Overview
The big new this week is SackPANIC! updates for the Linux kernel, plus we look at vulnerabilities in, and updates for, Samba, SQLite, Bind, Thunderbird and more, and we are hiring!
This week in Ubuntu Security Updates
36 unique CVEs addressed
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- SACK Panic - will be discussed in more detail with Joe later in the show
- Livepatch (LSN-0052-1) also available for Xenial and Bionic
[USN-4018-1] Samba vulnerabilities
- 2 CVEs addressed in Disco
- Two DoS issues (both NULL ptr dereferences) only affecting most recent Samba versions
- One in AD DC DNS mgmt server RPC process
- Only an authenticated user could trigger this
- Other in LDAP server - user with read access to the directory could
trigger NULL ptr dereference via the paged search control
- 12 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- 7 CVEs addressed in Precise ESM, Trusty ESM
- Mix of various issues, most involving various memory corruption problems
- UAFs, DoS (crash), heap-based buffer over-reads (crash -> DoS or
possible information disclosure), incorrect use of temporary
directories, race-condition leading to NULL pointer dereference,
integer overflow -> buffer overflow -> crash / code execution
[USN-4021-1] libvirt vulnerabilities
- 2 CVEs addressed in Cosmic, Disco
- DoS where some APIs in the guest agents could be accessed by read-only
users - this would cause libvirt to block and cause a DoS
- Privilege escalation due to insecure permissions on the virt-lockd and
virt-logd UNIX domain sockets - these are created by systemd unit files
but were created as world writable - and the daemons don’t try and
authenticate the user - so anyone could use these sockets to potentially
elevate privileges - so fixed by ensuring the systemd socket definitions
specify the right mode.
[USN-4020-1] Firefox vulnerability
- 1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Firefox 67.0.3 which fixes a remotely exploitable crash or possible code
execution problem due to type confusion in the Javascript engine -
reports this was used to target various cryptocurrency exchanges by
delivering Windows and Mac malware to them
- Affecting Xenial, Bionic
- Updated the AppArmor profile for evince to ensure it restricts access to
various private file directories, and to address various issues raised by
Jann Horn of GPZ - in particular limiting access to various DBus services
[USN-4026-1] Bind vulnerability
- 1 CVEs addressed in Bionic, Cosmic, Disco
- DoS (crash due to assertion failure) caused by a race condition when
handling malformed packets
[USN-4028-1] Thunderbird vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Various issues in handling of iCal data - all remotely triggerable by crafted emails:
- Crash due to type-confusion
- Both a stack and 2 separate heap buffer overflows - either could
potentially be exploitable to execute arbitrary code
[USN-4027-1] PostgreSQL vulnerability
- 1 CVEs addressed in Bionic, Cosmic, Disco
- “Stack buffer overflow by setting a password” - authenticated user could
set their password to a specially constructed value which when processed
by PostgreSQL would cause it to crash, or possible execute arbitrary code
in the context of the PostgreSQL server
[USN-4023-1] Mosquitto vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic
- Remotely triggerable memory leak (by unauthenticated users) could be used
to crash the Mosquitto Broker -> DoS
- Different DoS where one client could cause others to be disconnected by
sending invalid an UTF-8 topic string - which would cause other clients
which do reject invalid UTF-8 to disconnect themselves
[USN-3977-3] Intel Microcode update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Episode 32 covered most recent Intel CPU vulnerabilities (MDS) -
mitigated by a combination of microcode and kernel updates - this
provides microcode updates for the Sandy Bridge family of Intel
processors
[USN-4030-1] web2py vulnerabilities
- 5 CVEs addressed in Xenial
- Various issues including:
- Possible RCE (was serializing encryption key info into a session
cookie) which could then be read by an attacker since it also made
session cookie accessible via an API endpoint
- Sample web application used a hard-coded encryption key which could
also allow attackers to do RCE as they could easily interpose on the
session
- Environment variables were exposed by an example API endpoint which
exposed host info and so remote attackers could then possibly gain
admin access
- Lacked brute-force password protection as wouldn’t reject already
denied hosts from repeatedly trying
Goings on in Ubuntu Security Community
Alex and Joe talk about the SACK Panic issues discovered by Netflix
Hiring
Robotics Security Engineer
Ubuntu Security Engineer
Get in contact