Episode 1
Posted on Monday, Aug 20, 2018
Another week, another speculative execution vulnerablity… and more!
Show Notes
Overview
- Security fixes for 39 CVEs this week including L1TF and FragmentSmack
This week in Ubuntu Security Updates
GDM (USN-3737-1) (CVE-2018-14424)
- Found by Ubuntu Security Team member Chris Coulson during audit of gdm3 source code
- Local user can exploit via DBus to crash GDM via use-after-free (create a transient display which is automatically cleaned up, then try to query info for the previously created display)
- Bionic only so far
libarchive (USN-3736-1)
- 6 CVEs addressed across Bionic, Xenial and Trusty
- All local crashes / DoS / unspecified impact via specially crafted archives in various formats
Samba (USN-3738-1)
- 4 CVEs addressed across Bionic, Xenial and Trusty
- Includes vulnerabilities in both the samba client and server
- Likely to affect most Ubuntu users
libxml2 (USN-3739-1) (USN-3739-2)
- XML parsing library used across lots of different software packages
- 5 CVEs fixed across releases for Bionic, Xenial and Trusty
- 2 CVEs fixed for Precise ESM
- CVE-2016-9318
- CVE-2017-16932
- CVE-2017-18258
- CVE-2018-14404
- CVE-2018-14567
- Includes information disclosure and DoS
L1TF and FragmentSmack vulnerabilities in Linux Kernel (USN-3740-1) (USN-3740-2) (USN-3741-1) (USN-3741-2) (USN-3742-1) (USN-3742-2)
L1TF (CVE-2018-3620) (CVE-2018-3646)
- Latest speculative execution cache side channel attack affecting Intel processors
- Allows to access contents from L1 Data Cache via speculative execution, can then be read by cache side channel
- 3 variants, SGX, SMM and VMM but only 2 affect Ubuntu
- Processors access virtual addresses which need to be translated to physical addresses
- Page Table Entries map from one to the other (contains metadata of page including offset and present bit)
- Pages can be swapped in our out of memory (Present or not) - so if not present then need to do a full page table walk to look up physical address
- But Intel processor will use offset value from PTE even on non-present pages speculatively
- For non-present pages, this value is usually junk so can essentially speculatively read arbitrary memory from L1D cache depending on PTE value
- SGX doesn’t affect Ubuntu since not used
- SMM fixed via ensuring PTEs of not present pages always refer to non-cacheable memory and hence can’t be used for this
- VMM is trickier
- VMs maintain their own PTEs so also need to ensure they are doing the right thing
- OR if running untrusted VMs need to do a full L1D flush on switching from host to VM
- Made more trickier by Hyper Threading since sibling hyper-threads share the L1D cache
- So if have different trust domains on sibling hyper-threads may have to disable HT in certain circumstances
FragmentSmack (CVE-2018-5391)
- Last week was SegmentSmack in TCP fragment reassembly, this week is FragmentSmack
- Similar but for IP fragmentation reassembly
- Exploiting high algorithmic complexity of IP fragment reassembly code paths to cause DoS
GnuPG (USN-3733-2) (CVE-2017-7526)
- Last week GnuPG was fixed for Xenial and Trusty for RSA cache side-channel issue
- This is corresponding fix for Precise ESM
WebKitGTK+ vulnerabilities (USN-3743-1)
- 14 CVEs fixed in web content renderer used in many desktop apps
- Fixes for Bionic and Xenial
PostgreSQL (USN-3744-1) (CVE-2018-10915) (CVE-2018-10925)
- 2 CVEs fixed in popular relational database across Bionic, Xenial and Trusty
procps-ng (USN-3658-3)
- 3 CVEs fixed in Precise ESM procps-ng package
Linux kernel livepatch (LSN-0042-1)
- No Livepatch possible for L1TF so a LSN to advise to do an update and reboot
Goings on in Ubuntu Security Community
Hiring
Ubuntu Security Manger
Ubuntu Security Engineer
Get in contact
Special thanks
- Thanks to Emily Ratliff - a great manager of the team (and a good friend too)
- We will miss you :)