Overview
This week we look at the latest security updates for the Linux kernel, Firefox, ImageMagick, OpenStack and more, plus we have a special guest, the maintainer and lead developer of the AppArmor project, John Johansen, to talk about the project and some of the upcoming features.
This week in Ubuntu Security Updates
55 unique CVEs addressed
[USN-4031-1] Linux kernel vulnerability
- 1 CVE addressed in Bionic, Cosmic, Disco
- 64-bit PowerPC (ppc64el) memory management issue - introduced in the 4.17 kernel - so only affects Cosmic/Disco, or Bionic when using the HWE kernel
- Different processes might be able to read / write each other's virtual memory
- Requirements:
  - Must be using the hash page table (HPT) MMU - eg. PowerPC 970 (G5), PA6T, Power5/6/7/8/9
    - By default Power9 bare-metal uses the Radix MMU so is not affected unless this has been explicitly disabled via the kernel command-line
    - KVM guests would also be affected in that case, or if they are themselves explicitly configured to use the HPT MMU
    - Logical partitions (LPARs) under PowerVM on Power9 would be affected as they always use the HPT MMU
  - Need to allocate memory above 512TB - only possible via mmap()
    - Any child process (fork()) receives the same context-id for the memory mapping so can just read/write the mappings above 512TB
    - If the child exits, a 3rd process could be reallocated the same context-id and so could then read/write them also
- Only a subset of PowerPC systems will be affected by this, and they would need to be running applications which allocate above 512TB, so whilst it is high impact there is a low probability of being at risk
[USN-4032-1] Firefox vulnerability
- 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
- Firefox 67.0.4 - latest upstream release
- Possible for a sandboxed child process to escape the sandbox by using IPC to send a Prompt:Open message to the parent, which would then process web content on behalf of the child
  - Since the parent is not sandboxed, it could then be exploited (say by leveraging another vulnerability such as the one discussed last week for Firefox) for arbitrary code execution
[USN-4033-1] libmysofa vulnerability
- 1 CVE addressed in Bionic, Cosmic, Disco
- C library to read SOFA (Spatially Oriented Format for Acoustics) files
- Used by lots of different applications that handle audio, like gstreamer, ffmpeg, smplayer, blender etc
- Integer overflow leading to buffer overflow - crash -> DoS or possible code execution
[USN-4034-1] ImageMagick vulnerabilities
- 30 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Used by many automated systems for image processing etc
- Many memory corruption issues fixed - most able to cause at least a crash (DoS) but it might be possible to also get RCE
- Also updated the default policy to disable support for the PostScript and PDF formats (since these are handled by Ghostscript, which has a long history of security issues itself) - Cosmic + Disco
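The policy change above is made in ImageMagick's policy.xml via `<policy domain="coder" rights="none" pattern="..."/>` entries. The following is an added example for these notes, not ImageMagick's or Ubuntu's own tooling: a small checker that parses a policy file and reports which Ghostscript-backed coders are still enabled, with a constructed permissive policy beside the hardened form. The set of coders treated as Ghostscript-backed is an assumption for the example.

```python
"""Check an ImageMagick policy.xml for the PostScript/PDF coder restrictions.
Example code written for these notes (not ImageMagick's or Ubuntu's code);
the two sample policies below are constructed for illustration."""
import xml.etree.ElementTree as ET
from typing import List

# Assumption: the coders that hand input to Ghostscript and which a hardened
# policy should disable (the notes mention PostScript and PDF).
GHOSTSCRIPT_CODERS = ["PS", "PS2", "PS3", "EPS", "PDF", "XPS"]


def unrestricted_coders(policy_xml: str) -> List[str]:
    """Return the Ghostscript-backed coders NOT disabled by a
    <policy domain="coder" rights="none" pattern="..."/> entry."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            blocked.add(pol.get("pattern", "").upper())
    return [coder for coder in GHOSTSCRIPT_CODERS if coder not in blocked]


# Constructed: a permissive policy with no coder restrictions at all ...
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# ... and the hardened form that disables the Ghostscript-backed coders.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""

if __name__ == "__main__":
    print("weak policy leaves enabled:    ", unrestricted_coders(WEAK_POLICY))
    print("hardened policy leaves enabled:", unrestricted_coders(HARDENED_POLICY))
```

To audit a real system, pass the contents of the installed policy.xml (for example /etc/ImageMagick-6/policy.xml) to unrestricted_coders().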
[USN-4035-1] Ceph vulnerabilities
- 4 CVEs addressed in Xenial, Cosmic, Disco
- 2 CVEs affect ceph in Xenial
  - dm-crypt disk encryption keys could be read by users with read-only permissions - fixed to require an explicit permission to read keys
  - DoS from authenticated RGW users
- 2 CVEs affect Cosmic + Disco
  - Does not properly sanitize encryption keys when outputting debug log information for v4 auth - so encryption keys would be written in plaintext to debug logs
    - fixed to sanitize before output
    - won't be fixed for Xenial since upstream hasn't backported this and there are many instances of other sensitive info being logged there as well
  - DoS by unauthenticated remote users via the civetweb frontend - as they could create connections to a RADOS gateway to exhaust file descriptors for the gateway service, causing it to run out and fail to create new connections
[USN-4036-1] OpenStack Neutron vulnerability
- 1 CVE addressed in Xenial, Cosmic
- Networking abstraction layer of OpenStack
- Allows you to define security groups with rules which then get executed by a driver using a particular underlying technology
- Rules can specify protocols and source / destination ports
- The iptables driver would execute the rules, but if it encountered an error (such as a protocol being specified along with a port when that protocol doesn't support ports - like VRRP) then it would error out and not apply the remaining rules from the security group
  - So one bad rule could block other rules from being applied
- Fixed to ensure port arguments are only applied to protocols which support them
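To make the failure mode concrete, here is an added example written for these notes (not Neutron's own code): a minimal model of the driver translating security-group rules into iptables arguments and applying them in order, stopping at the first error as the vulnerable driver did. The rule dictionary format, the stand-in for iptables, the set of port-carrying protocols and the sample rules are all constructed for the example.

```python
"""Model of the Neutron iptables-driver failure mode described above.
Example code for these notes, not Neutron's implementation: the rule dict
format, the fake iptables, and the sample rules are constructed."""
from typing import Dict, List, Tuple

# Assumption: the IP protocols for which iptables accepts --dport.
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "udplite", "dccp"}


def fake_iptables(args: List[str]) -> None:
    """Stand-in for the iptables binary: rejects --dport on a protocol
    that has no ports, which is what happened for the VRRP rule."""
    proto = args[args.index("-p") + 1]
    if "--dport" in args and proto not in PORT_PROTOCOLS:
        raise ValueError(f"iptables: --dport not valid for protocol {proto}")


def rule_to_args(rule: Dict, strict_ports: bool) -> List[str]:
    """Translate one security-group rule into iptables arguments.
    strict_ports=False reproduces the pre-fix behaviour (a port is always
    emitted); strict_ports=True only emits ports for PORT_PROTOCOLS."""
    proto = rule["protocol"]
    args = ["-p", proto, "-s", rule["source"], "-j", "RETURN"]
    port = rule.get("port")
    if port is not None and (not strict_ports or proto in PORT_PROTOCOLS):
        args[4:4] = ["--dport", str(port)]  # insert before the jump target
    return args


def apply_security_group(rules: List[Dict], strict_ports: bool) -> Tuple[List[str], str]:
    """Apply rules in order and, like the vulnerable driver, stop at the
    first error. Returns (ids of rules applied, error message or '')."""
    applied: List[str] = []
    for rule in rules:
        try:
            fake_iptables(rule_to_args(rule, strict_ports))
        except ValueError as exc:
            return applied, str(exc)
        applied.append(rule["id"])
    return applied, ""


# Constructed sample group: a VRRP rule that (wrongly) carries a port,
# followed by the rules the tenant's workload actually depends on.
SAMPLE_RULES = [
    {"id": "allow-vrrp", "protocol": "vrrp", "port": 80, "source": "10.0.0.0/24"},
    {"id": "allow-ssh", "protocol": "tcp", "port": 22, "source": "10.0.0.0/24"},
    {"id": "allow-https", "protocol": "tcp", "port": 443, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print("before fix:", apply_security_group(SAMPLE_RULES, strict_ports=False))
    print("after fix: ", apply_security_group(SAMPLE_RULES, strict_ports=True))
```

Before the fix the VRRP rule fails and the SSH and HTTPS rules never get applied; after the fix the port is dropped from the VRRP rule and all three rules apply.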
[USN-4037-1] policykit-desktop-privileges update
- Affecting Xenial, Bionic, Cosmic, Disco
- PolicyKit policy update for USB Creator
- Previously would allow a user with admin privileges (ie. in the admin/sudo group) to overwrite disks (ie. create bootable USB images) without prompting for authentication
- Now updated to require the user to also authenticate
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- UAF via crafted bzip2 file - crash, DoS
- OOB write from a crafted bzip2 file which contains too many selectors - possible RCE
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- CPU DoS if XML names contain a large number of colons (used to specify a namespace prefix)
[USN-4042-1] poppler vulnerabilities
- 13 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Usual mix of issues
  - Memory leak
  - Stack exhaustion -> crash, DoS
  - 3x heap-based buffer over-reads
  - NULL pointer dereference
  - Various floating point exception issues
  - Assertion failure
  - Heap-based buffer under-write - ie. a write at a negative index of a heap-allocated buffer - crash, DoS or possible RCE via heap metadata or object corruption
- 1 CVE addressed in Trusty ESM (HWE), Xenial, Bionic, Cosmic, Disco
- Final SACK Panic issue (Episode 37) - added a sysctl to easily set the minimum MSS (usually hard-coded to 48) - so it can be increased to avoid this DoS issue
Goings on in Ubuntu Security Community
AppArmor interview with John Johansen
Hiring
Robotics Security Engineer
Ubuntu Security Engineer
Get in contact