Overview
This week Joe talks Linux Security Modules stacking with John Johansen and
Steve Beattie plus Alex looks at security updates for snapd, the Linux
kernel and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4199-2] libvpx vulnerabilities [01:05]
- 3 CVEs addressed in Trusty ESM (14.04 ESM)
- VP8/VP9 video code (webm)
- Various OOB read on crafted input
[USN-4424-1] snapd vulnerabilities [01:38]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- James Henstridge from Ubuntu Desktop team
- snapd sandbox for strict mode snaps - within sandbox provides xdg-open
implementation which can forward to the real xdg-open outside the
sandbox - but would use XDG_DATA_DIRS env from the snap when launching
xdg-open outside of the snap - XDG_DATA_DIRS could then contain a
directory which the snap itself controls - allows to launch arbitrary
binaries from the snap outside of confinement
- Fixed to not incorporate XDG_DATA_DIRS from the snap
- cloud-init would run on every boot without restriction - supports the
concept of loading meta-data from an external disk - so a local attacker
with physical access could alter the boot sequence - would be an issue
with FDE since could intercept the disk encryption key etc - fixed via
snapd to disable cloud-init after the first boot since cloud-init is
managed by snapd
- Is only an issue for Ubuntu Core 16/18 devices which employed FDE
- Doesn’t affect UC20
[USN-4425-1] Linux kernel vulnerabilities [06:20]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 kernel (focal / bionic hwe)
- Possible bypass of Secure Boot lockdown protections via loading of ACPI
tables via configs - provides a means of arbitrary memory write - allows
root user to bypass lockdown
- aufs inode reference count issue - BUG() -> DoS
- relay subsystem crash (Episode 81)
[USN-4426-1] Linux kernel vulnerabilities [7:32]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- 4.15 kernel (bionic / xenial hwe)
- ACPI lockdown bypass / aufs inode above
- Second lockdown bypass via loading of ACPI tables via the SSDT EFI
variable similar to above
- DAX (direct access to files in persistent memory arrays) huge pages
support - abuse mremap() to gain root privileges - requires the system to
make use of DAX storage to be able to exploit
[USN-4427-1] Linux kernel vulnerabilities [08:30]
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
- 4.4 kernel (xenial / trusty hwe)
- aufs
- Various means to bypass spectre related mitigations
- SSDT ACPI lockdown bypass
[USN-4429-1] Evolution Data Server vulnerability [09:12]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Very similar to recent mutt & Thunderbird vuln from Episode 81 / Episode
82
- Would read extra data after clear-text “begin TLS” when initiating
STARTTLS - would allow an untrusted attacker who could intercept and
modify traffic to inject arbitrary responses that then get processed
later as though they had come from the trusted, encrypted connection to
the server - fixed in same way as mutt by clearing buffered content when
starting TLS
[USN-4430-1] Pillow vulnerabilities [10:24]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- Python Imaging Library - used for image handling by lots of Python GUIs
- All OOB reads on crafted input -> crash, DoS
Goings on in Ubuntu Security Community
John Johansen and Steve Beattie talk Linux Security Modules with Joe [10:51]
Get in contact