Episode 95

Overview

This week we look at vulnerabilities in Samba, GDM, AccountsService, GOsa and more, plus we cover some AppArmor related Ubuntu Security community updates as well.

This week in Ubuntu Security Updates

26 unique CVEs addressed

[USN-4552-3] Pam-python regression [00:40]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2019-16729
• Original update (Episode 92 - bionic), (Episode 94 - xenial) caused was too restrictive and would disallow PAM modules written in python from importing python modules from site-specific directories

[USN-4609-1] GOsa vulnerabilities [01:18]

• 3 CVEs addressed in Xenial (16.04 LTS)
  • CVE-2018-1000528
  • CVE-2019-11187
  • CVE-2019-14466
• PHP based LDAP user admin frontend
• XSS attacks via the change password form
• Could login to any account with a username containing “success” with any arbitrary password
• Cookie mishandling allowed an authenticated user to delete files on the web server in the context of the user account running the web server

[USN-4610-1] fastd vulnerability [02:11]

• 1 CVEs addressed in Focal (20.04 LTS)
  • CVE-2020-27638
• Fast & secure tunnelling daemon
• Failed to free rx buffers in certain circumstances - memory leak -> DoS

[USN-4611-1] Samba vulnerabilities [02:29]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-14383
  • CVE-2020-14323
  • CVE-2020-14318
• 2 different DoS issues - remote attacker could cause DNS server to crash by supplying invalid DNS records, or could cause winbind to crash via crafted winbind requests
• Failed to check permissions on ChangeNotify - so an attacker could subscribe to get notifications on files they did not have permission to read - and so leaks file info

[USN-4605-2] Blueman update [03:22]

• 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-15238
• Episode 94 - this includes additional fix so that on focal and groovy policykit is used to authenticate privileged actions

[USN-4614-1] GDM vulnerability [03:55]

• 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-16125
• Kevin Backhouse - discovered 3 vulnerabilities - one in GDM, 2 in AccountsService
• GDM incorrectly launched the initial setup tool if it could not reach the accountsservice daemon
• If could cause accountsservice to be unresponsive, could get GDM to luanch initial setup tool which then allows a local user to create a privileged users account
• But requires accountsservice to be unresponsive…

[USN-4616-1] AccountsService vulnerabilities [05:00]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2018-14036
  • CVE-2020-16127
  • CVE-2020-16126
• Drops privileges for certain operations but does so where a local unprivileged user can send it SIGSTOP signal - is now unresponsive - so could allow the GDM attack above - or could cause it to crash (send SIGSEGV etc)
• Also would exhaust all memory when reading .pam_environment if it was really large (ie symlink to /dev/zero) - again could cause it to hang / crash -> DoS

[USN-4613-1] python-cryptography vulnerability [06:34]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-25659
• Bleichenbacher timing oracle attack (form of an adaptive chosen-ciphertext attack) against RSA decryption could allow a remote attacker to infer the private key
• https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25

[USN-4615-1] Yerase’s TNEF vulnerabilities [07:23]

• 12 CVEs addressed in Xenial (16.04 LTS)
  • CVE-2017-6802
  • CVE-2017-6801
  • CVE-2017-6800
  • CVE-2017-6306
  • CVE-2017-6305
  • CVE-2017-6304
  • CVE-2017-6303
  • CVE-2017-6302
  • CVE-2017-6301
  • CVE-2017-6300
  • CVE-2017-6299
  • CVE-2017-6298
• libtynef - TNEF stream reader library (proprietary format used by MS Outlook / Exchange Server for email attachments)
• Lots of issues - NULL ptr deref, infinite loop, buffer overflows, OOB reads, directory traversal issues and more :) -> crash / DoS / RCE

Goings on in Ubuntu Security Community

AppArmor 3.0.1 being prepared [08:22]

• Includes fixes for various application profiles as well as a fix to stop aa-notify from exiting after 100s of no activity

Securing Linux Machines with AppArmor Webinar [08:57]

• https://www.brighttalk.com/webcast/6793/440491
• Currently scheduled for Mon 16th Nov at 16:00 UTC
• Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper
• Will cover:
  • Why a ‘defence in depth’ strategy should be employed to mitigate the potential damage caused by a breach
  • An explanation of AppArmor, its key features and why the principle of least privilege is recommended
  • The use of AppArmor in Ubuntu and snaps

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter