Overview
After the recent release of Ubuntu 20.04 LTS, we look at security fixes for
OpenJDK, CUPS, the Linux kernel, Samba and more, plus Joe and Alex discuss
robot kits and the Kaiji botnet.
This week in Ubuntu Security Updates
86 unique CVEs addressed
[USN-4337-1] OpenJDK vulnerabilities [01:21]
- 13 CVEs addressed in Xenial, Bionic, Eoan
- openjdk 11.0.7 and 8u252b09-1
- Errors in regex handling and XML handling -> DoS
- Various issues in TLS handshake handling -> bypass certificate
verification or allow compromise of secure connections
- Insecure handling of CRLF in HTTP headers -> info disclosure via
bypassing access controls
- Possible sandbox bypass
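The CRLF item above is the classic header-injection pattern: a CR/LF pair ends a header line, so an untrusted value containing one can smuggle an extra header or terminate the header block. As an added illustration (not code from the podcast or from OpenJDK), here is a small request serialiser that validates every header name and value before it is written to the wire; the function and class names are our own.

```python
from __future__ import annotations

import re

# RFC 7230 "token" characters allowed in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and NUL must never appear inside a field value: a CR/LF pair
# terminates the header line, so a value containing one lets the caller
# inject an additional header (or end the header block early).
_FORBIDDEN_RE = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break the wire format."""


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Return a (name, value) pair that is safe to serialise, or raise."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if _FORBIDDEN_RE.search(value):
        raise HeaderInjectionError(f"control character in value of {name}")
    # Surrounding whitespace is not part of a field value (RFC 7230 3.2.4).
    return name, value.strip(" \t")


def is_header_safe(name: str, value: str) -> bool:
    """Convenience predicate: True when validate_header would accept the pair."""
    try:
        validate_header(name, value)
    except HeaderInjectionError:
        return False
    return True


def build_request(method: str, path: str,
                  headers: list[tuple[str, str]]) -> bytes:
    """Serialise an HTTP/1.1 request head, validating each header first."""
    if _FORBIDDEN_RE.search(method) or _FORBIDDEN_RE.search(path):
        raise HeaderInjectionError("control character in request line")
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        name, value = validate_header(name, value)
        lines.append(f"{name}: {value}")
    # HTTP headers are ASCII; a non-ASCII value raises here rather than
    # being silently re-encoded.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    print(build_request("GET", "/", [("Host", "example.org")]).decode())
    try:
        build_request("GET", "/", [("X-Trace", "1\r\nCookie: injected=1")])
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The important design choice is that validation happens at the point of serialisation, not in the caller: an application that forwards a user-supplied value into a header cannot forget to check it, because the serialiser refuses anything containing CR, LF or NUL.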
[USN-????-?] Regular-expression code generator vulnerability
- 1 CVE addressed in Eoan, Focal
- Used to generate fast C code for parsing regular expressions
- Heap buffer overflow if parsing a very long input due to incorrect length
checks
[USN-4339-1] OpenEXR vulnerabilities [02:59]
- 12 CVEs addressed in Xenial, Bionic, Eoan, Focal
- Last mentioned back in Episode 49 - handles the image format developed by ILM
with a high dynamic range for computer imaging applications - used by
opencv, gimp and others
- Project Zero fuzzing OpenEXR - usual types of issues in large C++ code
base - OOB reads / writes - usual effects -> crashes, info leaks, RCE
[USN-4340-1] CUPS vulnerabilities [04:09]
- 2 CVEs addressed in Xenial, Bionic, Eoan, Focal
- Heap buffer overflow when parsing ppd files - so adding a printer with
a crafted ppd file could crash cupsd or achieve RCE - since cupsd runs as root
this could be RCE as root
- OOB read -> info leak / crash
[USN-????-?] Samba vulnerabilities
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan, Focal
- Stack overflow able to be triggered by an unauthenticated user when Samba
is acting as an AD DC -> crash, code exec?
- UAF in Samba AD DC LDAP server
[USN-4342-1] Linux kernel vulnerabilities [06:02]
- 7 CVEs addressed in Bionic, Eoan
- 5.3 kernel for eoan + bionic hwe
- s390 specific race-condition in page table handling -> local attacker arbitrary
code exec
- race-condition -> UAF in block io tracing -> OOB read -> info leak / crash
- stack buffer overflow in vhost-net driver -> able to be triggered by a
local attacker via ioctl() on /dev/vhost-net
- race-condition -> UAF in tty (virtual terminal) subsystem
- low priority (DoS etc via crafted file-systems)
[USN-4344-1] Linux kernel vulnerabilities [07:58]
- 7 CVEs addressed in Bionic
- 5.0 gke / oem kernel
- Same issues reported earlier
[USN-4343-1] Linux kernel vulnerability [08:13]
- 1 CVE addressed in Focal
- 5.4 kernel
- s390 page-table issue
[USN-4345-1] Linux kernel vulnerabilities [08:25]
- 9 CVEs addressed in Xenial, Bionic
- 4.15 kernel - xenial hwe + bionic
- Same as above plus a few OOB reads when handling invalid USB camera device
descriptors in various drivers - so a local attacker could cause a crash
etc
[USN-4346-1] Linux kernel vulnerabilities [09:00]
- 5 CVEs addressed in Trusty ESM, Xenial
- 4.4 kernel - trusty hwe + xenial
- tty and blk io subsystem race-conditions -> UAFs
[USN-4347-1] WebKitGTK vulnerability [09:26]
- 1 CVE addressed in Bionic, Eoan, Focal
[USN-4348-1] Mailman vulnerabilities [09:47]
- 3 CVEs addressed in Xenial, Bionic
- Possible XSS when viewing list archives since mailman does not track the
mime-type of attachments -> so the HTTP response may lack a MIME type and so the
receiving browser may assume that the content-type is text/html and so
execute contained JavaScript code
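Two things defeat that attack: record each attachment's MIME type when the message is archived, and always send an explicit Content-Type (plus X-Content-Type-Options: nosniff) when serving it back, never letting the browser guess. As an added example that is not Mailman's own code, the block below does both over a constructed multipart message; the record layout, the allowlist of inline-renderable types and the function names are our own assumptions.

```python
from __future__ import annotations

import email
import email.policy
import mimetypes
import os
import re

# Types a browser can show inline without any chance of running script
# (given nosniff). Everything else is forced to download. Assumed allowlist.
_INLINE_SAFE = {"text/plain", "image/png", "image/jpeg", "image/gif",
                "application/pdf"}
# Markup types are never served from an archive under their own type.
_NEVER_RENDER = {"text/html", "application/xhtml+xml", "image/svg+xml"}
_FALLBACK = "application/octet-stream"

# Constructed sample message: a plain-text body plus an HTML file attached
# under a .txt name, the shape that relies on browser sniffing to render.
SAMPLE_MESSAGE = (
    "From: alice@example.org\n"
    "To: list@example.org\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--b1\n"
    'Content-Type: text/html; name="notes.txt"\n'
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "<b>hello</b>\n"
    "--b1--\n"
)


def archive_attachments(raw: str) -> list[dict]:
    """Parse a message and return one record per attachment, keeping the
    declared MIME type alongside the bytes (the part Mailman was missing)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    records = []
    for part in msg.iter_attachments():
        records.append({
            "filename": part.get_filename() or "attachment",
            "content_type": part.get_content_type(),   # e.g. "text/html"
            "data": part.get_payload(decode=True),
        })
    return records


def _safe_filename(filename: str) -> str:
    # Drop any directory component and anything that could break the
    # Content-Disposition header (quotes, CR/LF, non-ASCII).
    base = os.path.basename(filename)
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "attachment"


def attachment_headers(declared_type: str | None, filename: str) -> dict[str, str]:
    """Response headers for serving an archived attachment safely."""
    safe_name = _safe_filename(filename)
    ctype = (declared_type or "").split(";")[0].strip().lower()
    if not ctype:
        # Legacy record with no stored type: guess from the extension only,
        # never from the bytes, and fall back to octet-stream.
        ctype = mimetypes.guess_type(safe_name)[0] or _FALLBACK
    if ctype in _NEVER_RENDER:
        ctype = _FALLBACK
    disposition = "inline" if ctype in _INLINE_SAFE else "attachment"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",   # no guessing even if we are wrong
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }


if __name__ == "__main__":
    for rec in archive_attachments(SAMPLE_MESSAGE):
        print(rec["filename"], rec["content_type"],
              attachment_headers(rec["content_type"], rec["filename"]))
```

Note that the declared type is only used to decide between inline and download: anything that could be interpreted as markup is served as application/octet-stream regardless of what the sender claimed, so an archive entry whose stored type is wrong or absent degrades to a download rather than to script execution.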
[USN-4349-1] EDK II vulnerabilities [10:36]
- 9 CVEs addressed in Xenial, Bionic, Eoan
- UEFI firmware stack for x86-64 virtual machines - huge amount of code with a
large attack surface -> network stack, disk device and file-system
handling, cryptographic signature parsing etc
- Buffer overflow in network stack and block io system
- stack overflow, fail to clear memory containing passwords, memory leaks,
failure to properly check EFI signatures, memory corruption via a double
free etc
[USN-4350-1] MySQL vulnerabilities [12:05]
[USN-4330-2] PHP vulnerabilities [12:46]
[USN-4332-2] File Roller vulnerability [13:05]
[USN-4333-2] Python vulnerabilities [13:06]
Goings on in Ubuntu Security Community
Release of Ubuntu 20.04 LTS (Focal Fossa) [13:16]
- Supported as LTS for 5 years and as ESM for 5 years -> 10 years of
security support
- Kernel changes -> based on upstream 5.4 LTS kernel, includes Lockdown
LSM, Wireguard as built-in to the kernel
- SSH client / server supports hardware based 2 factor auth (like Yubikeys) OOTB
- More stringent TLS default parameters to blacklist insecure ciphers /
key-lengths etc
Joe and Alex discuss Kaiji Botnet targeting Linux IoT devices [16:00]
Get in contact