Overview
Security updates for DBus, vim, elfutils, GLib and more, plus Joe and Alex look at another npm package hijack as well as some wider discussions around the big vim RCE of this week.
This week in Ubuntu Security Updates
43 unique CVEs addressed
[USN-4012-1] elfutils vulnerabilities
- 9 CVEs addressed in Xenial, Bionic, Cosmic
- Mix of issues found via fuzzing with ASAN - all resulting in crash -> DoS
from crafted input files
- multiple heap-based buffer over-reads in various libraries (libelf,
libdw) on crafted ELF input
- divide-by-zero on crafted ELF input in arlib (used by ar, ranlib and
other tools to process .a archive files)
- multiple invalid pointer dereferences
- double-free in libelf on crafted ELF input
[USN-4013-1] libsndfile vulnerabilities
- 13 CVEs addressed in Xenial, Bionic, Cosmic
- Range of issues from crashes (DoS) to possible RCE, again found via fuzzing with ASAN
- Multiple heap-based buffer over-reads on crafted audio files (WAV, ALAW, AIFF)
- NULL pointer dereference
- Stack-based buffer overflow - crash -> DoS or possible RCE on crafted input
- Divide-by-zero errors
GLib vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- GLib contains GIO, a library that abstracts file I/O operations
- During a file copy, GIO would create the new file with default permissions
and only set the correct permissions (based on the original file's
permissions) once the copy was done
- Could allow other users to read the file during the copy process
- Fixed by creating the new file with restrictive permissions (accessible
only by the current user) from the start, which closes that window
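As an added example (not GLib's or GIO's own code), the race described above simulated in Python on a POSIX system: copy_then_chmod follows the unpatched pattern (default-permission file first, chmod at the end) and copy_restrictive the fixed one (owner-only from creation). A hypothetical probe hook stands in for another local user looking at the file mid-copy and records the permission bits they would see. The function names, the sample file and the umask value are constructed for this illustration.

```python
import os
import shutil
import stat
import tempfile
from typing import Callable, Optional, Tuple

# Hypothetical hook standing in for another local user inspecting the
# destination while the copy is still in progress (not a GIO API).
Probe = Optional[Callable[[str], None]]


def copy_then_chmod(src: str, dst: str, probe: Probe = None) -> None:
    """The behaviour described for the unpatched GIO: the destination is
    created with default (umask-derived) permissions, filled, and only then
    given the source file's mode."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:   # default mode
        shutil.copyfileobj(fin, fout)
    if probe:
        probe(dst)   # the window: dst exists but still has default perms
    os.chmod(dst, stat.S_IMODE(os.stat(src).st_mode))


def copy_restrictive(src: str, dst: str, probe: Probe = None) -> None:
    """The fixed behaviour: create the destination owner-only (0600) with
    O_CREAT|O_EXCL, fill it, then widen it to the source's mode at the end."""
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fout, open(src, "rb") as fin:
        shutil.copyfileobj(fin, fout)
    if probe:
        probe(dst)   # same point in time, but dst is already 0600
    os.chmod(dst, stat.S_IMODE(os.stat(src).st_mode))


def modes_seen(copy_fn, src_mode: int = 0o640, umask: int = 0o022) -> Tuple[int, int]:
    """Copy a constructed 'secret' file of mode src_mode with copy_fn and
    return (permission bits visible mid-copy, final permission bits)."""
    seen = {}
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "secret.txt")
            dst = os.path.join(d, "secret-copy.txt")
            with open(src, "wb") as f:
                f.write(b"constructed sample content\n")
            os.chmod(src, src_mode)
            copy_fn(src, dst, probe=lambda p: seen.__setitem__(
                "during", stat.S_IMODE(os.stat(p).st_mode)))
            seen["final"] = stat.S_IMODE(os.stat(dst).st_mode)
    finally:
        os.umask(old_umask)
    return seen["during"], seen["final"]


if __name__ == "__main__":
    print("unpatched: during=%o final=%o" % modes_seen(copy_then_chmod))
    print("fixed:     during=%o final=%o" % modes_seen(copy_restrictive))
```

With a 0022 umask the unpatched pattern leaves the half-written copy world-readable (0644) until the final chmod, while the fixed pattern keeps it at 0600 throughout; both end at the source's 0640. The temporary directory used here is itself private, so the demonstration only shows the mode bits, not an actual cross-user read.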
DBus vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- DBus includes multiple authentication mechanisms - usually it would just use
credentials passed via UNIX sockets (secure, since the kernel enforces
them), but this is not supported on all platforms (Windows etc)
- So includes another authentication mechanism - DBUS_COOKIE_SHA1
- In this case, the authenticating user has to prove they are who they
say by being able to read and provide a magic value from a keyring file
which dbus drops in the user’s home directory
- By abusing symlinks, it would be possible to point the local user’s
keyring at some other file and cause DBus to read / write a file which was
not intended
- This could further be abused to point your local dbus keyring at root’s
and cause DBus to eventually confuse the local user’s authentication to
the bus with that of the root user, allowing an unprivileged user to
authenticate as root and so then perform operations as root via DBus
- Fixed by simply only allowing DBUS_COOKIE_SHA1 to authenticate as the
same user as the DBus server owner - i.e. if running DBus as root you can
only authenticate as root, not as your local user (since this use-case is
not actually used in practice)
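As an added example that is not dbus's own code: a Python helper showing the defensive handling the story above calls for when a server reads a keyring file from a directory the client controls (refuse symlinks with O_NOFOLLOW, then validate owner and mode on the descriptor that was actually opened), plus the same-user policy the fix adopts. open_keyring_safely, cookie_auth_allowed, demo and the file names are hypothetical, and the scenario runs in a temporary directory on a POSIX system.

```python
import errno
import os
import stat
import tempfile
from typing import Dict


class KeyringError(Exception):
    """Raised when the keyring file cannot be trusted."""


def open_keyring_safely(path: str, expected_uid: int) -> bytes:
    """Read a per-user keyring file from a client-controlled directory.
    Refuses symlinks (O_NOFOLLOW), then checks the file that was actually
    opened: regular, owned by expected_uid, not group/world accessible.
    Hypothetical helper, not dbus's own code."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):   # symlink refused
            raise KeyringError("keyring path is a symlink") from e
        raise
    with os.fdopen(fd, "rb") as f:        # checks run on the open fd, so the
        st = os.fstat(f.fileno())         # path cannot be swapped underneath
        if not stat.S_ISREG(st.st_mode):
            raise KeyringError("keyring is not a regular file")
        if st.st_uid != expected_uid:
            raise KeyringError("keyring not owned by the authenticating user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise KeyringError("keyring is group/world accessible")
        return f.read()


def cookie_auth_allowed(claimed_uid: int, server_uid: int) -> bool:
    """The policy the fix adopts: cookie authentication may only claim the
    identity of the user the bus daemon itself runs as."""
    return claimed_uid == server_uid


def demo() -> Dict[str, object]:
    """Constructed scenario: a proper keyring, a symlink pointing at some
    other file, and a keyring with loose permissions."""
    uid = os.getuid()
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "org_freedesktop_general")
        with open(good, "wb") as f:
            f.write(b"constructed-cookie-1234\n")
        os.chmod(good, 0o600)
        other = os.path.join(d, "some_other_file")   # file the user should not reach
        open(other, "wb").close()
        link = os.path.join(d, "linked")
        os.symlink(other, link)
        loose = os.path.join(d, "loose")
        with open(loose, "wb") as f:
            f.write(b"x")
        os.chmod(loose, 0o644)

        out["good"] = open_keyring_safely(good, uid)
        for name, p in (("link", link), ("loose", loose)):
            try:
                open_keyring_safely(p, uid)
                out[name] = "accepted"
            except KeyringError as e:
                out[name] = str(e)
    out["same_user"] = cookie_auth_allowed(1000, 1000)
    out["cross_user"] = cookie_auth_allowed(0, 1000)   # session bus, claiming root
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Doing the checks on the descriptor rather than on the path matters: a stat-then-open sequence can be raced by swapping the path between the two calls, whereas fstat describes exactly the file that will be read.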
[USN-4016-1] Vim vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Most over-hyped bug of the week
- Will discuss with Joe later in the episode, but briefly:
- Vim includes support for ‘modelines’
- This allows files to include custom settings such as indentation, file
type etc so that editing is consistent
- Only a subset of vim commands is permitted - i.e. set - and not every
option can be set from a modeline - the whole mechanism is meant to be
side-effect free
- However, the source! command is still allowed - this reads extra
commands from a file as though typed by the user, and does so outside
the sandbox
- So it is possible to bypass the sandbox and execute arbitrary commands via
the modeline (since vim supports running external commands from the
editor itself)
- PoC included running a reverse shell by just opening a crafted file
- However, modelines are disabled by default in Debian (and hence Ubuntu),
so unless a user had specifically enabled them in their own vimrc they are
safe
- Patched to disable sourcing a file from the modeline or from within the
sandbox at all
- One extra low-priority issue where vim could be made to crash via a
crafted spell file (used to store local spelling additions etc.)
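As an added example (not vim's code and not the PoC mentioned above): a small Python scanner that pulls modelines out of the window vim honours (the first and last five lines by default) and reports any option that is not on a formatting-only allowlist, which is one way a defender might triage a repository or an inbox of files for unusual modelines. The allowlist, the regular expressions and the sample files are constructed for this example.

```python
import re
from typing import List, Tuple

# Vim only honours modelines in the first and last 'modelines' lines
# (default 5), so that is the window this scanner looks at.
MODELINES = 5

# Formatting-only options this scanner accepts from a file.  Constructed
# allowlist for this example; anything not on it is reported for review.
ALLOWED = {
    "ts", "tabstop", "sw", "shiftwidth", "sts", "softtabstop",
    "et", "expandtab", "tw", "textwidth", "ai", "autoindent",
    "cin", "cindent", "ft", "filetype", "syn", "syntax",
    "ff", "fileformat", "fenc", "fileencoding", "wrap", "nu", "number",
}

# "vi:", "vim:", "Vim:" or "ex:" preceded by start-of-line or whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")
# Second modeline form: "set <options>:" where the first unescaped ':' ends it.
SET_RE = re.compile(r"^se(?:t)?\s+(.*?)(?<!\\):")


def parse_modeline(line: str) -> List[str]:
    """Return the option tokens of a modeline, or [] if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    body = m.group(1)
    sm = SET_RE.match(body)
    if sm:                                   # "vim: set ts=4 sw=4:" form
        return sm.group(1).split()
    # First form: options separated by whitespace or unescaped ':' to end of line
    return [t for t in re.split(r"\s+|(?<!\\):", body) if t]


def suspicious_tokens(tokens: List[str]) -> List[str]:
    """Tokens whose option name is not allowlisted, or that embed '!' or '|'."""
    bad = []
    for tok in tokens:
        name = tok.split("=", 1)[0]
        if name.startswith("no") and name[2:] in ALLOWED:   # noet, nowrap, ...
            name = name[2:]
        if name not in ALLOWED or any(c in tok for c in "!|"):
            bad.append(tok)
    return bad


def scan_text(text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan the modeline window of `text`; return (line_no, line, tokens) findings."""
    lines = text.splitlines()
    window = list(range(min(MODELINES, len(lines))))
    window += [i for i in range(max(len(lines) - MODELINES, 0), len(lines))
               if i not in window]
    findings = []
    for i in window:
        bad = suspicious_tokens(parse_modeline(lines[i]))
        if bad:
            findings.append((i + 1, lines[i].strip(), bad))
    return findings


# Constructed sample files: a clean one, one with an unlisted option that a
# reviewer should look at, and one whose modeline sits outside vim's window.
SAMPLES = {
    "benign.py": "#!/usr/bin/env python3\n# vim: set ts=4 sw=4 et:\nprint('x')\n",
    "review.c": "/* vim: set ts=4 statusline=%f: */\nint main(void) { return 0; }\n",
    "deep.txt": "\n".join(["a"] * 6 + ["# vim: set statusline=%f:"] + ["b"] * 6),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan_text(text) or "clean")
```

The scanner is a triage heuristic, not a parser of vim's full option grammar; it deliberately errs on the side of reporting anything it does not recognise. The robust mitigation remains leaving modelines off (set nomodeline, the Debian default noted above) and applying the patched packages.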
[USN-4016-2] Neovim vulnerability
- 1 CVE addressed in Cosmic, Disco
- See above from vim :)
[USN-3991-3] Firefox regression
- 17 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Episode 33 - Firefox update to version 67.0 - contained a regression, so it
was updated to 67.0.1 (Episode 35) - this also contained another regression
where Firefox would fail to load correctly if run in safe mode, so
upstream released 67.0.2, which is this new update.
Goings on in Ubuntu Security Community
Alex and Joe talk about another npm package hijack attack and the vim issue
Hiring
Robotics Security Engineer
Get in contact