Episode 119

Posted on Friday, Jun 11, 2021
This week we cover security updates for the Linux kernel, PolicyKit, Intel Microcode and more, plus we look at a report of an apparent malicious snap in the Snap Store and some of the mechanics behind snap confinement.

Show Notes

This week in Ubuntu Security Updates

42 unique CVEs addressed

[USN-4979-1] Linux kernel vulnerabilities [01:04]

[USN-4982-1] Linux kernel vulnerabilities [02:23]

[USN-4984-1] Linux kernel vulnerabilities [02:39]

[USN-4977-1] Linux kernel vulnerabilities

  • 6 CVEs addressed in Hirsute (21.04)
  • 5.11 based kernel
  • OOB write in KVM VMX implementation (crash -> DoS, RCE)
  • eBPF Spectre side-channel attack - info leak
  • NFC LLCP (logical link control protocol) - allows a single connection between two NFC devices to be multiplexed
    • infinite loop on error condition -> DoS
    • memory leak
    • reference count mishandling -> crash -> DoS

[USN-4983-1] Linux kernel (OEM) vulnerabilities [03:32]

  • 4 CVEs addressed in Focal (20.04 LTS)
  • 5.10 based kernel
  • OOB write in KVM VMX implementation (crash -> DoS, RCE)
  • eBPF Spectre side-channel attacks - verifier fails to stop loading of eBPF programs which could cause speculative loads -> info leak
  • eBPF pointer limit error - OOB read/write - crash / RCE

[USN-4978-1] Firefox vulnerabilities [03:40]

  • 5 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • 89.0 upstream release
    • not only the new visual UI but also an enhanced private browsing mode via “Total Cookie Protection” - confines cookies to the site where they were created to avoid tracking across sites - plus a bunch of security fixes including
      • cached the last filename of a printed file even in private browsing mode - would then surface this next time you choose to print a file
      • Various memory safety issues - RCE / crash etc

[USN-4980-1] polkit vulnerability [04:43]

  • 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Daemons often use policykit to ask whether a user’s application is permitted to perform an action - to do this, they send the DBus name of the process to polkit and it looks up the resulting uid/pid via an internal function polkit_system_bus_name_get_creds_sync() - logic error within policykit during this lookup: if the process in question were to disconnect from DBus at the right time, policykit would return an error but also a boolean TRUE value indicating success (whether this mattered depended on how the daemon interpreted this value together with the associated error). This could then allow an application which was not privileged to be able to perform more privileged actions. Fixed to actually return FALSE in this case and avoid any potential confusion.
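The success/error mismatch described above, as an added illustration in C (not polkit's code: the lookup functions, the Error type and the uid values are constructed stand-ins for polkit_system_bus_name_get_creds_sync() and GError), showing why a caller should refuse when either the return value or the error object reports failure:

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for a GLib-style error object (assumption: not polkit's real type). */
typedef struct { int code; } Error;
typedef bool (*lookup_fn)(bool peer_connected, unsigned *uid, Error *err);

/* Simulated credentials lookup: peer_connected models whether the D-Bus peer is
 * still on the bus when the lookup runs, uid is the out-parameter. */
static bool lookup_creds_buggy(bool peer_connected, unsigned *uid, Error *err) {
    if (!peer_connected) {
        err->code = 1;        /* "peer disconnected" error is recorded... */
        return true;          /* BUG: ...yet the call still reports success */
    }
    *uid = 1000;              /* constructed uid for the connected case */
    return true;
}

static bool lookup_creds_fixed(bool peer_connected, unsigned *uid, Error *err) {
    if (!peer_connected) {
        err->code = 1;
        return false;         /* FIX: return value and error object now agree */
    }
    *uid = 1000;
    return true;
}

/* Daemon that trusts the boolean alone and returns the uid it would authorise (-1 = refused).
 * The out-parameter starts at 0 here, so TRUE-with-error makes it act on uid 0 (root). */
static long authorise_uid_bool_only(lookup_fn lookup, bool peer_connected) {
    unsigned uid = 0; Error err = {0};
    if (!lookup(peer_connected, &uid, &err))
        return -1;
    return (long)uid;
}

/* Defensive caller: refuses if either the return value or the error reports failure. */
static long authorise_uid_defensive(lookup_fn lookup, bool peer_connected) {
    unsigned uid = 0; Error err = {0};
    bool ok = lookup(peer_connected, &uid, &err);
    if (!ok || err.code != 0)
        return -1;
    return (long)uid;
}

int main(void) {
    printf("buggy lookup, bool-only caller: uid %ld\n", authorise_uid_bool_only(lookup_creds_buggy, false));
    printf("buggy lookup, defensive caller: uid %ld\n", authorise_uid_defensive(lookup_creds_buggy, false));
    return 0;
}
```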

[USN-4981-1] Squid vulnerabilities [06:11]

[USN-4969-3] DHCP regression [06:28]

  • Affecting Hirsute (21.04)
  • Episode 118 - the update for 21.04 only introduced a regression where valid config files would be seen as invalid and rejected, and hence isc-dhcp-server would fail to start - actually caused by the newer toolchain used in 21.04, which has stricter aliasing checking and so would treat certain operations introduced in this change as UB and change code-flow as a result. Fixed by disabling this stricter aliasing checking in the build to restore the original behaviour.

[USN-4937-2] GNOME Autoar regression [07:22]

  • Episode 115
  • Affecting Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • upstream regression where, when extracting an archive that contained a file with the same name as the archive itself, only an empty directory would be created - fixed to avoid creating this directory first so that the files would then actually get created as expected

[USN-4985-1] Intel Microcode vulnerabilities [07:48]

  • 5 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10), Hirsute (21.04)
  • Latest intel-microcode release from upstream, fixes a number of security issues for particular processors PLUS potential stability issues that have been seen in previous microcode releases (the processor would hang if it tried to load a microcode version too new compared to the one contained within the BIOS)
    • potential cross-domain issue with Intel VT-d (priv esc) plus a fix for an issue which would result in EIBRS (Spectre) mitigations not being applied, cache-lines not being flushed properly and a speculative execution issue specific to Atom processors via micro-arch buffers.

[USN-4986-1] rpcbind vulnerability [09:02]

  • 1 CVE addressed in Bionic (18.04 LTS)
  • DoS since it would fail to free memory allocated during particular requests - could then be made to crash by being driven to allocate too much memory

Goings on in Ubuntu Security Community

odrive-unofficial snap investigation [09:20]

The magic behind snap interfaces [12:36]

Get in contact