Overview
This week we look at security updates for Keepalived, Corosync, GnuTLS, libseccomp and more, plus we talk insider threats with Joe McManus.
This week in Ubuntu Security Updates
32 unique CVEs addressed
- Affecting Trusty ESM, Xenial, Bionic
- Episode 32 discussed a privilege escalation vulnerability and fix for Samba
- The original update caused a regression where Samba might crash - now fixed
[USN-3994-1] gnome-desktop vulnerability
- 1 CVE addressed in Bionic, Cosmic, Disco
- Thumbnailers could potentially use the TIOCSTI ioctl to push characters into the controlling terminal's input buffer and hence escape the bubblewrap sandbox
- Requires compromising a thumbnailer in the first place, so lower impact
- Similar to CVE-2019-10063 for flatpak and CVE-2019-7303 for snapd
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic
- Heap-based buffer overflow when parsing the HTTP response code: could potentially write an unlimited amount of attacker-controlled data into a 10-byte heap buffer
- Crash -> DoS, RCE
- Fixed to properly parse the response code and accept at most 3 digits
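To illustrate the shape of the fix described above (reject anything longer than a 3-digit status code instead of copying it into a small fixed buffer), here is an added example status-line parser; it is not the project's own code, and the function name and sample inputs are constructed for this example:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample status lines (not real captured traffic). */
static const char *const SAMPLE_OK   = "HTTP/1.1 200 OK\r\n";
static const char *const SAMPLE_LONG = "HTTP/1.1 200000000000000000 OK\r\n";
static const char *const SAMPLE_NONE = "HTTP/1.1 OK\r\n";

/*
 * Parse the status code from an HTTP status line.
 * Returns the code as an int, or -1 if the line does not carry exactly
 * three digits after the protocol token. The pre-fix behaviour described
 * in the notes copied every digit it found into a 10-byte buffer; here the
 * digit count is bounded before any byte is written.
 */
int extract_status_code(const char *buf, size_t len)
{
    char code[4];          /* 3 digits + NUL: the only bytes ever written */
    size_t i = 0, n = 0;

    /* Skip the protocol token (e.g. "HTTP/1.1") up to the first space. */
    while (i < len && buf[i] != ' ')
        i++;
    if (i == len)
        return -1;
    i++;                   /* step over the space */

    /* Copy digits, refusing a 4th one rather than overrunning the buffer. */
    while (i < len && isdigit((unsigned char)buf[i])) {
        if (n == 3)
            return -1;
        code[n++] = buf[i++];
    }
    if (n != 3)
        return -1;
    code[n] = '\0';

    /* The code must be followed by a space or the end of the line. */
    if (i < len && buf[i] != ' ' && buf[i] != '\r' && buf[i] != '\n')
        return -1;

    return (code[0] - '0') * 100 + (code[1] - '0') * 10 + (code[2] - '0');
}

int main(void)
{
    printf("ok:   %d\n", extract_status_code(SAMPLE_OK, strlen(SAMPLE_OK)));
    printf("long: %d\n", extract_status_code(SAMPLE_LONG, strlen(SAMPLE_LONG)));
    printf("none: %d\n", extract_status_code(SAMPLE_NONE, strlen(SAMPLE_NONE)));
    return 0;
}
```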
[USN-3845-2] FreeRDP vulnerabilities
- 6 CVEs addressed in Bionic, Cosmic
- Back in December we published an update for FreeRDP (USN-3845-1, Episode 16)
- In Bionic and Cosmic freerdp2 is in main, so that update was for freerdp2
- This update is for freerdp (v1), which is in universe in Bionic and Cosmic
- Corresponding update to USN-3845-1 for freerdp (v1)
[USN-3997-1] Thunderbird vulnerabilities
- 14 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Thunderbird 60.7.0 - the latest upstream release includes a large number of security fixes
- Almost all are shared with Firefox (DoS, bypass of same-origin restrictions, or RCE)
[USN-3996-1] GNU Screen vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM
- Old low-priority issue fixed for ESM releases (fixed upstream back in 2015, so screen in Xenial, Bionic etc. is not affected)
- Attacker could cause a crash due to a stack overrun via recursion triggered by a large number of repeated ANSI escape sequences in the output
[USN-3968-2] Sudo vulnerability
- 1 CVE addressed in Trusty ESM
- Episode 31 - updated sudo in Xenial; this is the corresponding update for Trusty ESM
[USN-3998-1] Evolution Data Server vulnerability
- 1 CVE addressed in Xenial, Bionic
- Research from Marcus Brinkmann showed it was possible to create an encrypted email with a zero-length encrypted section alongside unencrypted contents, which Evolution (and other email clients) would show as being encrypted
- Mail clients call out to gpg (GnuPG) to decrypt the email but are lax in parsing GPG's output and so mistakenly treat the whole email as encrypted
- Due to the software architecture of Evolution, part of this fix is done in Evolution itself (to better highlight to the user that the email contains unencrypted portions) and part in the backend (Evolution Data Server) to properly parse the output of gnupg
[USN-3999-1] GnuTLS vulnerabilities
- 5 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- 3 CVEs related to the “Lucky Thirteen” attack (originally published in 2013)
- Timing attack against TLS implementations that use CBC
- One countermeasure was to use “pseudo constant time”
- New research showed this is not sufficient (incidentally one of the researchers was Adi Shamir, co-inventor of the RSA algorithm - the “S” in RSA)
- 1 CVE from Tavis Ormandy (double-free when handling X.509 certificates) - crash -> DoS, code execution
- Last CVE - uninitialized pointer could be dereferenced when handling certain post-handshake messages - likely crash -> DoS
[USN-4000-1] Corosync vulnerability
- 1 CVE addressed in Xenial, Bionic
- Integer overflow leading to a buffer over-read, able to be triggered by an unauthenticated user - crash -> DoS
- 1 CVE addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Seccomp allows writing policies that act on system call arguments via BPF, including comparison operators like less than (LT); Jann Horn discovered that on 64-bit platforms it did not generate correct BPF to perform these comparisons
- In this case, the upstream fixes relied on other upstream changes, so we chose to upgrade seccomp entirely rather than try to backport the fixes, as they were too involved; upgrading the version was less risky overall than backporting
Goings on in Ubuntu Security Community
Alex and Joe talk about insider threats
Hiring
Robotics Security Engineer
Security Certifications Engineer
Get in contact