Start / Ubuntu Security Podcast / Episode 119

Episode 119

15 min • 11 juni 2021

Overview

This week we cover security updates for the Linux kernel, PolicyKit, Intel Microcode and more, plus we look at a report of an apparent malicious snap in the Snap Store and some of the mechanics behind snap confinement.

This week in Ubuntu Security Updates

42 unique CVEs addressed

[USN-4979-1] Linux kernel vulnerabilities [01:04]

13 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
4.15 based kernel
integer overflow in ext4 extent handling -> could be triggered by mounting an malicious ext4 image -> crash (DoS)
reference counting error in firewire packet sniffer driver - UAF
NFC LLCP issues above

[USN-4982-1] Linux kernel vulnerabilities [02:23]

13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
5.4 based kernel

[USN-4984-1] Linux kernel vulnerabilities [02:39]

13 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
5.8 based kernel

[USN-4977-1] Linux kernel vulnerabilities

6 CVEs addressed in Hirsute (21.04)
5.11 based kernel
OOB write in KVM VMX implementation (crash -> DoS, RCE)
eBPF Spectre side-channel attack - info leak
NFC LLCP (logical link control protocol) - allows to multiplex a single connection between two NFC devices
- infinite loop on error condition -> DoS
- memory leak
- reference count mishandling -> crash -> DoS

[USN-4983-1] Linux kernel (OEM) vulnerabilities [03:32]

4 CVEs addressed in Focal (20.04 LTS)
5.10 based kernel
OOB write in KVM VMX implementation (crash -> DoS, RCE)
eBPF Spectre side-channel attacks - verifier fails to stop loading of eBPF programs which could cause speculative loads -> info leak
eBPF pointer limit error - OOB read/write - crash / RCE

[USN-4978-1] Firefox vulnerabilities [03:40]

5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
89.0 upstream release
- not only the new visual UI PLUS enhanced private browsing mode via “Total Cookie Protection” - confines cookies to the site where they were created to avoid tracking across sites - PLUS a bunch of security fixes including
  - cached the last filename of a printed file even in private browsing mode - would then surface this next time you choose to print a file
  - Various memory safety issues - RCE / crash etc

[USN-4980-1] polkit vulnerability [04:43]

1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
- CVE-2021-3560
Daemons often use policykit to ask whether a user’s application is permitted to perform an action - to do this, they send the DBus name of the process to polkit and it looks up the resulting uid/pid via an internal function polkit_system_bus_name_get_creds_sync() - logic error within policykit when looking if the process in question were to disconnect from DBus at the right time, policykit would return an error but also a boolean TRUE value indicating success (depends on how the daemon interpreted this value with an associated error). This could then allow an application which was not privileged to be able to perform more privileged actions. Fixed to actually return FALSE in this case and avoid any potential confusion.

[USN-4981-1] Squid vulnerabilities [06:11]

7 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
All DoS issues - memory leaks, OOB reads etc, able to be triggered by remote attackers

[USN-4969-3] DHCP regression [06:28]

Affecting Hirsute (21.04)
Episode 118 - update for 21.04 only introduced a regression where valid config files would be seen as invalid and rejected and hence isc-dhcp-server would fail to start - actually caused as a result of the newer toolchain used in 21.04 - has stricter aliasing checking and so would treat certain operations introduced in this change as UB and change code-flow as a result. Fixed by disabling this stricter aliasing checking in the build to restore the original behaviour.

[USN-4937-2] GNOME Autoar regression [07:22]

Episode 115
Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
upstream regression where when extracting an archive, only an empty directory would be created if an archive contained a file of the same name as the archive itself - fixed to avoid creating this directory first so that files would then actually get created as expected

[USN-4985-1] Intel Microcode vulnerabilities [07:48]

5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
Latest intel-microcode release from upstream, fixes a number of security issues for particular processors PLUS potential stability issues that have been seen in previous microcode releases (processor would hang if tried to load a too new microcode version compared to the one contained within the BIOS)
- potential cross-domain issue with Intel VT-d (priv esc) plus a fix for an issue which would result in EIBRS (Spectre) mitigations not being applied, cache-lines not being flushed properly and a speculative execution issue specific to Atom processors via micro-arch buffers.

[USN-4986-1] rpcbind vulnerability [09:02]

1 CVEs addressed in Bionic (18.04 LTS)
- CVE-2017-8779
DoS since would fail to free memory allocated during particular requests - could then be made to crash by allocating too much memory

Goings on in Ubuntu Security Community

odrive-unofficial snap investigation [09:20]

https://twitter.com/XHaughin/status/1400743600464355331

The magic behind snap interfaces [12:36]

https://ubuntu.com/blog/the-magic-behind-snap-interfaces

Get in contact

Kategorier

Poddar Teknologi

Förekommer på

Teknik

00:00 -00:00