Ubuntu Security Podcast

By Ubuntu Security Team

A fortnightly podcast talking about the latest developments and updates from the Ubuntu Security team, including a summary of recent security vulnerabilities and fixes as well as a discussion on some ... more

· Technology

4.8

1010 ratings

Download on the App Store

Download on the App Store

Get it on Google Play

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.

Ubuntu Security Podcast episodes:

May 27, 2019Episode 33
Overview
Updated Intel microcode for Cherry + Bay Trial CPUs, fixes for
vulnerabilities in curl, Firefox, PHP and MariaDB, plus we talk
configuration of virtualised guests to mitigate speculative execution
vulnerabilities as well as plans for the Ubuntu 19.10 development cycle.
This week in Ubuntu Security Updates
43 unique CVEs addressed
[USN-3977-2] Intel Microcode update
4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
Corresponding Intel microcode updates for Cherry Trail and Bay Trail CPU families
[USN-3989-1] LibRaw vulnerabilities
7 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2018-5819
CVE-2018-5818
CVE-2018-5817
CVE-2018-20365
CVE-2018-20364
CVE-2018-20363
CVE-2018-20337
Multiple issues fixed:
2*NULL pointer dereference
Heap-based buffer overflow
Stack-based buffer overflow
3 different cases of possible infinite loop - CPU DoS
[USN-3990-1] urllib3 vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11324
CVE-2019-11236
CVE-2018-20060
When validating certs for HTTPS, could specify a set of certs to validate
against - however it would always include the system CA certs as well -
so could validate successfully even if cert is not in chain of explicitly
desired set - fixed to NOT include system certs in this case
Possible CRLF injection
Would possibly expose HTTP authorization credentials across different
origin hosts as after authenticating, if being redirected to a different
origin host, would still include the Authorization header from the old
host to the new host - fixed by ensuring this defaults to being off
[USN-3991-1] Firefox vulnerabilities
17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-9816
CVE-2019-11698
CVE-2019-11697
CVE-2019-9821
CVE-2019-9820
CVE-2019-9819
CVE-2019-9817
CVE-2019-9814
CVE-2019-9800
CVE-2019-7317
CVE-2019-11701
CVE-2019-11699
CVE-2019-11696
CVE-2019-11695
CVE-2019-11693
CVE-2019-11692
CVE-2019-11691
Latest upstream Firefox release (67.0)
Includes fixes for various issues including:
DoS, spoofing of browser UI, tricking users into launching local
executables, XSS and RCE
Tricking users into installing a malicious add-on by disabling the UI prompt
History exposure via bookmark handling
[USN-3566-2] PHP vulnerabilities
5 CVEs addressed in Precise ESM, Trusty ESM
CVE-2016-10712
CVE-2017-11362
CVE-2017-12933
CVE-2019-11036
CVE-2018-20783
In February 2018, and March 2018, released updates for PHP5 in Trusty
fixing multiple CVEs - this update is a corresponding update which fixes
some new CVEs in both Precise ESM and Trusty ESM and some of the same
older CVEs in Precise ESM.
[USN-3992-1] WebKitGTK+ vulnerabilities
3 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-8615
CVE-2019-8607
CVE-2019-8595
New upstream release (2.24.2) - like most WebKitGTK+ updates, contains
little information on the new vulnerabilities - so assume the worst -
DoS, XSS, RCE
Used by GNOME Shell for captive portal handling etc
[USN-3993-1, USN-3993-2] curl vulnerabilities
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic and Disco
CVE-2019-5436
TFTP receive heap-based buffer overflow
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-5435
Integer overflow for 32-bit arches when handling a very large URL (>2GB)
via the libcurl API (curl_url_set())
[USN-3957-2] MariaDB vulnerabilities
2 CVEs addressed in Trusty ESM
CVE-2019-2627
CVE-2019-2614
Episode 30 mentioned an update for MariaDB for the standard support
releases fixing 8 CVEs - 2 of those applied to MariaDB in Trusty ESM -
both where a privileged attacker can crash server
Goings on in Ubuntu Security Community
Clarifications to documentation regarding latest Intel MDS vulnerabilities
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ
Updated to describe situation when doing virtualisation:
To enable guest to mitigate various speculative execution
vulnerabilities, need to ensure the guest CPU emulates the various CPU
features (such as pcid, ssbd etc).
Depends on workloads - if running untrusted code in guests or not etc.
Previously QEMU would define various CPU models such as Broadwell-IBRS
which would include support for this emulation. However, most of the
newer features ssbd, md_clear etc are not included in these CPU models.
So instead need to explicitly enable them - this can be done in a few ways:
Can just passthrough host CPU features directly - recommended
approach if NOT going to migrating guests across hosts (since if has
different features will cease to work)
Otherwise manually enable features directly as a subset of the
supported features from all the various hosts in your datacenter -
depending on whether using QEMU on the command-line or libvirt to
configure has different ways to specify this but same idea for both
Security Team plans for 19.10 development cycle
19.10 cycle roadmap meeting was held in Lyon a 2 weeks ago - each Ubuntu
team presented on the progress etc from the 19.04 cycle as well as their
plans for the 19.10 cycle
Security team highlights for 19.10:
Automate more parts of our processes around triage of code reviews,
reactive package updates etc
Review and incorporate KSPP recommendations for kernel hardening
GCC -fstack-clash-protection and -fcf-protection as default
Various snapd enhancements (daemon user, OpenGL support, audio
migration)
AppArmor features - prompting, more groundwork for fine-grained network
mediation
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Security Certifications Engineer
https://boards.greenhouse.io/canonical/jobs/1660658
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
14min
May 20, 2019Episode 32
Overview
This week we look at updates to cover the latest Intel CPU vulnerabilities
(MDS - aka RIDL, Fallout, ZombieLoad), plus other vulnerabilies in
PostgreSQL, ISC DHCP, Samba and more, whilst special guest this week is
Seth Arnold from the Ubuntu Security Team to talk Main Inclusion Review
code audits.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-3972-1] PostgreSQL vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-10130
CVE-2019-10129
Stores statistics for columns by sampling values from that column
Security policy allows to restrict users from viewing particular rows
But sampling would not take into account security policy
User could craft a leaky operator which would return the sampled data
and effectively bypass the security policy
Fixed to only allow non-leakproof operators to use sampled data when no
relevant row security policies in place
Arbitrary server memory able to be read by executing a crafted INSERT
statement on a partitioned table (only affects PostgreSQL 11 so only
Disco)
[USN-3973-1] DHCP vulnerability
1 CVEs addressed in Bionic, Cosmic
CVE-2019-6470
DHCP server could crash due to mismatch in BIND internal memory
management and DHCP server code
BIND in Bionic + Cosmic contained a change which zeroed out an internal
index to indicate it was unused - however 0 is still a valid index in the
DHCP server codebase - and so this could cause a use-after free (since
would be free’d, index set to 0 by BIND lib but then still used later
since 0 is valid). Instead changed to track indexes correctly to account
for this behaviour.
[USN-3974-1] VCFtools vulnerabilities
3 CVEs addressed in Xenial
CVE-2018-11130
CVE-2018-11129
CVE-2018-11099
Tools for working with VCF files (1000 Genomes Project)
Fuzzed in conjunction with AddressSanitizer in clang using crafted VCF files
Read-based heap buffer overflow - crash, DoS
2 * use after free -> crash, DoS / code execution
[USN-3975-1] OpenJDK vulnerabilities
4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-2698
CVE-2019-2697
CVE-2019-2684
CVE-2019-2602
2 affecting both openjdk-11 and openjdk-8
CPU DoS via BigDecimal implementation operating on particular values
Sandbox escape due to incorrect skeleton class selection in the RMI registry
2 sandbox escapes affecting only openjdk-8 via the 2D graphics component
[USN-3976-1, USN-3976-2] Samba vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2018-16860
Kerberos (as used in AD) contains an extension to allow a service to
request a Kerberos ticket to itself on behalf of a non-Kerberos
authenticated user (allows to use Kerberos for all internal code-paths)
Can be proxied over the network so that a privileged server can proxy on
behalf of the non-Kerberos authenticated user
This proxied request contains a checksum (which can be keyed to prevent
spoofing) - BUT this is not enforced - so an attacker can intercept the
proxied request and rewrite the user name to any other one in the KDC AND
replace the checksum with a simple CRC32 - as this can be computed
without any prior knowledge
[USN-3986-1] Wireshark vulnerabilities
9 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-9214
CVE-2019-9209
CVE-2019-9208
CVE-2019-10903
CVE-2019-10901
CVE-2019-10899
CVE-2019-10896
CVE-2019-10895
CVE-2019-10894
Updated to latest 2.6.8 release to fix many issues in various packet
dissectors that would cause wireshark to crash
[USN-3988-1] MediaInfo vulnerabilities
2 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-11373
CVE-2019-11372
CLI tool for reading metadata from various audio/video files
2* OOB read -> crash, DoS
[LSN-0051-1] Linux kernel vulnerability
4 CVEs for Microarchitectural Data Sampling (MDS) vulnerabilities
CVE-2019-11091
CVE-2018-12130
CVE-2018-12127
CVE-2018-12126
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
https://www.redhat.com/en/blog/deeper-look-mds-vulnerability
Too invasive to be addressed by Livepatch - requires updates to the
kernel and new microcode to fix
Intel CPUs contain various microarchitectural elements - store buffers,
load ports, fill buffers - which get used to complete architectural
operations (read from an address etc)
4 CVEs due to the different use of these different buffers in the
various techniques
RIDL (Rogue in-flight data load) - fill buffers and load ports
Fallout - store buffers
ZombieLoad - independent discovery of fill-buffer variant of RIDL
These get reused across operations, and in particular get reused across
hyperthreads executing on the same CPU core
A malicious process can use speculative execution sampling techniques to
infer the contents of one of these microarchitectural buffers - so could
see data from a process that had previously been executing on the same
CPU core OR in the case of HT can see data from a process executing
concurrently on the same core
In the case of a single core can be fixed by first adding new behaviour
to the unused VERW instruction to clear these buffers as a microcode
update
Then updating the Linux kernel to call this new VERW instruction when
switching tasks, VMs etc
However, does not mitigate in the case of SMT
So only way to properly mitigate is to disable SMT as well
In the case of virtualisation, the guest does the task switching so it
needs to clear these buffers - update to QEMU + libvirt to expose this
new CPU capability to the guest so that it can perform the flushing
itself
Kernel + QEMU updates also contain fixes for other CVEs
Kernels updated for all supported releases including the HWE kernels
[USN-3977-1] Intel Microcode update
4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3978-1] QEMU update
7 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-9824
CVE-2019-5008
CVE-2019-11091
CVE-2018-20815
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3979-1] Linux kernel vulnerabilities
11 CVEs addressed in Disco
CVE-2019-9503
CVE-2019-9500
CVE-2019-3887
CVE-2019-3882
CVE-2019-3874
CVE-2019-1999
CVE-2019-11683
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3980-1, USN-3980-2] Linux kernel vulnerabilities
10 CVEs addressed in Bionic (HWE), Cosmic
CVE-2019-9503
CVE-2019-9500
CVE-2019-3887
CVE-2019-3882
CVE-2019-3874
CVE-2019-11091
CVE-2018-16884
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3981-1, USN-3981-2] Linux kernel vulnerabilities
9 CVEs addressed in Trusty ESM (HWE), Xenial (HWE), Bionic
CVE-2019-9503
CVE-2019-9500
CVE-2019-3882
CVE-2019-3874
CVE-2019-11091
CVE-2018-16884
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3982-1, USN-3982-2] Linux kernel vulnerabilities
6 CVEs addressed in Trusty ESM (Xenial HWE), Xenial
CVE-2019-3882
CVE-2019-3874
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3983-1, USN-3983-2] Linux kernel vulnerabilities
4 CVEs addressed in Precise ESM (Trusty HWE), Trusty ESM
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3984-1] Linux kernel vulnerabilities
4 CVEs addressed in Precise ESM
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
[USN-3985-1, USN-3985-2] libvirt update
4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-11091
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
Goings on in Ubuntu Security Community
Main inclusion review security code audits discussion with Seth Arnold
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Security Certifications Engineer
https://boards.greenhouse.io/canonical/jobs/1660658
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
24min
May 13, 2019Episode 31
Overview
This week we cover security fixes for GNOME Shell, FFmpeg, Sudo, Ghostscript and others, and we talk to Joe McManus about malicious Dockerhub images, Git repos being ransomed more.
This week in Ubuntu Security Updates
14 unique CVEs addressed
[USN-3966-1] GNOME Shell vulnerability
1 CVEs addressed in Bionic, Cosmic
CVE-2019-3820
Local user could potentially bypass various restrictions of the lock
screen - menu items can be activated by keyboard combinations - these
could then be used to take screenshots (and fill up disk space), close
windows behind the lock screen or start the screen reader which could
read out the contents of windows behind the lock screen.
Fixed by disabling all menu items when the screen is locked
[USN-3965-1] aria2 vulnerability
1 CVEs addressed in Cosmic, Disco
CVE-2019-3500
CLI download tool (akin to curl / wget but can also do bittorrent and others)
When logging would store credentials in log file which could be read by other users
Fixed by masking out credentials
[USN-3967-1] FFmpeg vulnerabilities
5 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-9721
CVE-2019-9718
CVE-2019-11339
CVE-2019-11338
CVE-2018-15822
CPU DoS in Matroska and HTML subtitle decoding
Various issues discovered by Google’s oss-fuzz project:
2 x OOB read found by Google’s clusterfuzz / oss-fuzz project in MPEG-4 decoder
NULL pointer dereference and OOB read in HEVC decoder
Assertion failure for missing audio packet size in FLV encoder
[USN-3968-1] Sudo vulnerabilities
2 CVEs addressed in Xenial
CVE-2017-1000368
CVE-2016-7076
Fails to properly parse /proc/PID/stat - this is used to determine the
controlling tty - this name could contain newlines - sudo would only read
one line of input and so would get a truncated name - when sudo is used
with SELinux this allows to confuse sudo as to where the destination for
stdout / stderr and so cause sudo to overwrite and arbitrary file by
creating a symlink from the supposed tty to the destination file.
Fixed by ensuring to parse the full name including any newlines
sudo contains the ability to restrict users with sudo access to running
further commands via the NOEXEC tag
Does this by LD_PRELOAD to replace exec() and other functions with
versions that return an error
wordexp() performs shell expansion on a string and so can contain shell
directives to run a command and get the output $(foo) - this can run
commands and so would not be stopped by LD_PRELOAD lib - so a user can
run a binary which does wordexp() they could bypass this restriction
Fixed by adding wordexp() to the LD_PRELOAD wrapper AND by adding a
seccomp filter to stop all execve() entirely
[USN-3969-1, USN-3969-2] wpa_supplicant and hostapd vulnerability
1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
CVE-2019-11555
Possible NULL pointer dereference if an attacker could construct out of
sequence EAP message fragments
Fixed by validating and rejecting invalid fragments on both the peer and
server side
[USN-3970-1] Ghostscript vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-3839
Follow up to CVE-2019-6116 (Episode 18)
GS sandbox allowed access to system operators which allowed arbitrary code execution
Missed some protections for pdf related operations which could also allow code execution
[USN-3971-1] Monit vulnerabilities
2 CVEs addressed in Cosmic, Disco
CVE-2019-11455
CVE-2019-11454
Buffer over-read when decoding URLs could allow a remote authenticated
attacker to read other memory - information disclosure but could also
cause a crash via reading from an invalid memory location
Persistent XSS in decoding Authorization header for HTTP Basic
Authorization could allow an unauthenticated remote attacker to inject
arbitrary JavaScript in the _viewlog operation - fixed by properly
escaping this data
[USN-3956-2] Bind vulnerability
1 CVEs addressed in Precise ESM, Trusty ESM
CVE-2018-5743
Episode 29 covered for standard support releases - now fixed in ESM
Discussion with Joe McManus about malicious DockerHub images and Git repo takeover ransoms
https://threatpost.com/malicious-docker-containers-earn-crypto-miners-90000/132816/
https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
Goings on in Ubuntu Security Community
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Security Certifications Engineer
https://boards.greenhouse.io/canonical/jobs/1660658
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
23min
May 06, 2019Episode 30
Overview
Fixes for 19 different vulnerabilities across MySQL, Dovecot, Memcached and others, plus we talk to Joe McManus about the recent iLnkP2P IoT hack and the compromise of DockerHub’s credentials database and more.
This week in Ubuntu Security Updates
19 unique CVEs addressed
[USN-3957-1] MySQL vulnerabilities
8 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-2683
CVE-2019-2632
CVE-2019-2628
CVE-2019-2627
CVE-2019-2614
CVE-2019-2592
CVE-2019-2581
CVE-2019-2566
Latest upstream version 5.7.26 includes fixes for 8 different issues including:
Unauthenticated remote attacker could gain complete access to all MySQL server data
Multiple versions of privileged attacker could hang / crash MySQL server
[USN-3958-1] GStreamer Base Plugins vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-9928
Heap based buffer overflow in RTSP connection parser - could allow a
malicious server to gain remote code execution on the client - session id
can contain attributes separated by semi-colons - would assume when
encountering a semi-colon that this delimits the maximum size of the
session id - however the session id has a maximum size of 512 bytes -
would overflow by using the user-supplied session id length rather than
sticking to the maximum structure length - changed to only parse up to
the maximum size of the structure to ensure we then don’t overflow when
copying
[USN-3959-1] Evince vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11459
Failed to check return values when calling functions for libTIFF - these
return the pixel data from an embedded TIFF image - on failure would end
up rendering uninitialised memory rather than the TIFF image - fixed to
check return values and bail out on error
[USN-3960-1] WavPack vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-11498
Fuzzing via valgrind - found if no sample rate was specified then a stack
declared but uninitialized value would be used - could cause a crash etc
since could be anything - fixed to initialise it to 0 and to check if
still zero before proceeding to process
[USN-3961-1] Dovecot vulnerabilities
2 CVEs addressed in Cosmic, Disco
CVE-2019-11499
CVE-2019-11494
Two issues related to authentication in recent versions of dovecot - if
client aborts authentication the serer could crash due to a NULL pointer
dereference, and if using TLS but send an invalid authentication message
could crash as well
[USN-3962-1] libpng vulnerability
1 CVEs addressed in Bionic, Cosmic
CVE-2019-7317
Use after free in png image cleanup - originally was called under
png_safe_execute() - this is an internal function which itself calls
png_image_free() - so after freeing the image would free it a second time
in certain conditions - changed to just call the free function directly
rather than via png_safe_execute()
[USN-3963-1] Memcached vulnerability
1 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-11596
Possible NULL pointer dereference via local command interface due to
insufficient checks when parsing input - commands require 4 input tokens
but only checked for 3 (off-by-one) - could allow an attacker with access
to the command interface to crash memcached
[USN-3953-2] PHP vulnerabilities
2 CVEs addressed in Precise ESM, Trusty ESM
CVE-2019-11035
CVE-2019-11034
Episode 29 covered these for standard supported releases - this update is
for the ESM releases - two bugs in EXIF tag handling
[USN-3964-1] python-gnupg vulnerabilities
2 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-6690
CVE-2018-12020
Possible to trick gnupg to decrypt ciphertext other than the intended one
when an attacker can control the passphrase to gnupg and the ciphertext
is assumed trusted - this uses the command-interface of gnupg and passes
the passphrase directly to it - along with the ciphertext - so if
attacker includes newlines in the supplied passphrase can then inject
their own ciphertext (or plaintext in the context of encryption) - fixed
to check passphrase does not contain line-feed or carriage return
characters
Possible to trick by including what looks like the return response from
gnupg directly in the filename to be decrypted when using verbose output
mode - fixed by sanitising this filename first
Discussion with Joe McManus about another IoT compromise and DockerHub
https://krebsonsecurity.com/2019/04/p2p-weakness-exposes-millions-of-iot-devices/
https://www.zdnet.com/article/over-two-million-iot-devices-vulnerable-because-of-p2p-component-flaws/
https://www.zdnet.com/article/docker-hub-hack-exposed-data-of-190000-users/
Goings on in Ubuntu Security Community
Hiring
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
21min
April 30, 2019Episode 29
Overview
This week we look at fixes from the past two weeks including BIND, NTFS-3G,
Dovecot, Pacemaker and more, plus we follow up last episodes IoT security
discussion with Joe McManus talking about Ubuntu Core. Finally we cover the
release of Ubuntu 19.04 Disco Dingo and the transition of Ubuntu 14.04
Trusty Tahr to Extended Security Maintenance.
These past two weeks in Ubuntu Security Updates
53 unique CVEs addressed
[USN-3947-1, USN-3947-2] Libxslt vulnerability
1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
CVE-2019-11068
Library to transform XML via XML definitions
Includes a security framework since XSLT can define operations to
fetch/read/write files and resources etc
Various functions would return 0 if an operation is not allowed by the
framework which was checked for and correctly disallowed - BUT they could
also return -1 on error (say from a potentially bad URL) which would not
be caught and so then would proceed and would fetch from the URL in
question thereby violating the security policy
Fixed to also check for error codes on handle the same as an explicit
policy violation
[USN-3948-1] WebKitGTK+ vulnerabilities
14 CVEs addressed in Bionic, Cosmic
CVE-2019-8563
CVE-2019-8559
CVE-2019-8558
CVE-2019-8551
CVE-2019-8544
CVE-2019-8536
CVE-2019-8535
CVE-2019-8524
CVE-2019-8523
CVE-2019-8518
CVE-2019-8506
CVE-2019-8375
CVE-2019-6251
CVE-2019-11070
Wide mix of issues fixed including XSS and DoS attacks or possible
arbitrary code execution if visiting a malicious website
[USN-3949-1] OpenJDK 11 vulnerability
1 CVEs addressed in Bionic
CVE-2019-2422
Backport of openjdk-11 from Disco to Bionic, includes a minor security
fix to memory disclosure vulnerablity which could enable an attacker to
bypass sandbox
[USN-3918-4] Firefox regressions
17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9803
CVE-2019-9793
CVE-2019-9809
CVE-2019-9808
CVE-2019-9807
CVE-2019-9806
CVE-2019-9805
CVE-2019-9802
CVE-2019-9799
CVE-2019-9797
CVE-2019-9796
CVE-2019-9795
CVE-2019-9792
CVE-2019-9791
CVE-2019-9790
CVE-2019-9789
CVE-2019-9788
Episode 26 covered 66.0.2 regression - this is now 66.0.3 to fix further
regressions in keyboard handling as discussed previously
[USN-3914-2] NTFS-3G update
Affecting Xenial, Bionic, Cosmic
Episode 25 covered ntfs-3g update for possible heap buffer overflow
As was setuid root this could possibly be used for root privilege
escalation
This update removes setuid root to additionally harden ntfs-3g so that
any future vulnerablilites can’t be used for privilege escalation
[USN-3950-1] ZNC vulnerability
1 CVEs addressed in Cosmic
CVE-2019-9917
crash -> DoS due to improper handling of character encoding - if a remote
user specified an invalid encoding it could cause znc to crash
Fixed to fallback to utf-8 if unknown encoding specified
[USN-3951-1] Dovecot vulnerability
1 CVEs addressed in Cosmic, Disco
CVE-2019-10691
Only affects Dovecot 2.3 and hence only Cosmic, Disco, Eoan etc
Improper handling of invalid utf-8 username in JSON encoding could cause
the authentication service to crash
[USN-3952-1] Pacemaker vulnerabilities
3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-3885
CVE-2018-16878
CVE-2018-16877
Cluster resource manager - high availability and load balancing for OpenStack
All discovered by Jan Pokorný - local attacker could possibly escalate
privileges or cause a denial of service or to cause sensitive information
to be leaked to system logs
[USN-3953-1] PHP vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2019-11035
CVE-2019-11034
php7.2 and php7.0
Buffer over-read when processing certain EXIF tags - possible information
disclosure or crash -> DoS
[USN-3922-2, USN-3922-3] PHP vulnerabilities
7 CVEs addressed in Precise ESM, Trusty
CVE-2019-9641
CVE-2019-9640
CVE-2019-9639
CVE-2019-9638
CVE-2019-9637
CVE-2019-9675
CVE-2019-9022
Most covered back in Episode 26
[USN-3936-2] AdvanceCOMP vulnerability
1 CVEs addressed in Disco
CVE-2019-9210
Corresponding update for Disco - covered in Episode 27
[USN-3954-1] FreeRADIUS vulnerabilities
2 CVEs addressed in Bionic, Cosmic, Disco
CVE-2019-11235
CVE-2019-11234
2 possible “Dragonblood” authentication bypass issues - mentioned back in
Episode 28 in the context of wpa_supplicant and hostapd - similar issue
for FreeRADIUS
[USN-3955-1] tcpflow vulnerabilities
2 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2018-18409
CVE-2018-14938
Stack based buffer overflow and an integer overflow -> usual effects
(crash -> DoS / information disclosure)
[USN-3956-1] Bind vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
CVE-2018-5743
DoS - possible to bypass bind’s limits on simultaneous TCP clients and so
cause a DoS via excessive resource usage
IoT Security follow-up with Joe McManus
Alex and Joe follow up on last episode’s conversation about IoT and in
particular talk about Ubuntu Core and how this has been engineered to
address many of these common IoT security design and implementation flaws
Goings on in Ubuntu Security Community
Ubuntu 19.04 Disco Dingo Released
Released on Thursday 18th April
Officially supported by Canonical for 9 months - with security fixes for
packages in main by the security team
Ubuntu 14.04 Trusty Tahr transitions to Extended Security Maintenance
Standard support period concluded on Thursday 25th April
Users are encouraged to upgrade to our latest LTS release 18.04 via 16.04
Extended security maintenance is now available via Ubuntu Advantage
https://blog.ubuntu.com/2019/02/05/ubuntu-14-04-trusty-tahr
https://www.ubuntu.com/esm
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
22min
April 15, 2019Episode 28
Overview
This week we look at updates for vulnerabilities in wpa_supplicant, Samba, systemd, wget and more and we talk to Joe about IoT security (or the prevailing lack-thereof).
This week in Ubuntu Security Updates
27 unique CVEs addressed
[USN-3939-1, USN-3939-2] Samba vulnerability
1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
CVE-2019-3880
Symlink path traversal vulnerability in the Windows Registry service emulation RPC API end-point
Allows a local user to create a new registry file anywhere they have Unix
permissions to do so within the Samba share
Bypasses share restrictions such as read-only and share ACLs
Also allows to create the file outside the share itself if there is
already a symlink pointing outside the shared areas
Fixed by removing the ability to save or restore registry keys at all via
this RPC API end-point
[USN-3940-1, USN-3940-2] ClamAV vulnerabilities
3 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
CVE-2019-1789
CVE-2019-1788
CVE-2019-1787
3 file-handling issues
2 OOB heap read when handling PE (Windows EXE and DLL) and PDF files ->
crash -> DoS
OOB heap write when scanning OLE2 files (old format Microsoft Office
documents), crash -> DoS or possible code execution
[USN-3941-1] Lua vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-6706
UAF if calling debug.upvaluejoin() with the same function for both function parameters
[USN-3938-1] systemd vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-3842
Failure to properly sanitize environment before using XDG_SEAT
Attacker could set XDG_SEAT such that they can have actions checked
against the wrong PolicyKit policy
Allows a remotely logged in attacker (SSH) to run commands which should
be restricted to only physically present users
Fixed by using secure_getenv() rather than just getenv() - so that if
running via su the existing value is effectively scrubbed from the
environment and ignored
[USN-3942-1] OpenJDK 7 vulnerability
1 CVEs addressed in Trusty
CVE-2019-2422
Information leak allows a remote attacker to possibly leverage this to
bypass the Java sandbox
[USN-3943-1, USN-3943-2] Wget vulnerabilities
2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic (1 in Precise ESM)
CVE-2019-5953
CVE-2018-20483
Heap buffer overflow due to improper memory management - crash -> DoS or possible code execution
By default wget would store the origin URL in an extended attribute on the downloaded file
Could include username / password
getfattr -d to dump
changed to NOT store extended attributes by default AND to strip out
any credentials when doing so
doesn’t effect Precise ESM
[USN-3937-2] Apache vulnerabilities
4 CVEs addressed in Precise ESM
CVE-2018-1312
CVE-2018-1301
CVE-2017-15710
CVE-2019-0217
Episode 27 covered mod_auth_digest bypass for other supported releases
Also includes 3 other issues:
Nonce generated to prevent reply attacks for HTTP digest authentication
challenenge wasn’t sufficiently random
Could allow and attacker to reply across a cluster of servers with
the same common digest authentication configuration
changed to actually use a proper random source
Possible OOB read -> crash -> DoS
Possible one-byte memory corruption if specify a character encoding of
only 1 byte (since assumes is at least 2 bytes and so writes a NULL at
index +2 which could be past the end of the header) - crash, DoS
[USN-3944-1] wpa_supplicant and hostapd vulnerabilities
5 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2016-10743
CVE-2019-9499
CVE-2019-9498
CVE-2019-9497
CVE-2019-9495
Fix fallback to low-quality PRNG if failed to get an actual random value for a WPS pin
Multiple vulnerabilities discovered in the implementation of WPA3 in
hostapd and wpa_supplicant (aka Dragonblood)
2 apply to SAE (Simultaneous Authentication of Equals , also known as
Dragonfly Key Exchange) not relevant since we don’t enable SAE support
in our builds (this is used for initial key exchange instead of PSK)
4 apply to the use of EAP-PWD - Extensible Authentication Protocol
Password
cache side channel attack
reflection attack
may allow an attacker to authenticate without the password but
likely not derive session key or complete the key exchange so no
loss of confidentiality
2 failure to validate crypto components
could allow attacker to authenticate AND gain access to session key
and get network access
[USN-3945-1] Ruby vulnerabilities
6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-8325
CVE-2019-8324
CVE-2019-8323
CVE-2019-8322
CVE-2019-8321
CVE-2019-8320
Symlink directory traversal issue - gem would delete the target
destination before creating any new directories or files when extracting
a Gem - as this is often run via sudo could allow to delete anything on
target system
Fixed to check target paths are symlinks
5 different code-injection attacks:
4 via injection of terminal escape sequences in debug code paths to stdout
one via eval() of the stub line in a gemspec file
[USN-3946-1] rssh vulnerabilities
3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-3464
CVE-2019-3463
CVE-2019-1000018
Possible to execute arbitrary shell commands since failed to properly
sanitize environment variables and command-line arguments when executing
rsync or scp
Removed from archive in disco since dead upstream
Goings on in Ubuntu Security Community
IoT Security discussion with Joe McManus
https://arstechnica.com/information-technology/2019/04/new-variants-of-mirai-botnet-detected-targeting-more-iot-devices/
https://www.ubuntu.com/core
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
22min
April 08, 2019Episode 27
Overview
Carpe Diem for Apache HTTP Server, plus updates for Dovecot, PolicyKit and the Linux kernel, and we talk to Joe McManus about the recent Asus ShadowHammer supply chain attack and more.
This week in Ubuntu Security Updates
52 unique CVEs addressed
[USN-3928-1] Dovecot vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-7524
Local user root privilege escalation
Stack buffer overflow - indexer-worker processes missing bounds check when copying from the index
If local user can modify the dovecot index then could leverage this
for code-execution in the indexer process context
Mitigated by usual hardening techniques (ASLR, stack-protector,
read-only GOT (via RELRO & BIND_NOW))
[USN-3929-1] Firebird vulnerabilities
2 CVEs addressed in Trusty
CVE-2017-6369
CVE-2014-9323
Remote authenticated users execute code
Remote un-authenticated user DoS via op_response action with a non-empty status
[USN-3934-1] PolicyKit vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-6133
Episode 23 - fixed kernel to make process start_time via fork() more atomic
Updated policykit to also check UIDs match (so now checks start_time,
PID and UID so can’t use another user’s authorisations)
[USN-3935-1] BusyBox vulnerabilities
10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-5747
CVE-2018-20679
CVE-2018-1000517
CVE-2017-16544
CVE-2017-15873
CVE-2016-2148
CVE-2016-2147
CVE-2015-9261
CVE-2014-9645
CVE-2011-5325
Mix of issues across various components in BusyBox
udhcpc:
Information disclosure of stack memory in dhcp client / server
(shared component) due to failure to check DHCP options are correct
size - original fix was incomplete so this got 2 CVEs
Heap buffer overflow via DHCP option parsing of OPTION_6RD (IPv6
rapid deployment on IPv4 infra)
Integer overflow -> heap-based OOB write -> crash -> DoS / code
execution
wget:
Heap buffer overflow in wget
shell:
Failure to sanitize filenames during tab completion - could allow
code execution etc as user who is running the shell
archive handling
Integer overflow in bzip2 decompression - OOB write - crash -> DoS
/ code execution?
Pointer misuse in zip decompression - OOB read - crash -> DoS
directory traversal due to symlinks which point outside the
current working directory when decompressing tar archives
(tyhicks)
module loading
allows users to load modules which are otherwise restricted -
assumes modules could specify the path so uses basename() on the
module name - so just need to include a / in the module name to
circumvent other checks
[USN-3937-1] Apache HTTP Server vulnerabilities
6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-0220
CVE-2019-0217
CVE-2019-0196
CVE-2018-17199
CVE-2018-17189
CVE-2019-0211
“Carpe Diem” and others
Local root privilege escalation due to an OOB array access resulting
in arbitrary function call when apache gracefully restarts - done
daily via logrotate at 6:25am
affects mod_prefork, mod_worker and mod_event
main server (running as root) shares a memory segment (the
scoreboard) with low-privileged worker processes
PID, last request handled etc - maintained by the worker
worker stores an index into global buckets array in the privileged parent
this gets used on restart to restart the worker but no check is done to ensure this is valid
so since is in shm child can change this index to ensure it points back into the shm segment where it has write access
the bucket contains a function pointer to restart worker - so
since this is now indexed from the shm segment can make this point
to any function of choice - AND this gets executed as root by the
parent
Requires some other bug to turn this into a remote exploit since
need to get R/W access remotely on a worker process
Failure to normalize URLs in a consistent manner - LocationMatch and
RewriteRule might not get applied correctly
Race condition in mod_auth_digest could allow user with valid
credentials to impersonate another and bypass access controls
read after free on string comparison in mod_http2 - crash, DoS
failure to respect session expiry time in mod_session_cookie
DoS via slow-loris type attack to occupy server threads
[USN-3936-1] AdvanceCOMP vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9210
Integer overflow when decompressing invalid PNG images - OOB write and
heap OOB read
[USN-3930-1, USN-3930-2] Linux kernel vulnerabilities
13 CVEs addressed in Cosmic and Bionic (HWE)
CVE-2019-9213
CVE-2019-9162
CVE-2019-9003
CVE-2019-8980
CVE-2019-8956
CVE-2019-8912
CVE-2019-7308
CVE-2019-7222
CVE-2019-7221
CVE-2019-6974
CVE-2019-3460
CVE-2019-3459
CVE-2018-19824
Jann Horn (GPZ):
mmap minimum address bypass - could allow to turn a kernel NULL
pointer dereference into code execution
ASN.1 decoding for SNMP NAT missing length checks - OOB R/W possible
side-channel attack due to speculation on pointer arithmetic in eBPF
programs (Spectre V1)
mitigated when secure boot due to lockdown patches blocking BPF
program loading
Reference counting race-condition in KVM -> UAF -> guest VM crash
UAF + OOPS in IPMI due to race-condition on restart
Memory leak on error path of vfs read operations -> DoS
UAF in SCTP sendmsg - crash / code execution
UAF in AF_ALG due to failure to NULL structure members
Originally misclassified by NVD as remotely exploitable, confusion
over socket() use by crypto API?
Info leak and a UAF in KVM when using nested virtualisation - not
enabled by default in Ubuntu kernels unless if install QEMU - this is
enabled automatically
2 different information leak of heap memory in bluetooth subsystem
triggerable by unauthenticated remote attacker
UAF in ALSA USB sound device handling mentioned in Episode 20
[USN-3931-1, USN-3931-2] Linux kernel vulnerabilities
12 CVEs addressed in Bionic, Trusty (HWE) and Xenial (HWE)
CVE-2019-9213
CVE-2019-8980
CVE-2019-8912
CVE-2019-7308
CVE-2019-7222
CVE-2019-7221
CVE-2019-6974
CVE-2019-3460
CVE-2019-3459
CVE-2018-19824
CVE-2018-18021
CVE-2018-14678
10 from above, 2 unique:
Potential host system crash / code execution from malicious guest
for KVM on ARM64 as mentioned previously in Episode 12
Failure to properly initialise all elements of error handler
callback in Xen - guest VM crash triggerable by an unprivileged
attacker in the guest VM
[USN-3932-1, USN-3932-2] Linux kernel vulnerabilities
20 CVEs addressed in Xenial and Trusty (HWE)
CVE-2019-3819
CVE-2019-3701
CVE-2018-9517
CVE-2018-16884
CVE-2018-14613
CVE-2018-14612
CVE-2018-14611
CVE-2018-14610
CVE-2018-14616
CVE-2018-14614
CVE-2018-13100
CVE-2018-13099
CVE-2018-13097
CVE-2017-18249
CVE-2019-9213
CVE-2019-7222
CVE-2019-7221
CVE-2019-6974
CVE-2019-3460
CVE-2019-3459
2 DoS triggerable by root (low priority issue)
UAF in PPP over L2TP
UAF in NFS41+ when using multiple network namespaces
4 different NULL pointer dereferences in btrfs via malicious image
Race condition and various reads of invalid memory areas when mounting
malicious f2fs images
mmap min address bypass and others mentioned previously plus
(bluetooth, kvm etc)
[USN-3933-1, USN-3933-2] Linux kernel vulnerabilities
8 CVEs addressed in Trusty and Precise ESM (HWE)
CVE-2019-9213
CVE-2019-7222
CVE-2019-6974
CVE-2019-3460
CVE-2019-3459
CVE-2018-19824
CVE-2017-18360
CVE-2017-1000410
Goings on in Ubuntu Security Community
Supply chain attacks and Ubuntu
Alex and Joe discuss recent Asus ShadowHammer supply chain attack and how this relates to Ubuntu
https://securelist.com/operation-shadowhammer/89992/
https://www.forbes.com/sites/jasonevangelho/2019/03/29/shadowhammer-asus-1-million-reasons-switch-from-windows-to-linux/
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2018-ossra.pdf
http://go.coverity.com/rs/157-LQW-289/images/2014-Coverity-Scan-Report.pdf
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
30min
April 01, 2019Episode 26
Overview
This week we look security updates for a heap of packages including
Firefox & Thunderbird, PHP & QEMU, plus we discuss Facebook’s recent
password storage incident as well as some listener hardening tips and
more.
This week in Ubuntu Security Updates
48 unique CVEs addressed
[USN-3919-1] Firefox vulnerabilities
2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9813
CVE-2019-9810
Firefox 66.0.1 (mentioned briefly last week) - fixes two vulnerabilities discovered during Pwn2Own
Both in the IonMonkey JIT compiler
Incorrect alias information for the Array.prototype.slice method
leads to missing bounds check and a buffer overflow - code execution
as a result
Type confusion in handling of ,__proto__ mutations - ,__proto__ is
used to modify the Prototype of an object to be mutated - used for
object inheritance in JavaScript - allows arbitrary memory
read/write and therefore code execution as a result
[USN-3918-2] Firefox vulnerabilities
17 CVEs addressed in Trusty
CVE-2019-9803
CVE-2019-9793
CVE-2019-9809
CVE-2019-9808
CVE-2019-9807
CVE-2019-9806
CVE-2019-9805
CVE-2019-9802
CVE-2019-9799
CVE-2019-9797
CVE-2019-9796
CVE-2019-9795
CVE-2019-9792
CVE-2019-9791
CVE-2019-9790
CVE-2019-9789
CVE-2019-9788
Firefox 66 & 66.0.1 - Episode 25 covered for Xenial, Bionic and Cosmic
[USN-3918-3] Firefox regression
17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9803
CVE-2019-9793
CVE-2019-9809
CVE-2019-9808
CVE-2019-9807
CVE-2019-9806
CVE-2019-9805
CVE-2019-9802
CVE-2019-9799
CVE-2019-9797
CVE-2019-9796
CVE-2019-9795
CVE-2019-9792
CVE-2019-9791
CVE-2019-9790
CVE-2019-9789
CVE-2019-9788
Firefox 66 & 66.0.1 contained a regression - so upstream released 66.0.2
Broke keyboard handling in Office 365, iCloud and IBM WebMail -
Firefox 66 changed the way keycode handling works so these websites
and others which use older, deprecated methods to get the keycode have
been added to an internal fallback list to use the old method
[USN-3927-1] Thunderbird vulnerabilities
10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9793
CVE-2019-9813
CVE-2019-9810
CVE-2019-9796
CVE-2019-9795
CVE-2019-9792
CVE-2019-9791
CVE-2019-9790
CVE-2019-9788
CVE-2018-18506
Thunderbird 60.6.1
Rolls in security fixes covered previous for Firefox (66.0, 66.0.1)
Both the Pwn2Own and previous fixes
As for Firefox, listen back to Episode 25 for details of 66.0 fixes
[USN-3921-1] XMLTooling vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9628
Crash due to uncaught DOMException able to be triggered by a malformed
XML document - DoS
Thanks to Etienne Dysli Metref who provided debdiff’s as well as
testing for this update
[USN-3922-1] PHP vulnerabilities
5 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-9641
CVE-2019-9640
CVE-2019-9639
CVE-2019-9638
CVE-2019-9637
Integer overflow on 32-bit archs when processing malformed EXIF image
data - crash, DoS
Failure to check available data length when processing image
thumbnails - OOB read -> crash -> DoS
OOB read of 1 byte when handling EXIF image data - crash -> DoS
During file rename, if file is moved across file-systems, the new file
briefly is world readable allowing anyone to read it - fixed by
ensuring umask is used correctly so that the new file always has
restrictive permissions from the outset
[USN-3923-1] QEMU vulnerabilities
11 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-6778
CVE-2019-3812
CVE-2018-20216
CVE-2018-20191
CVE-2018-20126
CVE-2018-20125
CVE-2018-20124
CVE-2018-20123
CVE-2018-19489
CVE-2018-16872
CVE-2018-16867
Heap-based buffer overflow in TCP emulation
OOB read in i2c handling allowing a local attacker within a guest who
has permission to execute i2c commands could read qemu host process
stack memory
Plan9 FS host-directory sharing race-condition on file rename -> crash
-> DoS
2 issues in USB MTP handling:
time-of-check to time-of-use error allows attacker with write access
to the shared host filesystem can use this to navigate host FS in
context of QEMU host process and read any therefore read any file
which QEMU can on the host
Path traversal flaw due to improper filename sanitisation - allow to
read-write arbitrary host files -> Dos or code execution on the host
Updates for Paravirtualised RDMA subsystem:
DoS due to infinite loop
NULL pointer dereference due to missing read method
Fix various memory leaks
Various other NULL pointer dereferences plus a failure to check
parameters leading to possible extreme memory allocation
Fix OOB read triggerable by guest
[USN-3924-1] mod_auth_mellon vulnerabilities
2 CVEs addressed in Bionic, Cosmic
CVE-2019-3878
CVE-2019-3877
Apache module to provide authentication and authorisation via SAML 2.0 IdP
Possible to bypass authorisation checks when also using mod_proxy
Fix an open-redirect via the logout endpoint - could encode an
absolute URL using backward-slashes (\) in place of forward-slashes
(/) and this would be propagated by the endpoint to the client where
the browser would convert these and follow the redirect - due to
mismatch in how browsers will convert these but apache’s own internal
URI parsing does not
[USN-3925-1] FreeImage vulnerability
1 CVEs addressed in Trusty, Xenial
CVE-2016-5684
OOB write in XMP image handling - code execution
[USN-3926-1] GPAC vulnerabilities
8 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2018-7752
CVE-2018-20763
CVE-2018-20762
CVE-2018-20761
CVE-2018-20760
CVE-2018-13006
CVE-2018-13005
CVE-2018-1000100
Various memory safety issues, including OOB buffer reads and writes
due to missing bounds checks (was using strcpy without checking
lengths…)
Goings on in Ubuntu Security Community
Joe McManus on Facebook insecure password storage
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/
Ubuntu Hardening Tips
Paul Waring got in touch to mention his tips for hardening new Ubuntu installations:
Install and configure unattended-upgrades
Install UFW and block all incoming connections except specific services
Can be done easily via ansible from just a few lines of YAML
For servers:
Install SSHGuard to ban IP addresses with too many failed login attempts
Require TLS for all services via LetsEncrypt + certbot
Configure SSH to permit only key-based authentication
For wordpress installations - install wp-cli to auto-update themes
and plugins
Automate as much of this as possible for automatic hardening
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
21min
March 25, 2019Episode 25
Overview
Ghostscript is back to haunt us for another week, plus we look at vulnerabilities in ntfs-3g, snapd, firefox and more.
This week in Ubuntu Security Updates
39 unique CVEs addressed
[USN-3911-1] file vulnerabilities
4 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-8907
CVE-2019-8906
CVE-2019-8905
CVE-2019-8904
4 DoS (crash) found via fuzzing:
Stack overflow in readelf
2 different OOB read due to failure to NULL terminate a string before processing it
Read past end of stack due to failing to properly keep track of buffer sizes
[USN-3906-2] LibTIFF vulnerabilities
8 CVEs addressed in Precise ESM
CVE-2019-7663
CVE-2019-6128
CVE-2018-18557
CVE-2018-17101
CVE-2018-17100
CVE-2018-1710
CVE-2018-12900
CVE-2018-10779
Covered in Episode 18 and Episode 24 for standard Ubuntu releases (not
all CVEs covered in those updates applicable to Precise ESM)
[USN-3912-1] GDK-PixBuf vulnerability
1 CVEs addressed in Xenial
CVE-2017-12447
Failure to properly validate BMP image palette parameters - leading to
OOB when decoding colormap later on
[USN-3914-1] NTFS-3G vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-9755
Discovered recently by Chris Coulson during code-audit of ntfs-3g -
actually had been fixed upstream late last year but no CVE assigned
Heap buffer overflow able to be triggered when mounting a filesystem
onto a mount point with path name greater than PATH_MAX, and from a
current working directory which has a path name also greater than
PATH_MAX
Contents of buffers is attacker controlled so heap can be overflown
with attacker controlled input - likely to leverage into arbitrary
code execution
Contrived example BUT in Debian and Ubuntu ntfs-3g is setuid root -
which then leads to root privilege escalation with arbitrary code
execution
Update was released within hours of the bug being made public to fix
the heap buffer overflow
Currently testing ntfs-3g as not-setuid root to release in a future
update to avoid any other possible privilege escalation bugs in the
future
[USN-3915-1] Ghostscript vulnerabilities
2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-3838
CVE-2019-3835
Similar to previous CVE, forceput operator could be extracted from the
DefineResource method to allow access to the file-system outside of
the -dSAFER sandbox
superexec operator was available in the internal dictionary - also
able to be extracted and hence used to access files outside the
sandbox
[USN-3913-1] P7ZIP vulnerabilities
2 CVEs addressed in Xenial
CVE-2017-17969
CVE-2016-2335
Heap based OOB write when decompressing a crafted ZIP file (crash -> DoS, possible code execution)
Heap based OOB read when decompressing a UDF file (universal disk format - used for DVD images) - crash, DoS
[USN-3918-1] Firefox vulnerabilities
17 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-9803
CVE-2019-9793
CVE-2019-9809
CVE-2019-9808
CVE-2019-9807
CVE-2019-9806
CVE-2019-9805
CVE-2019-9802
CVE-2019-9799
CVE-2019-9797
CVE-2019-9796
CVE-2019-9795
CVE-2019-9792
CVE-2019-9791
CVE-2019-9790
CVE-2019-9789
CVE-2019-9788
Almost latest Firefox release (this is 66, 66.0.1 was released Friday after Pwn2Own
last week so expect another Firefox update today or tomorrow)
Multiple memory safety issues fixed, possible code execution as a result
3 issues in FTP modal dialogs allow to either DoS user via
successive dialogs, or conduct social engineering attacks against
the user
Possible information leak from parent to child process via IPC channels
Various UAFs, type-confusion etc -> memory corruption -> possible code execution
Incorrect bounds checking on JS objects IF Spectre mitigations
disabled (these are enabled by default so user would have to
explicitly disable them)
and more…
[USN-3917-1] snapd vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-7303
Jann Horn reported the seccomp blacklist for TIOCSTI can be bypassed
snapd creates a seccomp filter for each snap which is designed to
block TIOCSTI (as this can be used to fake input to other processes
outside of the sandbox)
This is a 32-bit value to the ioctl system call, but on 64-bit
architectures the kernel does this comparison as a 64-bit integer - so
can be circumvented by using a 64-bit value to ioctl systemcall which
has other bits set in the upper 32 bits - since when seccomp does
comparison it uses the full 64 bits - so it won’t match the 32-bit
value of TIOCSTI and so will be allowed - but then when used as the
ioctl() argument it will correctly be truncated to 32-bits and the
ioctl will proceed
Fixed in snapd to add a second seccomp filter to disallow anything in
the upper 32-bits
Initially seemed like a kernel or libseccomp issue but both currently
document this as a limitation already so treated in the end as a
vulnerability in snapd
[USN-3916-1] libsolv vulnerabilities
3 CVEs addressed in Cosmic
CVE-2018-20534
CVE-2018-20533
CVE-2018-20532
Dependency solver used by packaging systems to resolve dependencies
between packages etc
2 NULL pointer dereferences and 1 invalid memory read due to
mishandling of variable length function arguments - all crash -> DoS
Goings on in Ubuntu Security Community
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
15min
March 19, 2019Episode 24
Overview
A look at recent fixes for vulnerabilities in poppler, WALinuxAgent, the
Linux kernel and more. We also talk about some listener feedback on
Ubuntu hardening and the launch of Ubuntu 14.04 ESM.
This week in Ubuntu Security Updates
18 unique CVEs addressed
[USN-3905-1] poppler vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-9200
Heap-based buffer underwrite (index into array using negative index) -
write into heap memory which preceeds the intended buffer - heap
corruption - crash -> DoS, possible code execution
Found by fuzzing and AddressSanitizer in clang
[USN-3906-1] LibTIFF vulnerabilities
6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-7663
CVE-2019-6128
CVE-2018-19210
CVE-2018-17000
CVE-2018-12900
CVE-2018-10779
All DoS, one possible code-execution:
Dereference of an invalid address (read from invalid memory location)
Heap buffer overread
2x NULL pointer dereferences
Memory leak
Heap buffer overflow - possible code execution
[USN-3907-1] WALinuxAgent vulnerability
1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
CVE-2019-0804
WALinuxAgent used to manage instances of Ubuntu (and other Linux
distributions) running on Azure
Can be used to configure swap space for a given image
would then create a swap file (/mnt/swapfile) BUT would make it world-readable
so any local user could read it - if keys or other sensitive items
were in memory that got swapped to disk could be read by all
Fixed to make this readable only by root and to also correct the
permissions on any existing swapfile as well
[USN-3902-2] PHP vulnerabilities
4 CVEs addressed in Precise ESM
CVE-2019-9023
CVE-2019-9021
CVE-2019-9024
CVE-2019-9020
See last week’s Episode 23 - discussed for Xenial and Trusty - fixed
now for Precise ESM as well
[USN-3910-1, USN-3910-2] Linux kernel vulnerabilities
5 CVEs addressed in Xenial and Trusty (Xenial HWE)
CVE-2019-6133
CVE-2018-7740
CVE-2018-19985
CVE-2018-1120
CVE-2017-18241
2 of these discussed in previous episodes Episode 23 (PolicyKit start
time, DoS via mmaping a FUSE-backed file into processes memory
containing command-line args)
Trigger of BUG_ON() in kernel (like assert() for kernel code) due to
integer overflow from large pgoff parameter to remap_file_pages() when
used in conjuction with an existing mmap() -> crash -> DoS
OOB read in USB driver for Option High Speed mobile devices - would
read a descriptor from the USB device as a u8 and then index into an
array with this without checking whether it fell within the array
NULL pointer dereference in f2fs driver via use of noflush_merge mount
option
[USN-3908-1, USN-3908-2] Linux kernel vulnerability
1 CVEs addressed in Trusty and Precise ESM (Trusty HWE)
CVE-2019-6133
See last week’s Episode 23 - discussed for Bionic kernel - now for
Trusty kernel (and the Trusty HWE kernel backported to Precise ESM)
PolicyKit start time issue, fixed in kernel
[USN-3909-1] libvirt vulnerability
1 CVEs addressed in Xenial, Bionic, Cosmic
CVE-2019-3840
NULL pointer dereference in libvirt if agent does not reply in time
(say guest is being shutdown) - crash host libvirt -> DoS
Goings on in Ubuntu Security Community
Ubuntu Hardening Response
Alexander Popov
Responsible for getting STACKLEAK into the mainline kernel
Pointed out his Linux Kernel Defence Map and kconfig hardened check
We use kconfig hardened check internall and tyhicks has contributed
various improvements which allow this to be used to check the
various Ubuntu kernel configurations
Extended Security Maintenance for Ubuntu 14.04 (Trusty Tahr) begins April 25 2019
https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-March/004800.html
Ubuntu 14.04 LTS will transition to Extended Security Maintenance on Tuesday 25th April
Encourage users to upgrade to Xenial (and then Bionic)
ESM for 14.04 provided to customers via Ubuntu Advantage
Further details regarding ESM
Hiring
Ubuntu Security Generalist
https://boards.greenhouse.io/canonical/jobs/1548812
Robotics Security Engineer
https://boards.greenhouse.io/canonical/jobs/1550997
Get in contact
[email protected]
#ubuntu-security on the Libera.Chat IRC network
@ubuntu_sec on twitter
...more
14min

FAQs about Ubuntu Security Podcast:

How many episodes does Ubuntu Security Podcast have?

The podcast currently has 244 episodes available.