Episode 99

Overview

This week we look at security updates for Mutt, Thunderbird, Poppler, QEMU, containerd, Linux kernel & more, plus we discuss the 2020 State of the Octoverse Security Report from Github, Launchpad GPG keyserver migration, a new AppArmor release & some open positions on the team.

This week in Ubuntu Security Updates

68 unique CVEs addressed

[USN-4645-1] Mutt vulnerability [00:59]

• 1 CVEs addressed in Precise ESM (12.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-28896
• When connecting to an IMAP server, if the first reponse from the server was invalid, would fail to properly terminate the connection and could continue trying to authenticate and hence send credentials in the clear.

[USN-4646-1] poppler vulnerabilities [01:44]

• 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2020-27778
  • CVE-2019-9959
  • CVE-2019-13283
  • CVE-2019-10871
  • CVE-2018-21009
• Various memory corruption issues, all DoS-able, some RCE?

[USN-4646-2] poppler regression

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2019-10871
  • Some applications linked against poppler would fail - backed out this fix for future

[USN-4647-1] Thunderbird vulnerabilities [02:25]

• 13 CVEs addressed in Groovy (20.10)
  • CVE-2020-26968
  • CVE-2020-26965
  • CVE-2020-26961
  • CVE-2020-26960
  • CVE-2020-26959
  • CVE-2020-26958
  • CVE-2020-26956
  • CVE-2020-26953
  • CVE-2020-26951
  • CVE-2020-26950
  • CVE-2020-16012
  • CVE-2020-15969
  • CVE-2020-15683
• 78.5.0
• Usual web rendering type vulns - denial of service, obtain sensitive information across origins, bypass security restrictions, conduct phishing attacks, conduct cross-site scripting (XSS) attacks, bypass Content Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or execute arbitrary code.

[USN-4648-1] WebKitGTK vulnerabilities [03:21]

• 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-9983
  • CVE-2020-9952
  • CVE-2020-9951
  • CVE-2020-9948
  • CVE-2020-13753
• dejavu with thunderbird above - latest upstream version (2.30.3) and same sorts of vulns - including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

[USN-4649-1] xdg-utils vulnerability [03:54]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-27748
• Could cause files to be attached by not sanitizing mailto:?attach= - particularly relevant to TB - so if a user is not paying attention, could attach say a sensitive local file to the outgoing email

[USN-4382-2] FreeRDP vulnerabilities [05:09]

• 13 CVEs addressed in Bionic (18.04 LTS)
  • CVE-2020-13398
  • CVE-2020-13397
  • CVE-2020-13396
  • CVE-2020-11526
  • CVE-2020-11525
  • CVE-2020-11523
  • CVE-2020-11522
  • CVE-2020-11521
  • CVE-2020-11058
  • CVE-2020-11048
  • CVE-2020-11046
  • CVE-2020-11045
  • CVE-2020-11042
• Episode 78 - covered this for xenial, now for bionic

[USN-4650-1] QEMU vulnerabilities [05:29]

• 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-27617
  • CVE-2020-27616
  • CVE-2020-25723
  • CVE-2020-25625
  • CVE-2020-25624
  • CVE-2020-25085
  • CVE-2020-25084
  • CVE-2020-17380
• Possible host RCE from guest via incorrect handling of SDHCI device emulation but mitigated when using libvirt by AppArmor profile
• Various issues with USB and other device emulation, crash -> DoS

[USN-4651-1] MySQL vulnerabilities [06:14]

• Affecting Focal (20.04 LTS)
• Tom Reynolds (tomreyn in #ubuntu-hardened) reported issue with MySQL on 20.04 had the new MySQLX plugin enabled and listenting on all network interfaces by default -> violates no open ports principle - this update insteads changes the configuration to bind it to localhost only - if you were using it you may now need to change your local configuration to purposefully change this so it is remotely accessible

