Sveriges mest populära poddar

Ubuntu Security Podcast

Episode 37

20 min • 28 juni 2019

Overview

The big new this week is SackPANIC! updates for the Linux kernel, plus we look at vulnerabilities in, and updates for, Samba, SQLite, Bind, Thunderbird and more, and we are hiring!

This week in Ubuntu Security Updates

36 unique CVEs addressed

[USN-4017-1, USN-4017-2] Linux kernel vulnerabilities

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • SACK Panic - will be discussed in more detail with Joe later in the show
  • Livepatch (LSN-0052-1) also available for Xenial and Bionic

[USN-4018-1] Samba vulnerabilities

  • 2 CVEs addressed in Disco
  • Two DoS issues (both NULL ptr dereferences) only affecting most recent Samba versions
    • One in AD DC DNS mgmt server RPC process
      • Only an authenticated user could trigger this
    • Other in LDAP server - user with read access to the directory could trigger NULL ptr dereference via the paged search control

[USN-4019-1, USN-4019-2] SQLite vulnerabilities

[USN-4021-1] libvirt vulnerabilities

  • 2 CVEs addressed in Cosmic, Disco
  • DoS where some APIs in the guest agents could be accessed by read-only users - this would cause libvirt to block and cause a DoS
  • Privilege escalation due to insecure permissions on the virt-lockd and virt-logd UNIX domain sockets - these are created by systemd unit files but were created as world writable - and the daemons don’t try and authenticate the user - so anyone could use these sockets to potentially elevate privileges - so fixed by ensuring the systemd socket definitions specify the right mode.

[USN-4020-1] Firefox vulnerability

  • 1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Firefox 67.0.3 which fixes a remotely exploitable crash or possible code execution problem due to type confusion in the Javascript engine - reports this was used to target various cryptocurrency exchanges by delivering Windows and Mac malware to them

[USN-4024-1] Evince update

  • Affecting Xenial, Bionic
  • Updated the AppArmor profile for evince to ensure it restricts access to various private file directories, and to address various issues raised by Jann Horn of GPZ - in particular limiting access to various DBus services

[USN-4026-1] Bind vulnerability

  • 1 CVEs addressed in Bionic, Cosmic, Disco
  • DoS (crash due to assertion failure) caused by a race condition when handling malformed packets

[USN-4028-1] Thunderbird vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Various issues in handling of iCal data - all remotely triggerable by crafted emails:
    • Crash due to type-confusion
    • Both a stack and 2 separate heap buffer overflows - either could potentially be exploitable to execute arbitrary code

[USN-4027-1] PostgreSQL vulnerability

  • 1 CVEs addressed in Bionic, Cosmic, Disco
  • “Stack buffer overflow by setting a password” - authenticated user could set their password to a specially constructed value which when processed by PostgreSQL would cause it to crash, or possible execute arbitrary code in the context of the PostgreSQL server

[USN-4023-1] Mosquitto vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Cosmic
  • Remotely triggerable memory leak (by unauthenticated users) could be used to crash the Mosquitto Broker -> DoS
  • Different DoS where one client could cause others to be disconnected by sending invalid an UTF-8 topic string - which would cause other clients which do reject invalid UTF-8 to disconnect themselves

[USN-3977-3] Intel Microcode update

[USN-4030-1] web2py vulnerabilities

  • 5 CVEs addressed in Xenial
  • Various issues including:
    • Possible RCE (was serializing encryption key info into a session cookie) which could then be read by an attacker since it also made session cookie accessible via an API endpoint
    • Sample web application used a hard-coded encryption key which could also allow attackers to do RCE as they could easily interpose on the session
    • Environment variables were exposed by an example API endpoint which exposed host info and so remote attackers could then possibly gain admin access
    • Lacked brute-force password protection as wouldn’t reject already denied hosts from repeatedly trying

Goings on in Ubuntu Security Community

Alex and Joe talk about the SACK Panic issues discovered by Netflix

Hiring

Robotics Security Engineer

Ubuntu Security Engineer

Get in contact

Kategorier
Förekommer på
00:00 -00:00