Overview
This week we look at security updates for a heap of packages including
Firefox & Thunderbird, PHP & QEMU, plus we discuss Facebook’s recent
password storage incident as well as some listener hardening tips and
more.
This week in Ubuntu Security Updates
48 unique CVEs addressed
[USN-3919-1] Firefox vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 66.0.1 (mentioned briefly last week) - fixes two vulnerabilities discovered during Pwn2Own
- Both in the IonMonkey JIT compiler
- Incorrect alias information for the Array.prototype.slice method
leads to a missing bounds check and a buffer overflow - code execution
as a result
- Type confusion in handling of __proto__ mutations - __proto__ is
used to modify the prototype of an object (the mechanism behind object
inheritance in JavaScript) - allows arbitrary memory read/write and
therefore code execution as a result
[USN-3918-2] Firefox vulnerabilities
- 17 CVEs addressed in Trusty
- Firefox 66 & 66.0.1 - Episode 25 covered these for Xenial, Bionic and Cosmic
[USN-3918-3] Firefox regression
- 17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 66 & 66.0.1 contained a regression - so upstream released 66.0.2
- Broke keyboard handling in Office 365, iCloud and IBM WebMail -
Firefox 66 changed the way keycode handling works so these websites
and others which use older, deprecated methods to get the keycode have
been added to an internal fallback list to use the old method
[USN-3927-1] Thunderbird vulnerabilities
- 10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Thunderbird 60.6.1
- Rolls in the security fixes covered previously for Firefox (66.0, 66.0.1)
- Both the Pwn2Own fixes and the earlier ones
- As for Firefox, listen back to Episode 25 for details of the 66.0 fixes
[USN-3921-1] XMLTooling vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
- Crash due to uncaught DOMException able to be triggered by a malformed
XML document - DoS
- Thanks to Etienne Dysli Metref who provided debdiffs as well as
testing for this update
[USN-3922-1] PHP vulnerabilities
- 5 CVEs addressed in Xenial, Bionic, Cosmic
- Integer overflow on 32-bit archs when processing malformed EXIF image
data - crash, DoS
- Failure to check available data length when processing image
thumbnails - OOB read -> crash -> DoS
- OOB read of 1 byte when handling EXIF image data - crash -> DoS
- During file rename, if the file is moved across file-systems, the new
file is briefly world readable, allowing anyone to read it - fixed by
ensuring the umask is applied correctly so that the new file has
restrictive permissions from the outset
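The cross-filesystem rename issue above is a permissions race, not a parsing bug, so it is worth seeing the two patterns side by side. This is an added example written for these notes, not PHP's code: `naive_move` creates the destination with the process default mode and only tightens it after the copy (the window the advisory describes), while `safe_move` passes the source mode masked by the umask into the creat() call so there is never a looser moment. The function names and the 0600 sample file are assumptions for the demo.

```python
import os
import shutil
import stat
import tempfile

def current_umask() -> int:
    """Read the process umask without changing it (umask() has no pure getter)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask

def _mode(path: str) -> int:
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def naive_move(src: str, dst: str) -> int:
    """The flawed pattern: create the destination with default permissions,
    copy the data, then tighten the mode afterwards.  Between open() and
    chmod() the file carries 0o666 & ~umask (usually 0o644), so any local
    user can read it.  Returns the mode seen right after creation."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        mode_at_creation = _mode(dst)           # the world-readable window
        shutil.copyfileobj(fin, fout)
    os.chmod(dst, _mode(src))                   # too late: the window already happened
    os.unlink(src)
    return mode_at_creation

def safe_move(src: str, dst: str) -> int:
    """The corrected pattern: request the source's permission bits, masked by
    the umask, in the creat() call itself, so the destination is never looser
    than intended at any point.  Returns the mode seen right after creation."""
    mode = _mode(src) & ~current_umask()
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        mode_at_creation = _mode(dst)
        shutil.copyfileobj(fin, fout)
    os.unlink(src)
    return mode_at_creation

def demo() -> dict:
    """Run both strategies on a constructed 0o600 source file under umask 022
    and report the destination's permissions at creation and at the end."""
    previous_umask = os.umask(0o022)
    try:
        results = {}
        with tempfile.TemporaryDirectory() as tmp:
            for name, mover in (("naive", naive_move), ("safe", safe_move)):
                src = os.path.join(tmp, f"{name}-src.txt")
                dst = os.path.join(tmp, f"{name}-dst.txt")
                fd = os.open(src, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "w") as f:
                    f.write("constructed secret upload\n")   # sample content
                results[name] = {
                    "mode_at_creation": mover(src, dst),
                    "final_mode": _mode(dst),
                    "src_removed": not os.path.exists(src),
                }
        return results
    finally:
        os.umask(previous_umask)

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:5s} created as {r['mode_at_creation']:04o}, ended as {r['final_mode']:04o}")
```

Both moves end with the destination at 0600 and the source gone, which is why the bug is easy to miss in after-the-fact testing; only observing the mode at creation time shows the difference.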
[USN-3923-1] QEMU vulnerabilities
- 11 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Heap-based buffer overflow in TCP emulation
- OOB read in i2c handling - a local attacker within a guest who has
permission to execute i2c commands could read QEMU host process stack
memory
- Plan9 FS host-directory sharing race-condition on file rename -> crash
-> DoS
- 2 issues in USB MTP handling:
- Time-of-check to time-of-use error - an attacker with write access to
the shared host filesystem can use this to navigate the host FS in the
context of the QEMU host process and therefore read any file which QEMU
can read on the host
- Path traversal flaw due to improper filename sanitisation - allows
reading and writing arbitrary host files -> DoS or code execution on the host
- Updates for Paravirtualised RDMA subsystem:
- DoS due to infinite loop
- NULL pointer dereference due to missing read method
- Fix various memory leaks
- Various other NULL pointer dereferences plus a failure to check
parameters leading to possible extreme memory allocation
- Fix OOB read triggerable by guest
[USN-3924-1] mod_auth_mellon vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic
- Apache module providing authentication and authorisation via a SAML 2.0 IdP
- Possible to bypass authorisation checks when also using mod_proxy
- Fix an open redirect via the logout endpoint - an absolute URL could be
encoded using backward slashes (\) in place of forward slashes (/); the
endpoint propagated this to the client, where the browser converted the
slashes and followed the redirect - caused by a mismatch: browsers
convert these but Apache’s own internal URI parsing does not
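The parser mismatch behind that open redirect is a general pattern: the server judges a value with one URL grammar while the browser acts on another. The following is an added example for these notes, not mod_auth_mellon's or Apache's code. `naive_is_local` reproduces the failure mode using Python's `urlsplit`, which like Apache's parser only treats `//` as introducing a host, while `is_safe_local_redirect` normalises backslashes to forward slashes first (what a WHATWG-conformant browser does for http(s) URLs) and then requires a root-relative path. The function names and the constructed `CASES` inputs are assumptions for the demo.

```python
from urllib.parse import urlsplit

def naive_is_local(target: str) -> bool:
    """A check that trusts the server-side parser alone.  urlsplit(), like
    Apache's own URI parsing, only recognises "//" as introducing a host, so
    "/\\other.example/" looks like a harmless path to it."""
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc and target.startswith("/")

def is_safe_local_redirect(target: str) -> bool:
    """Accept only a root-relative path, judged the way a browser would.

    Browsers following the WHATWG URL spec treat "\\" as "/" in http(s)
    URLs, so the value is normalised *before* parsing; anything that then
    carries a scheme or a host is an off-site redirect and is rejected."""
    if not target:
        return False
    if any(ord(ch) < 0x21 for ch in target):    # tabs, newlines, spaces, other C0 controls
        return False
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:            # "https://host/", "//host/", "/\\host/"
        return False
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    return True

# Constructed inputs a logout endpoint might receive in its return-to parameter,
# mapped to the verdict the hardened check should give.
CASES = {
    "/account?logged_out=1": True,
    "https://other.example/": False,
    "//other.example/": False,
    "/\\other.example/": False,     # the backslash form the advisory describes
    "\\\\other.example": False,
    "relative/path": False,
    "": False,
}

def check_all() -> dict:
    """Return {input: (naive_verdict, hardened_verdict)} for the constructed cases."""
    return {t: (naive_is_local(t), is_safe_local_redirect(t)) for t in CASES}

if __name__ == "__main__":
    for target, (naive, hardened) in check_all().items():
        print(f"{target!r:28s} naive={naive!s:5s} hardened={hardened}")
```

The safest design avoids the question altogether by mapping an opaque token to a server-side allow-list of return destinations; when a free-form URL must be accepted, normalise it the way the browser will before deciding anything.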
[USN-3925-1] FreeImage vulnerability
- 1 CVE addressed in Trusty, Xenial
- OOB write in XMP image handling - code execution
[USN-3926-1] GPAC vulnerabilities
- 8 CVEs addressed in Xenial, Bionic, Cosmic
- Various memory safety issues, including OOB buffer reads and writes
due to missing bounds checks (was using strcpy without checking
lengths…)
Goings on in Ubuntu Security Community
Joe McManus on Facebook’s insecure password storage
Ubuntu Hardening Tips
- Paul Waring got in touch to mention his tips for hardening new Ubuntu installations:
- Install and configure unattended-upgrades
- Install UFW and block all incoming connections except specific services
- Can be done easily via ansible from just a few lines of YAML
- For servers:
- Install SSHGuard to ban IP addresses with too many failed login attempts
- Require TLS for all services via Let’s Encrypt + certbot
- Configure SSH to permit only key-based authentication
- For WordPress installations - install wp-cli to auto-update themes
and plugins
- Automate as much of this as possible for automatic hardening
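In the spirit of automating the hardening, here is a small check for the "permit only key-based authentication" tip that can be dropped into a provisioning pipeline. It is an added example for these notes, not anything from Paul or from OpenSSH. It parses an `sshd_config` honouring two rules that routinely undo manual edits: sshd keeps the first value it sees for a keyword (a second `PasswordAuthentication no` appended at the bottom is inert), and anything after a `Match` line is conditional rather than global. The expected values in `EXPECTED`, the function names and the `SAMPLE_CONFIG` text are assumptions for the demo; files pulled in by `Include` are not read, only reported.

```python
import re
from typing import Dict, List

# Hardened values the "key-based authentication only" tip implies.
# These are assumed expectations for this example, not OpenSSH defaults.
EXPECTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    # keyboard-interactive (PAM) is the other password-style path; OpenSSH 8.7+
    # spells it KbdInteractiveAuthentication, older releases use this name.
    "challengeresponseauthentication": "no",
}
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# "Keyword value" or "Keyword=value", as sshd_config(5) permits.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")

def effective_directives(config_text: str) -> Dict[str, str]:
    """Globally effective value of each keyword in an sshd_config.

    Two sshd_config rules matter here:
      * for each keyword the FIRST value wins; later duplicates are ignored
      * everything after a `Match` line is conditional, so parsing stops there
    Files pulled in by `Include` are not read; the audit reports them."""
    effective: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            break
        effective.setdefault(key, value)        # first occurrence wins
    return effective

def audit_sshd_config(config_text: str) -> List[str]:
    """Return findings; an empty list means the expectations are met."""
    effective = effective_directives(config_text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, relying on the compiled-in default")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    if "include" in effective:
        findings.append(f"include: {effective['include']} was not inspected and, "
                        "because it is read where the Include line sits, may take precedence")
    return findings

SAMPLE_CONFIG = """\
# constructed sample, not copied from any real host
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# appended later in good faith, but sshd keeps the FIRST value, so this is inert:
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` after the automation has applied its changes; a non-empty result is the signal that an edit landed below an earlier directive or inside a Match block. `sshd -T` on the host itself prints the fully resolved configuration (Include files and all) and is the authoritative cross-check.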
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Get in contact