Broker -> DoS
Different DoS where one client could cause others to be disconnected by
sending invalid an UTF-8 topic string - which would cause other clients
which do reject invalid UTF-8 to disconnect themselves
[USN-3977-3] Intel Microcode update
4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
Episode 32 covered most recent Intel CPU vulnerabilities (MDS) -
mitigated by a combination of microcode and kernel updates - this
provides microcode updates for the Sandy Bridge family of Intel
processors
[USN-4030-1] web2py vulnerabilities
5 CVEs addressed in Xenial
CVE-2016-3957
CVE-2016-3954
CVE-2016-3953
CVE-2016-3952
CVE-2016-10321
Various issues including:
Possible RCE (was serializing encryption key info into a session
cookie) which could then be read by an attacker since it also made
session cookie accessible via an API endpoint
Sample web application used a hard-coded encryption key which could
also allow attackers to do RCE as they could easily interpose on the
session
Environment variables were exposed by an example API endpoint which
exposed host info and so remote attackers could then possibly gain
admin access
Lacked brute-force password protection as wouldn’t reject already
denied hosts from repeatedly trying
Goings on in Ubuntu Security Community
Alex and Joe talk about the SACK Panic issues discovered by Netflix
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Ubuntu Security Engineer
https://boards.greenhouse.io/canonical/jobs/1723997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
20min
June 17, 2019Episode 36
Overview
Security updates for DBus, vim, elfutils, GLib and more, plus Joe and Alex look at another npm package hijack as well as some wider discussions around the big vim RCE of this week.
This week in Ubuntu Security Updates
43 unique CVEs addressed
[USN-4012-1] elfutils vulnerabilities
9 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-7665
CVE-2019-7150
CVE-2019-7149
CVE-2018-18521
CVE-2018-18520
CVE-2018-18310
CVE-2018-16403
CVE-2018-16402
CVE-2018-16062
Mix of issues found via fuzzing with ASAN - all resulting in crash -> DoS
from crafted input files
multiple heap-based buffer over-reads in various libraries (libelf,
libdw) on crafted ELF input
divide-by-zero on crafted ELF input in arlib (used by ar, ranlib and
other tools to process .a archive files)
multiple invalid pointer dereferences
double-free in libelf on crafted ELF input
[USN-4013-1] libsndfile vulnerabilities
13 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-3832
CVE-2018-19758
CVE-2018-19662
CVE-2018-19661
CVE-2018-19432
CVE-2018-13139
CVE-2017-6892
CVE-2017-17457
CVE-2017-17456
CVE-2017-16942
CVE-2017-14634
CVE-2017-14246
CVE-2017-14245
Range of issues from crashes (DoS) to possible RCE again found via fuzzing with ASAN
Multiple heap-based buffer over-reads on crafted audio files (WAV, ALAW, AIFF) files
NULL pointer dereference
Stack-based buffer overflow - crash -> DoS or possible RCE on crafted
Divide by zeros
[USN-4014-1, USN-4014-2] GLib vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-12450
GLib contains GIO which is library to abstract file-IO operations
During file copying, would create the new file with default permissions
and then once copy was done would then set the correct permissions (based
on the original files permissions)
Could allow other users to read the file during the copy process
Instead fix to create new file with restrictive permissions (only
accessible by the current user) to avoid this
[USN-4015-1, USN-4015-2] DBus vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-12749
DBus includes multiple authentication mechanisms - usually would just use
credentials passed via UNIX sockets (is secure as is enforced by the
kernel), but this is not supported on all platforms (Windows etc)
So includes another authentication mechanism - DBUS_COOKIE_SHA1
In this case, the authenticating user has to prove they are who they
say by being able to read and provide a magic value from a keyring file
which dbus drops in the user’s home directory
By abusing symlinks, it would be possible to point the local users
keyring at some other file and cause DBus to read / write to some other
file which was not intended
This could further be abused to point your local dbus keyring to root’s
and cause DBus to eventually confuse the local user’s authentication to
the bus as that of the root user and so allow an unprivileged user to
authenticate as root and so then perform operations as root via DBus
Fixed by simply only allowing DBUS_COOKIE_SHA1 to authenticate as the
same user as the DBus server owner - ie. if running DBus as root you can
only authenticate as root, not as your local user (since this use-case is
not actually used in practice)
[USN-4016-1] Vim vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-12735
CVE-2017-5953
Most over-hyped bug of the week
https://threatpost.com/linux-command-line-editors-high-severity-bug/145569/
https://www.reddit.com/r/netsec/comments/bwrjrx/vimneovim_arbitrary_code_execution_via_modelines/
Will discuss with Joe later in the episode, but briefly:
Vim includes support for ‘modelines’
This allows files to include custom settings such as indentation, file
type etc so that editing is consistent
Only a subset of vim commands can be permitted - ie. set - and then not
everything can be set by modelines - and is meant to be side-effect
free
However, the source! command is still allowed - this reads extra
commands from a file as though typed by the user and is done so outside
the sandbox
So is possible to bypass the sandbox and execute arbitrary commands via
the modeline (since vim supports running external commands from the
editor itself)
PoC included running a reverse shell by just opening a crafted file
However, modelines are disabled by default in Debian (and hence Ubuntu)
so unless a user had specifically enabled it in their own vimrc they are
safe
Patched to disable sourcing a file from the modeline or from within the
sandbox at all
One extra low priority issue when vim could be made to crash via a
crafted spell file (this is used to store locally spelling additions etc)
[USN-4016-2] Neovim vulnerability
1 CVEs addressed in Cosmic, Disco
CVE-2019-12735
See above from vim :)
[USN-3991-3] Firefox regression
17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-9816
CVE-2019-11698
CVE-2019-11697
CVE-2019-9821
CVE-2019-9820
CVE-2019-9819
CVE-2019-9817
CVE-2019-9814
CVE-2019-9800
CVE-2019-7317
CVE-2019-11701
CVE-2019-11699
CVE-2019-11696
CVE-2019-11695
CVE-2019-11693
CVE-2019-11692
CVE-2019-11691
Episode 33 - Firefox update to version 67.0 - contained a regression so
updated to 67.0.1 (Episode 35) - this also contained another regression
where Firefox would fail to load correctly if run in safe-mode. So
upstream released 67.0.2 which is this new update.
Goings on in Ubuntu Security Community
Alex and Joe talk about another npm package hijack attack and the vim issue
https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
23min
June 11, 2019Episode 35
Overview
We look at vulnerabilities and updates for Exim, the Linux kernel, Berkeley DB, Qt and more, plus Joe and Alex discuss some recent malware campaigns including Hiddenwasp, and we cover some open positions too.
This week in Ubuntu Security Updates
34 unique CVEs addressed
[USN-4002-1] Doxygen vulnerability
1 CVEs addressed in Xenial
CVE-2016-10245
Generates HTML code documentation from code comments
Includes a field to search across the documentation
Doesn’t treat this as untrusted input and blindly displays the input in resulting pages
Allows possible XSS or iframe injection
Fix is simple - whitelist allowed characters to avoid injection etc
[USN-4003-1] Qt vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2018-19873
CVE-2018-19870
CVE-2018-15518
3 likely DoS issues:
Buffer overflow when handling invalid BMP images - didn’t check for valid
/ sensible width or height parameters
NULL pointer dereference on malformed GIF images
Double free when parsing a specially crafted (illegal format) XML
document
[USN-4004-1, USN-4004-2] Berkeley DB vulnerability
1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-8457
Contains an embedded copy of sqlite which was vulnerable to a heap-based
out-of-bounds read when handling invalid rtree tables
[USN-4005-1] Linux kernel vulnerabilities
2 CVEs addressed in Disco
CVE-2019-11815
CVE-2019-11810
Reliable Datagram Sockets (RDS) module was vulnerable to a race-condition
during network namespace cleanup that could lead to a UAF.
RDS is blacklisted by default in Ubuntu AND this is only able to be
exploited by a local attacker
NULL pointer dereference in LSI Logic MegaRAID driver
[USN-4006-1, USN-4006-2] Linux kernel vulnerability
1 CVEs addressed in Cosmic & Bionic HWE
CVE-2019-11191
Old a.out binary format for 32-bit platforms - so only affects i386
kernel users, and only affects setuid a.out binaries (none in archive)
Kernel would not setup permissions early enough and so could allow ASLR
to be bypassed, weakening system protections to then more easily exploit
some other existing vulnerablity in the given setuid a.out binary
Have also disabled a.out support in general going forward as this is a
relic of the past
[USN-4007-1, USN-4007-2] Linux kernel vulnerability
1 CVEs addressed in Bionic & Xenial HWE
CVE-2019-11191
Same a.out issue
[USN-4008-1, USN-4008-3] Linux kernel vulnerabilities
4 CVEs addressed in Xenial, Trusty ESM (HWE)
CVE-2019-11191
CVE-2019-11815
CVE-2019-11810
CVE-2019-11190
a.out issue, plus RDS and MegaRAID NULL ptr dereference
Similar to a.out issue, in general ASLR could be bypassed on setuid
binaries due to a similar race-condition
This fix also requires some AppArmor profile changes
[USN-4008-2] AppArmor update
4 CVEs addressed in Xenial
CVE-2019-11191
CVE-2019-11815
CVE-2019-11810
CVE-2019-11190
Updated AppArmor profiles to handle new kernel behavoiur as a result of
the fix for CVE-2019-11190 (ASLR bypass on setuid executables).
When executing a binary, will then appear to require mmap privileges of
the resulting binary, so ensure all current profiles are updated to add
this permission on the appropriate rules
[USN-4009-1, USN-4009-2] PHP vulnerabilities
2 CVEs addressed in Precise ESM, Trusty ESM
3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11040
CVE-2019-11039
CVE-2019-11036
Heap buffer overflow in handling crafted JPEG files
Integer overflow, leading to possible OOB read when handling crafted mime
encoded data
(Xenial, Bionic, Cosmic and Disco only) - OOB read when handling crafted
EXIF data -> crash, DoS or possible information disclosure form other
memory
[USN-4010-1] Exim vulnerability
1 CVEs addressed in Bionic, Cosmic
CVE-2019-10149
Possible remote exploit of popular MTA
Embargo broke early - was expected to be public 11th June - as a
consequence, we released our update once the details were publicly known
It was possible to include shell directives in the recipients email
address which would be evaluated by the exim process (and hence as
root) - but would require the attacker to keep a connection open to the
server for 7 days by transmitting 1 byte every few minutes.
[USN-3957-3] MariaDB vulnerabilities
2 CVEs addressed in Bionic
CVE-2019-2627
CVE-2019-2614
Corresponding fixes for flaws originally reported in MySQL - fixed in
MariaDB (community maintained fork of MySQL) - Episode 30
[USN-4011-1, USN-4011-2] Jinja2 vulnerabilities
2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-10906
CVE-2016-10745
Sandbox is used when rendering user-provided templates (ie untrusted)
Possible to escape the sandbox by reading arbitrary python objects via
Python’s internal string format method (by referencing the globals
array)
Was originally fixed in 2016 for the str.format method - but at the time
missed the similar str.format_map method - so both fixed in this update
[USN-3991-2] Firefox regression
17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-9816
CVE-2019-11698
CVE-2019-11697
CVE-2019-9821
CVE-2019-9820
CVE-2019-9819
CVE-2019-9817
CVE-2019-9814
CVE-2019-9800
CVE-2019-7317
CVE-2019-11701
CVE-2019-11699
CVE-2019-11696
CVE-2019-11695
CVE-2019-11693
CVE-2019-11692
CVE-2019-11691
Previous FF 67.0 had broken code for checking versions on upgrades, and
could potentially think you had downgraded the browser when it was in
fact upgraded and therefore think the old profile data was invalid
Goings on in Ubuntu Security Community
Alex and Joe talk about recent malware campaigns
https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
https://thehackernews.com/2019/05/hacking-mysql-phpmyadmin.html
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Security Certifications Engineer
https://boards.greenhouse.io/canonical/jobs/1660658
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
0min
June 03, 2019Episode 34
Overview
This week we look at security updates for Keepalived, Corosync, GnuTLS, libseccomp and more, plus we talk insider threats with Joe McManus.
This week in Ubuntu Security Updates
32 unique CVEs addressed
[USN-3976-3, USN-3976-4] Samba regression
Affecting Trusty ESM, Xenial, Bionic
Episode 32 - discussed privilege escalation vuln and fix for Samba
Original update caused a regression where Samba might crash - fixed
[USN-3994-1] gnome-desktop vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-11460
Thumbnailers could possibly escape bubblewrap sandbox by using TIOCSTI
ioctl to send characters to the controlling terminals input buffer and
hence escape the sandbox
Requires to compromise a thumbnailer in the first place so less impact
Similar to CVE-2019-10063 for flatpak and CVE-2019-7303 for snapd
[USN-3995-1, USN-3995-2] Keepalived vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic
CVE-2018-19115
Heap based buffer overflow when parsing HTTP response code - would
potentially write an unlimited amount of attacker controlled data to the
heap for a 10-byte long buffer
Crash -> DoS, RCE
Fixed to properly parse and expect at most a 3 digit long response code
[USN-3845-2] FreeRDP vulnerabilities
6 CVEs addressed in Bionic, Cosmic
CVE-2018-8789
CVE-2018-8788
CVE-2018-8787
CVE-2018-8786
CVE-2018-8785
CVE-2018-8784
Back in December published update for FreeRDP (USN-3845-1 - Episode 16)
In Bionic and Cosmic freerdp2 is in main, so that update was for freerdp2
This update is for freerdp (v1), which is in universe in bionic + cosmic
Corresponding update
[USN-3997-1] Thunderbird vulnerabilities
14 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2018-18511
CVE-2019-11698
CVE-2019-9816
CVE-2019-7317
CVE-2019-5798
CVE-2019-9820
CVE-2019-9819
CVE-2019-9817
CVE-2019-9800
CVE-2019-9797
CVE-2019-11693
CVE-2019-11692
CVE-2019-11691
CVE-2019-18511
Thunderbird 60.7.0 - latest upstream release includes a heap of security fixes
Most all come from Firefox (DoS, bypass same-origin restrictions or RCE)
[USN-3996-1] GNU Screen vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2015-6806
Old low priority issue fixed for ESM releases (fixed back in 2015
upstream so screen in Xenial, Bionic etc not affected)
Attacker could cause a crash due to stack overrun via recursion due to
large number of repeated ANSI escape sequences in output
[USN-3968-2] Sudo vulnerability
1 CVEs addressed in Trusty ESM
CVE-2017-1000368
Episode 31 - updated sudo in xenial - corresponding update for Trusty ESM
[USN-3998-1] Evolution Data Server vulnerability
1 CVEs addressed in Xenial, Bionic
CVE-2018-15587
Research from Marcus Brinkmann showed it was possible to create an
encrypted email with a zero-length encrypted section along with
unencrypted contents which Evolution (and other email clients) would show
as being encrypted.
Mail clients call out to gpg (gnupg) to decrypt the email but are lax in
parsing GPGs output and so confuse the whole email as being encrypted
Due to SW arch of evolution, part of this fix is done in Evolution itself
(to better highlight to the user that the email contains unencrypted
portions) and part is done in the backend (Evolution Data Server) to
properly parse output of gnupg
[USN-3999-1] GnuTLS vulnerabilities
5 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-3836
CVE-2019-3829
CVE-2018-10846
CVE-2018-10845
CVE-2018-10844
3 CVEs related to “Lucky Thirteen” attack (originally published in 2013)
Timing attack against TLS implementations that use CBC
One countermeasure was to use “psuedo constant time”
New research showed this is not sufficient (incidentally one of the
researchers was Adi Shamir, co-inventor of the RSA algorithm - the “S”
in RSA)
1 CVE from Tavis Ormandy (double-free when handling X.509 certificates) -
crash -> DoS, code execution
Last CVE - uninitialized pointer could be dereferenced when handling
certain post-handshake messages - likely crash -> DoS
[USN-4000-1] Corosync vulnerability
1 CVEs addressed in Xenial, Bionic
CVE-2018-1084
Integer overflow leading to a buffer overflow (read), able to be
triggered by an unauthenticated user - crash -> DoS
[USN-4001-1, USN-4001-2] libseccomp vulnerability
1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-9893
Seccomp allows to write policies to act on system calls arguments via
BPF - includes comparison operators like less than (LT) etc - Jann Horn
discovered that on 64-bit platforms it did not generate correct BPF to
perform comparisons correctly
In this case, the updates from upstream relied on other upstream changes
so we chose to upgrade seccomp entirely rather than try and backport the
fixes as they were too involved and so less risk overall in upgrading the
version than in backporting
Goings on in Ubuntu Security Community
Alex and Joe talk about insider threats
https://threatpost.com/snapchat-privacy-blunder-piques-concerns-about-insider-threats/145074/
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=484738
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Security Certifications Engineer
https://boards.greenhouse.io/canonical/jobs/1660658
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
24min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.