Episode 85

Overview

Dr. Levi Perigo is our special guest this week to discuss SDN and NFV with Joe, plus Alex does the weekly roundup of security updates, including Ghostscript, Squid, Apport, Whoopsie, libvirt and more.

This week in Ubuntu Security Updates

37 unique CVEs addressed

[USN-4444-1] WebKitGTK vulnerabilities [00:48]

• 6 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-9925
  • CVE-2020-9915
  • CVE-2020-9895
  • CVE-2020-9894
  • CVE-2020-9893
  • CVE-2020-9862
• Various issues in web / JS engines - remote attacker with a malicious website could cause XSS, DoS, RCE etc

[USN-4445-1] Ghostscript vulnerability [01:22]

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-15900
• Integer overflow via `rsearch` operator - could allow to override file access controls and hence get code execution as the user who is viewing / processing the PS file - only affects most recent versions

[USN-4446-1] Squid vulnerabilities [02:24]

• 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2019-18676
  • CVE-2019-12524
  • CVE-2019-12523
  • CVE-2019-12520
• Jeriko One & Kristoffer Danielsson - incorrect cache handling -> cache injection attacks. Incorrect URN / URL handling -> bypass access / rule checks. Input validation failure -> crash, DoS

[USN-4298-2] SQLite vulnerabilities [03:07]

• 6 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2019-19926
  • CVE-2019-13751
  • CVE-2019-13753
  • CVE-2019-13752
  • CVE-2019-13750
  • CVE-2019-13734
• Episode 66

[USN-4447-1] libssh vulnerability [03:27]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-16135
• Under low memory conditions, could fail to allocate a buffer, would result in a NULL pointer dereference and hence crash

[USN-4448-1] Tomcat vulnerabilities [04:01]

• 3 CVEs addressed in Xenial (16.04 LTS)
  • CVE-2020-9484
  • CVE-2020-1935
  • CVE-2020-13935
• Infinite loop if sent a WebSocket frame with an invalid payload length -> DoS if then sent multiple requests

[USN-4449-1] Apport vulnerabilities [04:23]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-15702
  • CVE-2020-15701
  • CVE-2020-11936
• 2 from Ryota Shiga:
  • Failed to drop privileges correctly when invoking gdbus to determine if the user is closing their session -> would be invoked with root group privileges and using the environement of the user - they could override the DBUS_SESSION_BUS_ADDRESS environment variable, causing gdbus to connect to a spoofed dbus server and in the process to read a 16-byte nonce from a file of their choosing - allows to read arbitrary files that are 16-bytes of length
  • TOCTOU issue when handling crash dump - if process PID gets recycled apport could include the wrong processes details in a crash dump that is then readable by other users - fixed to check process start time is at least before the time apport itself was invoked
• 1 from Seong-Joong Kim
  • Unhandled exception when parsing users preferences configuration file -> crash, DoS

[USN-4450-1] Whoopsie vulnerabilities [07:24]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-15570
  • CVE-2020-12135
  • CVE-2020-11937
• All 3 from Seong-Joong Kim
  • Crash when trying to process a crafted crash file (tries to allocate too large amount of memory and crashes) -> DoS
  • Integer overflow in vendored bson library when parsing a crafted crash dump -> heap overflow -> crash, RCE
  • Memory leak when parsing crash dumps -> crafted report with many repeated key / value pairs -> OOM, crash -> DoS

[USN-4451-1] ppp vulnerability [09:18]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-15704
• Ubuntu specific patch - pppd is setuid() root and would helpfully modprobe ppp_generic module when needed - but would not clear MODPROBE_OPTIONS environment module and so this could be used to either load other modules or read other files as root etc - fixed by removing this functionality since this has not been needed for a long time as ppp_generic has been built into the kernel since 2012 (ie there is no ppp_generic module to even load via modprobe)

[USN-4452-1] libvirt vulnerability [10:31]

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-15708
• libvirt package sets up the libvirt socket via systemd - systemd unit specifies a SocketMode=0666 so is world writable :( - fixed to ensure systemd unit specifies this as only owner/group writable and ensures the owner is root and group is libvirt

[USN-4432-2] GRUB2 regression [11:10]

• 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-15707
  • CVE-2020-15705
  • CVE-2020-14308
  • CVE-2020-14311
  • CVE-2020-14310
  • CVE-2020-14309
  • CVE-2020-15706
  • CVE-2020-10713
• Legacy BIOS systems - grub core (in MBR) and modules (in file-system) could get out of sync if grub was not being installed onto the correct disk (this was the case for some users with manually configured RAID setups / particular cloud images etc) - fixed to just not do the grub install on the update to ensure they don’t get out of sync (since these vulnerabilities only are relevant to UEFI secure boot, no need for the update in BIOS boot systems).

[USN-4441-2] MySQL regression [12:58]

• Affecting Focal (20.04 LTS)
• Compiler options changed upstream and this could affect other libraries / apps which link against libmysqlclient - reverted this change since is not security relevant anyway

Goings on in Ubuntu Security Community

Joe talks SDN & NFV with Dr. Levi Perigo of the University of Colorado [13:28]

• https://www.colorado.edu/cs/levi-perigo
• https://www.raveninnovation.com/our-team

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter