Episode 89

Overview

This week we farewell Joe McManus plus we look at security updates for Firefox, Chrony, Squid, Django, the Linux kernel and more.

This week in Ubuntu Security Updates

59 unique CVEs addressed

[USN-4473-1] libmysofa vulnerabilities [01:01]

• 5 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2019-16095
  • CVE-2019-16094
  • CVE-2019-16093
  • CVE-2019-16092
  • CVE-2019-16091
• OOB, NULL ptr deref, heap buffer overflow etc -> DoS

[USN-4474-1] Firefox vulnerabilities [01:30]

• 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-15668
  • CVE-2020-6829
  • CVE-2020-12401
  • CVE-2020-12400
  • CVE-2020-15670
  • CVE-2020-15666
  • CVE-2020-15665
  • CVE-2020-15664
• 80.0
• Attacker controlled website -> DoS, install malicious extension, spoof URL bar, leak sensitive info across origins, RCE etc
• NSS side-channel attacks etc
• Race condition when importing a cert into the trust store (unspec impact)

[USN-4446-2] Squid regression [02:31]

• 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2019-18676
  • CVE-2019-12524
  • CVE-2019-12523
  • CVE-2019-12520
• Regression in recent squid update would cause issues if using icap or ecap protocols to do content adaptation

[USN-4475-1] Chrony vulnerability [02:51]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-14367
• pid file is created as root before drops privileges and was susceptible to a symlink attack -> could be used to overwrite arbitrary files on the system

[USN-4476-1] NSS vulnerability [03:45]

• 1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-12403
• OOB read for CHACHA20 decryption with undersized tag

[USN-4477-1] Squid vulnerabilities

• 3 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-24606
  • CVE-2020-15811
  • CVE-2020-15810
• HTTP request smuggling

[USN-4478-1] Python-RSA vulnerability [04:15]

• 1 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2020-13757
• Ignores leading NUL/zero byte in decryption of ciphertext - fixed to check length matches block size

[USN-4479-1] Django vulnerabilities [04:40]

• 2 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-24584
  • CVE-2020-24583
• Incorrect handling of permissions on directories in caches - caused by a behavioural change in python 3.7 - so only affects Python Django when used with python 3.7 and hence say bionic (which uses python 3.6) is not affected

[USN-4480-1] OpenStack Keystone vulnerabilities [05:25]

• 4 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2020-12692
  • CVE-2020-12690
  • CVE-2020-12691
  • CVE-2020-12689
• Incorrect handling of EC2 permissions could allow an authenticated attacker to create EC2 credentials with elevated permissions
• Incorrect handling of OAUTH1 roles could give an authenticated attacker more role assignments than intended
• Incorrect handling of EC2 signature TTL checks could allow reuse of authorisation headers

[USN-4471-2] Net-SNMP regression [05:51]

• 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2020-15862
  • CVE-2020-15861
• Previous update (Episode 87) caused `nsExtendCacheTime` to be not settable as MIB attribute - instead add cacheTime feature flag to set this

[USN-4481-1] FreeRDP vulnerabilities [06:23]

• 10 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-4033
  • CVE-2020-4032
  • CVE-2020-4031
  • CVE-2020-4030
  • CVE-2020-15103
  • CVE-2020-11099
  • CVE-2020-11098
  • CVE-2020-11097
  • CVE-2020-11096
  • CVE-2020-11095
• Various memory corruption and handling issues -> OOB reads / writes, UAF etc -> crash / RCE

[USN-4482-1] Ark vulnerability [06:54]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-24654
• Crafted TAR with symlinks outside of working directory -> overwrite or creation of arbitrary files (zipslip but for tar - tarslip?)

[USN-4483-1] Linux kernel vulnerabilities [07:22]

• 13 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-12656
  • CVE-2020-24394
  • CVE-2020-15393
  • CVE-2020-14356
  • CVE-2020-13974
  • CVE-2020-12771
  • CVE-2020-12655
  • CVE-2020-10781
  • CVE-2020-10768
  • CVE-2020-10767
  • CVE-2020-10766
  • CVE-2020-10757
  • CVE-2019-20810
• 5.4 kernel - focal - raspi / aws / gcp / oracle / azure / gcp etc for bionic
• Memory leak in USB audio and USB testing drivers, DAX mremap, Speculative Store Bypass Disable (SSBD), Indirect Branch Predictor Barrier (IBPB) & Indirect Branch Speculation mitigation bypasses, crafted XFS metadata DoS, cgroupv2 reference count -> NULL ptr deref etc

[USN-4484-1] Linux kernel vulnerability

• 1 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2020-14356
• 5.3 gke/HWE kernel
• cgroupv2 issue

[USN-4485-1] Linux kernel vulnerabilities

• 14 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2020-12656
  • CVE-2020-24394
  • CVE-2020-15393
  • CVE-2020-13974
  • CVE-2020-12771
  • CVE-2020-12655
  • CVE-2020-10781
  • CVE-2020-10768
  • CVE-2020-10767
  • CVE-2020-10766
  • CVE-2020-10732
  • CVE-2019-20810
  • CVE-2019-19947
  • CVE-2018-20669
• 4.15 (bionic / xenial hwe / trusty esm azure)
• Mostly same as above

[USN-4486-1] Linux kernel vulnerability

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
  • CVE-2018-10323
• 4.4 (xenial / trusy esm hwe)
• XFS metadata DoS

Goings on in Ubuntu Security Community

Farewell Joe McManus [09:04]

• Thanks for being the best co-host a bloke could wish for

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter