Overview
It’s CVE bankruptcy! With a deluge of CVEs to cover from the last 2 weeks,
we take a particular look at the ZeroLogon vulnerability in Samba this
week, plus Alex covers the AppArmor 3 release and some recent / upcoming
webinars hosted by the Ubuntu Security team.
This week in Ubuntu Security Updates
121 unique CVEs addressed
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
- “ZeroLogon”
- Would allow an attacker who can already communicate with the domain
controller to reset its password, and so take control of the DC and
obtain the domain admin’s credentials
- A flaw in the NetLogon protocol would allow the attacker to impersonate any
computer in the domain, even the DC itself, and execute calls on that
computer’s behalf
- This flaw was in the cryptographic authentication scheme employed by
the NetLogon protocol
- Samba also implements this protocol, and so contained the same flaw
- In both cases (Windows AD and Samba) there is an option to use a more
secure authentication mechanism; for older Ubuntu releases like Trusty,
Xenial and Bionic the default configuration as specified by upstream
Samba did not enforce the use of this by default
- So the fix is a simple configuration change to enable this by default
- This is done by patching Samba directly (rather than trying to, say, update
everyone’s deployed /etc/samba.conf or similar), which still allows a
local admin to turn this off if they so desire (although this is
definitely not recommended)
- One example of how Ubuntu tries to be secure by default: when known
better security configuration options become available we try to enable
them (whilst weighing up the likelihood of breaking existing installs;
we try very hard not to do this)
- Similarly we have done the same for the various speculative execution
mitigations; almost all default to on, even at the expense of a
performance hit in that case
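The episode describes the Samba fix as a configuration default being flipped, but does not name the setting. The parameter the Samba project documents for this is `server schannel`, which the fixed packages default to `yes` while a local admin can still override it. The following added example (written for these notes, not code from the podcast, Canonical or the Samba project) audits the `[global]` section of an smb.conf for that parameter and classifies the effective state. It assumes smb.conf's INI-style layout and Samba's parameter-name normalisation (case-insensitive, internal whitespace ignored) as described in smb.conf(5); the three sample configurations are constructed for the example, and `include =` directives are not followed.

```python
# Added example: audit smb.conf for the ZeroLogon hardening setting
# ("server schannel").  Not from the podcast or the Samba project.
# Assumptions: smb.conf layout per smb.conf(5) ([section] headers,
# "key = value" lines, comment lines starting with '#' or ';'); Samba
# normalises parameter names by lowercasing and dropping spaces; the
# sample configurations below are constructed for this example.

from typing import Dict

ENFORCED = "enforced"         # server schannel = yes
WEAK = "weak"                 # server schannel = no / auto (pre-fix default)
DEFAULT = "package-default"   # unset: compiled-in default applies, which is
                              # 'yes' only on a package carrying the fix


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] section as {normalised key: value}.

    Later occurrences of a key override earlier ones, as in Samba.  Global
    parameters placed in a share section are ignored here (Samba warns and
    ignores them too), so they cannot accidentally satisfy the check.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        norm_key = "".join(key.split()).lower()   # "Server SChannel" -> "serverschannel"
        params[norm_key] = value.strip()
    return params


def schannel_status(text: str) -> str:
    """Classify the effective 'server schannel' value of an smb.conf text."""
    value = parse_global(text).get("serverschannel")
    if value is None:
        return DEFAULT
    if value.lower() in ("yes", "true", "1"):
        return ENFORCED
    return WEAK   # "no", "auto", or anything unrecognised


# Constructed sample configurations (not real deployments).
HARDENED = """
[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   # Reject NetLogon clients that do not establish a secure channel
   server schannel = yes
"""

WEAKENED = """
[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   ; local override that re-opens the ZeroLogon hole
   Server SChannel = auto
"""

UNSET = """
[global]
   workgroup = EXAMPLE
[homes]
   ; wrong section: a global parameter here is ignored by Samba
   server schannel = no
"""


def audit(name: str, text: str) -> str:
    """Report and return the status for one configuration."""
    status = schannel_status(text)
    print(f"{name}: server schannel is {status}")
    return status


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weakened", WEAKENED), ("unset", UNSET)):
        audit(label, cfg)
```

On a real host, point the checker at the text of `/etc/samba/smb.conf`; a `package-default` result means the system is protected only if the installed Samba is one of the patched builds, so pair it with a check of the package version rather than treating it as a pass.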
[USN-4504-1] OpenSSL vulnerabilities
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4505-1] PHPMailer vulnerability
- 1 CVE addressed in Bionic (18.04 LTS)
[USN-4506-1] MCabber vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4507-1] ncmpc vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4508-1] StoreBackup vulnerability
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4509-1] Perl DBI module vulnerabilities
- 2 CVEs addressed in Trusty ESM (14.04 ESM)
[USN-4511-1] QEMU vulnerability
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4512-1] util-linux vulnerability
- 1 CVE addressed in Bionic (18.04 LTS)
[USN-4513-1] apng2gif vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4514-1] libproxy vulnerability
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4515-1] Pure-FTPd vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4516-1] GnuPG vulnerability
- 1 CVE addressed in Bionic (18.04 LTS)
[USN-4518-1] xawtv vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4519-1] PulseAudio vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4520-1] Exim SpamAssassin vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4521-1] pam_tacplus vulnerability
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4522-1] noVNC vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4523-1] LibOFX vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4524-1] TNEF vulnerabilities
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4525-1] Linux kernel vulnerabilities
- 5 CVEs addressed in Focal (20.04 LTS)
[USN-4526-1] Linux kernel vulnerabilities
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4527-1] Linux kernel vulnerabilities
- 8 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
[USN-4528-1] Ceph vulnerabilities
- 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4529-1] FreeImage vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS)
[USN-4531-1] BusyBox vulnerability
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4530-1] Debian-LAN vulnerabilities
- 1 CVE addressed in Bionic (18.04 LTS)
[USN-4532-1] Netty vulnerabilities
- 3 CVEs addressed in Bionic (18.04 LTS)
[USN-4533-1] LTSP Display Manager vulnerabilities
- 1 CVE addressed in Focal (20.04 LTS)
[USN-4534-1] Perl DBI module vulnerability
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4535-1] RDFLib vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4537-1] Aptdaemon vulnerability
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4538-1] PackageKit vulnerabilities
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-4536-1] SPIP vulnerabilities
- 7 CVEs addressed in Bionic (18.04 LTS)
- 1 CVE addressed in Focal (20.04 LTS)
[USN-4540-1] atftpd vulnerabilities
- 2 CVEs addressed in Bionic (18.04 LTS)
[USN-4542-1] MiniUPnPd vulnerabilities
- 5 CVEs addressed in Xenial (16.04 LTS)
[USN-4543-1] Sanitize vulnerability
- 1 CVE addressed in Focal (20.04 LTS)
[USN-4541-1] Gnuplot vulnerabilities
- 3 CVEs addressed in Xenial (16.04 LTS)
[USN-4545-1] libquicktime vulnerabilities
- 7 CVEs addressed in Xenial (16.04 LTS)
[USN-4546-1] Firefox vulnerabilities
- 6 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
[USN-3968-3] Sudo vulnerabilities
- 2 CVEs addressed in Trusty ESM (14.04 ESM)
[USN-4549-1] ImageMagick vulnerabilities
- 2 CVEs addressed in Focal (20.04 LTS)
[USN-4548-1] libuv vulnerability
- 1 CVE addressed in Focal (20.04 LTS)
[USN-4547-1] iTALC vulnerabilities
- 12 CVEs addressed in Bionic (18.04 LTS)
[USN-4553-1] Teeworlds vulnerability
- 1 CVE addressed in Focal (20.04 LTS)
[USN-4552-1] Pam-python vulnerability
- 1 CVE addressed in Bionic (18.04 LTS)
[USN-4550-1] DPDK vulnerabilities
- 5 CVEs addressed in Focal (20.04 LTS)
[USN-4551-1] Squid vulnerabilities
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
[USN-4554-1] libPGF vulnerability
- 1 CVE addressed in Xenial (16.04 LTS)
[USN-4547-2] SSVNC vulnerabilities
- 5 CVEs addressed in Xenial (16.04 LTS)
[USN-4556-1] netqmail vulnerabilities
- 5 CVEs addressed in Focal (20.04 LTS)
Goings on in Ubuntu Security Community
AppArmor 3.0 Release
Ubuntu Security Related Webinars
FIPS certification and CIS compliance with Ubuntu Webinar
- <2020-10-01 Thu>
- More on the Ubuntu FIPS certification for cryptographic modules in Ubuntu
18.04 LTS and 16.04 LTS and the Ubuntu FIPS public cloud images
- The difference between FIPS certified and FIPS compliant modules
- More on compliance benchmark documentation for Ubuntu CIS compliance
- How to quickly harden Ubuntu systems and easily view which rules your
systems are not compliant with using the CIS automation tooling from
Canonical [demo]
- Presented by Vineetha Kamatha (Security Engineering Manager), Shaun
Murphy (Public Cloud Sr Product Manager) & Lech Sandecki (Product
Manager)
- https://www.brighttalk.com/webcast/6793/432536/fips-certification-and-cis-compliance-with-ubuntu
Best Practices for Securing Open Source Webinar
Get in contact