Overview
This week we cover security updates for the Linux kernel, PolicyKit, Intel
Microcode and more, plus we look at a report of an apparent malicious snap
in the Snap Store and some of the mechanics behind snap confinement.
This week in Ubuntu Security Updates
42 unique CVEs addressed
[USN-4979-1] Linux kernel vulnerabilities [01:04]
- 13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
- 4.15 based kernel
- integer overflow in ext4 extent handling -> could be triggered by
mounting an malicious ext4 image -> crash (DoS)
- reference counting error in firewire packet sniffer driver - UAF
- NFC LLCP issues above
[USN-4982-1] Linux kernel vulnerabilities [02:23]
- 13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 based kernel
[USN-4984-1] Linux kernel vulnerabilities [02:39]
- 13 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
- 5.8 based kernel
[USN-4977-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Hirsute (21.04)
- 5.11 based kernel
- OOB write in KVM VMX implementation (crash -> DoS, RCE)
- eBPF Spectre side-channel attack - info leak
- NFC LLCP (logical link control protocol) - allows to multiplex a single
connection between two NFC devices
- infinite loop on error condition -> DoS
- memory leak
- reference count mishandling -> crash -> DoS
[USN-4983-1] Linux kernel (OEM) vulnerabilities [03:32]
- 4 CVEs addressed in Focal (20.04 LTS)
- 5.10 based kernel
- OOB write in KVM VMX implementation (crash -> DoS, RCE)
- eBPF Spectre side-channel attacks - verifier fails to stop loading of eBPF
programs which could cause speculative loads -> info leak
- eBPF pointer limit error - OOB read/write - crash / RCE
[USN-4978-1] Firefox vulnerabilities [03:40]
- 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- 89.0 upstream release
- not only the new visual UI PLUS enhanced private browsing mode via
“Total Cookie Protection” - confines cookies to the site where they
were created to avoid tracking across sites - PLUS a bunch of security
fixes including
- cached the last filename of a printed file even in private browsing
mode - would then surface this next time you choose to print a file
- Various memory safety issues - RCE / crash etc
[USN-4980-1] polkit vulnerability [04:43]
- 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Daemons often use policykit to ask whether a user’s application is
permitted to perform an action - to do this, they send the DBus name of
the process to polkit and it looks up the resulting uid/pid via an
internal function polkit_system_bus_name_get_creds_sync() - logic error
within policykit when looking if the process in question were to
disconnect from DBus at the right time, policykit would return an error
but also a boolean TRUE value indicating success (depends on how the
daemon interpreted this value with an associated error). This could then
allow an application which was not privileged to be able to perform more
privileged actions. Fixed to actually return FALSE in this case and avoid
any potential confusion.
[USN-4981-1] Squid vulnerabilities [06:11]
- 7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- All DoS issues - memory leaks, OOB reads etc, able to be triggered by
remote attackers
[USN-4969-3] DHCP regression [06:28]
- Affecting Hirsute (21.04)
- Episode 118 - update for 21.04 only introduced a regression where valid
config files would be seen as invalid and rejected and hence
isc-dhcp-server would fail to start - actually caused as a result of the
newer toolchain used in 21.04 - has stricter aliasing checking and so
would treat certain operations introduced in this change as UB and change
code-flow as a result. Fixed by disabling this stricter aliasing checking
in the build to restore the original behaviour.
[USN-4937-2] GNOME Autoar regression [07:22]
- Episode 115
- Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- upstream regression where when extracting an archive, only an empty
directory would be created if an archive contained a file of the same
name as the archive itself - fixed to avoid creating this directory first
so that files would then actually get created as expected
[USN-4985-1] Intel Microcode vulnerabilities [07:48]
- 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- Latest intel-microcode release from upstream, fixes a number of security
issues for particular processors PLUS potential stability issues that
have been seen in previous microcode releases (processor would hang if
tried to load a too new microcode version compared to the one contained
within the BIOS)
- potential cross-domain issue with Intel VT-d (priv esc) plus a fix for
an issue which would result in EIBRS (Spectre) mitigations not being
applied, cache-lines not being flushed properly and a speculative
execution issue specific to Atom processors via micro-arch buffers.
[USN-4986-1] rpcbind vulnerability [09:02]
- 1 CVEs addressed in Bionic (18.04 LTS)
- DoS since would fail to free memory allocated during particular
requests - could then be made to crash by allocating too much memory
Goings on in Ubuntu Security Community
odrive-unofficial snap investigation [09:20]
The magic behind snap interfaces [12:36]
Get in contact