
Ubuntu Security Podcast

Episode 17

22 min • 22 January 2019

Overview

First episode of 2019! This week we look at “System Down” in systemd, as well as updates for the Linux kernel, GnuPG, PolicyKit and more, and discuss a recent page cache side-channel attack using the mincore() system call.

This week in Ubuntu Security Updates

51 unique CVEs addressed across the supported Ubuntu releases.

[USN-3846-1, USN-3847-1, USN-3847-2, USN-3847-3] Linux kernel vulnerabilities

  • Kernel updates as part of normal 3-weekly SRU cycle - includes various fixes across the supported releases
  • Info leak in CDROM driver; XFS DoS via writing of extended attributes that triggers an error condition and leaves the filesystem in an error state until the next mount
  • Bounds check bypass in BPF verifier (mentioned in Episode 15)
  • Incorrect bounds checking in Yurex USB driver (Episode 7)
  • UAF in infiniband -> Crash -> DoS
  • Integer overflow in POSIX timers overrun accounting due to type confusion (int vs 64-bit signed)
  • Double free in AMD GPIO pinctrl driver - DoS / privilege escalation
  • Race condition in midi driver - double free -> privilege escalation
  • NULL pointer dereference in kernel keyring -> crash -> DoS

[LSN-0046-1] Linux kernel livepatch for vulnerabilities

[USN-3850-1] NSS vulnerabilities

[USN-3851-1] Django vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • Attacker could craft a malicious URL to make spoofed content appear on the generated 404 page

[USN-3852-1] Exiv2 vulnerabilities

[USN-3853-1] GnuPG vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • GnuPG includes support for Web Key Directories (WKD) to allow easy discovery of public keys via HTTPS
  • Allows a key to be imported from a web server -> first needs to look up the hostname via a DNS SRV record
  • Fails to sanitize the response - so performs an attacker-controlled, arbitrary HTTPS GET request
    • Attacker needs to construct a malicious SRV record for the domain in question
  • Possible CSRF, content injection etc
  • Thunderbird will automatically use WKD via GnuPG to look up missing keys, which makes exploitation easy
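The defensive check implied by the bullets above is that the host returned in the SRV answer must belong to the domain being looked up, otherwise the follow-up HTTPS GET goes wherever the record points. The function below is an added illustration of that check, not GnuPG's own code; the name srv_target_in_domain and the label-boundary rule it applies are assumptions made here.

```c
/* Added example (not from GnuPG): accept an SRV target only if it is the
 * queried domain itself or a subdomain of it. Comparison is case-insensitive
 * and respects label boundaries, so "evil-example.org" is rejected for
 * "example.org". */
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Compare n bytes of two host names ignoring ASCII case. */
static bool labels_equal_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Return true if 'target' equals 'domain' or ends in ".<domain>". A single
 * trailing dot (FQDN form) on either name is ignored. */
bool srv_target_in_domain(const char *target, const char *domain)
{
    size_t tl = strlen(target), dl = strlen(domain);

    if (tl && target[tl - 1] == '.') tl--;
    if (dl && domain[dl - 1] == '.') dl--;
    if (dl == 0 || tl < dl)
        return false;

    /* The domain must match the tail of the target ... */
    if (!labels_equal_ci(target + (tl - dl), domain, dl))
        return false;

    /* ... and either be the whole target or sit on a label boundary. */
    return tl == dl || target[tl - dl - 1] == '.';
}

int main(void)
{
    /* Constructed sample answers for a WKD lookup of example.org. */
    const char *domain = "example.org";
    const char *answers[] = { "openpgpkey.example.org",
                              "EXAMPLE.ORG.",
                              "evil-example.org",
                              "attacker.invalid" };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-25s -> %s\n", answers[i],
               srv_target_in_domain(answers[i], domain) ? "accept" : "reject");
    return 0;
}
```

The boundary check is the part that matters: a plain suffix comparison would let a record pointing at a look-alike host such as evil-example.org pass.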

[USN-3854-1] WebKitGTK+ vulnerabilities

  • 1 CVE addressed in Bionic, Cosmic
  • Possible RCE via invalid processing of crafted web content (as usual limited details on WebKitGTK vulnerabilities…)

[USN-3855-1] systemd vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Cosmic
  • “System Down” systemd vulnerabilities
  • Chris Coulson put in a heroic effort and patched quickly - Ubuntu first affected distro to release patched systemd
  • Due to the use of variable length arrays on the stack, various attacker-controlled fields can be overflowed
  • If the overflow reaches far enough it can bypass the kernel stack guard pages and hence corrupt the heap
  • Possible code execution as a result (the original advisory contained a PoC for i386 which gained control of the instruction pointer)
  • Can be mitigated via the gcc flag -fstack-clash-protection - this is now under review to be used by default in forthcoming Ubuntu releases
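To make the pattern in the bullets above concrete, here is an added example (not systemd's code) of a stack buffer whose size comes straight from untrusted input, beside a version that bounds the size before anything is placed on the stack. The function names, the 4096-byte cap and the sample input are constructed for illustration.

```c
/* Added example: attacker-sized VLA versus a bounded frame. Not systemd code;
 * names and the MAX_FIELD_LEN cap are constructed for this illustration. */
#include <stdio.h>
#include <string.h>

/* Largest field this code is willing to stage on the stack (constructed). */
#define MAX_FIELD_LEN 4096

/* Vulnerable pattern: the array length is whatever the input claims. A huge
 * 'len' moves the stack pointer well past the guard page, so the copy below
 * writes into whatever mapping lies beyond it. Shown for its shape only; the
 * test never calls it. */
int stage_field_vla(const char *src, size_t len)
{
    char buf[len];                     /* VLA sized by attacker-controlled data */
    memcpy(buf, src, len);
    return (unsigned char)buf[0];
}

/* Hardened pattern: the frame has a compile-time size and oversized input is
 * refused before any copy. With -fstack-clash-protection the compiler also
 * probes each page of large frames so a guard page cannot be skipped. */
int stage_field_bounded(const char *src, size_t len)
{
    char buf[MAX_FIELD_LEN];
    if (len > sizeof buf)
        return -1;                     /* reject rather than grow the frame */
    if (len == 0)
        return 0;
    memcpy(buf, src, len);
    return (unsigned char)buf[0];
}

int main(void)
{
    const char sample[] = "constructed field";      /* constructed input */
    printf("small field  -> %d\n", stage_field_bounded(sample, sizeof sample - 1));
    printf("huge field   -> %d\n", stage_field_bounded(sample, (size_t)1 << 30));
    return 0;
}
```

Compile with `gcc -fstack-clash-protection` (available from GCC 8) to get the page-probing the bullet refers to; the bounds check remains necessary, since the flag turns a silent jump over the guard page into a crash rather than making the oversized frame safe.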

[USN-3856-1] GNOME Bluetooth vulnerability

  • 1 CVE addressed in Bionic
  • BlueZ doesn’t necessarily make a Bluetooth device undiscoverable automatically after the timeout
  • Hence after enabling discovery the device would still be discoverable, even though the user expectation is that it no longer is
  • The actual bug is really in BlueZ, but a workaround has now been added in GNOME Bluetooth to disable discovery manually

[USN-3857-1] PEAR vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • PHP Extension and Application Repository - possible RCE when deserialising via PHP object injection
  • Triggered when unpacking a PHAR (PHP ARchive) - it is also possible to hide one inside a JPEG, so it is easy to exploit - only an image upload is needed (WordPress etc.)

[USN-3858-1] HAProxy vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Cosmic
  • Popular load balancing reverse proxy (used in OpenStack etc.)
  • Infinite recursion from a pointer referencing itself or from long chains of pointers -> stack exhaustion -> crash -> DoS
  • Out-of-bounds read when validating DNS responses - information disclosure of 16 bytes
  • Fail to ensure valid length of H2 HEADERS when decoding - out-of-bounds read -> crash -> DoS

[USN-3859-1] libarchive vulnerabilities

  • 4 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Out-of-bounds read for UTF-16 names in RAR archives
  • UAF and double free in RAR decoder - crash -> DoS, possible RCE
  • Quasi-infinite runtime and disk usage from a tiny crafted WARC file (Web Archive format for storing results of crawling websites)

[USN-3860-1, USN-3860-2] libcaca vulnerabilities

[USN-3861-1, USN-3861-2] PolicyKit vulnerability

  • 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Invalid handling of UIDs > INT_MAX - would allow such a user to bypass policy and execute any systemctl command

[USN-3862-1] Irssi vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • UAF when expiring hidden lines from the scroll buffer

Goings on in Ubuntu and Linux Security Community

New page cache side-channel attack via mincore()

  • Discovered by a team of researchers including some of those who found Spectre / Meltdown
  • Uses mincore() system call on Linux to determine if pages exist in the page cache or not
  • mincore() returns a bitmask of which pages are mapped in the cache for the requested range
  • Can use this side-channel to either:
    • determine when a process calls a given function in a shared library (since the library will be mapped at the same address in both the attacker and victim process)
      • need to first evict the given page from the cache, which is difficult, but the authors propose a new efficient mechanism to do this
      • can then do things like UI redressing etc. in response
    • Or can use this as a covert channel to leak information from one process to another
    • Can even be used over the network to leak information via an innocent web server etc.
  • Paper also describes an efficient cache eviction strategy
  • Linus directly applied a fix (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e)
    • This changes the behaviour of mincore() to only report pages which have been faulted into the cache by the calling process
      • So at best can now observe when a page is evicted from the cache but can’t see when another process faults in a page
    • Breaks the user-space API of mincore() and hence some existing programs (as noted in the commit)
      • Linus’ primary rule is to never break userspace, BUT in this case, since it is a security vulnerability, this is okay
      • This may also affect other programs that use mincore in Ubuntu etc. (fincore, e4defrag, qemu etc.)
  • Fix is not in the stable upstream kernel yet as upstream is waiting to see what the fallout is, so it has also not been applied to Ubuntu kernels yet
  • Also a good discussion on LWN https://lwn.net/Articles/776801/ which highlights other avenues for inferring the contents of the page cache and other possible changes to mincore to protect against this attack
  • Will be interesting to see where this all ends up
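A practical check for the behaviour change discussed above is to ask mincore() about a page that is in the page cache but that the calling process has never faulted in through its own mapping: the pre-fix kernel reports it resident, the kernel carrying Linus' commit does not. The program below is an added example, not code from the paper or the kernel; the temp-file name, the struct and function names are constructed here.

```c
/* Added example: probe what this kernel's mincore() reports for a page-cache
 * page that this process has not yet faulted in. Not from the paper or the
 * kernel tree; names below are constructed for this illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

struct residency_probe {
    int before_touch;   /* 1 if reported resident before this process read it */
    int after_touch;    /* 1 if reported resident after this process read it */
};

/* Write one page to a fresh temp file with write(2), which places it in the
 * page cache without mapping it into this process, then map the file and ask
 * mincore() once before and once after touching the page through the mapping.
 * Returns 0 on success, -1 if a system call failed. */
int probe_page_cache_residency(struct residency_probe *out)
{
    long pagesize = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/mincore-probe-XXXXXX";     /* constructed temp name */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                                  /* anonymous once closed */

    char *fill = malloc(pagesize);
    if (!fill) { close(fd); return -1; }
    memset(fill, 'x', pagesize);
    ssize_t n = write(fd, fill, pagesize);
    free(fill);
    if (n != pagesize) { close(fd); return -1; }

    char *map = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    unsigned char vec = 0;                         /* one bit per page; one page */
    if (mincore(map, pagesize, &vec) != 0) { munmap(map, pagesize); close(fd); return -1; }
    out->before_touch = vec & 1;

    volatile char sink = map[0];                   /* fault the page in ourselves */
    (void)sink;

    vec = 0;
    if (mincore(map, pagesize, &vec) != 0) { munmap(map, pagesize); close(fd); return -1; }
    out->after_touch = vec & 1;

    munmap(map, pagesize);
    close(fd);
    return 0;
}

int main(void)
{
    struct residency_probe p;
    if (probe_page_cache_residency(&p) != 0) {
        perror("probe");
        return 1;
    }
    printf("before touch: %d, after touch: %d\n", p.before_touch, p.after_touch);
    puts(p.before_touch
         ? "mincore() reports page-cache state for pages this process never faulted in"
         : "mincore() reports only pages this process has faulted in");
    return 0;
}
```

After the touch the page is resident under either behaviour, so that value is the sanity check; the value before the touch is what distinguishes the two. One caveat when reading the result: the commit linked above was later replaced in mainline by a more conservative rule that still reports page-cache residency for files the caller owns or can write, and this probe uses a file it created, so a 1 before the touch on a recent kernel is expected and says nothing about whether other users' files are exposed.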

Get in contact
