Episode 62

Overview

This week Alex and Joe take an indepth look at the recent Sudo vulnerability CVE-2019-18634 plus we look at security updates for OpenSMTPD, systemd, Mesa, Yubico PIV tool and more. We also look at a recent job opening for a Robotics Security Engineer to join the Ubuntu Security team.

This week in Ubuntu Security Updates

33 unique CVEs addressed

[USN-4263-2] Sudo vulnerability [00:41]

• 1 CVEs addressed in Precise ESM, Trusty ESM
  • CVE-2019-18634
• See Episode 61 and discussion later in episode

[USN-4268-1] OpenSMTPD vulnerability [01:02]

• 1 CVEs addressed in Bionic, Eoan
  • CVE-2020-7247
• Logic bug caused existing sanity checks on MAIL FROM field to be skipped under certain scenarios - so by failing to perform this validation, could allow an attacker to input shell metacharacters to obtain command execution in smtpd (which runs as root) -> remote root command execution.
• Fixed to always perform sanity checks on MAIL FROM

[USN-4269-1] systemd vulnerabilities [02:06]

• 5 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2020-1712
  • CVE-2019-3844
  • CVE-2019-3843
  • CVE-2019-20386
  • CVE-2018-16888
• Heap UAF when handing asynchronous policykit queries and dbus messages - could allow possible root privesc
• Possible sandbox escape through DynamicUser property on services via setuid binaries to gain new privileges or created setgid binaries
• Also DynamicUser services can create setuid/setgid binaries which could then be used to escalate privileges after
  • Both low priority since not many users of DynamicUser services plus requires cooperation between the service and a helper so can’t be directly exploited
• Memory leak in logind when executing udevadm trigger command
• Possible to get systemd to kill the wrong process if can write to it’s PIDFile since the pid specified here is not validated

[USN-4267-1] ARM mbed TLS vulnerabilities [03:26]

• 5 CVEs addressed in Xenial
  • CVE-2018-0498
  • CVE-2018-0497
  • CVE-2018-0488
  • CVE-2018-0487
  • CVE-2017-18187
• lightweight crypto / TLS library
• integer overflow -> heap overflow -> RCE / DoS
• read buffer overflow in handling of certificate chains -> DOS
• 2 different cache side-channel attacks which could allow a remote attacker to recover partial plaintext for CBC modes

[USN-4270-1] Exiv2 vulnerability [04:22]

• 1 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2019-20421
• Infinite loop in JP2 image metadata parser -> CPU DoS

[USN-4271-1] Mesa vulnerability [04:38]

• 1 CVEs addressed in Bionic, Eoan
  • CVE-2019-5068
• Created a shared memory segment with world readable and writable permissions - so any local user could interfere with or access shared memory buffers which are often used for back buffers to improve performance - changed to open as only user readable / writable

[USN-4272-1] Pillow vulnerabilities [05:24]

• 6 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2020-5313
  • CVE-2020-5311
  • CVE-2020-5310
  • CVE-2020-5312
  • CVE-2019-19911
  • CVE-2019-16865
• Python Image Library
• Various errors in handling image formats -> Crash -> DoS, RCE etc

[USN-4273-1] ReportLab vulnerability [05:48]

• 1 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2019-17626
• Python library used for creating PDFs
• RCE via a crafted XML document - would eval() an argument which comes from a document and so would execute arbitrary python code from the document as a result

[USN-4250-2] MariaDB vulnerability [06:21]

• 1 CVEs addressed in Bionic, Eoan
  • CVE-2020-2574
• Episode 60 for MySQL - similar update for MariaDB - unfortunately no details from upstream

[USN-4275-1] Qt vulnerabilities [06:45]

• 4 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2020-0570
  • CVE-2020-0569
  • CVE-2019-18281
  • CVE-2018-19872
• 2 possible code execution bugs where Qt would search for plugins and libraries in incorrect locations, allowing a local attacker to get code execution
• 2 different buffer overflow vulnerabilities in handling PPM images and in text files with many unicode directional characters

[USN-4274-1] libxml2 vulnerabilities [07:20]

• 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2020-7595
  • CVE-2019-19956
• Infinite loop for crafted XML documents -> CPU DoS
• Memory leak

[USN-4276-1] Yubico PIV Tool vulnerabilities [07:41]

• 2 CVEs addressed in Bionic
  • CVE-2018-14780
  • CVE-2018-14779
• Yubico PIV (personal identity verificatiion) smart card driver - can be used with a Yubikey to do authentication
• 2 different buffer overflows able to be triggered by a malicious USB device - could lead to possible code execution

[USN-4277-1] libexif vulnerabilities [08:14]

• 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2019-9278
  • CVE-2017-7544
  • CVE-2016-6328
• Buffer overflow (crash or RCE) and 2 buffer over reads (crash / info disclosure)

Goings on in Ubuntu Security Community

Alex and Joe discuss the recent sudo vulnerability (CVE-2019-18634) [08:46]

• https://threatpost.com/docker-registries-malware-data-theft/152734/

Hiring [22:07]

Robotics Security Engineer

• https://canonical.com/careers/1550997

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter