Episode 69

Overview

This week we cover security updates for a Linux kernel vulnerability disclosed during pwn2own, Timeshift, pam-krb5 and more, plus we have a special guest, Vineetha Kamath, to discuss security certifications for Ubuntu.

This week in Ubuntu Security Updates

10 unique CVEs addressed

[USN-4308-2] Twisted vulnerabilities [00:42]

• 4 CVEs addressed in Trusty ESM
  • CVE-2020-10109
  • CVE-2020-10108
  • CVE-2019-12855
  • CVE-2019-12387
• Episode 68 - 4 of the 7 CVEs described there affect Twisted in 14.04 ESM

[USN-4310-1] WebKitGTK+ vulnerability [01:09]

• 1 CVEs addressed in Bionic, Eoan
  • CVE-2020-10018
• UAF - discovered by CloudFuzz

[USN-4312-1] Timeshift vulnerability [01:49]

• 1 CVEs addressed in Eoan
  • CVE-2020-10174
• Reuses predictably named temporary directory to execute scripts - and runs as root - so a local attacker could replace the script in this predictably named directory with one containing malicious commands, to get code execution as root. Fixed by using a randomly named directory and setting the permissions on it so other users can’t write to it.

[USN-4313-1] Linux kernel vulnerability [02:43]

• 1 CVEs addressed in Bionic, Eoan
  • CVE-2020-8835
• pwn2own - Manfred Paul discovered the BPF verifier in the Linux kernel did not properly calculate register bounds for 32-bit operations - so if allow unprivileged users to load BPF, this could be used to read or write kernel memory. Can then use this to elevate privileges to root.
• https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results

[USN-4311-1] BlueZ vulnerabilities [03:52]

• 2 CVEs addressed in Xenial, Bionic, Eoan
  • CVE-2016-7837
  • CVE-2020-0556
• Didn’t handle bonding of HID and HOGP (HID over GATT - Generic Attribute Profile) devices - local attacker could use this to impersonate non-bonded devices
• Buffer overflow in parse_line function used by some CLI-based userland utils

[USN-4314-1] pam-krb5 vulnerability [04:50]

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
  • CVE-2020-10595
• Single-byte buffer overflow could potentially allow RCE - buffer is provided by underlying kerberos library - attacker can supply input of special length to overflow this and then cause memory corruption - possible heap or stack corruption. Only used in code-paths where Kerberos lib does supplemental prompting, or if running PAM with no_prompt configured.

Goings on in Ubuntu Security Community

Joe and Vineetha discuss security certifications for Ubuntu [06:14]

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter