Overview
This week we look at vulnerabilities in MoinMoin, OpenLDAP, Kerberos,
Raptor (including a discussion of CVE workflows and the oss-security
mailing list) and more, whilst in community news we talk about the upcoming
AppArmor webinar, migration of Ubuntu CVE information to ubuntu.com and
reverse engineering of malware by the Canonical Sustaining Engineering
team.
This week in Ubuntu Security Updates
45 unique CVEs addressed
[USN-4629-1] MoinMoin vulnerabilities [00:50]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- RCE via attachment upload - an attachment can be uploaded and is then
cached - a subsequent crafted request can exploit a vulnerability in the
cache handling code to achieve directory traversal and, from there, RCE
[USN-4630-1] Raptor vulnerability [01:40]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- https://www.openwall.com/lists/oss-security/2017/06/07/1
- Old vulnerability, recently rediscovered, which triggered various
discussions on the oss-security mailing list
- Shows the value of a CVE - many distros essentially use these as work
items - if a CVE doesn’t exist, the vulnerability won’t get patched
[USN-4622-2] OpenLDAP vulnerability [03:43]
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
- Episode 96 - NULL ptr deref for a remote unauthenticated user in slapd
- Upstream disputes this as a real CVE - says that only unintended info
disclosure is a security issue (what about RCE?)
[USN-4628-2] Intel Microcode regression [04:29]
- 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Episode 96 - Failed to boot on new Tiger Lake platforms
- We took the decision to remove this MCU once we saw the regression and
had updates out within 24h of the initial release
- Intel have now reverted this themselves upstream in fixup release 20201118
[USN-4171-6] Apport regression [05:40]
- 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- The previous update could possibly be used to crash Apport itself, due to
mishandling of dropping permissions when reading the user’s config file
(note these don’t normally exist unless you manually create one, so in
general this is not an issue) - this update fixes that and introduces some
more hardening measures to ensure permissions are always dropped
correctly, making this more robust overall
[USN-4631-1] libmaxminddb vulnerability [06:50]
- 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
- Heap based buffer overread -> DoS
[USN-4632-1] SLiRP vulnerabilities [07:03]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- 2 different buffer overflows - 1 due to improper use of the return value
from snprintf(), the other due to mishandling of pointer arithmetic -> DoS,
possibly RCE
[USN-4607-2] OpenJDK regressions
- 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
[USN-4633-1] PostgreSQL vulnerabilities [07:42]
- 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- 1 RCE, 1 arbitrary SQL execution (but the attacker needs to be an
authenticated user) and 1 DoS via dropping of a connection
[USN-4634-1] OpenLDAP vulnerabilities [08:03]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- 2 more DoS bugs against OpenLDAP - both assertion failures able to be
triggered by a remote attacker
[USN-4635-1] Kerberos vulnerability [08:29]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- DoS via unbounded recursion when parsing an ASN.1 encoded message - BER
can specify an indefinite length, so this was parsed recursively, but since
no limit was ever placed on the recursion, sufficiently deep nesting could
overrun the stack and trigger an abort.
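As an added illustration of the Kerberos bug above (example code written for these notes, not krb5's own parser): a minimal BER parser that handles indefinite-length constructed elements recursively but enforces an explicit nesting limit, so a message nested thousands of levels deep is rejected cleanly instead of exhausting the stack. MAX_DEPTH, the helper names and the sample messages are assumptions constructed for this example.

```python
MAX_DEPTH = 32  # assumed bound for this example; the real krb5 limit is not stated on the page
class BerError(ValueError):
    """Malformed, truncated or too deeply nested input."""

def parse_ber(data: bytes, max_depth: int = MAX_DEPTH):
    """Parse one BER element into (tag, value); single-byte tags, lengths < 128 only."""
    return _element(data, 0, 0, max_depth)[0]

def _element(data, pos, depth, max_depth):
    # The depth check is the fix: without it each indefinite-length level recurses again.
    if depth > max_depth:
        raise BerError(f"nesting depth {depth} exceeds limit {max_depth}")
    if pos + 2 > len(data):
        raise BerError("truncated: need a tag byte and a length byte")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    constructed = bool(tag & 0x20)
    if first == 0x80:  # indefinite length: children run until end-of-contents 00 00
        if not constructed:
            raise BerError("indefinite length on a primitive element")
        children = []
        while not (pos + 2 <= len(data) and data[pos] == 0 and data[pos + 1] == 0):
            child, pos = _element(data, pos, depth + 1, max_depth)
            children.append(child)
        return (tag, children), pos + 2
    if first & 0x80 or pos + first > len(data):
        raise BerError("long-form length not handled in this example, or truncated contents")
    end = pos + first
    if not constructed:  # primitive: value is the raw content octets
        return (tag, bytes(data[pos:end])), end
    children = []
    while pos < end:  # definite-length constructed: children must fill exactly [pos, end)
        child, pos = _element(data, pos, depth + 1, max_depth)
        children.append(child)
    if pos != end:
        raise BerError("child element overran its parent")
    return (tag, children), end

def nested_indefinite(levels: int) -> bytes:
    body = b"\x02\x01\x05"  # constructed test input: INTEGER 5 ...
    for _ in range(levels):  # ... wrapped in `levels` indefinite-length SEQUENCEs
        body = b"\x30\x80" + body + b"\x00\x00"
    return body

def accepts(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    try:  # True if the message parses, False if the parser rejects it cleanly
        parse_ber(data, max_depth)
        return True
    except BerError:
        return False
```

With the limit in place, a message nested ten thousand levels deep is refused after MAX_DEPTH frames; without the `depth` check the same recursion would continue once per level until the stack ran out.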
[USN-4636-1] LibVNCServer, Vino vulnerability [09:05]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Divide by zero -> DoS
[USN-4637-1] Firefox vulnerabilities [09:18]
- 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
- Update to Firefox 83.0
Goings on in Ubuntu Security Community
Migration of Ubuntu CVE information from people.canonical.com to ubuntu.com [09:37]
- Long time in the making - worked with the design team at Canonical to
design and prototype the display of CVEs in a more human friendly format (for
machine friendly we have OVAL etc)
- ubuntu.com/security/CVE-XXXX-XXXX
- Still includes the CVE description, priority, status per release and other
details - but focuses on the most salient ones rather than the more
engineering style of the old pages
- Redirects in place for old people.canonical.com URLs
Securing Linux Machines with AppArmor Webinar [11:18]
Analysis of the dovecat and hy4 Linux Malware [12:36]
Get in contact