Overview
This week Joe discusses Intel’s CET announcement with John Johansen, plus
Alex details recent security fixes including SQLite, fwupd, NSS, DBus and
more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4394-1] SQLite vulnerabilities [00:56]
- 9 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- NULL ptr deref via crafted query, UAF, OOB read, integer overflow when
printing high precision floating point numbers, various minor issues when
handling crafted databases
[USN-4385-2] Intel Microcode regression [01:43]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Episode 78 - SRBDS etc - microcode is specific to processors, and is
identified by the triplet of CPU Family, Model and Stepping - this is
listed in /proc/cpuinfo - mine says 6, 142, 10 - in hex 06-8E-0A - the
previous microcode update would cause a specific Skylake processor type to
fail to boot (06-4e-03) - we reverted this back to the previous release
version from November 2019
[USN-4395-1] fwupd vulnerability [03:39]
[USN-4315-2] Apport vulnerabilities [06:11]
- 2 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 70
[USN-4396-1] libexif vulnerabilities [06:24]
- 6 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- UAF due to uninitialised memory, various buffer over-reads, integer
overflow, etc
[USN-4397-1] NSS vulnerabilities [07:24]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Possible timing side-channel attack during DSA key generation - due to
the difference in time of various operations (dependent on the contents
of the private key) - the key value could be inferred by an attacker
DBus vulnerability
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- DBus can be used to send file-descriptors - a client sends them to a server
via the dbus daemon - the daemon validates that messages only contain a
certain number of file-descriptors - if there are too many, it rejects the
message BUT fails to close those file-descriptors - eventually the daemon
would accumulate too many open files itself and so would not be able to
accept new connections -> DoS from a local unprivileged user
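The descriptor-accounting bug described above, as an added example that is not from the episode or from dbus-daemon itself: a toy daemon receives SCM_RIGHTS descriptors over a Unix socket in the leaky form beside the corrected one, and a simulation counts what each leaves open. MAX_FDS_PER_MESSAGE and the /proc/self/fd counting are assumptions for this demo (Linux only).

```python
import array
import os
import socket

MAX_FDS_PER_MESSAGE = 4  # constructed limit for the demo; dbus-daemon enforces its own configured maximum
FD_SIZE = array.array("i").itemsize

def send_fds(sock, payload, fds):
    """Client side: attach file descriptors to a message with SCM_RIGHTS."""
    sock.sendmsg([payload], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", fds))])

def recv_fds(sock, maxfds=64):
    """Daemon side: return (payload, fds); every fd returned is now owned by this process."""
    payload, ancdata, _, _ = sock.recvmsg(4096, socket.CMSG_SPACE(maxfds * FD_SIZE))
    fds = array.array("i")
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: len(data) - len(data) % FD_SIZE])
    return payload, list(fds)

def daemon_handle_leaky(sock):
    """Bug pattern from the episode: the count is checked, but the reject path never closes the fds."""
    _payload, fds = recv_fds(sock)
    if len(fds) > MAX_FDS_PER_MESSAGE:
        return "rejected"  # the kernel already installed these fds in the daemon; they stay open
    for fd in fds:
        os.close(fd)  # accept path releases them once processed
    return "accepted"

def daemon_handle_fixed(sock):
    """Same validation, but ownership of the received fds is honoured on every exit path."""
    _payload, fds = recv_fds(sock)
    try:
        return "rejected" if len(fds) > MAX_FDS_PER_MESSAGE else "accepted"
    finally:
        for fd in fds:
            os.close(fd)

def simulate(handler, messages, fds_per_message):
    """Run `messages` client sends through `handler`; return fds left open (Linux /proc, an assumption)."""
    baseline = len(os.listdir("/proc/self/fd"))
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, daemon:
        for _ in range(messages):
            fds = [os.open(os.devnull, os.O_RDONLY) for _ in range(fds_per_message)]
            send_fds(client, b"Hello", fds)
            for fd in fds: os.close(fd)  # the client drops its copies; the daemon now holds its own
            handler(daemon)
    return len(os.listdir("/proc/self/fd")) - baseline
```

Three messages of six descriptors each leave 18 open under the leaky handler and none under the fixed one; an unprivileged local client can repeat this until the daemon hits its open-file limit.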
Goings on in Ubuntu Security Community
Joe discusses Intel CET with John Johansen (aka JJ) [09:28]
- LLVM/Clang
- CET on Windows
- Pre-CET software-based CFI on Windows
- Papers/talks on attacking CET/CFI
- Smashing the Stack for Fun and Profit
- StackClash