Episode 1

Posted on Monday, Aug 20, 2018
Another week, another speculative execution vulnerability… and more!

Show Notes

  • Security fixes for 39 CVEs this week including L1TF and FragmentSmack

This week in Ubuntu Security Updates

GDM (USN-3737-1) (CVE-2018-14424)

  • Found by Ubuntu Security Team member Chris Coulson during an audit of the gdm3 source code
  • A local user can exploit this via DBus to crash GDM through a use-after-free (create a transient display, which is automatically cleaned up, then query info for the previously created display)
  • Bionic only so far

libarchive (USN-3736-1)

Samba (USN-3738-1)

libxml2 (USN-3739-1) (USN-3739-2)

L1TF and FragmentSmack vulnerabilities in Linux Kernel (USN-3740-1) (USN-3740-2) (USN-3741-1) (USN-3741-2) (USN-3742-1) (USN-3742-2)

L1TF (CVE-2018-3620) (CVE-2018-3646)

  • Latest speculative execution cache side-channel attack affecting Intel processors
  • Allows contents of the L1 Data Cache to be accessed via speculative execution, which can then be read out through a cache side channel
  • 3 variants (SGX, SMM and VMM) but only 2 affect Ubuntu
  • Processors access virtual addresses, which need to be translated to physical addresses
  • Page Table Entries map from one to the other (each contains the page's metadata, including its physical offset and the present bit)
  • Pages can be swapped in or out of memory (present or not), so if a page is not present a full page table walk is needed to look up the physical address
  • But Intel processors will speculatively use the offset value from the PTE even for non-present pages
  • For non-present pages this value is usually junk, so depending on the PTE value it can essentially be used to speculatively read arbitrary memory from the L1D cache
  • SGX doesn’t affect Ubuntu since not used
  • SMM fixed via ensuring PTEs of not present pages always refer to non-cacheable memory and hence can’t be used for this
  • VMM is trickier
    • VMs maintain their own PTEs so also need to ensure they are doing the right thing
    • OR if running untrusted VMs need to do a full L1D flush on switching from host to VM
  • Made trickier by Hyper-Threading, since sibling hyper-threads share the L1D cache
  • So if different trust domains run on sibling hyper-threads, HT may have to be disabled in certain circumstances
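The PTE bullets above (present bit, offset bits forwarded speculatively, and the fix of making non-present PTEs point at non-cacheable memory) and the HT bullets (whether SMT is still a risk for VMs) are easier to follow with a toy model. The following is an added illustration, not code from the show or from the Linux kernel; the PTE bit layout, the 4 GiB RAM size and the sysfs sample strings are simplified assumptions, and the "inversion" here only captures the idea that flipping the address bits sends the speculative lookup far above populated memory.

```python
# Toy model of x86-64 page-table entries (PTEs) and the "PTE inversion" idea
# used to mitigate the OS variant of L1TF. Bit layout and RAM size are
# simplified assumptions for illustration, not the kernel's real encoding.
PAGE_SHIFT = 12
PTE_PRESENT = 1 << 0
PFN_MASK = ((1 << 52) - 1) & ~((1 << PAGE_SHIFT) - 1)  # address bits 12..51
RAM_FRAMES = (4 << 30) >> PAGE_SHIFT  # assume 4 GiB of populated, cacheable RAM


def present_pte(pfn):
    """A normal mapping: present bit set, physical frame number in the address bits."""
    return PTE_PRESENT | (pfn << PAGE_SHIFT)


def swap_pte_naive(swap_slot):
    """Non-present PTE that simply stores the swap slot in the address bits.
    To an L1TF-affected core those bits look like a real physical frame."""
    return swap_slot << PAGE_SHIFT


def swap_pte_inverted(swap_slot):
    """Non-present PTE with the address bits inverted, so the frame the hardware
    would forward speculatively lies far above populated (cacheable) RAM."""
    return (swap_slot << PAGE_SHIFT) ^ PFN_MASK


def swap_slot_from_inverted(pte):
    """The kernel undoes the inversion when it actually handles the page fault."""
    return ((pte ^ PFN_MASK) & PFN_MASK) >> PAGE_SHIFT


def forwarded_frame(pte):
    """On an L1TF-affected core the address bits are used even when present == 0."""
    return (pte & PFN_MASK) >> PAGE_SHIFT


def pte_exposes_l1d(pte):
    """True if a non-present PTE points at a frame that could be sitting in L1D."""
    return not (pte & PTE_PRESENT) and forwarded_frame(pte) < RAM_FRAMES


def l1tf_smt_vulnerable(sysfs_text):
    """Given the text of /sys/devices/system/cpu/vulnerabilities/l1tf, report
    whether the kernel still flags sibling hyper-threads as a risk for VMs."""
    return "SMT vulnerable" in sysfs_text


if __name__ == "__main__":
    slot = 5
    print("naive swap PTE leaks L1D:   ", pte_exposes_l1d(swap_pte_naive(slot)))
    print("inverted swap PTE leaks L1D:", pte_exposes_l1d(swap_pte_inverted(slot)))
    print("slot round-trips:", swap_slot_from_inverted(swap_pte_inverted(slot)) == slot)
    # Constructed sample of the sysfs status line, not captured from a real host.
    sample = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
    print("host needs SMT decision for untrusted VMs:", l1tf_smt_vulnerable(sample))
```

On a real Ubuntu host the last check is just `cat /sys/devices/system/cpu/vulnerabilities/l1tf`; the "SMT vulnerable" wording is what tells you the sibling-thread concern from the bullets above still applies if you run untrusted guests.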

FragmentSmack (CVE-2018-5391)

  • Last week was SegmentSmack in TCP fragment reassembly, this week is FragmentSmack
  • Similar but for IP fragmentation reassembly
    • Exploiting high algorithmic complexity of IP fragment reassembly code paths to cause DoS
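To make the "algorithmic complexity" point concrete, here is an added toy reassembler showing the defensive shape that keeps the per-datagram cost bounded: sorted insertion via bisect instead of a linear scan, a hard cap on fragments per datagram, and dropping the whole datagram on any overlap. It is an illustration only, not the kernel's code; the 64-fragment cap is an assumed number and offsets are plain byte offsets rather than the 8-byte units IP actually uses.

```python
import bisect

MAX_FRAGS_PER_DATAGRAM = 64   # assumed cap for illustration
MAX_DATAGRAM_LEN = 65535


class FragmentQueue:
    """Reassembly state for one datagram (one src/dst/id tuple)."""

    def __init__(self):
        self.offsets = []      # sorted fragment start offsets
        self.frags = {}        # offset -> payload bytes
        self.total_len = None  # known once the last fragment (MF == 0) arrives
        self.dropped = False

    def _drop(self):
        self.dropped = True
        return False

    def add(self, offset, data, more_fragments):
        """Insert one fragment; returns False if it was rejected."""
        if self.dropped or not data:
            return False
        if len(self.frags) >= MAX_FRAGS_PER_DATAGRAM:
            return self._drop()          # bound the work an attacker can force
        end = offset + len(data)
        if end > MAX_DATAGRAM_LEN:
            return self._drop()
        i = bisect.bisect_left(self.offsets, offset)   # O(log n) placement
        if i > 0:
            prev_off = self.offsets[i - 1]
            if prev_off + len(self.frags[prev_off]) > offset:
                return self._drop()      # overlaps the fragment before it
        if i < len(self.offsets) and end > self.offsets[i]:
            return self._drop()          # overlaps (or duplicates) the next one
        if not more_fragments:
            if self.total_len is not None:
                return self._drop()      # two "last" fragments
            self.total_len = end
        self.offsets.insert(i, offset)
        self.frags[offset] = data
        return True

    def complete(self):
        """Return the datagram if every byte is covered, else None."""
        if self.dropped or self.total_len is None:
            return None
        pos = 0
        for off in self.offsets:
            if off != pos:
                return None              # hole
            pos += len(self.frags[off])
        if pos != self.total_len:
            return None
        return b"".join(self.frags[o] for o in self.offsets)


def reassemble(fragments):
    """fragments: iterable of (offset, payload, more_fragments) tuples."""
    q = FragmentQueue()
    for off, data, mf in fragments:
        q.add(off, data, mf)
    return q.complete()


if __name__ == "__main__":
    # Constructed sample fragments, not captured traffic.
    print(reassemble([(3, b"de", False), (0, b"abc", True)]))   # out of order is fine
    print(reassemble([(0, b"abcd", True), (2, b"xx", False)]))  # overlap -> None
    print(reassemble([(i, b"x", True) for i in range(65)]))     # flood past cap -> None
```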

GnuPG (USN-3733-2) (CVE-2017-7526)

  • Last week GnuPG was fixed for Xenial and Trusty for an RSA cache side-channel issue
  • This is the corresponding fix for Precise ESM

WebKitGTK+ vulnerabilities (USN-3743-1)

PostgreSQL (USN-3744-1) (CVE-2018-10915) (CVE-2018-10925)

  • 2 CVEs fixed in popular relational database across Bionic, Xenial and Trusty

procps-ng (USN-3658-3)

Linux kernel livepatch (LSN-0042-1)

  • No Livepatch is possible for L1TF, so an LSN was issued advising users to update and reboot

Goings on in Ubuntu Security Community

Ubuntu Security Manager

Ubuntu Security Engineer

Get in contact

Special thanks

  • Thanks to Emily Ratliff - a great manager of the team (and a good friend too)
  • We will miss you :)