Overview
A massive 85 CVEs addressed this week, including updates for Exim, the
Linux Kernel, Samba, systemd and more, plus we discuss hacking BMCs via
remote USB devices and password stashes.
This week in Ubuntu Security Updates
85 unique CVEs addressed
[USN-4124-1] Exim vulnerability [00:49]
- 1 CVE addressed in Xenial, Bionic, Disco
- CVE-2019-15846
- When doing TLS negotiation, Exim parses the Server Name Indication
(SNI) value and tries to handle escape sequences in that string.
- It does so by looking at the character after a backslash to determine
which escape sequence it is (\b etc) and then returning the actual value
(in string_interpret_escape())
- This gets called by the function string_unprinting(), which is used to
translate escaped characters into their proper form in a new string -
and this will run over the bounds of the original string if it ends
with a backslash, since string_interpret_escape() assumes there is
content after the backslash to interpret
- Qualys were able to develop a PoC which leverages this OOB behaviour
into a remote root exploit (since this part of the code runs as root,
and they were able to use a combination of heap corruption and OOB
writes to get code execution)
- Fixed to first check whether the end of the string (NUL) has been
reached before trying to handle the escaped character
- Can be mitigated by setting ACLs to deny connections which contain
a trailing backslash in the SNI field - see CVE-2019-15846 in the Ubuntu CVE Tracker
- Lots of press coverage
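To make the fix concrete, here is a simplified unescape routine in the shape of the string_unprinting()/string_interpret_escape() pair described above. This is an added illustration written for these notes, not Exim's code: the function names unprint_string() and sni_ends_with_backslash() are hypothetical, and only a handful of escape sequences are modelled. The comment marks the single check that the fix adds; without it a trailing backslash sends the loop past the terminating NUL. The second function mirrors the ACL mitigation, rejecting an SNI value that ends in a backslash before it is ever unescaped.

```c
#include <stddef.h>
#include <string.h>

/* Translate backslash escapes in `in` into `out` (capacity outlen).
 * Returns the number of bytes written (excluding the NUL terminator),
 * -1 if the input ends in a lone backslash, or -2 if `out` is too small.
 * Simplified model of the fixed behaviour, not Exim's implementation. */
int unprint_string(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p = in;

    while (*p != '\0') {
        if (n + 1 >= outlen)          /* leave room for the terminator */
            return -2;

        if (*p == '\\') {
            p++;                       /* step to the byte after the backslash */
            /* The fix: the unfixed code assumed something followed the
             * backslash and interpreted *p even when it was the NUL,
             * reading (and later writing) past the end of the buffer. */
            if (*p == '\0')
                return -1;

            switch (*p) {              /* small subset of escape handling */
            case 'n':  out[n++] = '\n'; break;
            case 't':  out[n++] = '\t'; break;
            case 'b':  out[n++] = '\b'; break;
            case 'r':  out[n++] = '\r'; break;
            default:   out[n++] = *p;   break;  /* "\\" and "\x" -> '\\' / 'x' */
            }
            p++;
        } else {
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Mitigation-style check: does an SNI value end in a backslash?
 * Equivalent in spirit to the ACL rule mentioned in the notes. */
int sni_ends_with_backslash(const char *sni)
{
    size_t len = strlen(sni);
    return len > 0 && sni[len - 1] == '\\';
}
```

The return code -1 is the important path: a caller that previously relied on the unescaped result now has a definite signal to drop the input rather than operate on memory it never owned.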
[USN-4114-1] Linux kernel vulnerabilities [03:49]
- 5 CVEs addressed in Bionic (HWE), Disco
- CVE-2019-3900
- Infinite loop in the virtio network driver - a guest VM can cause a host DoS by stalling the vhost_net kernel thread
- CVE-2019-14284
- Divide by zero in the floppy driver's ioctl() handler (qemu creates a floppy device by default)
- CVE-2019-14283
- Integer overflow and OOB read in floppy driver
- CVE-2019-13648
- DoS for PowerPC if a user calls sigreturn() with a crafted signal stack
frame - exception and system crash (requires transactional memory to
be disabled)
- CVE-2019-10638
- The kernel tries to randomise IP ID values (used for de-fragmentation of
IP packets) for connection-less protocols to avoid tracking
- The ID is meant to be random across source + dest address + protocol
- But if an attacker can observe traffic to multiple hosts, they can infer
the hashing key used to generate the ID values
- And then can associate different streams of packets back to the same
source host and hence can track devices
- Fixed to use an actual random value for the base of the hash and a
better hashing algorithm (siphash) for ID generation
[USN-4115-1] Linux kernel vulnerabilities [06:42]
- 28 CVEs addressed in Xenial (HWE), Bionic
- 5 negligible (not enabled by default), 11 low (very unlikely to trigger -
module unload after proc initialization failure etc), 12 medium
[USN-4116-1] Linux kernel vulnerabilities [09:12]
- 6 CVEs addressed in Xenial
[USN-4117-1] Linux kernel (AWS) vulnerabilities [09:43]
- 9 CVEs addressed in Disco
[USN-4118-1] Linux kernel (AWS) vulnerabilities [10:17]
- 61 CVEs addressed in Xenial, Bionic
[USN-3934-2] PolicyKit vulnerability [10:36]
- 1 CVE addressed in Precise ESM
- Episode 27 - PolicyKit could get confused via PID reuse - the fix was in 2
parts - one in the kernel to ensure userspace can't race the kernel on PID
assignment, and the second in PolicyKit itself to check on PID, UID and start time.
[USN-4119-1] Irssi vulnerability [11:23]
- 1 CVE addressed in Disco
- CVE-2019-15717
- UAF if the server sends two CAP commands (used by client and server to negotiate
capabilities - i.e. SASL support etc)
[USN-4121-1] Samba vulnerability [11:52]
- 1 CVE addressed in Disco
- CVE-2019-10197
- Possible directory share escape by unauthenticated users - allows
attackers to gain access to the host filesystem outside the share
root (limited as per underlying file-system permissions)
- Needs the server to have explicitly enabled 'wide links' and not be
using 'unix extensions', OR to have also set 'allow insecure wide
links'
[USN-4120-1] systemd vulnerability [12:40]
- 1 CVE addressed in Bionic, Disco
- CVE-2019-15718
- systemd-resolved failed to properly set up access controls on its DBus
server socket, which allows unprivileged users to execute DBus methods
that should only be executable by privileged users - such as changing
the system's DNS resolver settings
[USN-4122-1] Firefox vulnerabilities [13:10]
- 17 CVEs addressed in Xenial, Bionic, Disco
- Upstream Firefox 69.0 release
[USN-4123-1] npm/fstream vulnerability [13:29]
- 1 CVE addressed in Bionic, Disco
Goings on in Ubuntu Security Community
Joe and Alex discuss hacking BMCs via a remote USB attack [13:53]
Joe and Alex also discuss password stashes [20:33]
Get in contact