
Ubuntu Security Podcast

Episode 22

16 min • 4 March 2019

Overview

This week we cover security updates including Firefox, Thunderbird, OpenSSL and another Ghostscript regression, plus we look at a recent report from Capsule8 comparing Linux hardening features across various distributions and we answer some listener questions.

This week in Ubuntu Security Updates

16 unique CVEs addressed

[USN-3893-2] Bind vulnerabilities

[USN-3866-3] Ghostscript regression

  • Affecting Trusty, Xenial, Bionic, Cosmic
  • Mentioned last week briefly
  • Previous update to Ghostscript introduced a regression (blue background)
    • See later for information

[USN-3894-1] GNOME Keyring vulnerability

  • 1 CVE addressed in Trusty, Xenial
  • Already fixed upstream (hence doesn’t apply to Bionic / Cosmic etc)
  • User’s login password kept in memory of child process after pam session is opened
  • Could be dumped by root user or captured in crash dump etc and possibly exposed
    • Other tools exist to try and extract it from memory as well (mimipenguin etc)
  • Fix is to simply reset this after pam session is opened

[USN-3895-1] LDB vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • LDAP-like embedded database (used by Samba and others)
  • Authenticated user can cause OOB read when searching LDAP backend of AD DC with a search string containing multiple wildcards - crash -> DoS

[USN-3896-1] Firefox vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Firefox 65
  • Use-after-free and integer overflow in Skia library (vector graphics library, similar to cairo)
  • Cross-origin image theft - able to read from canvas element in violation of same-origin policy using transferFromImageBitmap() method

[USN-3897-1] Thunderbird vulnerabilities

[USN-3898-1, USN-3898-2] NSS vulnerability

  • 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Several NULL pointer dereferences -> crash -> DoS

[USN-3899-1] OpenSSL vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Possible padding oracle (an application which uses OpenSSL could behave differently based on whether a record contained valid padding or not)
    • Attacker can learn plaintext by modifying ciphertext and observing different behaviour

[USN-3900-1] GD vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Double free when an image file fails to be extracted properly - crash -> DoS
  • Heap-based buffer overflow in color matching (able to be triggered by a specially crafted image) - crash -> DoS, possible code execution

Goings on in Ubuntu Security Community

Comparison of Linux Hardening across distributions

  • https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
  • Analyses binaries from various Linux distributions (openSUSE, Debian, CentOS, RHEL and Ubuntu) looking for hardening features
  • Compares kernel configuration against KSPP recommendations
  • Ubuntu 18.04 ranks highest, due to proactive hardening features baked into toolchain and newer kernel taking advantage of KSPP upstream features
    • gcc is patched so anyone building on Ubuntu gets these features
    • build.snapcraft.io too
    • however it is missing stack clash mitigation
  • Plan to add more hardening features for 19.10 (stack clash and control-flow integrity support via gcc) and review kernel options cf. KSPP
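The kind of per-binary check the Capsule8 survey performs can be reproduced with a small ELF reader. The script below is an added example for these notes, not Capsule8's tooling nor anything shipped by Ubuntu: it parses the ELF64 header, program headers and dynamic section to report PIE, non-executable stack and RELRO (partial or full), and builds constructed in-memory sample binaries so it runs without a real executable. Stack-protector and stack-clash detection need the symbol table and code inspection respectively, so they are deliberately out of scope; the layout constants are the standard ELF ones.

```python
"""Report ELF64 hardening features: PIE, NX stack, RELRO (partial/full).

Added example: uses only the standard library and constructed sample
images, so it runs offline. Pass real paths on the command line to check
actual binaries.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FMT = "<IIQQQQQQ"   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
DYN_FMT = "<qQ"          # Elf64_Dyn: d_tag, d_val


def _dynamic_has_bind_now(data: bytes, offset: int, size: int) -> bool:
    """Walk the dynamic section: DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW means full RELRO."""
    for pos in range(offset, offset + size, struct.calcsize(DYN_FMT)):
        d_tag, d_val = struct.unpack_from(DYN_FMT, data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_BIND_NOW:
            return True
        if d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
            return True
        if d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
            return True
    return False


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx = False            # checksec convention: no PT_GNU_STACK -> report NX as off
    relro_segment = False
    bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)          # stack is NX unless marked executable
        elif p_type == PT_GNU_RELRO:
            relro_segment = True               # GOT region made read-only after relocation
        elif p_type == PT_DYNAMIC:
            bind_now = _dynamic_has_bind_now(data, p_offset, p_filesz)

    relro = "full" if (relro_segment and bind_now) else "partial" if relro_segment else "none"
    # ET_DYN covers PIE executables and shared objects alike; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample(pie: bool, nx: bool, relro: str) -> bytes:
    """Construct a minimal ELF64 image with just the headers the checker reads."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]   # RW or RWX stack
    dyn_entries = []
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
        if relro == "full":
            dyn_entries.append((DT_FLAGS, DF_BIND_NOW))
    dyn_entries.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn_entries)
    n = len(phdrs) + 1                       # plus the PT_DYNAMIC entry below
    dyn_off = 64 + 56 * n                    # dynamic section follows the program headers
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8       # ELFCLASS64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                                 62, 1, 0, 64, 0, 0, 64, 56, n, 0, 0, 0)
    return header + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn_bytes


if __name__ == "__main__":
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed-hardened": build_sample(True, True, "full"),
        "constructed-legacy": build_sample(False, False, "none"),
    }
    for name, image in targets.items():
        print(f"{name}: {check_hardening(image)}")
```

Run it with no arguments to see the two constructed samples, or pass paths such as `/usr/bin/*` to survey a real system; a binary built with Ubuntu's patched gcc should report PIE, NX and full RELRO, which is the toolchain default the notes refer to.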

Q&A

Do the numerous bugs and regressions in Ghostscript indicate it is reaching its EOL?

  • doc-E-brown via Twitter
  • Lots of recent focus -> finds bugs
  • ghostscript codebase is old and gnarly and some fixes have been quite invasive
  • Any new code could introduce new bugs - particularly complicated fixes -> creates more bugs (regressions)
    • (as doc-E-brown suggests, regressions indicate old code-base)
  • Tavis (and others) seem to be looking elsewhere but likely still more bugs to be found
  • Would be great if GS could be made safer or a safer alternative found, but no-one is stepping up
  • Sadly, no good viable alternative currently

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Security Automation Engineer

Get in contact
