Overview
This week we look at some details of the 46 unique CVEs addressed across the supported Ubuntu releases and take a deep dive into the recent apt security bug.
This week in Ubuntu Security Updates
46 unique CVEs addressed
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- MITM allowing RCE as root in the context of apt
- Due to mishandling of HTTP redirects, which would allow a malicious mirror or MITM to inject content into the apt worker protocol and from there gain arbitrary command execution
- Fixed by simply disallowing control characters in HTTP redirect responses
- See detailed discussion later in show
[USN-3864-1] LibTIFF vulnerabilities
- 7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Multiple NULL pointer dereferences and assertion failures (crash -> DoS)
- Multiple heap-based buffer overflows and an integer overflow (crash -> DoS / possible RCE)
[USN-3865-1] poppler vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Assertion failure and NULL pointer dereference triggered by crafted PDFs (crash -> DoS)
[USN-3707-2] NTP vulnerabilities
- 9 CVEs addressed in Precise ESM
- NTP updated for Bionic, Artful, Xenial and Trusty in July 2018 - this is the corresponding update for Precise ESM
- Multiple issues including: RCE in ntpq from a crafted response from the server, and various DoS both at the protocol level between client and server (disrupting a client talking to a server) and at the application level (crashing the application)
[USN-3866-1] Ghostscript vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- Another week, another Ghostscript vulnerability courtesy of Tavis Ormandy (GPZ) (after a random look at the latest GS release 9.26)
- See Episodes 5, 7, 10, 14 for more
- Code execution via subroutine operators
- Patches to fix it are quite invasive
- Ghostscript is used by evince, ImageMagick, nautilus, GIMP and even less, so there are many different commands through which a crafted file can reach it
[USN-3867-1] MySQL vulnerabilities
- 15 CVEs addressed in Xenial, Bionic, Cosmic
- Updated to latest MySQL version (5.7.25) in all releases to fix numerous issues including:
- Multiple DoS via a low-privileged attacker, multiple unauthorized accesses to complete MySQL server data, etc.
[USN-3869-1] Subversion vulnerability
- 1 CVE addressed in Cosmic
- DoS against Subversion server (mod_dav_svn) (only affects 1.10.0+ -> Cosmic)
- Triggered by listing remote recursive directory contents BUT not providing the path to list - NULL pointer dereference -> crash
[USN-3868-1] Thunderbird vulnerabilities
- 10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Latest Thunderbird release (60.4) to resolve multiple issues
Goings on in Ubuntu Security Community
apt / apt-get RCE (CVE-2019-3462)
- Discovered by Max Justicz (provides a detailed write-up on his blog)
- apt uses worker processes which communicate back to the main process when fetching content
- workers get told what to download and where to put it and communicate back with parent via stdin/stdout
- protocol is HTTP-like, human-readable text
- can include directives from workers regarding redirects, completion (DONE) etc
- when handling an HTTP redirect from the server, the apt http worker would append the redirect's contents to the message sent back to the parent
- expected just a URI as the redirect content, but it could be anything - so it could contain directives in the apt worker protocol which then get interpreted by the main apt process
- so it could signal DONE to the parent as well as follow-up directives such as reporting false hashes for debs or even falsifying the location of the deb on the filesystem
- So the Release.gpg file could be given as the location of the package on the filesystem - with the malicious package injected at the start of Release.gpg and the trusted Release.gpg content afterwards
- Release.gpg will still validate (since junk at the start is ignored) AND apt will still use the package since it will ignore the signature at the end
- So a malicious package can get installed - which due to Debian packaging can run scripts on install etc. and hence get RCE as root :(
- Fixed by simply disallowing control characters in HTTP redirect responses
- If we assume the mirrors are trusted, this could have been mitigated via HTTPS
- Since HTTPS would stop MITM attacks
- Some Ubuntu mirrors offer HTTPS but this is not enabled by default since not all mirrors offer HTTPS
- Official mirrors do not currently offer HTTPS - this is being reevaluated but is difficult for a number of reasons
- Users can still easily enable HTTPS themselves by choosing an appropriate mirror with an HTTPS URI
- If we assume mirrors are untrusted, then they could still have exploited this
- So whilst HTTPS could have helped in this case, it is not a panacea
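The redirect-to-protocol injection above, modelled as an added example (this is a constructed simplification written for these notes, not apt's own code): messages from a worker are "NNN Title" plus "Key: Value" headers ended by a blank line, as in apt's method interface; the message codes follow that interface, but the parser and both builders are assumptions, and the sample URIs and path are constructed.

```python
# Constructed model of the apt acquire-method (worker -> parent) protocol.
# Not apt's code: it exists to show why a verbatim Location header lets one
# redirect turn into two protocol messages, and how rejecting control
# characters (the actual fix described above) closes that.
import re

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def parse_messages(stream: str):
    """Parse a worker's stdout stream into (code, title, fields) tuples."""
    messages = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        first, *rest = block.split("\n")
        code, _, title = first.partition(" ")
        fields = {}
        for line in rest:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        messages.append((int(code), title, fields))
    return messages


def redirect_message_before_fix(uri: str, location: str) -> str:
    """Models the unpatched behaviour: the server-supplied Location is copied verbatim."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


def redirect_message_after_fix(uri: str, location: str) -> str:
    """Models the fix: a Location containing control characters is refused."""
    if _CONTROL.search(location):
        return f"400 URI Failure\nURI: {uri}\nMessage: control characters in redirect\n\n"
    return redirect_message_before_fix(uri, location)


# Constructed sample: a redirect target that smuggles a second message (URI Done
# with a parent-controlled Filename), which is what the write-up describes.
ORIGINAL_URI = "http://mirror.example/pool/main/p/pkg/pkg_1.0_amd64.deb"
SMUGGLING_LOCATION = (
    "http://mirror.example/elsewhere.deb\n\n"
    "201 URI Done\nURI: " + ORIGINAL_URI + "\nFilename: /tmp/constructed-injected-path"
)


def message_count(builder, location: str = SMUGGLING_LOCATION) -> int:
    """How many messages the parent sees from one redirect under a given builder."""
    return len(parse_messages(builder(ORIGINAL_URI, location)))


if __name__ == "__main__":
    print("before fix:", message_count(redirect_message_before_fix))  # 2: injected URI Done
    print("after fix: ", message_count(redirect_message_after_fix))   # 1: a URI Failure
```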
Get in contact