Episode 82

Overview

With Ubuntu 19.10 going EOL, we have a special interview by Joe with Chris Coulson and Steve Beattie from the Ubuntu Security Team to talk TPMs and Ubuntu Core 20, plus Alex looks at some of the 71 CVEs addressed by the team and more.

This week in Ubuntu Security Updates

71 unique CVEs addressed

[USN-4407-1] LibVNCServer vulnerabilities [01:02]

• 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2017-18922
  • CVE-2019-20788
  • CVE-2019-15690
  • CVE-2019-15681
  • CVE-2019-15680
• Used by gnome-remote-desktop, virtualbox and others
• Provides both a server and client libraries
  • So some issues affect clients when connecting to a malicious server, others could be from a malicious client to the server
• Issues when handling WebSocket frames, cursor shape updates, ServerCutText messages and decompression of zlib compressed data - crash -> DoS, info leak, RCE etc

[USN-4408-1] Firefox vulnerabilities [01:57]

• 11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-12421
  • CVE-2020-12426
  • CVE-2020-12425
  • CVE-2020-12424
  • CVE-2020-12422
  • CVE-2020-12420
  • CVE-2020-12419
  • CVE-2020-12418
  • CVE-2020-12417
  • CVE-2020-12416
  • CVE-2020-12415
• 78.0.1
• Would reject certificate chains for addons which did not terminate in a built-in root certificate - could cause some add-ons to become outdated as it would reject updates for them
• Usual web browser issues -> crafted website DoS, info leak, bypass permission prompts or RCE

[USN-4409-1] Samba vulnerabilities [03:00]

• 3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-10760
  • CVE-2020-10745
  • CVE-2020-10730
• 2 separate issues when handling LDAP queries -> both UAF -> crash -> DoS or RCE
• CPU based DoS when processing NetBIOS over TCP/IP

[USN-4410-1] Net-SNMP vulnerability [03:44]

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2019-20892
• Double free -> heap memory corruption -> crash / RCE

[USN-4411-1] Linux kernel vulnerabilities [04:02]

• 5 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-12768
  • CVE-2020-13143
  • CVE-2020-12770
  • CVE-2020-10711
  • CVE-2020-10732
• 5.4 kernel
• Various low impact issues - info leak due to failure to initialise memory when handling ELF code, SELinux network label handling NULL ptr deref, SCSI driver OOB read, USB gadget OOB read via configfs etc

[USN-4412-1] Linux kernel vulnerabilities [04:57]

• 5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10)
  • CVE-2020-12768
  • CVE-2020-10751
  • CVE-2020-13143
  • CVE-2020-12770
  • CVE-2020-10711
• 5.3 kernel (bionic HWE)
• Most of above plus an SELinux failure to validate all parts of a multi-part netlink message - could then possibly bypass SELinux access controls - SELinux is not the default LSM in Ubuntu - AppArmor

[USN-4413-1] Linux kernel vulnerabilities [05:58]

• 5 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2020-12768
  • CVE-2020-10751
  • CVE-2020-13143
  • CVE-2020-12770
  • CVE-2020-10711
• 5.0 kernel (gke/oem)

[USN-4414-1] Linux kernel vulnerabilities [06:10]

• 12 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2019-19039
  • CVE-2019-12380
  • CVE-2020-13143
  • CVE-2020-12770
  • CVE-2020-10711
  • CVE-2019-19462
  • CVE-2019-19377
  • CVE-2019-19816
  • CVE-2019-19813
  • CVE-2019-19318
  • CVE-2019-19036
  • CVE-2019-16089
• 4.15 kernel (bionic / xenial hwe)
• Some of above, plus others and a kernel->user space relay bug where local user could trigger a crash -> DoS via improper return values to the kernel

[USN-4419-1] Linux kernel vulnerabilities [06:49]

• 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
  • CVE-2020-8992
  • CVE-2020-13143
  • CVE-2020-12770
  • CVE-2020-10711
  • CVE-2020-10690
• 4.4 kernel (xenial / trusty hwe)
• ptp race condition during device allocation and removal due to a dangling pointer to free’d memory

[USN-4415-1] coTURN vulnerabilities [07:33]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-6062
  • CVE-2020-6061
  • CVE-2020-4067
• TURN / STUN server used to traverse VoIP media traffic over NAT with a telnet / HTTPS management interface
• Info leak due to failure to zero memory used for response buffers
• Improper handling of HTTP POST requests to the web interface -> DoS / info-leak etc

[USN-4416-1] GNU C Library vulnerabilities [08:04]

• 11 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10)
  • CVE-2020-1752
  • CVE-2020-1751
  • CVE-2020-10029
  • CVE-2019-9169
  • CVE-2019-19126
  • CVE-2018-6485
  • CVE-2018-19591
  • CVE-2018-11237
  • CVE-2018-11236
  • CVE-2017-18269
  • CVE-2017-12133
• Failure to handle regex/s, bit patters, path tilde expansion, hostname lookups, memalign & AVX-512 optimised memcpy() etc -> memory corruption -> crash / RCE
• Possible ASLR bypass for setuid() programs since would not respect the LD_PREFER_MAP_32BIT_EXEC environment variable after security transition and so a local attcker could use this to restrict the range of memory addresses used when loading libraries

[USN-4417-1, USN-4417-2] NSS vulnerability [09:38]

• 1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-12402
• Possible RSA side-channel due to input-dependent code flow - would allow possible RSA private key extraction via electromagnetic-based side-channel measurements

[USN-4418-1] OpenEXR vulnerabilities [10:06]

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-15306
  • CVE-2020-15305
• Heap buffer overflow and UAF

[USN-4420-1] Cinder and os-brick vulnerability [10:13]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-10755
• Possible exposure of credentials when using the Dell EMC ScaleIO or VxFlex OS backend storage drivers - credentials would be accessible via the connection_info element in various API calls - instead credentials get moved to a file on disk so may require some changes on various deployed environments as a result

[USN-4421-1] Thunderbird vulnerabilities [10:52]

• 10 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-12421
  • CVE-2020-12399
  • CVE-2020-12398
  • CVE-2020-12420
  • CVE-2020-12419
  • CVE-2020-12418
  • CVE-2020-12417
  • CVE-2020-12410
  • CVE-2020-12406
  • CVE-2020-12405
• 68.10.0
• Most firefox issues mentioned earlier, plus a specific TB one where if an attacker could potentially intercept and modify traffic across a STARTTLS IMAP server by responding with a PREAUTH.

[USN-4376-2] OpenSSL vulnerabilities [11:33]

• 3 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
  • CVE-2019-1563
  • CVE-2019-1559
  • CVE-2019-1547
• Episode 77

[USN-4422-1] WebKitGTK+ vulnerabilities [11:40]

• 8 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • CVE-2020-9850
  • CVE-2020-9843
  • CVE-2020-9807
  • CVE-2020-9806
  • CVE-2020-9805
  • CVE-2020-9803
  • CVE-2020-9802
  • CVE-2020-13753

[USN-4423-1] Firefox vulnerability [11:52]

• Affecting Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
• 78.0.2
• Possible click-jacking attack via crafted X-Frame-Options bypass when visiting a specially crafted website (no CVE..)

Goings on in Ubuntu Security Community

Joe talks TPMs and Ubuntu Core 20 with Chris Coulson and Steve Beattie [12:30]

• https://forum.snapcraft.io/t/uc20-beta1-released/18631

Ubuntu 19.10 Eoan Ermine goes end-of-life [23:12]

• https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-July/005494.html

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter