Episode 33

Overview

Updated Intel microcode for Cherry + Bay Trial CPUs, fixes for vulnerabilities in curl, Firefox, PHP and MariaDB, plus we talk configuration of virtualised guests to mitigate speculative execution vulnerabilities as well as plans for the Ubuntu 19.10 development cycle.

This week in Ubuntu Security Updates

43 unique CVEs addressed

[USN-3977-2] Intel Microcode update

• 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • CVE-2019-11091
  • CVE-2018-12126
  • CVE-2018-12127
  • CVE-2018-12130
• Corresponding Intel microcode updates for Cherry Trail and Bay Trail CPU families

[USN-3989-1] LibRaw vulnerabilities

• 7 CVEs addressed in Xenial, Bionic, Cosmic
  • CVE-2018-5819
  • CVE-2018-5818
  • CVE-2018-5817
  • CVE-2018-20365
  • CVE-2018-20364
  • CVE-2018-20363
  • CVE-2018-20337
• Multiple issues fixed:
  • 2*NULL pointer dereference
  • Heap-based buffer overflow
  • Stack-based buffer overflow
  • 3 different cases of possible infinite loop - CPU DoS

[USN-3990-1] urllib3 vulnerabilities

• 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • CVE-2019-11324
  • CVE-2019-11236
  • CVE-2018-20060
• When validating certs for HTTPS, could specify a set of certs to validate against - however it would always include the system CA certs as well - so could validate successfully even if cert is not in chain of explicitly desired set - fixed to NOT include system certs in this case
• Possible CRLF injection
• Would possibly expose HTTP authorization credentials across different origin hosts as after authenticating, if being redirected to a different origin host, would still include the Authorization header from the old host to the new host - fixed by ensuring this defaults to being off

[USN-3991-1] Firefox vulnerabilities

• 17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • CVE-2019-9816
  • CVE-2019-11698
  • CVE-2019-11697
  • CVE-2019-9821
  • CVE-2019-9820
  • CVE-2019-9819
  • CVE-2019-9817
  • CVE-2019-9814
  • CVE-2019-9800
  • CVE-2019-7317
  • CVE-2019-11701
  • CVE-2019-11699
  • CVE-2019-11696
  • CVE-2019-11695
  • CVE-2019-11693
  • CVE-2019-11692
  • CVE-2019-11691
• Latest upstream Firefox release (67.0)
• Includes fixes for various issues including:
  • DoS, spoofing of browser UI, tricking users into launching local executables, XSS and RCE
  • Tricking users into installing a malicious add-on by disabling the UI prompt
  • History exposure via bookmark handling

[USN-3566-2] PHP vulnerabilities

• 5 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2016-10712
  • CVE-2017-11362
  • CVE-2017-12933
  • CVE-2019-11036
  • CVE-2018-20783
• In February 2018, and March 2018, released updates for PHP5 in Trusty fixing multiple CVEs - this update is a corresponding update which fixes some new CVEs in both Precise ESM and Trusty ESM and some of the same older CVEs in Precise ESM.

[USN-3992-1] WebKitGTK+ vulnerabilities

• 3 CVEs addressed in Bionic, Cosmic, Disco
  • CVE-2019-8615
  • CVE-2019-8607
  • CVE-2019-8595
• New upstream release (2.24.2) - like most WebKitGTK+ updates, contains little information on the new vulnerabilities - so assume the worst - DoS, XSS, RCE
• Used by GNOME Shell for captive portal handling etc

[USN-3993-1, USN-3993-2] curl vulnerabilities

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic and Disco
  • CVE-2019-5436
• TFTP receive heap-based buffer overflow
• 1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • CVE-2019-5435
• Integer overflow for 32-bit arches when handling a very large URL (>2GB) via the libcurl API (curl_url_set())

[USN-3957-2] MariaDB vulnerabilities

• 2 CVEs addressed in Trusty ESM
  • CVE-2019-2627
  • CVE-2019-2614
• Episode 30 mentioned an update for MariaDB for the standard support releases fixing 8 CVEs - 2 of those applied to MariaDB in Trusty ESM - both where a privileged attacker can crash server

Goings on in Ubuntu Security Community

Clarifications to documentation regarding latest Intel MDS vulnerabilities

• https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/TechFAQ
• Updated to describe situation when doing virtualisation:
  • To enable guest to mitigate various speculative execution vulnerabilities, need to ensure the guest CPU emulates the various CPU features (such as pcid, ssbd etc).
  • Depends on workloads - if running untrusted code in guests or not etc.
  • Previously QEMU would define various CPU models such as Broadwell-IBRS which would include support for this emulation. However, most of the newer features ssbd, md_clear etc are not included in these CPU models.
  • So instead need to explicitly enable them - this can be done in a few ways:
    • Can just passthrough host CPU features directly - recommended approach if NOT going to migrating guests across hosts (since if has different features will cease to work)
    • Otherwise manually enable features directly as a subset of the supported features from all the various hosts in your datacenter - depending on whether using QEMU on the command-line or libvirt to configure has different ways to specify this but same idea for both

Security Team plans for 19.10 development cycle

• 19.10 cycle roadmap meeting was held in Lyon a 2 weeks ago - each Ubuntu team presented on the progress etc from the 19.04 cycle as well as their plans for the 19.10 cycle
• Security team highlights for 19.10:
  • Automate more parts of our processes around triage of code reviews, reactive package updates etc
  • Review and incorporate KSPP recommendations for kernel hardening
  • GCC -fstack-clash-protection and -fcf-protection as default
  • Various snapd enhancements (daemon user, OpenGL support, audio migration)
  • AppArmor features - prompting, more groundwork for fine-grained network mediation

Hiring

Robotics Security Engineer

• https://boards.greenhouse.io/canonical/jobs/1550997

Security Certifications Engineer

• https://boards.greenhouse.io/canonical/jobs/1660658

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter