Episode 14

Posted on Monday, Dec 3, 2018
This week we look at some details of the 32 unique CVEs addressed across the supported Ubuntu releases and talk about open source software supply chain integrity and how this relates to Ubuntu, compared to the recent npm event-stream compromise.

Show Notes

This week in Ubuntu Security Updates

32 unique CVEs addressed

[USN-3826-1] QEMU vulnerabilities

  • 10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • 7 medium, 3 low priority
    • Integer overflow in a virtual network interface driver, triggerable by a user process in the guest -> crash -> DoS
    • Heap-based buffer overflow in SLiRP, the user-mode networking stack (the default), during reassembly of fragmented datagrams
    • Integer overflow when reading large blocks from files - nice PoC on GitHub
    • NVMe emulator missing checks on read / write parameters -> OOB heap buffer r/w - a guest user/process could trigger -> DoS (crash) or possibly arbitrary code execution on the host as the qemu process
    • Integer type mismatch in the rtl8139 and pcnet drivers (size_t assigned to int, i.e. unsigned to signed) - a length above INT_MAX becomes negative -> OOB read -> crash / DoS
      • Copy-pasta?
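The size_t to int mismatch described for the rtl8139 / pcnet drivers, as an added example written for these notes (not QEMU's code): a length check that narrows to int before comparing, beside the same check kept unsigned. MAX_ETH_FRAME_SIZE and the function names are assumed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed illustrative limit; not taken from any specific driver source. */
#define MAX_ETH_FRAME_SIZE 1514

/* Vulnerable pattern: the caller hands over a size_t, but the function stores it
 * in an int before the bounds check. A length above INT_MAX wraps to a negative
 * value, so "size > MAX" is false and the oversized frame is accepted; a later
 * copy using the original length then reads past the end of the buffer. */
static bool frame_len_ok_vulnerable(size_t size_)
{
    int size = (int)size_;             /* unsigned -> signed narrowing */
    if (size > MAX_ETH_FRAME_SIZE) {   /* negative 'size' slips through */
        return false;
    }
    return true;
}

/* Hardened pattern: keep the unsigned type end to end, so no sign flip can
 * occur and every length above the limit is rejected. */
static bool frame_len_ok_fixed(size_t size)
{
    return size <= MAX_ETH_FRAME_SIZE;
}

/* Receive path using the hardened check: copies one frame into a caller-owned
 * buffer and returns the byte count, or -1 if the frame is rejected. The check
 * runs before memcpy and also respects the destination capacity. */
static long receive_frame(uint8_t *dst, size_t dst_cap,
                          const uint8_t *src, size_t size)
{
    if (!frame_len_ok_fixed(size) || size > dst_cap) {
        return -1;
    }
    memcpy(dst, src, size);
    return (long)size;
}
```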

[USN-3827-1, USN-3827-2] Samba vulnerabilities

  • 4 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • CNAME records could point to themselves -> infinite recursion in the internal AD DNS server
    • Users can add CNAME records -> user-triggerable
    • Fix ensures CNAMEs can’t refer to themselves
  • If using smartcard authentication for AD, a double free could occur due to a mismatch between certificate and authentication request parameters
    • talloc is robust against heap corruption -> assert() fails -> exit -> DoS
  • Null pointer dereference when reading more than 256MB of LDAP entries -> DoS (crash)

[USN-3828-1] WebKitGTK+ vulnerabilities

  • 3 CVEs addressed in Bionic, Cosmic
  • Minimal details provided by upstream webkit regarding these advisories:
    • XSS due to improper URL validation
    • Multiple memory corruption issues which could lead to arbitrary code execution

[USN-3816-3] systemd regression

  • 3 CVEs addressed in Xenial
  • Episodes 12 & 13 - backport of large upstream patches to better handle symlink resolution in systemd-tmpfiles
  • New code uses openat with the O_PATH flag internally
  • O_PATH was only introduced in Linux kernel 2.6.39
  • Fails on pre-2.6.39 kernels, e.g. OpenVZ
  • So if running Ubuntu Xenial under an OpenVZ kernel, systemd would fail to work correctly
  • OpenVZ has released an updated kernel as well to support O_PATH

[USN-3829-1] Git vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Previously would execute commands from the CWD rather than from PATH
    • Could allow arbitrary code execution when using a malicious repository
  • DoS due to large memory usage (Git Bomb) with a specially crafted repository
    • Small repo with only 12 unique objects, but which are duplicated across the repo tree
    • Git would usually crash due to running out of memory, but if it did manage to survive and write to disk it could consume a lot of disk space too
    • Only Trusty and Xenial affected (fixed already in Bionic etc)

[USN-3830-1] OpenJDK regression

  • Recent OpenJDK update (Episode 10) added stricter checking of JAR files
    • As a result, builds failed to find JAR files, resulting in failed project builds
  • New option should have been disabled by default to give other packages time to be updated to deal with the new behaviour
    • Is now :)

[USN-3831-1] Ghostscript vulnerabilities

[USN-3795-3] libssh regression

  • CVE-2018-10933 - covered in Episode 8
  • Upstream fix introduced a regression which broke server-side keyboard-interactive authentication
  • Server-side, not client-side
    • Not a commonly used scenario, so unlikely to affect many users, as it requires multiple keyboard-interactive prompts to trigger (say a password and a token)
    • Server would be stuck
  • Backported the upstream fix

[USN-3832-1, USN-3833-1] Linux kernel (AWS) vulnerabilities

  • 6 CVEs addressed in Cosmic, first 2 in Bionic as well
  • Philipp Wendler discovered an Ubuntu-specific flaw in the way user namespaces interact with overlayfs
  • Allows regular users to list the contents of directories they do not have read access to (i.e. could list /root)
  • Create a user and a mount namespace and then mount an overlay via overlayfs within it
    • Within the overlaid mount, if it say contained “root” and was mounted at the filesystem root (/), overlayfs would get confused about which permissions to use and, rather than the real underlying permissions, would use the user-supplied ones from the overlaid fs
  • Relates to the fix for a previous CVE (CVE-2015-1328)
    • This fix got dropped during the Bionic development cycle, so reintroduced this similar vulnerability
    • New test added to the Ubuntu kernel test suite to ensure this does not regress again in the future

Open Source Software Supply Chain Integrity

  • npm package (event-stream) got hijacked to inject code targeting users of Copay (a Bitcoin wallet)
  • The author of event-stream had lost interest, was emailed by a small contributor offering to take over maintenance, and gave them ownership of the repo
    • Pushed a small change to add a new dependency to the package
    • This then contained code to try to bundle itself with the target application, copay-dash
    • Targeted the software supply chain at 2 points: the event-stream repo / package AND, as a result, getting into the build system for copay-dash
      • So would bundle bitcoin wallet stealing code into copay-dash
  • 2 software supply chain attacks
    • Hard to fix the first one since maintainers can lose interest and hand over to anyone
      • New owner may not have the trust the old one did
      • npm doesn’t care - is uncurated
    • Copay bundled and distributed dependencies, so perhaps should have some responsibility to check those
  • Ubuntu is based on Debian and both are curated repos
    • Packages are maintained by trusted developers
    • Much harder to mount a similar attack on the Ubuntu / Debian archives due to the barrier to entry as a trusted developer
    • Smaller dependency chains as well compared to npm, so harder to hide such an attack
  • Snap store is a different story though
  • Bottom line - have to trust your software suppliers
    • Ubuntu - Canonical / trusted maintainers
    • Snap store - individual publishers
