Overview
We look at vulnerabilities and updates for Exim, the Linux kernel, Berkeley DB, Qt and more, plus Joe and Alex discuss some recent malware campaigns including HiddenWasp, and we cover some open positions too.
This week in Ubuntu Security Updates
34 unique CVEs addressed
[USN-4002-1] Doxygen vulnerability
- 1 CVE addressed in Xenial
- Generates HTML code documentation from code comments
- Includes a search field for searching across the generated documentation
- The search term was not treated as untrusted input and was echoed unmodified into the resulting pages
- Allows XSS or iframe injection via a crafted search query
- Fix is simple - whitelist the characters allowed in the query so that markup cannot be injected
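The reflected-input flaw and the allowlist fix described above, as an added example written for these notes rather than Doxygen's own code. The allowlist characters, the PAYLOAD string and the function names are assumptions for the example; the point is the vulnerable render beside the hardened one.

```python
"""Added example (not Doxygen's code): reflecting a search term into generated HTML,
the unsafe way and with the allowlist fix the bullets describe."""
import html
import re

# Characters a documentation search term legitimately needs: identifiers, C++ scope
# operators and dots. The exact allowlist is an assumption for this example.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_:.\-]")

# Constructed attacker input: a query that injects a frame into the results page.
PAYLOAD = '<iframe src="https://attacker.example/"></iframe>'


def render_results_unsafe(query: str) -> str:
    # Vulnerable pattern: the query is echoed into the page exactly as received.
    return f"<p>Results for: {query}</p>"


def allowlist_query(query: str) -> str:
    # Strip every character that is not on the allowlist; whatever remains can
    # only ever be part of an identifier-like search term.
    return _DISALLOWED.sub("", query)


def render_results_safe(query: str) -> str:
    # Allowlist first, then still HTML-escape at the point of output so the
    # rendering step never relies on the filter alone (defence in depth).
    return f"<p>Results for: {html.escape(allowlist_query(query), quote=True)}</p>"


def markup_injected(rendered: str) -> bool:
    # The results template itself contributes exactly two tags (<p> and </p>);
    # any further '<' in the output came from the query.
    return rendered.count("<") > 2


if __name__ == "__main__":
    print(render_results_unsafe(PAYLOAD))   # frame lands in the page
    print(render_results_safe(PAYLOAD))     # only identifier characters survive
    print(render_results_safe("std::vector"))
```

Running the unsafe renderer on the constructed payload puts a live iframe into the page; the safe renderer reduces the same input to harmless identifier characters, and the escape step would neutralise any character the allowlist was later loosened to admit.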
[USN-4003-1] Qt vulnerabilities
- 3 CVEs addressed in Xenial, Bionic, Cosmic
- 3 likely DoS issues:
- Buffer overflow when handling invalid BMP images - did not check that the width and height parameters were valid / sensible before using them
- NULL pointer dereference on malformed GIF images
- Double free when parsing a specially crafted (illegally formatted) XML document
- 1 CVE addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Contains an embedded copy of SQLite which was vulnerable to a heap-based out-of-bounds read when handling invalid rtree tables
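As an added example (not Qt's decoder) of the missing dimension checks the BMP bullet is about: a minimal BMP header builder for constructed test input, the naive buffer-size calculation that trusts the header (with 32-bit wrap-around simulated so the overflow a native decoder would hit is visible), and a checked version that rejects nonsensical or oversized dimensions before anything is allocated. The limits and function names are assumptions for this example.

```python
"""Added example (not Qt's code): validating BMP dimensions before sizing a pixel buffer."""
import struct

# Limits are assumptions chosen for this example, not Qt's values.
MAX_DIMENSION = 1 << 15       # widest / tallest image we are willing to decode
MAX_PIXEL_BYTES = 1 << 28     # largest pixel buffer we are willing to allocate
UINT32_MAX = 0xFFFFFFFF


class BadBmp(ValueError):
    """Raised when a header fails validation."""


def build_bmp_header(width: int, height: int, bpp: int = 32) -> bytes:
    """Constructed input: BITMAPFILEHEADER + BITMAPINFOHEADER, no pixel data.
    Width and height are signed 32-bit, exactly as the format stores them."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, 0, 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + len(info), 0, 0, 14 + len(info))
    return file_hdr + info


def row_bytes(width: int, bpp: int) -> int:
    # BMP rows are padded to a 4-byte boundary.
    return ((width * bpp + 31) // 32) * 4


def pixel_bytes_unchecked(data: bytes) -> int:
    """The vulnerable shape: trust the header, multiply, use the result as a buffer size.
    The mask simulates the 32-bit unsigned arithmetic of a native decoder, so a header
    such as 65536x65536 yields a zero-byte buffer that the pixel data then overruns."""
    width, height = struct.unpack_from("<ii", data, 18)
    bpp, = struct.unpack_from("<H", data, 28)
    return (row_bytes(width, bpp) * abs(height)) & UINT32_MAX


def pixel_bytes_checked(data: bytes) -> int:
    """Hardened shape: reject bad magic, bit depth, signs, size limits and overflow first."""
    if len(data) < 54 or data[:2] != b"BM":
        raise BadBmp("not a BMP file")
    width, height = struct.unpack_from("<ii", data, 18)
    bpp, = struct.unpack_from("<H", data, 28)
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise BadBmp(f"unsupported bit depth {bpp}")
    # Width must be positive; height may be negative (top-down image) but never zero.
    if width <= 0 or height == 0:
        raise BadBmp(f"invalid dimensions {width}x{height}")
    if width > MAX_DIMENSION or abs(height) > MAX_DIMENSION:
        raise BadBmp(f"dimensions {width}x{height} exceed the decoder limit")
    size = row_bytes(width, bpp) * abs(height)
    if size > MAX_PIXEL_BYTES:
        raise BadBmp(f"pixel buffer of {size} bytes is too large")
    return size


def header_is_sane(data: bytes) -> bool:
    """True when the checked parser accepts the header."""
    try:
        pixel_bytes_checked(data)
    except BadBmp:
        return False
    return True


if __name__ == "__main__":
    print(pixel_bytes_unchecked(build_bmp_header(16, 16)))            # 1024
    print(pixel_bytes_unchecked(build_bmp_header(0x10000, 0x10000)))  # 0: wrapped
    print(pixel_bytes_unchecked(build_bmp_header(-1, 16)))            # huge: negative width
    print(header_is_sane(build_bmp_header(0x10000, 0x10000)))         # False
```

The two bad headers show the two failure modes the bullet alludes to: a negative width is nonsense that a signed-to-unsigned conversion turns into an enormous allocation, and a large but individually plausible width and height multiply to a size that wraps to zero, so the buffer is far smaller than the data written into it.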
[USN-4005-1] Linux kernel vulnerabilities
- 2 CVEs addressed in Disco
- Reliable Datagram Sockets (RDS) module was vulnerable to a race condition during network namespace cleanup that could lead to a use-after-free
- RDS is blacklisted by default in Ubuntu, and this can only be exploited by a local attacker
- NULL pointer dereference in LSI Logic MegaRAID driver
- 1 CVE addressed in Cosmic & Bionic HWE
- Old a.out binary format for 32-bit platforms - so only affects i386 kernel users, and only affects setuid a.out binaries (there are none in the archive)
- Kernel did not set up the new process's credentials early enough when executing a setuid a.out binary, so a local attacker could learn its memory layout and bypass ASLR, weakening system protections to more easily exploit some other existing vulnerability in the given setuid a.out binary
- Have also disabled a.out support in general going forward as this is a relic of the past
- 1 CVE addressed in Bionic & Xenial HWE
- Same a.out issue
- 4 CVEs addressed in Xenial, Trusty ESM (HWE)
- a.out issue, plus RDS and MegaRAID NULL pointer dereference
- Similar to the a.out issue, in general ASLR could be bypassed on setuid binaries due to a similar race condition in how credentials are set up on exec
- This fix also requires some AppArmor profile changes
- 4 CVEs addressed in Xenial
- Updated AppArmor profiles to handle the new kernel behaviour resulting from the fix for CVE-2019-11190 (ASLR bypass on setuid executables)
- With the fixed kernel, executing a binary now also requires the profile to grant mmap (m) permission on the executed binary, so ensure all current profiles are updated to add this permission on the appropriate exec rules
- 2 CVEs addressed in Precise ESM, Trusty ESM
- 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Heap buffer overflow when handling crafted JPEG files
- Integer overflow, leading to a possible out-of-bounds read when handling crafted MIME-encoded data
- (Xenial, Bionic, Cosmic and Disco only) - out-of-bounds read when handling crafted EXIF data -> crash, DoS or possible information disclosure from other memory
[USN-4010-1] Exim vulnerability
- 1 CVE addressed in Bionic, Cosmic
- Possible remote code execution in a popular MTA
- Embargo broke early - was expected to be public on 11th June - as a consequence, we released our update once the details were publicly known
- It was possible to include shell commands in a recipient's email address which would be expanded and executed by the exim process (and hence as root) - but, in the default configuration, this requires the attacker to keep a connection open to the server for 7 days by transmitting 1 byte every few minutes
[USN-3957-3] MariaDB vulnerabilities
- 2 CVEs addressed in Bionic
- Corresponding fixes for flaws originally reported in MySQL - now fixed in MariaDB (the community-maintained fork of MySQL) - see Episode 30
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- A sandbox is used when rendering user-provided (i.e. untrusted) templates
- It was possible to escape the sandbox and read arbitrary Python objects via Python's built-in string format method: attribute and index lookups inside a replacement field are resolved by str.format itself, so a template could walk from any exposed object to a function's __globals__ dictionary
- Was originally fixed in 2016 for the str.format method - but at the time the similar str.format_map method was missed - so both are fixed in this update
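As an added example (not the affected template engine's own code) of the mechanism the bullets describe: the same globals walk performed through str.format and through str.format_map, then a restricted formatter that refuses attribute and index access inside a field. The Document class, SECRET_KEY and the function names are constructed for this example; a production sandbox would route each lookup through its own attribute policy rather than refusing outright, which is the simpler form shown here.

```python
"""Added example: the str.format / str.format_map escape described above,
and one way a sandbox can close it. Not the template engine's own code."""
import string


SECRET_KEY = "constructed-secret-do-not-leak"   # module global a template should never see


class Document:
    """Stand-in for an object the sandbox deliberately exposes to templates (constructed)."""

    def __init__(self, title: str) -> None:
        self.title = title


def render_unsafe(template: str, doc: Document) -> str:
    # str.format resolves attribute (.) and index ([]) lookups inside a replacement
    # field itself, outside any sandbox policy. A template author can therefore walk
    # doc -> its class -> __init__ -> that function's __globals__ dictionary and read
    # any module-level name, here SECRET_KEY.
    return template.format(doc)


def render_unsafe_map(template: str, context: dict) -> str:
    # Identical walk through str.format_map, the method the 2016 fix missed.
    return template.format_map(context)


class RestrictedFormatter(string.Formatter):
    """Formatter that only resolves plain field names ("{title}", "{0}").

    Any '.' or '[' inside a field name is refused before lookup happens, so the
    globals walk above cannot start. (Assumed policy for this example.)
    """

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"attribute/index access refused in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_restricted(template: str, context: dict) -> str:
    return RestrictedFormatter().vformat(template, (), context)


def restricted_rejects(template: str, context: dict) -> bool:
    """True when the restricted formatter refuses the template."""
    try:
        render_restricted(template, context)
    except ValueError:
        return True
    return False


# Constructed attacker templates: positional form for str.format, named for format_map.
ESCAPE_POSITIONAL = "{0.__class__.__init__.__globals__[SECRET_KEY]}"
ESCAPE_NAMED = "{doc.__class__.__init__.__globals__[SECRET_KEY]}"


if __name__ == "__main__":
    doc = Document("report")
    print(render_unsafe(ESCAPE_POSITIONAL, doc))           # leaks SECRET_KEY
    print(render_unsafe_map(ESCAPE_NAMED, {"doc": doc}))   # leaks SECRET_KEY too
    print(render_restricted("Title: {title}", {"title": doc.title}))
    print(restricted_rejects(ESCAPE_NAMED, {"doc": doc}))  # True
```

The two escape templates are the reason a sandbox must treat str.format and str.format_map as the same primitive: any object handed to a template carries a path back to the module namespace through its class, and blocking only one of the two entry points leaves the other open.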
[USN-3991-2] Firefox regression
- 17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- The previous Firefox 67.0 update had broken code for checking versions on upgrade, and could wrongly conclude you had downgraded the browser when it had in fact been upgraded, and therefore treat the old profile data as invalid
Goings on in Ubuntu Security Community
Alex and Joe talk about recent malware campaigns
Hiring
Robotics Security Engineer
Security Certifications Engineer
Get in contact