Episode 61

Overview

Joe is back to discuss a recent breach against Wawa, plus we detail security updates from the past week including Apache Solr, OpenStack Keystone, Sudo, Django and more.

This week in Ubuntu Security Updates

23 unique CVEs addressed

[USN-4259-1] Apache Solr vulnerability [00:50]

• 1 CVEs addressed in Xenial
  • CVE-2017-12629
• Enterprise search server based on Lucene with XML/HTTP and JSON APIs
• Was vulnerable to an XML External Entity (XXE) attack - XML can include a reference to another XML resource which might then be fetched - this could then be combined with another flaw (use of Config API to obtain access to the RunExecutableListener class) to allow remote code fetched from the remote XML

[USN-4261-1] WebKitGTK+ vulnerabilities [01:44]

• 3 CVEs addressed in Bionic, Eoan
  • CVE-2019-8846
  • CVE-2019-8844
  • CVE-2019-8835
• Various memory management issues which could be triggered via a malicious websites - possible remote code execution as a result

[USN-4262-1] OpenStack Keystone vulnerability [02:13]

• 1 CVEs addressed in Eoan
  • CVE-2019-19687
• Keystone provides identity services (client authentication etc) for OpenStack
• credentials API allowed any user with a role on a project to list all credentials when enforce_scope was false - so could view other users credentials.
• Was introduced in keystone 15 so didn’t affect bionic or older releases - only eoan

[LSN-0062-1] Linux kernel vulnerability [03:01]

• 7 CVEs addressed in Xenial and Bionic
  • CVE-2019-18885
  • CVE-2019-14901
  • CVE-2019-14897
  • CVE-2019-14896
  • CVE-2019-14895
  • CVE-2019-14615
  • CVE-2019-2214
• Heap and stack buffer overflows in Marvell Wifi drivers, Intel GPU info leak on context switch, binder IPC heap buffer overflow

[USN-4263-1] Sudo vulnerability [03:50]

• 1 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2019-18634
• Lots of press around this but most people would not be vulnerable since need to run in an non-default configuration
• When pwfeedback enabled in /etc/sudoers, stack buffer overflow able to be triggered in sudo during password authentication
• Not enabled by default in Ubuntu

[USN-4264-1] Django vulnerability [05:00]

• 1 CVEs addressed in Bionic, Eoan
  • CVE-2020-7471
• Possible SQL injection via the PostgreSQL module if was using the StringAgg instance
• Fixed to sanitize the input before processing it

[USN-4265-1, USN-4265-2] SpamAssassin vulnerabilities [05:29]

• 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2020-1931
  • CVE-2020-1930
• Episode 59 - possible RCE via crafted CF file - 2 more similar vulnerabilities fixed - again upstream advise should only use trusted update channels or 3rd parted .cf files

[USN-4266-1] GraphicsMagick vulnerabilities [06:37]

• 7 CVEs addressed in Xenial
  • CVE-2017-18231
  • CVE-2017-18230
  • CVE-2017-18229
  • CVE-2017-18219
  • CVE-2017-17915
  • CVE-2017-17913
  • CVE-2017-17912
• Episode 55, Episode 57, Episode 59, Episode 60
• NULL ptr dereferences -> crash, DoS
• Large memory allocation -> crash, DoS
• Heap + stack based buffer over-read and over-writes too

Goings on in Ubuntu Security Community

Joe and Alex discuss recent Wawa breach [07:26]

• https://krebsonsecurity.com/2020/01/wawa-breach-may-have-compromised-more-than-30-million-payment-cards/

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter