Episode 46

Overview

A massive 85 CVEs addressed this week, including updates for Exim, the Linux Kernel, Samba, systemd and more, plus we discuss hacking BMCs via remote USB devices and password stashes.

This week in Ubuntu Security Updates

85 unique CVEs addressed

[USN-4124-1] Exim vulnerability [00:49]

• 1 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-15846
    • When doing TLS negotiation, parses the Server Name Indication headers - would try and handle escape sequences in this string.
    • Does so by looking at the character after a backslash to determine what escape sequence is (\b etc) and then returns that actual value (in string_interpret_escape())
    • This gets called by the function string_unprinting() which is used to translate escaped characters into their proper form in a new string - and this will run over the bounds of the original string if it ends with a backslash - since string_interpret_escape() would assume there was contents afterwards to interpret
    • Qualsys were able to develop a PoC which leverages this OOB behaviour into a remote root exploit (since this part of the code runs as root and they were able to use a combination of heap corruption and OOB writes to get code execution)
    • Fixed to first check if reached end of string (NUL) before trying to handle the escaped character
  • Able to be mitigated by setting ACLs to deny connections which contain a trailing backslash in the SNI field - see CVE-2019-15846 in the Ubuntu CVE Tracker
  • Lots of press coverage:
    • https://www.zdnet.com/article/millions-of-exim-servers-vulnerable-to-root-granting-exploit/
    • https://threatpost.com/critical-exim-flaw-opens-millions-of-servers-to-takeover/148108/
    • https://www.theregister.co.uk/2019/09/06/exim_vulnerability_patch/
    • https://www.bleepingcomputer.com/news/security/critical-exim-tls-flaw-lets-attackers-remotely-execute-commands-as-root/

[USN-4114-1] Linux kernel vulnerabilities [03:49]

• 5 CVEs addressed in Bionic (HWE), Disco
  • CVE-2019-3900
    • Infinite loop in virtio network driver - guest VM cause host DoS by stalling vhost_net kernel thread
  • CVE-2019-14284
    • Divide by zero in floppy driver ioctl() handler (created by default by qemu)
  • CVE-2019-14283
    • Integer overflow and OOB read in floppy driver
  • CVE-2019-13648
    • DoS for PowerPC if user calls sigreturn() with crafted signal stack frame - exception and system crash (requires transactional memory to be disabled)
  • CVE-2019-10638
    • Kernel tries to randomise IP ID values (used for de-fragmentation of IP packets) for connection-less protocols to avoid tracking
    • Is meant to be random across source + dest address + protocol
    • But if an attacker can observe traffic to multiple hosts, can infer the hashing key used to generate the ID values
    • And then can associate different streams of packets back to the same source host and hence can track devices
    • Fixed to used an actual random value for the base of the hash and use a better hashing algorithm (siphash) for ID generation

[USN-4115-1] Linux kernel vulnerabilities [06:42]

• 28 CVEs addressed in Xenial (HWE), Bionic
• 5 negligible (not enabled by default), 11 low (very unlikely to trigger - module unload after proc initialization failure etc), 12 medium
  • CVE-2019-3819
  • CVE-2019-3701
  • CVE-2019-15221
  • CVE-2019-15218
  • CVE-2019-15216
  • CVE-2019-9506
    • Bluetooth KNOB attack
  • CVE-2019-3900
    • Infinite loop in virtio net driver (guest VM cause host DoS)
  • CVE-2019-15292
  • CVE-2019-15220
  • CVE-2019-15215
  • CVE-2019-15214
  • CVE-2019-15212
  • CVE-2019-15211
  • CVE-2019-15090
    • OOB read in debug functions of QLogic QEDI iSCSI Initiator Driver (allows to read kernel memory - KASLR defeat?)
  • CVE-2019-14763
  • CVE-2019-14284
    • See above (Divide by zero in floppy driver)
  • CVE-2019-14283
    • See above (Integer overflow and OOB read in floppy driver)
  • CVE-2019-13648
    • See above (PowerPC DoS on sigreturn())
  • CVE-2019-13631
  • CVE-2019-11810
  • CVE-2019-11599
    • Core dump race (Episode 41)
  • CVE-2019-11487
  • CVE-2019-10639
    • Related to CVE-2019-10638 - since used base address of kernel structure in memory as hash base, could allow attacker to infer this address and so defeat KASLR
  • CVE-2019-10638
    • See above (IP ID randomisation)
  • CVE-2019-10207
    • NULL pointer address execution (call function pointer which is NULL since is not initializated) - Ubuntu defaults to a non-zero mmap_min_addr value which means can’t map a page at 0 address so this is just a NULL pointer dereference in default config (otherwise is arbitrary kernel code execution)
  • CVE-2019-0136
    • Intel Wifi Driver Tunneled Direct Link Setup (allows devices to communicate directly with one-another on the same network without going via AP) - flaw allows a peer to cause wifi disconnection (DoS)
  • CVE-2018-20784
    • Infinite loop in CFS schedular - DoS
  • CVE-2018-19985

[USN-4116-1] Linux kernel vulnerabilities [09:12]

• 6 CVEs addressed in Xenial
  • CVE-2019-3900
    • Infinite loop in virtio net driver (guest VM cause host DoS)
  • CVE-2019-14284
    • See above (Divide by zero in floppy driver)
  • CVE-2019-14283
    • See above (Integer overflow and OOB read in floppy driver)
  • CVE-2019-13648
    • See above (PowerPC DoS on sigreturn())
  • CVE-2019-10638
    • See above (IP ID randomisation)
  • CVE-2018-20856
    • UAF in block-layer under particular failure conditions

[USN-4117-1] Linux kernel (AWS) vulnerabilities [09:43]

• 9 CVEs addressed in Disco
  • CVE-2019-3900
    • Infinite loop in virtio net driver (guest VM cause host DoS)
  • CVE-2019-3846
    • Marvell Wifi OOB write (Episode 43)
  • CVE-2019-10126
    • Marvell Wifi OOB write (Episode 43)
  • CVE-2019-14284
    • See above (Divide by zero in floppy driver)
  • CVE-2019-14283
    • See above (Integer overflow and OOB read in floppy driver)
  • CVE-2019-13272
    • ptrace race (Episode 43)
  • CVE-2019-13233
    • UAF in handling of x86 LDT entries (Episode 43)
  • CVE-2019-12984
    • NULL ptr dereference in NFC subsystem (Episode 43)
  • CVE-2019-10638
    • See above (IP ID randomisation)

[USN-4118-1] Linux kernel (AWS) vulnerabilities [10:17]

• 61 CVEs addressed in Xenial, Bionic
  • CVE-2019-3819
  • CVE-2019-3701
  • CVE-2019-15221
  • CVE-2019-15218
  • CVE-2019-15216
  • CVE-2018-20511
  • CVE-2019-9506
  • CVE-2019-3900
  • CVE-2019-3846
  • CVE-2019-2101
  • CVE-2019-2024
  • CVE-2019-15292
  • CVE-2019-15220
  • CVE-2019-15215
  • CVE-2019-15214
  • CVE-2019-15212
  • CVE-2019-15211
  • CVE-2019-15090
  • CVE-2019-14763
  • CVE-2019-14284
  • CVE-2019-14283
  • CVE-2019-13631
  • CVE-2019-13272
  • CVE-2019-13233
  • CVE-2019-12984
  • CVE-2019-12819
  • CVE-2019-12818
  • CVE-2019-11884
  • CVE-2019-11833
  • CVE-2019-11815
  • CVE-2019-11810
  • CVE-2019-11599
  • CVE-2019-11487
  • CVE-2019-11085
  • CVE-2019-10639
  • CVE-2019-10638
  • CVE-2019-10207
  • CVE-2019-10126
  • CVE-2019-0136
  • CVE-2018-5383
  • CVE-2018-20856
  • CVE-2018-20784
  • CVE-2018-20169
  • CVE-2018-19985
  • CVE-2018-16862
  • CVE-2018-14617
  • CVE-2018-14613
  • CVE-2018-14612
  • CVE-2018-14611
  • CVE-2018-14610
  • CVE-2018-14609
  • CVE-2018-14616
  • CVE-2018-14615
  • CVE-2018-14614
  • CVE-2018-13100
  • CVE-2018-13099
  • CVE-2018-13098
  • CVE-2018-13097
  • CVE-2018-13096
  • CVE-2018-13093
  • CVE-2018-13053

[USN-3934-2] PolicyKit vulnerability [10:36]

• 1 CVEs addressed in Precise ESM
  • CVE-2019-6133
• Episode 27 - PolicyKit could get confused via PID reuse - fix was 2 parts - 1 kernel to ensure can’t race kernel on PID assignment, and second was in PolicyKit itself to check on PID, UID and start time.

[USN-4119-1] Irssi vulnerability [11:23]

• 1 CVEs addressed in Disco
  • CVE-2019-15717
    • UAF if server sends two CAP commands (used by client and server to negotiate capabilities - ie sasl support etc)

[USN-4121-1] Samba vulnerability [11:52]

• 1 CVEs addressed in Disco
  • CVE-2019-10197
    • Possible directory share escape by unauthenticated users - allows attackers to gain access to the host filesystem outside the share root (limited as per underlying file-system permissions)
    • Needs the server to have explicitly enabled ‘wide links’ and not be using ‘unix extensions’ OR to have also set ‘allow insecure wide links’

[USN-4120-1] systemd vulnerability [12:40]

• 1 CVEs addressed in Bionic, Disco
  • CVE-2019-15718
    • systemd-resolved failed to properly setup access controls on its DBus server socket, whic allows unprivileged users to execute DBus methods that should only be executable by privileged users - such as changing the systems DNS resolver settings

[USN-4122-1] Firefox vulnerabilities [13:10]

• 17 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-11747
  • CVE-2019-11741
  • CVE-2019-9812
  • CVE-2019-11752
  • CVE-2019-11750
  • CVE-2019-11749
  • CVE-2019-11748
  • CVE-2019-11746
  • CVE-2019-11744
  • CVE-2019-11743
  • CVE-2019-11742
  • CVE-2019-11740
  • CVE-2019-11738
  • CVE-2019-11737
  • CVE-2019-11735
  • CVE-2019-11734
  • CVE-2019-5849
• Upstream Firefox 69.0 release
  • https://www.mozilla.org/en-US/security/advisories/mfsa2019-25/

[USN-4123-1] npm/fstream vulnerability [13:29]

• 1 CVEs addressed in Bionic, Disco
  • CVE-2019-13173

Goings on in Ubuntu Security Community

Joe and Alex discuss hacking BMCs via a remote USN attack [13:53]

• https://thehackernews.com/2019/09/hacking-bmc-server.html

Joe and Alex also discuss password stashes [20:33]

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter