Overview
This week we look at updates for vulnerabilities in wpa_supplicant, Samba, systemd, wget and more, and we talk to Joe about IoT security (or the prevailing lack thereof).
This week in Ubuntu Security Updates
27 unique CVEs addressed
- 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  - Symlink path traversal vulnerability in the Windows Registry service emulation RPC API end-point
    - Allows a local user to create a new registry file anywhere they have Unix permissions to do so within the Samba share
    - Bypasses share restrictions such as read-only and share ACLs
    - Also allows creating the file outside the share itself if there is already a symlink pointing outside the shared area
  - Fixed by removing the ability to save or restore registry keys at all via this RPC API end-point
- 3 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  - 3 file-handling issues
    - 2 OOB heap reads when handling PE (Windows EXE and DLL) and PDF files -> crash -> DoS
    - OOB heap write when scanning OLE2 files (old-format Microsoft Office documents) -> crash -> DoS or possible code execution
- 1 CVE addressed in Xenial, Bionic, Cosmic
  - UAF when calling debug.upvaluejoin() with the same function for both function parameters
[USN-3938-1] systemd vulnerability
- 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  - Failure to properly sanitize the environment before using XDG_SEAT
    - Attacker could set XDG_SEAT such that their actions are checked against the wrong PolicyKit policy
    - Allows a remotely logged-in attacker (SSH) to run commands which should be restricted to physically present users only
  - Fixed by using secure_getenv() rather than just getenv(), so that if running via su the existing value is effectively scrubbed from the environment and ignored
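The getenv() versus secure_getenv() distinction above, as an added example (not systemd code). glibc's secure_getenv() returns NULL whenever the kernel marked the process AT_SECURE (setuid/setgid binary, raised capabilities); the code below approximates that by comparing real and effective ids, which covers the su case described. The seat-name validity rule is an assumption for illustration.

```python
import os
import re

# Added example, not systemd code: an approximation of glibc's secure_getenv()
# semantics. glibc returns NULL when AT_SECURE is set for the process; comparing
# real and effective ids reproduces the setuid case (e.g. a value exported
# before running "su" is dropped rather than trusted).

# Assumed validity rule for seat names: "seat" followed by [A-Za-z0-9_-]
SEAT_NAME_RE = re.compile(r"^seat[A-Za-z0-9_-]*$")


def looks_privileged(uid=None, euid=None, gid=None, egid=None):
    """True when the effective ids differ from the real ids (setuid/setgid)."""
    uid = os.getuid() if uid is None else uid
    euid = os.geteuid() if euid is None else euid
    gid = os.getgid() if gid is None else gid
    egid = os.getegid() if egid is None else egid
    return uid != euid or gid != egid


def unsafe_getenv(name, env=None):
    """The getenv() pattern: trusts whatever the caller placed in the environment."""
    env = os.environ if env is None else env
    return env.get(name)


def secure_getenv(name, env=None, **ids):
    """The secure_getenv() pattern: ignore the environment entirely when the
    process runs with more privilege than the environment's author had."""
    if looks_privileged(**ids):
        return None
    return unsafe_getenv(name, env)


def seat_for_policy_check(env=None, **ids):
    """Seat name to use when deciding whether a session counts as local.

    Returns None when the environment must not be trusted or the value is
    malformed; the caller then derives the seat from session data instead of
    from user-controlled input.
    """
    value = secure_getenv("XDG_SEAT", env, **ids)
    if value is None or not SEAT_NAME_RE.match(value):
        return None
    return value
```

The id arguments exist only so the privileged and unprivileged paths can be exercised deterministically; in real use you would call the functions without them and let the process's own ids decide.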
[USN-3942-1] OpenJDK 7 vulnerability
- 1 CVE addressed in Trusty
  - Information leak that a remote attacker could possibly leverage to bypass the Java sandbox
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic (1 in Precise ESM)
  - Heap buffer overflow due to improper memory management -> crash -> DoS or possible code execution
  - By default wget would store the origin URL in an extended attribute on the downloaded file
    - Could include username / password
    - getfattr -d to dump
    - Changed to NOT store extended attributes by default AND to strip out any credentials when doing so
    - Doesn't affect Precise ESM
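An added example (not wget code) for checking already-downloaded files for the leak described above: it reads the origin-URL attribute the same way getfattr -d would, reports files whose recorded URL still carries user-info, and shows the credential-stripped form a fixed wget would store. The attribute name follows the freedesktop.org xattr convention wget uses; the helper functions are ours.

```python
import os
from urllib.parse import urlsplit, urlunsplit

# Added example, not wget code. Attribute name per the freedesktop.org xattr
# convention that wget uses; the scanning helpers are ours.
ORIGIN_XATTR = "user.xdg.origin.url"


def has_credentials(url):
    """True when the URL's authority carries user-info (user or user:password)."""
    return "@" in urlsplit(url).netloc


def strip_credentials(url):
    """Return the URL with any user-info removed from the authority part."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]  # text after the last '@', or all of it
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def origin_url_of(path):
    """Origin URL recorded on a downloaded file, or None if absent/unsupported."""
    try:
        return os.getxattr(path, ORIGIN_XATTR).decode("utf-8", "replace")
    except (AttributeError, OSError):  # non-Linux, no xattr support, or no such attribute
        return None


def scan_for_leaked_credentials(paths):
    """Report files whose origin attribute still embeds credentials, paired
    with the credential-free URL a fixed wget would have stored instead."""
    findings = []
    for path in paths:
        url = origin_url_of(path)
        if url and has_credentials(url):
            findings.append((path, strip_credentials(url)))
    return findings


def scrub_origin_xattr(path):
    """Rewrite the attribute without credentials; True if anything was changed."""
    url = origin_url_of(path)
    if url is None or not has_credentials(url):
        return False
    os.setxattr(path, ORIGIN_XATTR, strip_credentials(url).encode("utf-8"))
    return True
```

Run scan_for_leaked_credentials() over a download directory (for example the paths from os.scandir()) to find files worth scrubbing; the xattr calls are Linux-only and silently report nothing on filesystems without xattr support.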
[USN-3937-2] Apache vulnerabilities
- 4 CVEs addressed in Precise ESM
  - Episode 27 covered the mod_auth_digest bypass for other supported releases
  - Also includes 3 other issues:
    - Nonce generated to prevent replay attacks for the HTTP digest authentication challenge wasn't sufficiently random
      - Could allow an attacker to replay across a cluster of servers with the same common digest authentication configuration
      - Changed to actually use a proper random source
    - Possible OOB read -> crash -> DoS
    - Possible one-byte memory corruption if a character encoding of only 1 byte is specified (since the code assumes it is at least 2 bytes and so writes a NULL at index +2, which could be past the end of the header) -> crash, DoS
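The digest nonce point above, as an added example that is not Apache code: a nonce built from a CSPRNG, bound to its issue time with an HMAC under a server-side key, and tracked by nonce-count so a captured Authorization header cannot be replayed. The key handling, byte layout and maximum age are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Added example, not Apache code. Nonce = timestamp || random || HMAC(key, ...),
# base64-encoded. 'secrets' is the CSPRNG; the layout and max_age are assumed.
TS_LEN, RND_LEN, TAG_LEN = 8, 16, 16


class NonceIssuer:
    def __init__(self, key=None, max_age=300):
        self.key = key or secrets.token_bytes(32)  # per realm; cluster members would share it
        self.max_age = max_age
        self._highest_nc = {}  # nonce -> highest nonce-count accepted so far

    def _tag(self, body):
        return hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, now=None):
        """Fresh, unpredictable nonce for a WWW-Authenticate challenge."""
        now = int(time.time()) if now is None else int(now)
        body = now.to_bytes(TS_LEN, "big") + secrets.token_bytes(RND_LEN)
        return base64.b64encode(body + self._tag(body)).decode("ascii")

    def accept(self, nonce, nc, now=None):
        """Validate a client's nonce and nonce-count; returns (ok, reason)."""
        now = int(time.time()) if now is None else int(now)
        try:
            raw = base64.b64decode(nonce, validate=True)
        except ValueError:
            return False, "malformed"
        if len(raw) != TS_LEN + RND_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = raw[:TS_LEN + RND_LEN], raw[TS_LEN + RND_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return False, "bad tag"  # not issued under our key
        issued = int.from_bytes(body[:TS_LEN], "big")
        if issued > now + 5 or now - issued > self.max_age:
            return False, "stale"
        if nc <= self._highest_nc.get(nonce, 0):
            return False, "replay"  # this nonce-count (or a higher one) was already used
        self._highest_nc[nonce] = nc
        return True, "ok"
```

A time-only or poorly seeded nonce would let two servers with the same configuration hand out the same value, which is what made cross-cluster replay possible; with 128 random bits per nonce and per-nonce nonce-count tracking, a replayed request is rejected even if the nonce itself is still within its lifetime.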
[USN-3944-1] wpa_supplicant and hostapd vulnerabilities
- 5 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - Fixed fallback to a low-quality PRNG when getting an actual random value for a WPS PIN failed
  - Multiple vulnerabilities discovered in the implementation of WPA3 in hostapd and wpa_supplicant (aka Dragonblood)
    - 2 apply to SAE (Simultaneous Authentication of Equals, also known as Dragonfly Key Exchange); not relevant since we don't enable SAE support in our builds (this is used for the initial key exchange instead of PSK)
    - 4 apply to the use of EAP-PWD (Extensible Authentication Protocol - Password)
      - Cache side-channel attack
      - Reflection attack
        - May allow an attacker to authenticate without the password but likely not derive the session key or complete the key exchange, so no loss of confidentiality
      - 2 failures to validate crypto components
        - Could allow an attacker to authenticate AND gain access to the session key and get network access
[USN-3945-1] Ruby vulnerabilities
- 6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - Symlink directory traversal issue: gem would delete the target destination before creating any new directories or files when extracting a Gem; as this is often run via sudo, it could allow deleting anything on the target system
    - Fixed to check whether target paths are symlinks
  - 5 different code-injection attacks:
    - 4 via injection of terminal escape sequences in debug code paths to stdout
    - 1 via eval() of the stub line in a gemspec file
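Both the Samba registry-file issue earlier in this episode and the gem extraction issue above come down to the same missing check: a path under a share or extraction root must not pass through a symlink or resolve outside the root before anything is deleted or created there. The following is an added example of that check (not Samba or RubyGems code); the "delete destination, then write" step mirrors the gem behaviour described, and the demo tree it builds is constructed for illustration.

```python
import os
import tempfile

# Added example, not Samba or RubyGems code: gate every create/delete beneath a
# root on (1) no symlink in any path component and (2) the resolved path still
# being inside the root.


def has_symlink_component(root, relative_path):
    """True if any existing component of root/relative_path is a symlink."""
    current = root
    for part in relative_path.split("/"):
        if part in ("", "."):
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def safe_target(root, relative_path):
    """Absolute path for relative_path under root, or None if the path is
    absolute, contains '..', passes through a symlink, or resolves outside root."""
    if os.path.isabs(relative_path) or ".." in relative_path.split("/"):
        return None
    real_root = os.path.realpath(root)
    if has_symlink_component(real_root, relative_path):
        return None
    candidate = os.path.realpath(os.path.join(real_root, relative_path))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        return None
    return candidate


def remove_then_create(root, relative_path, data=b""):
    """The gem-style 'delete destination, then write' step, gated by safe_target()."""
    target = safe_target(root, relative_path)
    if target is None:
        return False
    if os.path.lexists(target) and not os.path.isdir(target):
        os.unlink(target)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return True


def run_demo():
    """Constructed tree: root/escape is a symlink to a directory outside root.
    Returns which writes were allowed and whether the outside dir stayed clean."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as root:
        os.symlink(outside, os.path.join(root, "escape"))
        results = {
            "plain": remove_then_create(root, "lib/foo.rb", b"ok"),
            "through_symlink": remove_then_create(root, "escape/foo.rb"),
            "dotdot": remove_then_create(root, "../foo.rb"),
            "absolute": remove_then_create(root, os.path.join(outside, "foo.rb")),
            "outside_untouched": not os.path.exists(os.path.join(outside, "foo.rb")),
        }
    return results
```

The realpath() comparison alone is not enough, since a symlink that already points outside the root resolves to a legitimate-looking absolute path; the component walk is what rejects it. The check is done against the resolved root so that a root which is itself reached through a symlink still works.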
[USN-3946-1] rssh vulnerabilities
- 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  - Possible to execute arbitrary shell commands since rssh failed to properly sanitize environment variables and command-line arguments when executing rsync or scp
  - Removed from the archive in Disco since dead upstream
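The two sanitization steps a restricted shell like rssh needs before exec'ing rsync or scp, as an added example that is not rssh code: pass only an allow-listed environment, and accept only known commands with known options, then exec without a shell. The environment and option allow-lists and the /usr/bin paths are assumptions for illustration, not rssh's actual policy.

```python
import os
import shlex
import subprocess

# Added example, not rssh code. ENV_ALLOW and the per-command option sets are
# assumed allow-lists for illustration; a real deployment derives them from the
# exact server-side invocations its clients use.
ENV_ALLOW = ("PATH", "HOME", "USER", "LOGNAME", "LANG", "TZ")
COMMANDS = {
    "scp": {"-t", "-f", "-r", "-p", "-d", "-v"},
    "rsync": {"--server", "--sender", "-v", "-r", "-t", "-p", "-l", "-g", "-o", "-D"},
}
BIN_DIR = "/usr/bin"  # assumed location of the real binaries


def clean_env(source):
    """Keep only allow-listed variables; anything else (LD_*, *_OPTIONS, ...) is dropped."""
    return {k: v for k, v in source.items() if k in ENV_ALLOW}


def check_command(command_line):
    """Parse SSH_ORIGINAL_COMMAND-style text and return (argv, None) when every
    token is acceptable, otherwise (None, reason). Options are allow-listed;
    combined short flags such as -rp are checked letter by letter."""
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:
        return None, f"unparseable: {exc}"
    if not argv or os.path.basename(argv[0]) not in COMMANDS:
        return None, "command not allowed"
    name = os.path.basename(argv[0])
    allowed = COMMANDS[name]
    for tok in argv[1:]:
        if tok.startswith("--"):
            if tok not in allowed:
                return None, f"option not allowed: {tok}"
        elif tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:
                if "-" + ch not in allowed:
                    return None, f"option not allowed: -{ch}"
    argv[0] = os.path.join(BIN_DIR, name)  # never trust the caller's path to the binary
    return argv, None


def run_restricted(command_line, environ=None):
    """Exec the vetted argv with shell=False and a clean environment."""
    argv, reason = check_command(command_line)
    if argv is None:
        return None, reason
    env = clean_env(os.environ if environ is None else environ)
    return subprocess.run(argv, env=env, shell=False, check=False), None
```

Because the command is passed as an argv list with shell=False, shell metacharacters in operands are inert; the option allow-list is what stops a client from steering rsync or scp into running some other program, and the environment allow-list removes the loader and tool-specific variables that could do the same.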
Goings on in Ubuntu Security Community
IoT Security discussion with Joe McManus
Hiring
Ubuntu Security Generalist
Robotics Security Engineer
Get in contact