Overview
This week we look at updates to cover the latest Intel CPU vulnerabilities
(MDS - aka RIDL, Fallout, ZombieLoad), plus other vulnerabilities in
PostgreSQL, ISC DHCP, Samba and more, whilst special guest this week is
Seth Arnold from the Ubuntu Security Team to talk Main Inclusion Review
code audits.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-3972-1] PostgreSQL vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Stores statistics for columns by sampling values from that column
- Row security policies allow restricting which rows a user can view
- But the sampled statistics did not take the row security policy into account
- A user could craft a leaky operator which would return the sampled data
and effectively bypass the security policy
- Fixed so that non-leakproof operators may only use the sampled data when no
relevant row security policies are in place
- Arbitrary server memory could be read by executing a crafted INSERT
statement on a partitioned table (only affects PostgreSQL 11, so only
Disco)
[USN-3973-1] DHCP vulnerability
- 1 CVE addressed in Bionic, Cosmic
- DHCP server could crash due to a mismatch between BIND's internal memory
management and the DHCP server code
- BIND in Bionic + Cosmic contained a change which zeroed out an internal
index to indicate it was unused - however 0 is still a valid index in the
DHCP server codebase, so this could cause a use-after-free (the memory
would be freed and the index set to 0 by the BIND lib, but then still used
later since 0 is valid). Fixed by tracking indexes correctly to account
for this behaviour.
[USN-3974-1] VCFtools vulnerabilities
- 3 CVEs addressed in Xenial
- Tools for working with VCF files (1000 Genomes Project)
- Fuzzed in conjunction with AddressSanitizer in clang using crafted VCF files
- Read-based heap buffer overflow - crash, DoS
- 2 * use after free -> crash, DoS / code execution
[USN-3975-1] OpenJDK vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- 2 affecting both openjdk-11 and openjdk-8
- CPU DoS via BigDecimal implementation operating on particular values
- Sandbox escape due to incorrect skeleton class selection in the RMI registry
- 2 sandbox escapes affecting only openjdk-8 via the 2D graphics component
Samba vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Kerberos (as used in AD) contains an extension allowing a service to
request a Kerberos ticket to itself on behalf of a user who did not
authenticate via Kerberos (so that Kerberos can be used for all internal
code paths)
- This can be proxied over the network, so that a privileged server can
proxy on behalf of the non-Kerberos-authenticated user
- The proxied request contains a checksum (which can be keyed to prevent
spoofing) - BUT the keyed checksum is not enforced - so an attacker who can
intercept the proxied request could rewrite the user name to any other one
in the KDC AND replace the checksum with a simple CRC32, as that can be
computed without any prior knowledge
[USN-3986-1] Wireshark vulnerabilities
- 9 CVEs addressed in Xenial, Bionic, Cosmic
- Updated to latest 2.6.8 release to fix many issues in various packet
dissectors that would cause wireshark to crash
[USN-3988-1] MediaInfo vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic, Disco
- CLI tool for reading metadata from various audio/video files
- 2 * OOB read -> crash, DoS
[LSN-0051-1] Linux kernel vulnerability
- 4 CVEs for Microarchitectural Data Sampling (MDS) vulnerabilities
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
- https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
- https://www.redhat.com/en/blog/deeper-look-mds-vulnerability
- Too invasive to be addressed by Livepatch - requires updates to the
kernel and new microcode to fix
- Intel CPUs contain various microarchitectural elements - store buffers,
load ports, fill buffers - which get used to complete architectural
operations (read from an address etc)
- 4 CVEs because the various techniques target different buffers
- RIDL (Rogue in-flight data load) - fill buffers and load ports
- Fallout - store buffers
- ZombieLoad - independent discovery of fill-buffer variant of RIDL
- These get reused across operations, and in particular get reused across
hyperthreads executing on the same CPU core
- A malicious process can use speculative execution sampling techniques to
infer the contents of one of these microarchitectural buffers - so could
see data from a process that had previously been executing on the same
CPU core OR in the case of HT can see data from a process executing
concurrently on the same core
- For a single thread per core this can be fixed by first adding new
behaviour to the (otherwise unused) VERW instruction via a microcode
update so that it clears these buffers
- Then updating the Linux kernel to execute this new VERW instruction when
switching tasks, VMs etc
- However, this does not mitigate the SMT case, where the sibling thread
runs concurrently on the same core
- So the only way to properly mitigate is to disable SMT as well
- In the case of virtualisation, the guest does the task switching so it
needs to clear these buffers - update to QEMU + libvirt to expose this
new CPU capability to the guest so that it can perform the flushing
itself
- Kernel + QEMU updates also contain fixes for other CVEs
- Kernels updated for all supported releases including the HWE kernels
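As an added example (not from the podcast, Ubuntu or the kernel project), a small POSIX shell check that classifies a host's MDS state from the kernel's own sysfs reporting, distinguishing a missing microcode update from SMT still being active, and checks whether a CPU (for instance a guest after the QEMU + libvirt updates) advertises the md_clear flag. The sysfs path and status strings follow the kernel's MDS documentation; the cpuinfo fragments are constructed.

```shell
#!/bin/sh
# Added example: classify the MDS mitigation state the kernel reports and
# check whether a (guest) CPU advertises the md_clear flag.  The sysfs path
# and status strings follow the kernel's Documentation/admin-guide/hw-vuln/mds.rst;
# the cpuinfo samples below are constructed for demonstration.

# mds_state STATUS
#   STATUS is the contents of /sys/devices/system/cpu/vulnerabilities/mds
# Prints: not-affected | no-microcode | smt-exposed | smt-unknown |
#         mitigated | vulnerable | unknown
mds_state() {
    case "$1" in
        "Not affected")                      echo not-affected ;;
        *"no microcode"*)                    echo no-microcode ;;  # kernel fix present, VERW not updated
        "Mitigation:"*"SMT vulnerable"*)     echo smt-exposed ;;   # sibling thread can still sample
        "Mitigation:"*"Host state unknown"*) echo smt-unknown ;;   # guest cannot see host SMT state
        "Mitigation:"*)                      echo mitigated ;;
        "Vulnerable"*)                       echo vulnerable ;;
        *)                                   echo unknown ;;
    esac
}

# has_md_clear CPUINFO
#   Succeeds when the flags line of the given /proc/cpuinfo text lists
#   md_clear, i.e. the updated VERW behaviour is exposed to this CPU/guest.
has_md_clear() {
    printf '%s\n' "$1" | grep -qE '^flags[[:space:]]*:.* md_clear( |$)'
}

# Constructed sample cpuinfo fragments (not captured from a real machine).
CPUINFO_WITH='model name : example cpu
flags      : fpu vme sse2 ht ssbd md_clear flush_l1d'
CPUINFO_WITHOUT='model name : example cpu
flags      : fpu vme sse2 ht ssbd'

# Report on the live system when the sysfs entry exists.
f=/sys/devices/system/cpu/vulnerabilities/mds
if [ -r "$f" ]; then
    s=$(cat "$f")
    printf 'mds: %s -> %s\n' "$s" "$(mds_state "$s")"
    if has_md_clear "$(cat /proc/cpuinfo)"; then
        echo 'cpu flags: md_clear present'
    else
        echo 'cpu flags: md_clear absent (microcode or hypervisor not updated)'
    fi
else
    echo "no $f: kernel predates the MDS update"
fi
```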
[USN-3977-1] Intel Microcode update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- 7 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
[USN-3979-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Disco
- 10 CVEs addressed in Bionic (HWE), Cosmic
[USN-3981-1, USN-3981-2] Linux kernel vulnerabilities
- 9 CVEs addressed in Trusty ESM (HWE), Xenial (HWE), Bionic
- 6 CVEs addressed in Trusty ESM (Xenial HWE), Xenial
- 4 CVEs addressed in Precise ESM (Trusty HWE), Trusty ESM
[USN-3984-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Precise ESM
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
Goings on in Ubuntu Security Community
Main inclusion review security code audits discussion with Seth Arnold
Hiring
Robotics Security Engineer
Security Certifications Engineer
Get in contact