Overview
This week we look at some details of the 23 unique CVEs addressed across the supported Ubuntu releases, discuss the latest purported Intel side-channel vulnerability PortSmash and more.
This week in Ubuntu Security Updates
23 unique CVEs addressed
[USN-3806-1] systemd vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
- Reported by Felix Wilhelm from Google Security Team to Ubuntu in LP #1795921
- systemd contains a DHCPv6 client written from scratch
- Heap buffer overflow in DHCPv6 option handling (say via a server id of >=493 bytes)
- Coordinated with systemd upstream and Red Hat to resolve this
[USN-3807-1] NetworkManager vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic
- NetworkManager contains the same code, taken from systemd-networkd, so is also vulnerable
[USN-3808-1] Ruby vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic and Cosmic
- Misuses the return value when comparing names in X509 certificates
- If the comparison returned 1, the names would be assumed identical when in fact they are not
- Could allow impersonation of a certificate
- Taint flags not propagated when unpacking arrays into strings, or packing strings into arrays
- Could allow untrusted data to be treated as trusted
[USN-3809-1] OpenSSH vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic
- User enumeration due to failure to bail out early on invalid user authentication
- Would take longer to process a packet with a valid username than an invalid one
- Can determine account names as a result via a brute-force timing attack
- Possible to crash the per-connection process on a NULL pointer dereference
- Low priority since it doesn't crash the main daemon, so not really a DoS
[USN-3786-2] libxkbcommon vulnerabilities
- 11 CVEs addressed in Bionic
- Covered in Episode 7 for Trusty and Xenial
- Some common CVEs, some new ones specific to the Bionic version
- 1 CVE addressed in Trusty, Xenial, Bionic
- Ubuntu-specific change to pppd to add support for EAP-TLS authentication
- Could be triggered on either the peer or server side
- Lack of input validation coupled with an integer overflow leads to a crash and possible authentication bypass
- Leads to memcpy() with a negative length value (and hence a very large unsigned value)
- Theoretically possible to overwrite other data structures related to server state and therefore bypass authentication
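The systemd DHCPv6 and pppd EAP-TLS items above are both length-handling defects: an attacker-supplied option length that is never checked against the destination buffer, and a signed length that goes negative and becomes a huge count when handed to memcpy(). The following is an added example, not code from systemd, pppd or the USNs, showing the checks a generic TLV option parser needs to rule out both. The option code, buffer sizes and packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout: a 4-byte TLV header (2-byte code, 2-byte length), as
 * DHCPv6 options use, and a fixed-size destination for the server-id option. */
#define TLV_HDR_LEN   4
#define OPT_SERVER_ID 2
#define SERVER_ID_MAX 128

enum tlv_status {
    TLV_OK = 0,
    TLV_ERR_TRUNCATED_HDR,   /* fewer than TLV_HDR_LEN bytes remain */
    TLV_ERR_LEN_EXCEEDS_PKT, /* option length runs past the end of the packet */
    TLV_ERR_LEN_EXCEEDS_DST  /* option longer than the fixed destination buffer */
};

struct server_id {
    uint8_t data[SERVER_ID_MAX];
    size_t  len;
};

/* Walk a TLV list and copy the server-id option into a fixed buffer.
 * All lengths are size_t and every subtraction is preceded by a
 * "remaining >= needed" test, so the count passed to memcpy() can never
 * wrap to a huge value (the pppd failure mode). The option is also bounded
 * by the destination size, not by the wire length (the systemd failure
 * mode, where a server id of >= 493 bytes overran its buffer). */
enum tlv_status parse_options(const uint8_t *buf, size_t buflen,
                              struct server_id *out)
{
    size_t pos = 0;
    out->len = 0;
    while (pos < buflen) {
        size_t remaining = buflen - pos;        /* safe: pos < buflen here */
        if (remaining < TLV_HDR_LEN)
            return TLV_ERR_TRUNCATED_HDR;
        uint16_t code = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        uint16_t len  = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        pos += TLV_HDR_LEN;
        remaining -= TLV_HDR_LEN;
        if (len > remaining)                    /* compare before trusting len */
            return TLV_ERR_LEN_EXCEEDS_PKT;
        if (code == OPT_SERVER_ID) {
            if (len > SERVER_ID_MAX)            /* bound by destination capacity */
                return TLV_ERR_LEN_EXCEEDS_DST;
            memcpy(out->data, buf + pos, len);
            out->len = len;
        }
        pos += len;
    }
    return TLV_OK;
}

/* Build a constructed packet holding a single option of 'len' bytes. */
size_t build_packet(uint8_t *pkt, size_t cap, uint16_t code, uint16_t len, uint8_t fill)
{
    if (cap < (size_t)TLV_HDR_LEN + len)
        return 0;
    pkt[0] = (uint8_t)(code >> 8); pkt[1] = (uint8_t)(code & 0xff);
    pkt[2] = (uint8_t)(len >> 8);  pkt[3] = (uint8_t)(len & 0xff);
    memset(pkt + TLV_HDR_LEN, fill, len);
    return TLV_HDR_LEN + len;
}

/* Parse a constructed packet whose real payload is payload_len bytes but
 * whose wire length field claims claimed_len, and report the outcome. */
enum tlv_status status_for(uint16_t payload_len, uint16_t claimed_len)
{
    uint8_t pkt[1024];
    struct server_id sid;
    size_t n = build_packet(pkt, sizeof pkt, OPT_SERVER_ID, payload_len, 0xAB);
    if (n == 0)
        return TLV_ERR_LEN_EXCEEDS_PKT;
    pkt[2] = (uint8_t)(claimed_len >> 8);       /* let the wire length lie */
    pkt[3] = (uint8_t)(claimed_len & 0xff);
    return parse_options(pkt, n, &sid);
}

/* A packet cut off inside the option header. */
enum tlv_status status_for_truncated(void)
{
    uint8_t pkt[2] = { 0x00, OPT_SERVER_ID };
    struct server_id sid;
    return parse_options(pkt, sizeof pkt, &sid);
}

int main(void)
{
    printf("16-byte id, honest length : %d\n", status_for(16, 16));     /* TLV_OK */
    printf("493-byte id, honest length: %d\n", status_for(493, 493));   /* exceeds dst */
    printf("16-byte id, claims 500    : %d\n", status_for(16, 500));    /* exceeds pkt */
    printf("truncated header          : %d\n", status_for_truncated()); /* truncated */
    return 0;
}
```

The order of the checks matters: the packet bound is tested before the destination bound so that reading the option never runs off the end of the received buffer, and the destination bound is tested before memcpy() so that a legitimate-looking length can never write past the fixed-size field.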
[USN-3811-1] SpamAssassin vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic
- Updated to latest stable version of spamassassin (3.4.2)
- So all supported Ubuntu releases now have 3.4.2
- Local user code injection via meta rule syntax
- RCE via PDFInfo plugin
- Failure to handle unclosed HTML tags in emails leading to DoS
[USN-3812-1] nginx vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- DoS due to memory usage in HTTP/2 handling
- DoS due to excessive CPU usage in HTTP/2 handling
- When processing a specially crafted mp4 file, could lead to an infinite loop in the mp4 module
- This module is in the nginx-extras package
[USN-3813-1] pyOpenSSL vulnerabilities
- 2 CVEs addressed in Xenial
- DoS via crash in handling of X509 certificates
- Use-after-free (UAF) in handling of X509 certificates
Goings on in Ubuntu Security Community
PortSmash - New Intel side-channel vulnerability or expected behaviour for SMT?
- CVE-2018-5407 assigned to OpenSSL but described as a side-channel in Intel SMT / Hyper-Threading
- Originally suggested as a possible side-channel in 2015
- Due to sharing of execution engines in SMT
- Two processes across shared hyper-threads contend for execution units on the same ports
- Measure port contention delay -> side channel to recover the ECDSA private key of a server running in the other process
- So crypto code needs to be not only constant-time, but also have secret-independent execution flow
- i.e. execute the same instruction sequence regardless of the secret
- all code and data addresses are assumed public
- Or disable HT / learn to schedule trust domains across different hyper-threads (gang-scheduling)
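To make the distinction in the PortSmash notes concrete, here is an added example (not code from OpenSSL or the PortSmash authors) using modular exponentiation: a square-and-multiply loop whose instruction sequence depends on each key bit, next to a Montgomery ladder that issues exactly the same operations for every exponent and selects data with a branch-free mask. The moduli, bases and exponents are constructed and kept below 2^32 so the products fit in 64 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed helper: operands are < m < 2^32, so a*b fits in a uint64_t. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a * b) % m;
}

/* Secret-dependent control flow. The extra multiply runs only when the
 * exponent bit is 1, so the stream of instructions issued to the CPU's
 * execution ports mirrors the key bits. A sibling hyper-thread timing its
 * own port contention can observe that pattern even though each mulmod()
 * call individually takes the same time. */
uint64_t powmod_branching(uint64_t base, uint64_t exp, uint64_t m, unsigned bits)
{
    uint64_t r = 1 % m;
    for (int i = (int)bits - 1; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)              /* key-dependent branch */
            r = mulmod(r, base, m);
    }
    return r;
}

/* Branch-free conditional swap; 'bit' must be 0 or 1. The same XOR and AND
 * instructions execute for both values of the bit; only the data moves. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t mask = 0 - bit;             /* 0x00..00 or 0xFF..FF */
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder. Every iteration performs one squaring, one multiply
 * and two swaps regardless of the key bit, so the instruction sequence
 * (and therefore the execution-port usage) is identical for every
 * exponent of the given bit length. Invariant: r1 == r0 * base. */
uint64_t powmod_ladder(uint64_t base, uint64_t exp, uint64_t m, unsigned bits)
{
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = (int)bits - 1; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        cswap(&r0, &r1, bit);            /* select operands without branching */
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        cswap(&r0, &r1, bit);            /* undo the selection */
    }
    return r0;
}

int main(void)
{
    /* Constructed inputs: 3^13 mod 1000 == 323 either way; only the
     * instruction stream differs between the two implementations. */
    printf("branching: %llu\n", (unsigned long long)powmod_branching(3, 13, 1000, 4));
    printf("ladder   : %llu\n", (unsigned long long)powmod_ladder(3, 13, 1000, 4));
    return 0;
}
```

The ladder addresses only the execution-flow part of the requirement; the arithmetic it calls must itself be constant-time and free of secret-dependent memory addressing, which is why the notes also assume that all code and data addresses are public.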
Hiring
Ubuntu Security Engineer
Preview of Next Episode
Upcoming fixes
- libmspack, systemd, gettext
Get in contact