Overview
Last episode for 2018! This week we look at CVEs in lxml, CUPS, pixman, FreeRDP & more, plus we discuss the security of home routers as evaluated by C-ITL.
This week in Ubuntu Security Updates
21 unique CVEs addressed
lxml vulnerability
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic
- Popular XML/HTML parser for Python
- Tries to clean the input document by removing links (e.g. to embedded
JavaScript code), but doesn't account for links containing escaped
characters, so such a link could persist
- Similar to CVE-2014-3146
- In this case the cleaner tried to account for whitespace in links but didn't include
all possible whitespace characters
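The lesson from both lxml bugs is to canonicalise a link before deciding what scheme it carries. The following is an added example (not lxml's code; all function names are hypothetical) that contrasts a prefix-only check with one that first decodes numeric character references, drops every ASCII control and whitespace byte, and lower-cases the result:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Decode one numeric character reference at *s ("&#106;" or "&#x6A;").
 * On success returns the byte value and advances *s past the ';';
 * otherwise returns -1 and leaves *s untouched. */
static int decode_numeric_ref(const char **s)
{
    const char *p = *s;
    if (p[0] != '&' || p[1] != '#') return -1;
    p += 2;
    int base = 10;
    if (*p == 'x' || *p == 'X') { base = 16; p++; }
    if (!(base == 16 ? isxdigit((unsigned char)*p) : isdigit((unsigned char)*p)))
        return -1;
    char *end;
    long v = strtol(p, &end, base);
    if (*end != ';' || v < 0 || v > 255) return -1;
    *s = end + 1;
    return (int)v;
}

/* Canonical form of an href: numeric references decoded, every ASCII
 * control character and whitespace byte (0x00-0x20, 0x7f) dropped,
 * letters lower-cased. out needs strlen(href)+1 bytes. */
void canonicalise_href(const char *href, char *out)
{
    const char *p = href;
    size_t n = 0;
    while (*p) {
        int c = (*p == '&') ? decode_numeric_ref(&p) : -1;
        if (c < 0) c = (unsigned char)*p++;      /* plain literal byte */
        if (c <= 0x20 || c == 0x7f) continue;     /* all whitespace/controls */
        out[n++] = (char)tolower(c);
    }
    out[n] = '\0';
}

/* The incomplete check: looks only at the raw prefix, so a tab inside the
 * scheme, mixed case or an escaped letter gets past it. */
bool naive_is_script_link(const char *href)
{
    return strncmp(href, "javascript:", 11) == 0;
}

/* The hardened check decides on the canonical form, so every spelling a
 * browser would accept collapses to the same string first. */
bool is_script_link(const char *href)
{
    char buf[1024];                                /* constructed limit */
    if (strlen(href) >= sizeof buf) return true;   /* too long to judge: reject */
    canonicalise_href(href, buf);
    return strncmp(buf, "javascript:", 11) == 0;
}
```

The set of characters stripped is deliberately the whole ASCII control range plus space rather than a hand-picked list, which is exactly the gap the second lxml fix left open.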
[USN-3842-1] CUPS vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- Session cookies used for authentication to the CUPS web interface used only the
current time in seconds as the seed for a relatively predictable PRNG
- Easy to brute-force / guess
- Fix seeds with the current time including microseconds
- Still using a relatively predictable PRNG - should use /dev/urandom etc.
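To make the contrast concrete, here is an added example (not CUPS code; function names are hypothetical) of a cookie generator seeded from the clock next to one that draws its bytes from the kernel CSPRNG. The clock-seeded version returns the identical cookie for two calls in the same second, which is the property the advisory is about; moving to microseconds changes the seed but not the fact that the seed is a clock reading:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define COOKIE_HEX 32   /* 128-bit cookie rendered as hex */

static const char HEX[] = "0123456789abcdef";

/* Weak: seed libc rand() with the clock. The whole secret is the seed,
 * and the seed is a timestamp anyone can approximate. */
void weak_cookie(time_t seconds, char out[COOKIE_HEX + 1])
{
    srand((unsigned)seconds);
    for (int i = 0; i < COOKIE_HEX; i++)
        out[i] = HEX[rand() & 0xf];
    out[COOKIE_HEX] = '\0';
}

/* Strong: read the bytes from /dev/urandom. getrandom(2) does the same
 * without a file descriptor; the device is used here for portability.
 * Returns 0 on success, -1 if the kernel CSPRNG could not be read. */
int strong_cookie(char out[COOKIE_HEX + 1])
{
    unsigned char raw[COOKIE_HEX / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = HEX[raw[i] >> 4];
        out[2 * i + 1] = HEX[raw[i] & 0xf];
    }
    out[COOKIE_HEX] = '\0';
    return 0;
}

/* Self-checks: does each generator repeat itself? (1 = yes, 0 = no, -1 = error) */
int weak_cookie_repeats(void)
{
    char a[COOKIE_HEX + 1], b[COOKIE_HEX + 1];
    time_t now = time(NULL);
    weak_cookie(now, a);
    weak_cookie(now, b);              /* same second, same cookie */
    return strcmp(a, b) == 0;
}

int strong_cookie_repeats(void)
{
    char a[COOKIE_HEX + 1], b[COOKIE_HEX + 1];
    if (strong_cookie(a) || strong_cookie(b)) return -1;
    return strcmp(a, b) == 0;         /* two 128-bit draws colliding: ~2^-128 */
}
```

A session cookie needs to be unpredictable, not merely unique, so the generator has to be a CSPRNG regardless of how finely the clock is read.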
[USN-3837-2] poppler regression
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Previous poppler update (Episode 15) - the fix missed an earlier commit it depended on and so
regressed (crash on opening certain PDF files)
pixman vulnerability
- 1 CVE addressed in Precise ESM, Trusty
- Low-level library for pixel manipulation (used by X, Wayland, QEMU etc.)
- Pointer overflow leading to a stack-based buffer overflow when computing the bounds of pixel buffers
- Did include a check that the result was inside bounds, BUT didn't account for
possible overflow in the arithmetic before the check
- Need to check for possible overflow before doing the arithmetic and comparison
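The same class of bug, shown as an added example (not pixman's code; the `pixbuf` type and function names are hypothetical). It uses `size_t` offsets rather than raw pointers, because unsigned wrap-around is well defined in C whereas pointer overflow is undefined behaviour and cannot be demonstrated reliably. The broken variant computes first and checks afterwards; the fixed one proves each operation cannot wrap before performing it and compares against the room remaining instead of adding to the offset:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A pixel buffer with explicit bounds. */
typedef struct {
    uint8_t *base;
    size_t   size;    /* total bytes */
    size_t   stride;  /* bytes per row */
    size_t   bpp;     /* bytes per pixel */
} pixbuf;

/* Broken: compute the offset, then compare. Both the multiplication and
 * the final addition can wrap, and a wrapped value compares as in-bounds. */
bool offset_in_bounds_broken(const pixbuf *pb, size_t x, size_t y, size_t *off)
{
    size_t o = y * pb->stride + x * pb->bpp;   /* may wrap */
    if (o + pb->bpp > pb->size) return false;  /* may wrap again */
    *off = o;
    return true;
}

/* Fixed: before each operation, prove it cannot wrap; at the end compare
 * against the bytes left in the buffer rather than adding to the offset. */
bool offset_in_bounds(const pixbuf *pb, size_t x, size_t y, size_t *off)
{
    if (pb->stride == 0 || pb->bpp == 0) return false;
    if (y > SIZE_MAX / pb->stride) return false;   /* y*stride would wrap */
    size_t row = y * pb->stride;
    if (x > SIZE_MAX / pb->bpp) return false;      /* x*bpp would wrap */
    size_t col = x * pb->bpp;
    if (row > SIZE_MAX - col) return false;        /* row+col would wrap */
    size_t o = row + col;
    if (o > pb->size || pb->size - o < pb->bpp) return false;
    *off = o;
    return true;
}

/* Constructed demo buffer: 64 rows of 16 pixels at 4 bytes each = 4096 bytes. */
static uint8_t demo_storage[4096];
static const pixbuf demo = { demo_storage, sizeof demo_storage, 64, 4 };

bool broken_accepts(size_t x, size_t y) { size_t o; return offset_in_bounds_broken(&demo, x, y, &o); }
bool fixed_accepts(size_t x, size_t y)  { size_t o; return offset_in_bounds(&demo, x, y, &o); }
```

Both variants agree on ordinary coordinates; they only part ways on the values that make the intermediate arithmetic wrap, which is precisely where the broken check reports a wildly out-of-range offset as safe.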
[USN-3844-1] Firefox vulnerabilities
- 10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 64 - multiple security vulnerabilities fixed
[USN-3845-1] FreeRDP vulnerabilities
- 6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Eyal Itkin discovered multiple vulnerabilities in FreeRDP - not all affect all releases (some releases are too old to contain the affected code)
- Various heap-based buffer overflows (crash -> DoS / possible RCE)
- Out-of-bounds read (crash -> DoS)
Goings on in Linux Security Community
Linux on MIPS and home routers
- Cyber-ITL (Cyber Independent Testing Lab) analysed a number of home routers for basic security hardening features
- ASLR, DEP (non-executable stack), RELRO
- Mix of MIPS and ARM devices
- Compared against Ubuntu 16.04 LTS x86_64 (general hardening)
- Most were found to have minimal hardening features enabled
- https://cyber-itl.org/assets/papers/2018/build_safety_of_software_in_28_popular_home_routers.pdf
- Also found the Linux kernel on MIPS either has an executable stack (until 2016)
due to the FP emulation code, or since then has no executable stack but has a
RWX segment at a fixed location, which can be used to bypass DEP / ASLR
- Ubuntu does not support MIPS
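The three binary-level properties Cyber-ITL measured can all be read from the ELF program headers, which is how tools such as checksec do it. Below is an added example (not Cyber-ITL's tooling; the `hardening_report` type and function names are hypothetical) that parses an ELF64 image from memory and reports PIE (needed for ASLR of the text segment), a non-executable stack, and RELRO, together with two constructed images, one built the way a hardened distro binary looks and one the way the paper found many router binaries:

```c
#include <elf.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    bool pie;        /* ET_DYN: text can be placed at a random base (ASLR) */
    bool nx_stack;   /* PT_GNU_STACK present and without PF_X */
    bool relro;      /* PT_GNU_RELRO present */
} hardening_report;

/* Parse a little-endian ELF64 image held in memory. Returns false if the
 * buffer is not a well-formed image (headers are bounds-checked first). */
bool elf64_hardening(const uint8_t *buf, size_t len, hardening_report *r)
{
    memset(r, 0, sizeof *r);
    if (len < sizeof(Elf64_Ehdr)) return false;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return false;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB) return false;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return false;
    /* check the table fits before multiplying, so the count cannot wrap */
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr)) return false;

    r->pie = (eh.e_type == ET_DYN);
    bool saw_stack = false, stack_exec = false;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) { saw_stack = true; stack_exec = (ph.p_flags & PF_X) != 0; }
        else if (ph.p_type == PT_GNU_RELRO) r->relro = true;
    }
    /* No PT_GNU_STACK at all means the loader falls back to its default, which
     * on older kernels/arches is an executable stack, so count it as not NX. */
    r->nx_stack = saw_stack && !stack_exec;
    return true;
}

/* Pack a report into bits: 1 = PIE, 2 = NX stack, 4 = RELRO. */
int hardening_bits(const hardening_report *r)
{
    return (r->pie ? 1 : 0) | (r->nx_stack ? 2 : 0) | (r->relro ? 4 : 0);
}

/* Build a constructed image: an ELF header followed by the given program headers. */
size_t build_image(uint8_t *out, size_t cap, uint16_t e_type, const Elf64_Phdr *phs, unsigned n)
{
    size_t need = sizeof(Elf64_Ehdr) + n * sizeof(Elf64_Phdr);
    if (cap < need) return 0;
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = e_type;
    eh.e_machine = EM_MIPS;            /* the architecture the notes discuss */
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = n;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, phs, n * sizeof *phs);
    return need;
}

/* Constructed sample: PIE, RW stack, RELRO. Returns hardening bits or -1. */
int demo_hardened(void)
{
    Elf64_Phdr phs[2];
    memset(phs, 0, sizeof phs);
    phs[0].p_type = PT_GNU_STACK; phs[0].p_flags = PF_R | PF_W;
    phs[1].p_type = PT_GNU_RELRO; phs[1].p_flags = PF_R;
    uint8_t img[256];
    hardening_report r;
    size_t n = build_image(img, sizeof img, ET_DYN, phs, 2);
    return (n && elf64_hardening(img, n, &r)) ? hardening_bits(&r) : -1;
}

/* Constructed sample: fixed-address executable with an RWX stack and no RELRO. */
int demo_unhardened(void)
{
    Elf64_Phdr phs[1];
    memset(phs, 0, sizeof phs);
    phs[0].p_type = PT_GNU_STACK; phs[0].p_flags = PF_R | PF_W | PF_X;
    uint8_t img[256];
    hardening_report r;
    size_t n = build_image(img, sizeof img, ET_EXEC, phs, 1);
    return (n && elf64_hardening(img, n, &r)) ? hardening_bits(&r) : -1;
}
```

Reading a whole firmware image this way, file by file, gives the per-binary table the paper reports; note that the kernel-side issue the notes mention (a fixed RWX segment on MIPS) is not visible from userspace binaries at all and needs a separate check of the running kernel's mappings.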
Final episode for 2018
- This is the last episode for 2018, on leave for the next 3 weeks
- Next episode will be from Cape Town in 2019 during week of 14th January with some special guests… :)
Get in contact