
Ubuntu Security Podcast

Episode 28

22 min • 15 April 2019

Overview

This week we look at updates for vulnerabilities in wpa_supplicant, Samba, systemd, wget and more and we talk to Joe about IoT security (or the prevailing lack-thereof).

This week in Ubuntu Security Updates

27 unique CVEs addressed

[USN-3939-1, USN-3939-2] Samba vulnerability

  • 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Symlink path traversal vulnerability in the Windows Registry service emulation RPC API end-point
  • Allows a local user to create a new registry file anywhere they have Unix permissions to do so within the Samba share
    • Bypasses share restrictions such as read-only and share ACLs
    • Also allows creating the file outside the share itself if there is already a symlink pointing outside the shared areas
  • Fixed by removing the ability to save or restore registry keys at all via this RPC API end-point

[USN-3940-1, USN-3940-2] ClamAV vulnerabilities

  • 3 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • 3 file-handling issues
    • 2 OOB heap reads when handling PE (Windows EXE and DLL) and PDF files -> crash -> DoS
    • OOB heap write when scanning OLE2 files (old format Microsoft Office documents), crash -> DoS or possible code execution

[USN-3941-1] Lua vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • UAF if calling debug.upvaluejoin() with the same function for both function parameters

[USN-3938-1] systemd vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • Failure to properly sanitize environment before using XDG_SEAT
  • Attacker could set XDG_SEAT such that they can have actions checked against the wrong PolicyKit policy
  • Allows a remotely logged in attacker (SSH) to run commands which should be restricted to only physically present users
  • Fixed by using secure_getenv() rather than just getenv() - so that, if running via su, the existing value is effectively scrubbed from the environment and ignored

[USN-3942-1] OpenJDK 7 vulnerability

  • 1 CVE addressed in Trusty
  • Information leak that a remote attacker could possibly leverage to bypass the Java sandbox

[USN-3943-1, USN-3943-2] Wget vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic (1 in Precise ESM)
  • Heap buffer overflow due to improper memory management - crash -> DoS or possible code execution
  • By default wget would store the origin URL in an extended attribute on the downloaded file
    • Could include username / password
    • getfattr -d <file> to dump them
    • Changed to NOT store extended attributes by default AND to strip out any credentials when doing so
    • Doesn't affect Precise ESM
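An added check for the wget issue above (example code, not wget's own): it reads the origin URL stored as an extended attribute on a downloaded file and reports whether that URL embeds credentials, returning the URL with the userinfo stripped as the fix described. The attribute name `user.xdg.origin.url` is an assumption made here; the sample file and URL are constructed.

```python
"""Detect credentials leaked via an origin-URL extended attribute on a download."""
import os
import tempfile
from urllib.parse import urlsplit, urlunsplit

# Attribute name assumed for this example; the episode notes do not name it.
ORIGIN_ATTR = "user.xdg.origin.url"


def strip_credentials(url):
    """Return (had_credentials, sanitized_url).

    Drops the user:pass@ part of the authority while keeping scheme, host,
    port, path, query and fragment unchanged.
    """
    parts = urlsplit(url)
    if not parts.username and not parts.password:
        return False, url
    # Everything after the last '@' is the host[:port]; this keeps IPv6 brackets.
    netloc = parts.netloc.rpartition("@")[2]
    return True, urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def check_file(path):
    """Read the origin attribute of a file; None if absent or unsupported."""
    getxattr = getattr(os, "getxattr", None)  # only Linux exposes xattrs here
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, ORIGIN_ATTR)
    except OSError:  # missing file, no such attribute, or no user xattr support
        return None
    return strip_credentials(raw.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed sample: a temp file carrying an attribute like an old wget download.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        sample = tmp.name
    try:
        os.setxattr(sample, ORIGIN_ATTR, b"https://alice:s3cret@example.com/pkg.tar.gz")
        print(check_file(sample))
    except OSError as err:
        print("extended attributes not supported on this filesystem:", err)
    finally:
        os.unlink(sample)
```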

[USN-3937-2] Apache vulnerabilities

  • 4 CVEs addressed in Precise ESM
  • Episode 27 covered mod_auth_digest bypass for other supported releases
  • Also includes 3 other issues:
    • Nonce generated to prevent replay attacks for the HTTP digest authentication challenge wasn't sufficiently random
      • Could allow an attacker to replay across a cluster of servers with the same common digest authentication configuration
      • changed to actually use a proper random source
    • Possible OOB read -> crash -> DoS
    • Possible one-byte memory corruption if a character encoding of only 1 byte is specified (the code assumes at least 2 bytes and so writes a NULL at index +2, which could be past the end of the header) - crash, DoS

[USN-3944-1] wpa_supplicant and hostapd vulnerabilities

  • 5 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Fix for a fallback to a low-quality PRNG when obtaining an actual random value for a WPS PIN failed
  • Multiple vulnerabilities discovered in the implementation of WPA3 in hostapd and wpa_supplicant (aka Dragonblood)
    • 2 apply to SAE (Simultaneous Authentication of Equals, also known as Dragonfly Key Exchange) - not relevant since we don't enable SAE support in our builds (this is used for the initial key exchange instead of PSK)
    • 4 apply to the use of EAP-PWD - Extensible Authentication Protocol Password
      • cache side channel attack
      • reflection attack
        • may allow an attacker to authenticate without the password but likely not derive session key or complete the key exchange so no loss of confidentiality
      • 2 failures to validate cryptographic components
        • could allow attacker to authenticate AND gain access to session key and get network access

[USN-3945-1] Ruby vulnerabilities

  • 6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Symlink directory traversal issue - gem would delete the target destination before creating any new directories or files when extracting a Gem; as this is often run via sudo, it could allow deleting anything on the target system
    • Fixed by checking whether target paths are symlinks
  • 5 different code-injection attacks:
    • 4 via injection of terminal escape sequences in debug code paths to stdout
    • one via eval() of the stub line in a gemspec file
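Both the Samba registry issue and the RubyGems issue above come down to a write destination that is inside the share or install directory lexically but resolves elsewhere through an existing symlink. The following is an added illustration of the confinement check such a fix needs (example code, not from Samba or RubyGems): it rejects both `../` escapes and any symlink on the path. The directory layout is constructed in a temp dir.

```python
"""Symlink-aware check that a write destination stays inside a base directory."""
import os
import tempfile


def safe_destination(base, relpath):
    """Return the absolute destination for relpath under base, or raise ValueError.

    Two checks: the normalised path must not escape base ("../" or absolute
    paths), and no existing component of it may be a symlink, since a symlink
    that already points outside base would otherwise redirect the write there.
    """
    base = os.path.realpath(base)
    dest = os.path.normpath(os.path.join(base, relpath))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError(f"path escapes base directory: {relpath}")
    current = base
    for part in os.path.relpath(dest, base).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):  # refuse any symlink, wherever it points
            raise ValueError(f"symlink in path: {relpath}")
    return dest


def demo():
    """Constructed layout: share/ contains a symlink 'escape' -> a directory outside."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        outside = os.path.join(root, "outside")
        os.makedirs(share)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(share, "escape"))
        for rel in ("ok.reg", "sub/ok.reg", "../outside/evil.reg", "escape/evil.reg"):
            try:
                safe_destination(share, rel)
                results[rel] = "allowed"
            except ValueError:
                results[rel] = "refused"
    return results


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:8} {rel}")
```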

[USN-3946-1] rssh vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Possible to execute arbitrary shell commands since rssh failed to properly sanitize environment variables and command-line arguments when executing rsync or scp
  • Removed from the archive in Disco since it is dead upstream

Goings on in Ubuntu Security Community

IoT Security discussion with Joe McManus

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Get in contact
