Overview
This week we look at updates to the Linux kernel in preparation for the 18.04.2 release, plus updates for Open vSwitch, Firefox, Avahi, LibVNCServer and more. We also revisit and discuss upstream changes to the mincore() system call to thwart page-cache side-channel attacks first discussed in Episode 17.
This week in Ubuntu Security Updates
40 unique CVEs addressed
[USN-3870-1] Spice vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- Out-of-bounds read (off-by-one) - most likely a crash on segmentation violation, but code execution is possible
[USN-3871-1] Linux kernel vulnerabilities
- 13 CVEs addressed in Bionic
- NULL pointer dereference in KVM able to be triggered by a local user (crash -> DoS)
- mremap() TLB flush leaving stale entries in page cache - covered previously in Episode 15
- Episode 15 covered CVE-2018-17972 (procfs kernel stack disclosure)
- UAF in KVM when using nested virtualisation (not enabled by default for Ubuntu kernels) able to be triggered by a guest VM to crash the host (DoS) or possibly elevate privileges etc.
- Race condition between connect() and close() in AF_VSOCK (used for communication between guest and host machines) could allow a guest to read 4 bytes of host kernel memory (UAF) or possibly corrupt AF_VSOCK messages to other guests - information leak
- 7 ext4 issues discovered by Wen Xu (fuzzing ext4 with KASAN enabled):
  - OOB write during update of journal metadata when mounting a specially crafted ext4 image - crash -> DoS (privilege esc?)
  - OOB write to stack when processing xattrs of a specially crafted ext4 image - crash -> DoS
  - OOB write when mounting
  - OOB write when unmounting a specially crafted ext4 image
  - OOB read when mounting
  - UAF when processing xattrs of a renamed file in a specially crafted image
  - General UAF when mounting a specially crafted image
  - Reproducers provided in upstream kernel bug reports
[USN-3872-1] Linux kernel (HWE) vulnerabilities
- 4 CVEs addressed in Bionic
- Info leak from crypto subsystem - regression of CVE-2013-2547 - fail to fully initialise structure members copied to userspace - unlike CVE-2013-2547, able to be exploited by a standard user without any capabilities
- Failure to ensure ioapics were initialised - possible NULL pointer dereference -> crash -> DoS
- Also the KVM UAF with nested virtualisation and the AF_VSOCK race condition UAF described under USN-3871-1 above
[USN-3873-1] Open vSwitch vulnerabilities
- 3 CVEs addressed in Xenial, Bionic
- Remotely triggerable OOB read and 2 different assertion failures -> crash -> DoS
[USN-3874-1] Firefox vulnerabilities
- 7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 65 for all supported platforms
- Proxy autoconfig file (PAC) could cause proxy requests to localhost to go via a remote proxy - if proxy auto-detection was enabled, a remote attacker could then conduct attacks against local services etc.
- Various memory safety issues - crash -> DoS, UAF, code execution
- Sandbox escape via IPC channels due to failure to properly apply authentication to IPC channels in some situations
  - IPC channels are used in the new multiprocess architecture etc.
[USN-3875-1] OpenJDK vulnerability
- 1 CVE addressed in Xenial, Cosmic
- Info leak from Java SE VM in OpenJDK library subsystem able to be triggered by a remote attacker - possible sandbox bypass as well
[USN-3876-1, USN-3876-2] Avahi vulnerabilities
- 2 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
- Both the same vulnerability - duplicate CVE
- Traffic reflection and amplification - possible to leverage for DDoS attack since avahi-daemon would inadvertently respond to unicast IPv6 queries to source addresses which were not on the local link
[USN-3877-1] LibVNCServer vulnerabilities
- 12 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Various memory management issues:
  - Heap UAF -> crash -> DoS, possible RCE in server from malicious client
  - Heap OOB write (incomplete fix for previous CVE-2018-15127) - crash -> DoS, possible RCE
  - Multiple heap OOB writes in client (incomplete fix for previous CVE-2018-20019)
  - NULL pointer dereferences in client -> crash -> DoS
  - Failure to properly initialise structures on stack -> info leak, possible ASLR bypass (disclose stack memory layout)
  - Infinite loop in client -> DoS
Goings on in Ubuntu Security Community
An update on mincore()
- In Episode 17 we discussed changes to mincore() to mitigate the page-cache side-channel attack
- Linus Torvalds committed a change altering the behaviour of mincore() to mitigate the vulnerability
- Recently reverted that change, citing too much breakage for existing users:
  - In particular, Netflix have a use-case where they dump the page cache across processes to aid migration of Cassandra workloads across machines
- Instead, an alternate approach is proposed: limit cache residency reporting to processes which have write access to the particular file in question
  - i.e. if a process has write access to a file which it has open for writing, it will be able to read back from mincore() which pages are mapped in the cache and which are not - so this will still work for the Netflix case and others where databases want to know which pages are mapped from disk
  - but it will stop the case of being able to know which pages of shared system libraries etc. are mapped, and hence stop the original side-channel attack
- Patches not yet submitted for the mm tree or others but should be soon
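The call under discussion, as an added example that is not from the podcast or from the kernel patches: a small C program that creates its own temporary file (so it holds write access to it, which is exactly the case the proposed rule keeps permitted), maps it read-only, faults every page in and asks mincore() how many pages the kernel reports resident. The path template, the page count and the file contents are constructed values chosen for the demo.

```c
#define _GNU_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Prototype repeated so the file also builds under a strict -std=c11, where
 * <sys/mman.h> only exposes mincore() with _GNU_SOURCE/_DEFAULT_SOURCE set. */
int mincore(void *addr, size_t length, unsigned char *vec);

/* mincore() sets bit 0 of each vector entry for a page that is resident. */
static size_t count_resident(const unsigned char *vec, size_t npages)
{
    size_t n = 0;
    for (size_t i = 0; i < npages; i++)
        n += vec[i] & 1u;
    return n;
}

/* Create a private temporary file of `npages` pages filled with constructed
 * sample data, map it, fault every page in through the mapping and ask
 * mincore() how many pages it reports resident. Returns that count, or
 * (size_t)-1 on failure. Because this process creates the file with write
 * access, the report is permitted both under the historical semantics and
 * under the proposed "write access required" rule. */
size_t resident_pages_in_own_file(size_t npages)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || npages == 0)
        return (size_t)-1;
    size_t len = (size_t)page * npages;

    char path[] = "/tmp/mincore-demo-XXXXXX";      /* mkstemp template (constructed) */
    int fd = mkstemp(path);
    if (fd < 0)
        return (size_t)-1;
    unlink(path);                                   /* file disappears on close */

    /* Write the whole file so every page exists in the page cache. */
    char *buf = malloc(len);
    if (buf == NULL) { close(fd); return (size_t)-1; }
    memset(buf, 'A', len);
    ssize_t written = write(fd, buf, len);
    free(buf);
    if (written != (ssize_t)len) { close(fd); return (size_t)-1; }

    unsigned char *vec = calloc(npages, 1);
    if (vec == NULL) { close(fd); return (size_t)-1; }

    void *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { free(vec); close(fd); return (size_t)-1; }

    /* Touch one byte per page so each page is faulted in via this mapping. */
    volatile unsigned char sink = 0;
    for (size_t i = 0; i < npages; i++)
        sink ^= ((const unsigned char *)map)[i * (size_t)page];

    size_t resident = (size_t)-1;
    if (mincore(map, len, vec) == 0)
        resident = count_resident(vec, npages);

    munmap(map, len);
    free(vec);
    close(fd);
    return resident;
}

int main(void)
{
    size_t npages = 4;
    size_t r = resident_pages_in_own_file(npages);
    if (r == (size_t)-1) {
        perror("mincore demo");
        return 1;
    }
    printf("%zu of %zu pages of a file this process owns are resident\n", r, npages);
    return 0;
}
```

Build with gcc on Linux. Reading residency back for a file the process itself created and can write is the database use-case the notes describe as still needing to work; the side channel depended on obtaining the same answer for shared libraries that the caller could only read, which is what the write-access requirement removes.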
Get in contact