[USN-4653-1] containerd vulnerability [07:27]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-15257
• containerd-shim API exposed from abstract unix socket to host network containers (in same network namespace) - would validate the effective UID of a connecting process as 0 but did not apply other access controls - so a malicious container in same network namespace with effective UID 0 but otherwise reduced privileges could spawn new processes via containerd-shim with full root privileges
• upstream advise against running containers in the hosts network namespace
• docker.io stops on upgrade of containerd
  • https://discourse.ubuntu.com/t/usn-4653-1-containerd-vulnerability/19607
  • manual restart
  • server team working on a fix for this

[USN-4652-1] SniffIt vulnerability

• 1 CVEs addressed in Xenial (16.04 LTS)
  • CVE-2014-5439

[USN-4654-1] PEAR vulnerabilities

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-28949
  • CVE-2020-28948

[USN-4655-1] Werkzeug vulnerabilities

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2020-28724
  • CVE-2019-14806

[USN-4656-1] X.Org X Server vulnerabilities

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-25712
  • CVE-2020-14360

[USN-4657-1] Linux kernel vulnerabilities [09:11]

• 12 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
  • CVE-2020-4788
  • CVE-2020-28915
  • CVE-2020-25705
  • CVE-2020-25645
  • CVE-2020-25643
  • CVE-2020-25284
  • CVE-2020-25211
  • CVE-2020-14390
  • CVE-2020-14351
  • CVE-2020-12352
  • CVE-2020-10135
  • CVE-2020-0427
• Most interesting is Power 9 processers could end up exposing information via L1 cache -> spectre-like attack could allow this to be read - fix is similar to spectre etc - flush L1 cache when transitioning between privilege boundaries
• Thanks to Daniel Axtens from IBM for doing a lot of the heavy lifting, working with the kernel team to provide backports etc

[USN-4658-1] Linux kernel vulnerabilities

• 11 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • CVE-2020-4788
  • CVE-2020-28915
  • CVE-2020-25705
  • CVE-2020-25645
  • CVE-2020-25643
  • CVE-2020-25284
  • CVE-2020-25211
  • CVE-2020-14390
  • CVE-2020-14351
  • CVE-2020-10135
  • CVE-2020-0423

[USN-4659-1] Linux kernel vulnerabilities

• 7 CVEs addressed in Groovy (20.10)
  • CVE-2020-4788
  • CVE-2020-28915
  • CVE-2020-27152
  • CVE-2020-25705
  • CVE-2020-14351
  • CVE-2020-10135
  • CVE-2020-0423

Goings on in Ubuntu Security Community

GitHub state of open source security report 2020 [10:43]

• https://octoverse.github.com/static/2020-security-report.pdf
• Scanned packages in Composer (PHP), Maven (Java), npm (JS), NuGet (.NET), PyPI and RubyGems
• Found 94% of projects on GitHub relied on open source components - JS packages have a median of nearly 700 transitive dependencies - cf Python with 19
• 17% of advisories sampled related to explicitly malicious behaviour (almost all in npm packages) - but most are just mistakes
• Vulns go undetected for just over 4 years (218 weeks) before disclosure, fixes though then come quick in ~4.4 weeks and then 10 weeks to alert users of the fix
• A line of code written today is just as likely to contain a vulnerability today as 4 years ago - so we are not getting more secure over time

Migrating Launchpad PGP keyservers from SKS to Hockeypuck [15:03]

• https://ubuntu.com/blog/migrating-the-launchpad-keyservers-from-sks-to-hockeypuck

AppArmor 3.0.1 Released [16:27]

• https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1
• cap checkpoint_restore for 5.9 kernels onwards plus bug fixes etc

Hiring [16:52]

AppArmor Security Engineer

• https://canonical.com/careers/2114847

Engineering Director - Ubuntu Security

• https://canonical.com/careers/2439068

Engineering Manager - Ubuntu Security

• https://canonical.com/careers/2439058

Get in contact

• [email protected]
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter