Episode 90

Overview

This week we look at security updates for the X server, the Linux kernel and GnuTLS plus we preview the upcoming AppArmor3 release that is slated for Ubuntu 20.10 (Groovy Gorilla).

This week in Ubuntu Security Updates

20 unique CVEs addressed

[USN-4487-1, USN-4487-2] libx11 vulnerabilities [00:58]

• 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-14363
  • CVE-2020-14344
• 2 privilege escalation attacks
  • integer overflow -> double free -> memory corruption
  • integer overflow -> heap buffer overflow
  • privilege escalation may be possible since in both cases could cause arbitrary code exec with a binary that is using libX11 and running with root privileges (setuid / sudo etc) - this is why we often advise don’t run graphical applications via sudo etc

[USN-4488-1, USN-4490-1] X.Org X Server vulnerabilities [02:29]

• 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-14362
  • CVE-2020-14361
  • CVE-2020-14347
  • CVE-2020-14346
  • CVE-2020-14345
• Various memory corruption vulnerabilities all discovered by Jan-Niklas Sohn - on some older releases (xenial and earlier) X server runs as root

[USN-4449-2] Apport vulnerabilities [03:28]

• 3 CVEs addressed in Trusty ESM (14.04 ESM)
  • CVE-2020-15702
  • CVE-2020-15701
  • CVE-2020-11936
• Episode 85

[USN-4474-2] Firefox regressions [03:38]

• 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-15668
  • CVE-2020-6829
  • CVE-2020-12401
  • CVE-2020-12400
  • CVE-2020-15670
  • CVE-2020-15666
  • CVE-2020-15665
  • CVE-2020-15664
• Episode 89
• 80.0.1 - upstream release to fix regressions in 80.0 release -> crashes on GPU resets, WebGL rendering issues, performance issue in processing CA certs &c

[USN-4489-1] Linux kernel vulnerability [04:09]

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-14386
• AF_PACKET (layer 2) socket did not perform bounds checks in some places - requires CAP_NET_RAW or root - BUT can be root in a user namespace and these are enabled by default in Ubuntu and other Linux distros -> can disable by sysctl `kernel.unprivileged_userns_clone=0`

[USN-4491-1] GnuTLS vulnerability [06:01]

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-24659
• Malicious server can trigger a NULL ptr deref in client during TLS 1.3 negotiation - DoS

Goings on in Ubuntu Security Community

AppArmor3 slated for Ubuntu 20.10 [06:32]

• Beta version of AppArmor3 is being prepared for Ubuntu 20.10 Groovy Gorilla - should land in -proposed next week and then main soon after
• Provides ABI feature pinning - so upgrading to kernels with newer additional features will not break existing profiles
• Rewrites of a number of tools into different languages to make their use and packaging easier
• Support for new kernel features such as v8 ABI network socket rules, xattr attachment conditionals, PERFMON and BPF capabilities
• Improved compilar warnings and semantic checks
• Improved support for kernels that support LSM stacking
• Profile modes - enforce (default), kill and unconfined

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter