
Ubuntu Security Podcast

Episode 11

13 min • 12 November 2018

Overview

This week we look at some details of the 23 unique CVEs addressed across the supported Ubuntu releases, discuss the latest purported Intel side-channel vulnerability PortSmash and more.

This week in Ubuntu Security Updates

23 unique CVEs addressed

[USN-3806-1] systemd vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Reported by Felix Wilhelm from Google Security Team to Ubuntu in LP #1795921
  • systemd contains DHCPv6 client written from scratch
  • Heap buffer overflow in DHCPv6 option handling (say via server id of >=493 bytes)
  • Coordinated with systemd upstream and Red Hat to resolve this
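
The defect class described above is an option length taken from the packet and trusted when copying into a fixed-size destination. The following is an added example, not systemd's DHCPv6 client code: it walks a DHCPv6 option list (option-code, option-len, data, as in RFC 8415) and checks every advertised length against both the bytes actually received and the capacity of the destination buffer before any memcpy. The lease struct, the 128-byte server-id buffer, the return codes and the builder used for input are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DHCPv6 option codes from RFC 8415. */
#define DHCP6_OPTION_CLIENTID 1
#define DHCP6_OPTION_SERVERID 2

/* Hypothetical lease record: the Server Identifier lands in a fixed buffer. */
#define SERVERID_MAX 128
struct lease {
    uint8_t serverid[SERVERID_MAX];
    size_t serverid_len;
};

/* Parser results (constructed for this example). */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Walk the option list. Each length is checked against what remains of the
 * packet AND against the destination capacity before a copy happens; an
 * unchecked copy of a long Server Identifier would overflow 'serverid'. */
int parse_dhcp6_options(const uint8_t *buf, size_t buflen, struct lease *lease)
{
    size_t off = 0;
    memset(lease, 0, sizeof *lease);

    while (off < buflen) {
        if (buflen - off < 4)              /* need a whole 4-byte option header */
            return PARSE_TRUNCATED;
        uint16_t code = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t len  = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;

        if (len > buflen - off)            /* header claims more than was received */
            return PARSE_TRUNCATED;

        if (code == DHCP6_OPTION_SERVERID) {
            if (len > SERVERID_MAX)        /* bound by the destination, not the packet */
                return PARSE_TOO_LONG;
            memcpy(lease->serverid, buf + off, len);
            lease->serverid_len = len;
        }
        off += len;                        /* other options are skipped by length */
    }
    return PARSE_OK;
}

/* Constructed input: one Server Identifier option of 'idlen' bytes of 0xAB. */
size_t build_serverid_msg(uint8_t *out, size_t outcap, size_t idlen)
{
    if (idlen > 0xFFFF || outcap < 4 + idlen)
        return 0;
    out[0] = 0; out[1] = DHCP6_OPTION_SERVERID;
    out[2] = (uint8_t)(idlen >> 8); out[3] = (uint8_t)(idlen & 0xff);
    memset(out + 4, 0xAB, idlen);
    return 4 + idlen;
}

/* Build a message with an 'idlen'-byte server id, deliver it minus
 * 'drop_tail' bytes, and return the parser's verdict. */
int demo_parse(size_t idlen, size_t drop_tail)
{
    uint8_t msg[1024];
    struct lease lease;
    size_t n = build_serverid_msg(msg, sizeof msg, idlen);
    if (n == 0 || drop_tail > n)
        return PARSE_TRUNCATED;
    return parse_dhcp6_options(msg, n - drop_tail, &lease);
}

int main(void)
{
    printf("14-byte id: %d\n", demo_parse(14, 0));      /* PARSE_OK */
    printf("493-byte id: %d\n", demo_parse(493, 0));    /* PARSE_TOO_LONG */
    printf("cut short: %d\n", demo_parse(14, 4));       /* PARSE_TRUNCATED */
    return 0;
}
```

The 493-byte case mirrors the size quoted in the notes; the parser rejects it because the check is against the destination buffer, which is the check an unchecked copy lacks. Truncation is caught separately so a header that lies about its length can never read past the packet.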

[USN-3807-1] NetworkManager vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • NetworkManager contains the same code taken from systemd-networkd so is also vulnerable

[USN-3808-1] Ruby vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic and Cosmic
  • Misuses the return value when comparing names in X509 certificates
    • If the comparison returned 1, the names were assumed to be identical when in fact they are not
    • Could allow impersonation of a certificate
  • Taint flags not propagated when unpacking arrays into strings, or packing strings into arrays
    • Could allow untrusted data to be treated as trusted
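
To make the return-value misuse concrete, here is an added example in C (not the Ruby project's code). A three-way name comparison returns a negative, zero or positive int; a wrapper that normalises it to -1/0/1 but tests the positive case with "> 1" instead of "> 0" silently maps a result of exactly 1 to "equal". The comparison function below is a constructed stand-in that compares DN strings and returns exactly 1 when the left name is a longer version of the right one, which is the case the buggy wrapper misreports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the library's name comparison: negative if a < b,
 * zero if equal, positive if a > b. A name that extends the other name with
 * more characters compares greater by exactly 1. */
int x509_name_cmp_stub(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    int r = memcmp(a, b, n);
    if (r != 0)
        return r < 0 ? -1 : 1;
    if (la == lb)
        return 0;
    return la < lb ? -1 : 1;
}

/* Defective normalisation: the positive branch tests "> 1", so a result of
 * exactly 1 falls through to the "equal" return. */
int spaceship_buggy(const char *a, const char *b)
{
    int result = x509_name_cmp_stub(a, b);
    if (result < 0) return -1;
    if (result > 1) return 1;      /* BUG: should test result > 0 */
    return 0;
}

/* Corrected normalisation: any positive result means "greater". */
int spaceship_fixed(const char *a, const char *b)
{
    int result = x509_name_cmp_stub(a, b);
    if (result < 0) return -1;
    if (result > 0) return 1;
    return 0;
}

bool names_equal_buggy(const char *a, const char *b) { return spaceship_buggy(a, b) == 0; }
bool names_equal_fixed(const char *a, const char *b) { return spaceship_fixed(a, b) == 0; }

int main(void)
{
    const char *issuer  = "CN=example";       /* constructed names */
    const char *forged  = "CN=example.com";
    printf("buggy says equal: %d\n", names_equal_buggy(forged, issuer));  /* 1 */
    printf("fixed says equal: %d\n", names_equal_fixed(forged, issuer));  /* 0 */
    return 0;
}
```

The practical check is the one the fixed wrapper encodes: treat a three-way comparison as a sign, never as a specific magnitude, because the library is free to return any positive value.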

[USN-3809-1] OpenSSH vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic
  • User enumeration due to a failure to bail out early on authentication for an invalid user
    • Would take longer to process a packet with a valid username than an invalid one
    • Account names can therefore be determined via a brute-force timing attack
  • Possible to crash the per-connection process on NULL pointer dereference
    • Low priority since it doesn’t crash the main daemon, so not really a DoS

[USN-3786-2] libxkbcommon vulnerabilities

[USN-3810-1] ppp vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic
  • Ubuntu specific change to pppd to add support for EAP-TLS authentication
    • Could be triggered on either the peer or the server side
    • Lack of input validation coupled with an integer overflow leads to a crash and possible authentication bypass
    • Leads to memcpy() with a negative length value (and hence very large unsigned value)
    • Theoretically possible to overwrite other data structures related to server state and therefore bypass authentication
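
The chain "unvalidated length, signed arithmetic goes negative, memcpy() sees a huge unsigned value" is easy to reproduce in isolation. The following is an added example written for this page, not pppd's EAP-TLS code: it uses a constructed four-byte EAP-style header (code, id, 16-bit length) and shows what size memcpy() would receive from the unchecked computation, beside a checked version that validates the length field against the header size, the bytes actually received and the destination capacity before any copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_HDR_LEN 4        /* code, id, length(2) */
#define FRAG_BUF_LEN 256     /* hypothetical reassembly buffer */

/* Unchecked computation: a signed payload length derived from an untrusted
 * 16-bit field. If 'len' is smaller than the header, 'datalen' is negative,
 * and memcpy(dst, src, datalen) converts it to size_t. Returns the size
 * memcpy() would actually be asked to copy. */
size_t unchecked_copy_len(uint16_t len)
{
    int datalen = (int)len - EAP_HDR_LEN;
    return (size_t)datalen;  /* the implicit conversion the memcpy call performs */
}

/* Checked version: reject before arithmetic is trusted. */
bool checked_fragment_copy(const uint8_t *pkt, size_t received,
                           uint8_t *dst, size_t *dstlen)
{
    if (received < EAP_HDR_LEN)                /* header itself incomplete */
        return false;
    uint16_t len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (len < EAP_HDR_LEN || len > received)   /* field must cover header, not exceed data */
        return false;
    size_t datalen = len - EAP_HDR_LEN;        /* now provably non-negative */
    if (datalen > FRAG_BUF_LEN)                /* bound by destination capacity */
        return false;
    memcpy(dst, pkt + EAP_HDR_LEN, datalen);
    *dstlen = datalen;
    return true;
}

/* Build a 'received'-byte packet whose length field says 'len_field' and
 * return the copied payload length, or -1 if the checked path rejects it. */
long demo_checked(uint16_t len_field, size_t received)
{
    uint8_t pkt[64] = {0}, dst[FRAG_BUF_LEN];
    size_t dstlen = 0;
    if (received > sizeof pkt)
        return -2;
    pkt[0] = 1; pkt[1] = 7;                        /* constructed code and id */
    pkt[2] = (uint8_t)(len_field >> 8); pkt[3] = (uint8_t)(len_field & 0xff);
    return checked_fragment_copy(pkt, received, dst, &dstlen) ? (long)dstlen : -1;
}

int main(void)
{
    printf("unchecked, len=2: %zu bytes\n", unchecked_copy_len(2));   /* SIZE_MAX - 1 */
    printf("checked,   len=2: %ld\n", demo_checked(2, 10));           /* -1 (rejected) */
    printf("checked,  len=10: %ld\n", demo_checked(10, 10));          /* 6 */
    return 0;
}
```

Two of the checks matter most: the lower bound (the length field must at least cover the header) is what prevents the negative value, and the comparison against the bytes actually received is what stops a field larger than the datagram from reading past it.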

[USN-3811-1] SpamAssassin vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic
  • Updated to latest stable version of spamassassin (3.4.2)
    • So all supported Ubuntu releases now have 3.4.2
  • Local user code injection via meta rule syntax
  • RCE via PDFInfo plugin
  • Failure to handle unclosed HTML tags in emails leading to DoS

[USN-3812-1] nginx vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • DoS due to memory usage in HTTP/2 handling
  • DoS due to excessive CPU usage in HTTP/2 handling
  • Processing a specially crafted mp4 file could lead to an infinite loop
    • This module is in the nginx-extras package

[USN-3813-1] pyOpenSSL vulnerabilities

Goings on in Ubuntu Security Community

PortSmash - New Intel side-channel vulnerability or expected behaviour for SMT?

  • CVE-2018-5407 assigned to OpenSSL but described as a side-channel in Intel SMT / Hyper-Threading
  • Originally suggested as a possible side-channel in 2015
  • Due to sharing of execution engines in SMT
    • Two processes on sibling hyper-threads contend for execution units on the same ports
    • Measuring the port contention delay gives a side channel to recover the ECDSA private key of a server running in the other process
  • So crypto code needs not only to be constant-time, but also to have secret-independent execution flow
    • i.e. execute the same instruction sequence regardless of the secret
    • all code and data addresses are assumed public
  • Or disable HT / learn to schedule trust domains across different hyper-threads (gang-scheduling)
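
The property called for above (same instruction sequence regardless of the secret) and the OpenSSH timing issue earlier in the notes (work done should not depend on whether the user is valid) are the same discipline. This added example, written for this page rather than taken from OpenSSL or OpenSSH, contrasts a branchy selection with a mask-based one and gives a constant-time byte comparison and conditional swap of the kind used in scalar-multiplication ladders. All names are constructed; the caller is assumed to pass conditions as 0 or 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branchy select: the CPU executes a different path depending on 'cond',
 * which is exactly what a port-contention or timing observer can see. */
uint32_t branchy_select(uint32_t cond, uint32_t a, uint32_t b)
{
    if (cond)
        return a;
    return b;
}

/* Expand a 0/1 condition into a 0x00000000 / 0xFFFFFFFF mask with no branch. */
static uint32_t ct_mask(uint32_t cond)
{
    return (uint32_t)0 - (cond & 1);
}

/* Mask-based select: identical instruction sequence for either value of cond. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t m = ct_mask(cond);
    return (a & m) | (b & ~m);
}

/* Conditional swap without a branch, as used in Montgomery-ladder style code. */
void ct_cswap(uint32_t swap, uint32_t *a, uint32_t *b)
{
    uint32_t t = ct_mask(swap) & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Constant-time equality over n bytes: always touches every byte and never
 * returns early, unlike memcmp(). Returns 1 if equal, 0 otherwise. */
uint32_t ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    /* acc == 0 -> (acc - 1) is all ones -> bit 8 set -> result 1 */
    return 1 & ((uint32_t)(acc - 1) >> 8);
}

/* Helper for checking cswap: returns the first operand after the swap. */
uint32_t cswap_first(uint32_t swap, uint32_t a, uint32_t b)
{
    ct_cswap(swap, &a, &b);
    return a;
}

int main(void)
{
    const uint8_t tag_a[4] = {0xde, 0xad, 0xbe, 0xef};  /* constructed values */
    const uint8_t tag_b[4] = {0xde, 0xad, 0xbe, 0xee};
    printf("ct_select(1, 5, 9) = %u\n", ct_select(1, 5, 9));          /* 5 */
    printf("cswap_first(1, 5, 9) = %u\n", cswap_first(1, 5, 9));      /* 9 */
    printf("ct_memeq(a, b) = %u\n", ct_memeq(tag_a, tag_b, 4));       /* 0 */
    return 0;
}
```

Two caveats a practitioner should keep in mind: an optimising compiler may rewrite a mask expression back into a branch, so the generated assembly has to be inspected, and constant-time in the sense of equal cycle counts is not enough for the SMT case in the notes, because a port-contention observer distinguishes which execution units are used, not just how long the work takes.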

Hiring

Ubuntu Security Engineer

Preview of Next Episode

Upcoming fixes

  • libmspack, systemd, gettext

Get in contact
