Overview
In the second to last episode for 2019, we look at security updates for
Samba, Squid, Git, HAProxy and more, plus Alex and Joe discuss Evil Corp
hacker indictments, unsecured AWS S3 buckets and more.
This week in Ubuntu Security Updates
43 unique CVEs addressed
[USN-4212-1] HAProxy vulnerability [00:50]
- 1 CVE addressed in Bionic, Disco, Eoan
- Failed to treat malformed headers as invalid - HTTP/2 allows headers to be
encoded as binary, so they can contain characters that are invalid once
converted to HTTP/1.1 - these should be treated as invalid, otherwise the
invalid headers are forwarded to HTTP/1.1 servers and could be used to launch
attacks against them - so test for and reject invalid chars (CR, LF and NUL)
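The check described above, as an added example (not HAProxy's code): a header field arriving from HTTP/2 is validated for CR, LF and NUL before it is serialised as an HTTP/1.1 "name: value" line, using explicit lengths because strlen() cannot see past an embedded NUL.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not HAProxy's code. An HTTP/2 header field is a byte string,
 * so it can legally carry bytes that become line or field separators once the
 * header is rewritten as an HTTP/1.1 "name: value" line. Reject CR, LF and NUL
 * at the translation boundary instead of forwarding them to the backend. */
static int h1_field_is_clean(const char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == '\r' || p[i] == '\n' || p[i] == '\0')
            return 0;
    return 1;
}

/* Append "name: value\r\n" to out. Returns bytes written, or -1 if the field is
 * rejected or does not fit. Lengths are explicit rather than strlen()-derived:
 * an h2 value may contain NUL, at which strlen() would silently stop. */
int h1_append_header(char *out, size_t cap,
                     const char *name, size_t nlen,
                     const char *value, size_t vlen)
{
    if (!h1_field_is_clean(name, nlen) || !h1_field_is_clean(value, vlen))
        return -1;
    if (nlen + vlen + 4 > cap)
        return -1;
    memcpy(out, name, nlen);
    out[nlen] = ':';
    out[nlen + 1] = ' ';
    memcpy(out + nlen + 2, value, vlen);
    out[nlen + 2 + vlen] = '\r';
    out[nlen + 3 + vlen] = '\n';
    return (int)(nlen + vlen + 4);
}

/* Output buffer for the stand-alone checks. */
char h1_scratch[64];
```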
[USN-4213-1] Squid vulnerabilities [01:37]
- 7 CVEs addressed in Xenial, Bionic, Disco, Eoan
- 2 issues in URN handling (uniform resource name, globally unique
identifier within a particular namespace - e.g. urn:ietf:rfc:2648):
- When handling URN requests Squid makes a corresponding HTTP request, but
the various access control checks that are normally done for HTTP
weren’t done, so it could end up accessing restricted HTTP resources (such
as servers listening on localhost, etc)
- Heap buffer overflow if the response received from a server that is
handling a URN request does not fit within the buffer
- Failure to NUL terminate strings - buffer over-read -> crash in the
cachemgr CGI process - DoS to all clients using the cachemgr
- Able to redirect traffic to origins that should be disallowed, due to use
of the append_domain setting
- HTTP request smuggling (see Episode 52 for the HAProxy case)
- Nonces used for HTTP Digest authentication were generated from the raw byte
value of a pointer returned by a heap memory allocation - this allows attackers
to deduce that pointer value and therefore helps to defeat ASLR
[USN-4214-1] RabbitMQ vulnerability [03:54]
- 1 CVE addressed in Trusty ESM, Disco, Eoan
- Integer overflow if a client sent a frame of size close to UINT32_MAX - the
total size calculated from it could overflow, memory was then allocated
with this overflowed (and hence small) size, resulting in a heap buffer
overflow when the frame was copied into that buffer - so instead just reject
frames larger than INT32_MAX
[USN-4215-1] NSS vulnerability [04:38]
- 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
- NULL pointer dereference -> crash -> DoS when NSS handles Netscape
Certificate Sequences (a type of encoded certificate)
[USN-4216-1] Firefox vulnerabilities [05:07]
- 9 CVEs addressed in Bionic, Disco, Eoan
- Latest upstream firefox release (71.0)
- Includes fix for NSS issue discussed last week plus other sorts of issues:
- UAFs
- Stack memory corruption
- Heap buffer overflows etc
[USN-4217-1] Samba vulnerabilities [05:45]
- 2 CVEs addressed in Xenial, Bionic, Disco, Eoan
- Kerberos delegation can be configured as non-forwardable - but this was
not honored properly by the Samba AD DC - so clients could forward
delegation even when it had been disabled by config
- Able to read invalid memory and so crash the AD DC if a DNS record was
created that matched the name of a DNS zone, due to type confusion
[USN-4218-1] GNU C vulnerability [06:43]
- 1 CVE addressed in Precise ESM, Trusty ESM
- eglibc was used as the standard libc in older Ubuntu releases like
Trusty/Precise etc - posix_memalign integer overflow - posix_memalign
allocates memory of a given size aligned to a given boundary - the overflow
could make it return a smaller area than requested -> heap overflow as a result
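The RabbitMQ frame-size bug above and this posix_memalign bug are the same arithmetic pattern, shown here as an added example (not RabbitMQ's or glibc's code): a wire-supplied or caller-supplied size is added to, or rounded up by, a small constant in fixed-width arithmetic, wraps to a small value, and the allocation that follows is far smaller than the data later copied into it. The 8-byte header overhead is an assumed figure for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not RabbitMQ's or glibc's code. The header overhead below is
 * an assumed constant chosen to make the wraparound visible, not a real value. */
#define FRAME_HEADER_LEN 8u

/* Vulnerable pattern: frame_len comes straight from the wire, and the sum is
 * done in 32 bits, so 0xFFFFFFF8 + 8 wraps to 0 and a tiny buffer is allocated
 * for a frame that is then copied in full (heap buffer overflow). */
uint32_t frame_alloc_size_unchecked(uint32_t frame_len)
{
    return frame_len + FRAME_HEADER_LEN;
}

/* Hardened, mirroring the advisory's fix: refuse any frame above INT32_MAX
 * before doing arithmetic, so the sum can never wrap. Returns 0 on reject. */
uint32_t frame_alloc_size_checked(uint32_t frame_len)
{
    if (frame_len > (uint32_t)INT32_MAX)
        return 0;
    return frame_len + FRAME_HEADER_LEN;
}

/* Same class of bug for aligned allocation: rounding size up to a multiple of
 * align can wrap to a value smaller than size, which is exactly how an aligned
 * allocator ends up handing back less memory than was asked for. Returns 0 on
 * overflow or on an alignment that is not a power of two. */
size_t aligned_alloc_size_checked(size_t size, size_t align)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return 0;
    if (size > SIZE_MAX - (align - 1))   /* size + align - 1 would wrap */
        return 0;
    return (size + align - 1) & ~(align - 1);
}
```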
[USN-4219-1] libssh vulnerability [07:30]
- 1 CVE addressed in Xenial, Bionic, Disco, Eoan
- libssh's ssh_scp_new() function takes a 3rd argument - if this could be
attacker influenced then arbitrary commands could possibly be injected,
which would then be run on the server - so this requires the API to be used
in a particular way - but could then allow users to execute commands on the
server even if they should only have been able to copy files
[USN-4220-1] Git vulnerabilities [08:16]
- 9 CVEs addressed in Xenial, Bionic, Disco, Eoan
- RCE when cloning a malicious repo with a crafted .gitmodules file (used to
specify git submodules for the parent repo)
- Mishandling of CLI arguments during cloning of repos via SSH URLs allowed
possible RCE
- Arbitrary path overwrite during a fast-import due to incorrect handling
of the export-marks option
- WSL relevant issues:
- On Windows would write out filenames that contained backslashes even
though these then act as directory separators on Windows
- Wouldn’t enforce NTFS protections in the working directory
- Didn’t take into account NTFS Alternate Data Streams (a file attribute
specific to NTFS that allows data to be stored for a file alongside the
actual file itself), allowing files inside the .git dir to be overwritten
during clone
- Second attack via NTFS ADS, via name squatting on the git~2 short name
- Didn’t handle Windows virtual drives, which can be named not just as a
single letter like A: but with a full name - git would treat these as
relative paths, allowing writes outside the worktree during a clone
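A checkout-path filter covering the NTFS cases in this advisory, as an added example that is not git's code: it rejects backslashes, anything containing ':' (an ADS stream suffix or a drive/virtual-drive prefix, neither of which is a relative path), a component named .git, and the 8.3-style short name git~N. It goes slightly beyond the advisory by also refusing absolute paths and ".." components.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not git's code: decide whether a path taken from a tree entry
 * or .gitmodules may be written into the worktree on a Windows/NTFS checkout. */

/* A component is the repository metadata directory if it is ".git" in any case,
 * or an NTFS short name of the form "git~N" that may resolve to that directory. */
static bool component_is_git_dir(const char *c, size_t len)
{
    if (len == 4 && strncasecmp(c, ".git", 4) == 0)
        return true;
    if (len >= 5 && strncasecmp(c, "git~", 4) == 0) {
        for (size_t i = 4; i < len; i++)
            if (!isdigit((unsigned char)c[i]))
                return false;
        return true;
    }
    return false;
}

bool checkout_path_is_safe(const char *path)
{
    if (path[0] == '\0' || path[0] == '/')      /* empty or absolute */
        return false;
    if (strchr(path, '\\') != NULL)             /* backslash separates on Windows */
        return false;
    if (strchr(path, ':') != NULL)              /* "file:stream" ADS or "X:" drive */
        return false;
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)                           /* "a//b" or trailing slash */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                       /* escapes the worktree */
        if (component_is_git_dir(p, len))
            return false;
        p = end ? end + 1 : p + len;
    }
    return true;
}
```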
[USN-4202-2] Thunderbird regression [10:15]
- 10 CVEs addressed in Bionic, Eoan
- Upstream regression - the previous update (68.2.1) could result in a new
profile being created for some users, so they would appear to lose settings etc
[USN-4221-1] libpcap vulnerability [10:37]
- 1 CVE addressed in Trusty ESM, Xenial, Bionic, Disco
- Possible buffer overflow when handling PHB headers - there was confusion
upstream about which commit fixes which part, but we have included all the
various commits from upstream - thanks Steve for taking the time to dig into
this issue
Goings on in Ubuntu Security Community
Alex and Joe discuss Evil Corp hackers and unsecured S3 buckets [11:06]
Get in contact