
Ubuntu Security Podcast

Episode 41

26 min • 5 August 2019

Overview

With Alex and Joe having been away at a Canonical sprint last week, we look back at the past fortnight’s security updates including new Linux kernel releases, MySQL, VLC, Django and more plus we discuss a recent Citrix password spraying attack.

This week in Ubuntu Security Updates

90 unique CVEs addressed

[USN-4066-2] ClamAV vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM
  • Follow-up to the libmspack buffer overflow from Episode 40 - ClamAV in older releases ships its own embedded copy of libmspack, so it is affected and needs a separate fix

[USN-4065-2] Squid vulnerabilities

  • Follow-up to Episode 40 (memory corruption issues)

[USN-4067-1] Evince vulnerability

  • 1 CVE addressed in Xenial
  • Integer overflow leading to a buffer overflow when handling embedded TIFF content in PDF documents
  • DoS, possibly RCE

[USN-4068-1, USN-4068-2] Linux kernel vulnerabilities

  • 4 CVEs addressed in Bionic and Xenial (HWE)
  • 2 information disclosure vulnerabilities, each exposing kernel memory to user-space and so potentially leaking sensitive information (keys, pointers that help defeat ASLR, etc):
    • Bluetooth Human Interface Device Protocol (HIDP) socket ioctl() failed to NUL terminate the name field
    • Ext4 file-system did not zero out unused regions in extents tree blocks which are returned to user-space
  • Use-after-free due to a race condition in the Reliable Datagram Sockets (RDS) protocol module -> crash / code execution
    • The rds module is blacklisted by default in Ubuntu, and contrary to the original CVE description this is not likely to be remotely exploitable since the use-after-free only occurs on network namespace cleanup
  • Intel i915 graphics driver failed to validate ranges for mmap() in some places
    • A local attacker who already has access to the device could use this to crash the system or achieve code execution -> privilege escalation

[USN-4076-1] Linux kernel vulnerabilities

  • 6 CVEs addressed in Xenial
  • Freescale Hypervisor Manager (HVM) for PowerPC - used an unvalidated size parameter from ioctl() for page size calculations - a local attacker could use this to cause various memory corruption issues, possibly resulting in privilege escalation or code execution (only enabled in the Xenial 4.4 kernel)
  • Broadcom wifi driver could accept firmware event frames received over the air when the device is attached via USB, rather than only events generated by the device's own firmware - allows a remote attacker to send firmware events to the driver, with unspecified impact
  • Possible seccomp bypass for policies that use ptrace on ARM - a tracing process could modify a syscall parameter after the seccomp decision for that syscall had been made, and so violate the policy
  • Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
  • Race condition in the Serial Attached SCSI (SAS) code could possibly result in a UAF -> crash, or code execution

[LSN-0053-1] Linux kernel vulnerability

[USN-4069-1, USN-4069-2] Linux kernel vulnerabilities

  • 4 CVEs addressed in Disco and Bionic (HWE)
  • The 2 information disclosure issues mentioned for the Bionic/Xenial HWE above (4.15 kernel) - Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
  • Race condition in coredump generation - a local user can trigger a coredump for a process which races with other memory management handling and so could result in access to invalid memory regions - crash -> DoS or information disclosure
  • Integer overflow of page reference counts -> UAF
    • Requires a system with at least 140GB of RAM to be affected

[USN-4070-1] MySQL vulnerabilities

[USN-4071-1, USN-4071-2] Patch vulnerabilities

  • 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco
  • OS shell command injection via a crafted patch file - shell metacharacters in the patch can be used to take control of the patch invocation
  • Mishandles symlinks, which allows a crafted patch file to overwrite arbitrary files
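As an added example (not GNU patch's own code), the symlink mishandling above reduced to a minimal Python reproduction: a write that goes through plain open() follows a planted symlink and clobbers its target, while the hardened version opens the output with O_NOFOLLOW and refuses. The temp-directory layout, the file names and the function names are constructed for illustration; the symlink stands in for one a crafted patch could plant before a later hunk writes to that name.

```python
import errno
import os
import tempfile


def write_following_symlinks(path: str, data: bytes) -> str:
    """Vulnerable pattern: open() follows a symlink at path, so the bytes end up
    in whatever the link points at. Returns the file that was actually written."""
    with open(path, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def write_nofollow(path: str, data: bytes) -> str:
    """Hardened: O_NOFOLLOW makes open(2) fail if the final path component is a
    symlink, so the check and the open are one atomic step (no lstat-then-open
    race). Parent directories are still trusted; see the note below."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        # Linux reports ELOOP for a symlink final component; re-raise anything else.
        if exc.errno == errno.ELOOP or os.path.islink(path):
            raise PermissionError(f"refusing to write through symlink: {path}") from exc
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def demo() -> dict:
    """Plant a symlink named like an output file and try both writers on it
    (constructed scenario inside a throwaway temp directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")   # stands in for a file the patch must not touch
        with open(victim, "wb") as f:
            f.write(b"original\n")
        output = os.path.join(tmp, "patched.txt")   # the name a patch hunk would write to
        os.symlink(victim, output)                  # the planted symlink

        written_to = write_following_symlinks(output, b"attacker controlled\n")
        naive_hit_victim = written_to == os.path.realpath(victim)
        with open(victim, "rb") as f:
            after_naive = f.read()

        try:
            write_nofollow(output, b"attacker controlled again\n")
            refused = False
        except PermissionError:
            refused = True
        with open(victim, "rb") as f:
            after_hardened = f.read()

        # A fresh, non-symlink output name is still created normally.
        fresh = os.path.join(tmp, "new_file.txt")
        fresh_ok = write_nofollow(fresh, b"fine\n") == os.path.realpath(fresh)

    return {
        "naive_hit_victim": naive_hit_victim,
        "after_naive": after_naive,
        "refused": refused,
        "after_hardened": after_hardened,
        "fresh_ok": fresh_ok,
    }


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only protects the final path component: if an attacker can replace a parent directory with a symlink, the write still lands elsewhere, which is the same class of problem as the tmpreaper rename() race later in this episode. Closing that needs openat()-style per-component opens or writing only beneath a directory the attacker cannot modify.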

[USN-4072-1] Ansible vulnerabilities

  • 8 CVEs addressed in Xenial, Bionic, Disco
  • Path traversal vulnerability in the fetch module - allows an attacker to overwrite files outside of the specified destination
  • Configuration or inventory variables read from the current working directory - a local attacker could point these at an arbitrary module / plugin under their control and so gain code execution as the user running ansible
  • Various issues with variable substitution which could result in any variable being substituted, and thus information disclosure

[USN-4073-1] libEBML vulnerability

  • 1 CVE addressed in Xenial, Bionic
  • VLC-related issue that got lots of media attention ("uninstall VLC now" etc) - overblown
  • Heap-based buffer over-read in the Matroska decoder - crash -> DoS, not code execution
  • However, VLC itself did have a number of outstanding vulnerabilities (see the next update)

[USN-4074-1] VLC vulnerabilities

  • 4 CVEs addressed in Bionic, Disco
  • 2 different heap-based buffer overflows - possible RCE but likely mitigated by ASLR (according to upstream)
  • Double free -> crash -> DoS (glibc's heap hardening detects the double free and aborts, so it can't be turned into heap corruption)
  • Invalid (uninitialized) pointer dereference -> crash or information leak

[USN-4075-1] Exim vulnerability

  • 1 CVE addressed in Xenial, Bionic, Disco
  • Possible RCE as root if the configuration uses the ${sort } expansion on items that can be controlled by an attacker, e.g. $domain - the default Exim configuration does not use ${sort }, so check your own configuration for it

[USN-4054-2] Firefox regressions

[USN-3990-2] urllib3 vulnerability

[USN-4077-1] tmpreaper vulnerability

  • 1 CVE addressed in Xenial, Bionic
  • Race condition when performing a bind mount via rename() - local privilege escalation, since a file can end up being placed elsewhere in the filesystem hierarchy - so could drop a file into /etc/cron.d, for example, to get code execution as root

[USN-4078-1] OpenLDAP vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Disco
  • Authorisation confusion between users in the SASL authentication code paths - one user could be treated as another, and so perform operations they were not entitled to

[USN-4079-1, USN-4079-2] SoX vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic and Disco
  • CLI audio converter etc - the usual sorts of issues for a C-based application handling complex input file formats:
    • NULL pointer dereference
    • Stack-based buffer overflow
    • 2 separate integer overflows -> heap overflow

[USN-4080-1] OpenJDK 8 vulnerabilities

[USN-4083-1] OpenJDK 11 vulnerabilities

[USN-4081-1] Pango vulnerability

  • 1 CVE addressed in Disco
  • Heap-based buffer overflow -> code execution for applications which pass invalid UTF-8 to Pango APIs like pango_itemize() - applications handling untrusted text should validate it (e.g. with g_utf8_validate()) before handing it to Pango

[USN-4082-1] Subversion vulnerabilities

[USN-4084-1] Django vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Disco
  • DoS via memory exhaustion when encoding an attacker-controlled URI
  • SQL injection in key and index lookups on JSON fields (JSONField and HStoreField)
  • 2 different CPU-based DoS - one in strip_tags() if the input contained a large sequence of nested, incomplete HTML entities, the other in text truncation (Truncator) due to a regex prone to catastrophic backtracking

[USN-4085-1] Sigil vulnerability

  • 1 CVE addressed in Xenial, Bionic, Disco
  • Zip slip (path traversal via archive member names during extraction), discovered by Mike Salvatore (see Episode 40)
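As an added example (not Sigil's, Ansible's or the podcast's own code), the path-containment check that is missing in both the Sigil zip slip issue above and the Ansible fetch module path traversal in USN-4072-1, in Python: a naive extractor that trusts archive member names beside a hardened one that resolves every destination and refuses anything outside the target directory, plus the same check applied to an Ansible-style dest/<host>/<remote path> layout. The archive contents, the function names, the is_within helper and the fetch layout are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to something beneath it.

    Both sides go through realpath() so '..' components and symlinked parents
    are resolved before the comparison; the trailing os.sep stops '/tmp/out'
    from matching '/tmp/outside'.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {member name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)   # writestr() keeps '../' in the member name as-is
    return buf.getvalue()


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: the member name is joined onto dest and written
    without any check, so a '../x' member lands outside dest (zip slip)."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(out))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened: resolve the destination of every member before touching the
    filesystem and reject anything that escapes dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out = os.path.join(dest, info.filename)
            if not is_within(dest, out):
                raise ValueError(f"zip slip: member {info.filename!r} escapes {dest}")
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(out))
    return written


def fetch_local_path(dest_dir: str, host: str, remote_path: str) -> str:
    """Where an Ansible-style fetch (flat=no) would store remote_path from host:
    dest_dir/<host>/<remote_path>. remote_path comes from the remote end, so it
    gets the same containment check before anything is written. Illustrative
    layout only, not Ansible's implementation."""
    local = os.path.join(dest_dir, host, remote_path.lstrip("/"))
    if not is_within(dest_dir, local):
        raise ValueError(f"fetch: {remote_path!r} would escape {dest_dir}")
    return local


def fetch_is_contained(dest_dir: str, host: str, remote_path: str) -> bool:
    """True if fetch_local_path() accepts the remote path."""
    try:
        fetch_local_path(dest_dir, host, remote_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run both extractors on a constructed EPUB-like archive inside a temp dir."""
    archive = build_zip({
        "OEBPS/chapter1.xhtml": b"<p>hello</p>",
        "../evil.txt": b"written outside the extraction directory",
    })
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "book")
        os.makedirs(dest)
        naive = extract_naive(archive, dest)
        escaped = [os.path.basename(p) for p in naive if not is_within(dest, p)]
        try:
            extract_safe(archive, dest)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
    return {"escaped": escaped, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check has to run before any directory is created or file opened, and on the resolved path rather than the raw member name: a lexical filter for ".." is defeated by absolute names and by symlinks already present under the destination.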

Goings on in Ubuntu Security Community

Alex and Joe discuss the recent Citrix password spraying attack

Get in contact
