Overview
This week we look at the details of the latest Intel hardware
vulnerabilities, including security updates for the Linux kernel and Intel
microcode, plus Bash, cpio, FriBidi and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4176-1] GNU cpio vulnerability [01:00]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- cpio didn't validate the values it wrote into the headers of TAR archives:
  given a TAR containing another TAR with a large size, it would use the
  wrong context values (i.e. the inner TAR's values ended up in the header).
  This could allow a TAR to be created containing files whose permissions
  and ownership do not belong to the original user; when extracted by cpio
  these would overwrite target files (extracting with tar instead avoids
  this). Fixed to check and handle header values correctly.
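As an added example (written for these notes, not code from cpio or from the USN), here is a ustar header validator that does the kind of checking the fix describes: it rejects a header whose checksum does not match, whose mode or ownership fields are out of range, or whose size claims more data than actually remains in the archive, which is how values leaking from a nested archive's header would show up. The field offsets are the standard tar layout; the header builder, the sample names and the uid/gid 1000 are constructed test data, not taken from any real archive.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512

/* Field offsets and lengths of the POSIX ustar header layout. */
enum { NAME_OFF = 0, NAME_LEN = 100, MODE_OFF = 100, MODE_LEN = 8,
       UID_OFF = 108, UID_LEN = 8, GID_OFF = 116, GID_LEN = 8,
       SIZE_OFF = 124, SIZE_LEN = 12, MTIME_OFF = 136, MTIME_LEN = 12,
       CHKSUM_OFF = 148, CHKSUM_LEN = 8, TYPE_OFF = 156, MAGIC_OFF = 257 };

struct tar_entry {
    char name[NAME_LEN + 1];
    uint32_t mode, uid, gid;
    uint64_t size;
    char type;
};

/* Parse a NUL- or space-terminated octal field. Returns -1 on any non-octal
 * byte or on overflow, so a corrupt field never silently becomes a huge value. */
int parse_octal(const unsigned char *f, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    size_t i = 0;
    while (i < len && f[i] == ' ') i++;            /* leading blanks allowed */
    if (i == len) return -1;                       /* empty field */
    for (; i < len && f[i] != '\0' && f[i] != ' '; i++) {
        if (f[i] < '0' || f[i] > '7') return -1;
        if (v > (UINT64_MAX >> 3)) return -1;      /* would overflow */
        v = (v << 3) | (uint64_t)(f[i] - '0');
    }
    *out = v;
    return 0;
}

/* Header checksum: sum of all 512 bytes with the checksum field read as spaces. */
uint32_t tar_checksum(const unsigned char *h)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < TAR_BLOCK; i++)
        sum += (i >= CHKSUM_OFF && i < CHKSUM_OFF + CHKSUM_LEN) ? ' ' : h[i];
    return sum;
}

/* Validate one header block against the number of archive bytes that follow
 * it. Returns 0 and fills *e on success, -1 on any inconsistency. */
int tar_validate_header(const unsigned char *h, uint64_t remaining,
                        struct tar_entry *e)
{
    uint64_t v;
    if (parse_octal(h + CHKSUM_OFF, CHKSUM_LEN, &v) || v != tar_checksum(h))
        return -1;                                 /* corrupt or tampered header */
    if (parse_octal(h + MODE_OFF, MODE_LEN, &v) || v > 07777) return -1;
    e->mode = (uint32_t)v;
    if (parse_octal(h + UID_OFF, UID_LEN, &v) || v > UINT32_MAX) return -1;
    e->uid = (uint32_t)v;
    if (parse_octal(h + GID_OFF, GID_LEN, &v) || v > UINT32_MAX) return -1;
    e->gid = (uint32_t)v;
    if (parse_octal(h + SIZE_OFF, SIZE_LEN, &v)) return -1;
    /* The entry's data must fit in the archive: a size larger than what
     * actually follows (e.g. copied from a nested archive's header) is rejected. */
    if (v > remaining) return -1;
    e->size = v;
    e->type = (char)h[TYPE_OFF];
    memcpy(e->name, h + NAME_OFF, NAME_LEN);
    e->name[NAME_LEN] = '\0';
    return 0;
}

/* Build a minimal ustar header for a regular file (constructed test data). */
void tar_make_header(unsigned char *h, const char *name, uint32_t mode,
                     uint64_t size)
{
    memset(h, 0, TAR_BLOCK);
    strncpy((char *)h + NAME_OFF, name, NAME_LEN - 1);
    snprintf((char *)h + MODE_OFF, MODE_LEN, "%07o", (unsigned)mode);
    snprintf((char *)h + UID_OFF, UID_LEN, "%07o", 1000u);
    snprintf((char *)h + GID_OFF, GID_LEN, "%07o", 1000u);
    snprintf((char *)h + SIZE_OFF, SIZE_LEN, "%011llo", (unsigned long long)size);
    snprintf((char *)h + MTIME_OFF, MTIME_LEN, "%011o", 0u);
    h[TYPE_OFF] = '0';                             /* regular file */
    memcpy(h + MAGIC_OFF, "ustar\0" "00", 8);      /* magic + version */
    snprintf((char *)h + CHKSUM_OFF, CHKSUM_LEN, "%06o", (unsigned)tar_checksum(h));
    h[CHKSUM_OFF + 7] = ' ';                       /* conventional "NUL space" tail */
}
```

The ordering matters: the checksum is verified before any other field is trusted, and the size check is made against the bytes genuinely remaining, so an extractor built on this never reads or writes past the archive it was given.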
[USN-4177-1] Rygel vulnerability [02:18]
- Affecting Eoan
- Rygel was added in Eoan; it is off by default, but GNOME needed to handle
  that and would disable it dynamically, so when not running GNOME, rygel
  would be running and sharing your files on the local network. Fixed to
  disable it automatically on upgrade; it can then be re-enabled via the
  GNOME settings front-end etc. if desired.
[USN-4178-1] WebKitGTK+ vulnerabilities [03:34]
- 4 CVEs addressed in Bionic, Disco
[USN-4181-1] WebKitGTK+ vulnerabilities [03:34]
- 2 CVEs addressed in Bionic, Disco, Eoan
[USN-4179-1] FriBidi vulnerability [04:00]
- 1 CVE addressed in Disco, Eoan
- Issue originally reported about Unicode isolate handling in Qt; turned out
  GTK applications were affected as well, through entirely different code
  with a very similar flaw: a stack buffer overflow, since the bounds of a
  fixed array used to store details of nested Unicode isolate sections were
  not checked. Simple fix: check the bounds before storing the next element.
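To show the flaw pattern and its fix side by side, an added example (not FriBidi's or Qt's code): a fixed-size array of nested isolate records with the unchecked push beside the bounds-checked one, and a small scanner that uses the checked version and counts how many isolates it had to drop. The depth limit, the record fields, and the use of '[' and ']' as stand-ins for the Unicode isolate control characters are assumptions made for the example.

```c
#include <stddef.h>

/* Maximum nesting depth the fixed array can hold. Chosen for this example;
 * the real library's limit is an implementation detail. */
#define MAX_ISOLATE_DEPTH 8

struct isolate_info { int level; int override; size_t start; };

struct isolate_stack {
    struct isolate_info slots[MAX_ISOLATE_DEPTH];  /* fixed array on the stack */
    size_t depth;
};

/* The flaw pattern: the array is written at index depth without checking
 * that depth < MAX_ISOLATE_DEPTH, so nesting deeper than the array writes
 * past its end. Shown for contrast only; never called below. */
void isolate_push_unchecked(struct isolate_stack *s, struct isolate_info in)
{
    s->slots[s->depth++] = in;                     /* no bounds check */
}

/* The fix: refuse the push when the array is full and return an error the
 * caller must handle (here: treat the extra isolate as plain text). */
int isolate_push_checked(struct isolate_stack *s, struct isolate_info in)
{
    if (s->depth >= MAX_ISOLATE_DEPTH)
        return -1;
    s->slots[s->depth++] = in;
    return 0;
}

/* Pop with the matching underflow guard for unmatched terminators. */
int isolate_pop(struct isolate_stack *s, struct isolate_info *out)
{
    if (s->depth == 0) return -1;
    *out = s->slots[--s->depth];
    return 0;
}

/* Walk a text for isolate initiators ('[') and terminators (']'), placeholders
 * for the Unicode controls. Reports how many isolates were stored and how many
 * were dropped because nesting exceeded the array; returns the number still
 * open at the end of the text. */
int isolate_scan(const char *text, size_t *opened, size_t *dropped)
{
    struct isolate_stack st = { .depth = 0 };
    *opened = 0;
    *dropped = 0;
    for (size_t i = 0; text[i] != '\0'; i++) {
        if (text[i] == '[') {
            struct isolate_info in = { 0, 0, i };
            if (isolate_push_checked(&st, in) == 0)
                (*opened)++;
            else
                (*dropped)++;                      /* too deep: kept as text */
        } else if (text[i] == ']') {
            struct isolate_info out;
            (void)isolate_pop(&st, &out);          /* unmatched ']' ignored */
        }
    }
    return (int)st.depth;
}
```

The checked push is the whole fix: one comparison before the store, with a return value the caller has to act on. The scanner shows that handling, degrading to "ignore the extra isolate" instead of corrupting the stack frame.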
[USN-4180-1] Bash vulnerability [05:38]
- 1 CVE addressed in Precise ESM
- Recently announced vulnerability (heap-based buffer overflow) in bash
  affecting old versions, so most releases are unaffected except Precise;
  can be triggered by printing wide characters via echo -e.
[USN-4182-1, USN-4182-2] Intel Microcode update [06:12]
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
- Voltage modulation could be performed by a local privileged user;
  disabled via microcode
- TSX Asynchronous Abort (TAA) -
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915
  - Another variant of MDS, but only affects processors with Transactional
    Synchronization Extensions (TSX)
  - The MDS mitigations also mitigate this, but a microcode update is
    needed, plus the associated kernel update
[USN-4183-1] Linux kernel vulnerabilities [07:58]
- 9 CVEs addressed in Eoan
- MCEPSC - https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915
  - trigger an MCE from a guest by changing page size in a particular way
    within the guest -> MCE on host kernel -> DoS
- i915 graphics - userspace can modify PTEs via writes to MMIO from the
  blitter command streamer, or expose kernel memory - privesc
- TAA
- Various other issues:
  - Realtek wifi driver buffer overflow - able to be triggered OTA - crash
    / RCE
  - Buffer overflow in nl80211 config interface (local user) - crash / code exec
  - Jann Horn - shiftfs issues
    - UID/GID confusion when namespace of lower file-system is not
      init_user_ns - DAC bypass
    - type confusion -> buffer overflow
    - reference count underflow -> UAF
    - local user crash / code exec
  - i915 graphics - userspace read on GT MMIO -> hang -> DoS (low power state)
[USN-4184-1] Linux kernel vulnerabilities [11:09]
- 14 CVEs addressed in Bionic (HWE), Disco
- See above, plus:
- Various network-based subsystems failed to enforce CAP_NET_RAW for raw
  socket creation
  - AF_NFC, AF_ISDN, AF_APPLETALK, AF_IEEE802154 (low-rate wireless
    network), AF_AX25
[USN-4185-1, USN-4185-2] Linux kernel vulnerabilities [12:06]
- 11 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
- Realtek wifi buffer overflow, AF_XXX CAP_NET_RAW, NULL pointer
  dereference in Atheros USB wifi driver, Intel hardware issues (2x i915 +
  TAA + MCEPSC)
[USN-4186-1, USN-4186-2] Linux kernel vulnerabilities [12:47]
- 13 CVEs addressed in Trusty ESM (HWE), Xenial
- Binder UAF -> crash, DoS -> code exec (CONFIG_DEBUG_LIST mitigates this;
  looking to add it in future kernels like 20.04)
- Realtek wifi, CAP_NET_RAW, nl80211 config buffer overflow, Intel hardware
  issues
[USN-4187-1] Linux kernel vulnerability [13:48]
- 1 CVE addressed in Trusty ESM
- TAA
[USN-4188-1] Linux kernel vulnerability [13:48]
- 1 CVE addressed in Precise ESM
- TAA
[LSN-0059-1] Linux kernel vulnerability [14:05]
- 4 CVEs addressed in Xenial and Bionic
- Intel hardware issues - CAN’T BE LIVEPATCHED - need to update kernel and reboot
Goings on in Ubuntu Security Community
20.04 Roadmap Sprint [14:55]
Get in contact