Overview
With Alex and Joe having been away at a Canonical sprint last week, we look back at the past fortnight’s security updates including new Linux kernel releases, MySQL, VLC, Django and more plus we discuss a recent Citrix password spraying attack.
This week in Ubuntu Security Updates
90 unique CVEs addressed
[USN-4066-2] ClamAV vulnerability
- 1 CVE addressed in Precise ESM, Trusty ESM
- Episode 40 - libmspack buffer overflow - ClamAV contains own copy of
libmspack in older releases so is affected
[USN-4065-2] Squid vulnerabilities
- 2 CVEs addressed in Precise ESM
- Episode 40 (memory corruption issues)
[USN-4067-1] Evince vulnerability
- 1 CVE addressed in Xenial
- Integer overflow -> buffer overflow when handling embedded tiff content in PDF documents
- DoS -> possible RCE
- 4 CVEs addressed in Bionic and Xenial (HWE)
- 2 information disclosure vulnerabilities:
- Exposes kernel memory to user-space which could expose sensitive
information (keys, pointers to help defeat ASLR etc)
- Bluetooth Human Interface Device Protocol (HIDP) socket ioctl() failed
to NUL terminate the name field
- Ext4 file-system did not zero out unused regions in extents tree blocks
which are returned to user-space
- Use-after-free due to a race-condition in the reliable datagram socket
(RDS) protocol module -> crash / code exec
- Blacklisted by default in Ubuntu and contrary to the original CVE
description, this is not likely to be remotely exploitable since the
use-after-free only occurs on namespace cleanup
- Intel i915 graphics driver failed to validate ranges for mmap() in some places
- Local attacker who already has access to the device could use this to
cause a crash or achieve code execution -> privilege escalation
[USN-4076-1] Linux kernel vulnerabilities
- 6 CVEs addressed in Xenial
- Freescale Hypervisor Manager (HVM) for PowerPC - used invalid size
parameter from ioctl() for page size calculations - local attacker could
use this to cause various memory corruption issues possibly resulting in
privilege escalation or code execution (only enabled in Xenial 4.4
kernel)
- Broadcom wifi driver would possibly pass through firmware events received
over the air to the local USB wifi device - allows a remote attacker to
send firmware events to the device with unspecified impact
- Possible seccomp bypass for policies that use ptrace on ARM - a tracing
process could modify a syscall parameter after the seccomp decision for
that syscall had been made - so could violate the policy
- Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
- Race condition in Serial Attached SCSI (SAS) could possibly result in a
UAF -> crash, or code execution
[LSN-0053-1] Linux kernel vulnerability
- 5 CVEs addressed in Xenial, Bionic
- RDS UAF, Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
- Seccomp bypass on ARM
- Separate bluetooth info disclosure via ioctl() for a similar non-NUL
terminated string
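The Bluetooth HIDP issue above, and the similar non-NUL-terminated string via ioctl() in this LSN, are both the same bug class: a fixed-size name field filled with strncpy() that is never guaranteed a terminator, inside an object whose untouched bytes still hold old kernel stack contents. The following C program is an added illustration written for these notes, not kernel code or code from the advisories; the `conn_info` layout, the `fill_info_*` functions and the `0xAA` "stale stack" sentinel are all constructed for the demonstration. It contrasts the vulnerable pattern with the hardened one and measures how many stale bytes each would hand back to user space.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 128
#define STALE 0xAA  /* constructed sentinel standing in for leftover kernel stack bytes */

/* Hypothetical stand-in for a kernel structure that is filled in from an
 * ioctl() request and later copied out to user space. The layout is an
 * assumption for this example, not the real HIDP structure. */
struct conn_info {
    char name[NAME_LEN];
    uint32_t state;     /* a field the unsafe path forgets to initialise */
};

/* Emulate an uninitialised kernel stack object: every byte holds STALE. */
static void make_stale(struct conn_info *info)
{
    memset(info, STALE, sizeof(*info));
}

/* Vulnerable pattern: strncpy() writes no terminator when the source fills
 * the buffer, and untouched fields keep whatever the stack held before. */
void fill_info_unsafe(struct conn_info *out, const char *name)
{
    strncpy(out->name, name, NAME_LEN);
}

/* Hardened pattern: clear the whole object, bound the copy, and force the
 * terminator so the field is always a valid C string. */
void fill_info_safe(struct conn_info *out, const char *name)
{
    memset(out, 0, sizeof(*out));
    strncpy(out->name, name, NAME_LEN - 1);
    out->name[NAME_LEN - 1] = '\0';
}

typedef void (*fill_fn)(struct conn_info *, const char *);

/* 1 if the name field contains a NUL within its bounds, 0 if a string reader
 * would run past it into the adjacent field. */
int terminated_after(fill_fn fill, const char *name)
{
    struct conn_info info;
    make_stale(&info);
    fill(&info, name);
    return memchr(info.name, '\0', NAME_LEN) != NULL;
}

/* Number of stale bytes that would be copied to user space with the object. */
size_t stale_after(fill_fn fill, const char *name)
{
    struct conn_info info;
    unsigned char *p = (unsigned char *)&info;
    size_t i, count = 0;
    make_stale(&info);
    fill(&info, name);
    for (i = 0; i < sizeof(info); i++)
        if (p[i] == STALE)
            count++;
    return count;
}

/* A name that exactly fills the buffer: the case the kernel fix addressed. */
const char *long_name(void)
{
    static char buf[NAME_LEN + 1];
    memset(buf, 'A', NAME_LEN);
    buf[NAME_LEN] = '\0';
    return buf;
}

int main(void)
{
    printf("unsafe, 128-byte name: terminated=%d stale=%zu\n",
           terminated_after(fill_info_unsafe, long_name()),
           stale_after(fill_info_unsafe, long_name()));
    printf("unsafe, short name:    terminated=%d stale=%zu\n",
           terminated_after(fill_info_unsafe, "keyboard"),
           stale_after(fill_info_unsafe, "keyboard"));
    printf("safe,   128-byte name: terminated=%d stale=%zu\n",
           terminated_after(fill_info_safe, long_name()),
           stale_after(fill_info_safe, long_name()));
    return 0;
}
```

Two things are worth noticing when running it: with a short name strncpy() does pad the rest of the name with NULs, so the leak in that case comes only from the uninitialised neighbouring field, whereas a name that exactly fills the buffer leaves no terminator at all, and any later strlen()-style read continues into whatever sits after the array. Zeroing the whole object before filling it, rather than trusting each copy to clean up, is what closes both holes at once.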
- 4 CVEs addressed in Disco and Bionic (HWE)
- 2 information disclosure issues mentioned for the Bionic/Xenial HWE above
(4.15 kernel) - Bluetooth HIDP + Ext4 extents information disclosure
vulns covered earlier
- Race condition in coredump generation - local user can trigger a coredump
for a process which can race with other memory management handling and so
could result in access to invalid memory regions - crash -> DoS or
information disclosure
- Integer overflow for page reference counts -> UAF
- Requires at least 140GB of RAM to be affected
[USN-4070-1] MySQL vulnerabilities
- 13 CVEs addressed in Xenial, Bionic, Disco
- Latest upstream version 5.7.27 - various vulnerabilities including:
- Multiple variants where a low-privileged remote attacker could gain complete
access to all MySQL server data (modify / access etc)
- Multiple variants where both privileged AND unprivileged attackers could hang /
crash the MySQL server
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco
- OS shell command injection via a crafted patch file - uses shell
metacharacters in the patch file to take control of what patch executes
- Mishandles symlinks which allows a crafted patch file to overwrite
arbitrary files
[USN-4072-1] Ansible vulnerabilities
- 8 CVEs addressed in Xenial, Bionic, Disco
- Path traversal vulnerability in fetch module - allows an attacker to
overwrite files outside of the specified destination
- Configuration or inventory variables read from CWD - local attacker could
point to an arbitrary module / plugin under their control and so gain
code-execution as the ansible daemon
- Various issues with variable substitution which could result in any
variable being substituted and thus an information disclosure
[USN-4073-1] libEBML vulnerability
- 1 CVE addressed in Xenial, Bionic
- VLC related issue - lots of media attention - “uninstall VLC now” etc - overblown
- Heap-based buffer over-read in the Matroska decoder - crash -> DoS - not
code-execution
- However, VLC itself had a number of outstanding vulnerabilities
[USN-4074-1] VLC vulnerabilities
- 4 CVEs addressed in Bionic, Disco
- 2 different heap-based buffer overflows - possible RCE but likely mitigated by ASLR (according to upstream)
- Double free -> crash -> DoS (glibc's heap protections ensure it can't cause heap corruption and instead abort)
- Invalid pointer dereference (uninitialized) -> crash or infoleak
[USN-4075-1] Exim vulnerability
- 1 CVE addressed in Xenial, Bionic, Disco
- Possible RCE as root if the configuration used the ${sort } expansion on
items that can be controlled by an attacker - e.g. $domain etc
[USN-4054-2] Firefox regressions
- 21 CVEs addressed in Xenial, Bionic, Disco
- Episode 40 - Firefox update for 68.0 contained some minor regressions
- Upstream released 68.0.1 to fix these
[USN-3990-2] urllib3 vulnerability
- 1 CVE addressed in Trusty ESM
- Episode 33 covered for standard support releases
[USN-4077-1] tmpreaper vulnerability
- 1 CVE addressed in Xenial, Bionic
- Race condition when performing a bind-mount via rename() - local
privilege escalation since it can result in a file being placed elsewhere on
the fs hierarchy - so could drop a file in /etc/cron.d for example to
get root code execution
[USN-4078-1] OpenLDAP vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Disco
- Would confuse authorisation for one user with another - so other user
could then perform operations which they were not entitled to - in SASL
authentication code paths
- 4 CVEs addressed in Xenial, Bionic and Disco
- CLI audio converter etc - usual sorts of issues for a C based application handling complex input file formats:
- NULL ptr dereference
- Stack-based buffer overflow
- 2 separate integer overflows -> heap overflow
[USN-4080-1] OpenJDK 8 vulnerabilities
- 7 CVEs addressed in Xenial
- New upstream Java release 8u2222-b10
[USN-4083-1] OpenJDK 11 vulnerabilities
- 7 CVEs addressed in Bionic, Disco
- New upstream Java release 11.0.4
[USN-4081-1] Pango vulnerability
- 1 CVE addressed in Disco
- Heap-based buffer overflow -> code execution for applications which pass
invalid UTF-8 to Pango APIs like pango_itemize()
[USN-4082-1] Subversion vulnerabilities
- 2 CVEs addressed in Xenial
- 2 remote DoS issues against svnserve
[USN-4084-1] Django vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Disco
- DoS via memory exhaustion when encoding an attacker controlled URI
- SQL injection in key and index lookups in JSON handling
- 2 different CPU-based DoS issues - 1 in the strip_tags() function if the input contained a
large sequence of nested, incomplete HTML entities, the other in truncation
due to use of a regex with backtracking
[USN-4085-1] Sigil vulnerability
- 1 CVE addressed in Xenial, Bionic, Disco
- Zip slip vulnerability discovered by Mike Salvatore (Episode 40)
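The Sigil zip slip issue and the Ansible fetch path traversal above are the same defensive problem seen from two sides: a name supplied by an untrusted archive (or an untrusted remote host) must never be allowed to resolve outside the directory the caller chose. The C program below is an added example written for these notes, not code from Sigil, Ansible or any of the advisories; `safe_join` and its wrappers are hypothetical names, and the entry names and the `/tmp/extract` destination are constructed inputs. It resolves an entry name purely lexically, rejects absolute paths, backslashes and any sequence of `..` that would climb above the destination, and only then joins it to the destination.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 4096
#define MAX_PARTS 256

/* Lexically resolve an archive entry name against a destination directory.
 * Returns 1 and writes "dest/normalised-entry" into out when the entry stays
 * inside dest, 0 when it would escape (absolute path, too many "..", or an
 * entry that resolves to dest itself). Purely string based: symlinks already
 * present under dest are a separate concern (see note below). */
int safe_join(const char *dest, const char *entry, char *out, size_t outlen)
{
    char buf[PATH_MAX_LEN];
    const char *parts[MAX_PARTS];
    size_t depth = 0, dlen, n, i;
    char *tok;

    if (entry == NULL || entry[0] == '\0' || entry[0] == '/')
        return 0;                       /* empty or absolute */
    if (strchr(entry, '\\') != NULL)
        return 0;                       /* refuse Windows separators outright */
    if (strlen(entry) >= sizeof(buf))
        return 0;
    strcpy(buf, entry);

    /* strtok() collapses repeated slashes, so "a//b" is handled like "a/b". */
    for (tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;                   /* "./x" is just "x" */
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return 0;               /* would climb above dest */
            depth--;
            continue;
        }
        if (depth == MAX_PARTS)
            return 0;
        parts[depth++] = tok;
    }
    if (depth == 0)
        return 0;                       /* nothing to extract to */

    /* Join, dropping any trailing slash on dest so the result is canonical. */
    dlen = strlen(dest);
    while (dlen > 0 && dest[dlen - 1] == '/')
        dlen--;
    n = (size_t)snprintf(out, outlen, "%.*s", (int)dlen, dest);
    if (n >= outlen)
        return 0;
    for (i = 0; i < depth; i++) {
        size_t m = (size_t)snprintf(out + n, outlen - n, "/%s", parts[i]);
        if (m >= outlen - n)
            return 0;
        n += m;
    }
    return 1;
}

/* Convenience wrappers so the decision can be checked without a caller buffer. */
int entry_is_safe(const char *dest, const char *entry)
{
    char out[PATH_MAX_LEN];
    return safe_join(dest, entry, out, sizeof(out));
}

const char *joined_path(const char *dest, const char *entry)
{
    static char out[PATH_MAX_LEN];
    return safe_join(dest, entry, out, sizeof(out)) ? out : NULL;
}

int main(void)
{
    /* Constructed entry names: an ordinary EPUB member plus escape attempts. */
    const char *entries[] = { "OEBPS/content.opf", "a/b/../c", "../../etc/cron.d/x",
                              "/etc/passwd", "a/../..", "./" };
    size_t i;
    for (i = 0; i < sizeof(entries) / sizeof(entries[0]); i++) {
        const char *p = joined_path("/tmp/extract", entries[i]);
        printf("%-22s -> %s\n", entries[i], p ? p : "REJECTED");
    }
    return 0;
}
```

The check is deliberately lexical and runs before anything touches the filesystem, which is the point at which an extractor or a fetch module should decide. It does not defend against a symlink that an earlier archive member already planted under the destination, so an extractor also needs to refuse or re-validate entries whose parent directory is a symlink, and a fetch-style copy should do the same with realpath() on the final parent before writing.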
Goings on in Ubuntu Security Community
Alex and Joe discuss the recent Citrix password spraying attack