Episode 17

Posted on Tuesday, Jan 22, 2019
First episode of 2019! This week we look “System Down” in systemd, as well as updates for the Linux kernel, GnuPG, PolicyKit and more, and discuss a recent cache-side channel attack using the mincore() system call.

Show Notes

Overview

First episode of 2019! This week we look “System Down” in systemd, as well as updates for the Linux kernel, GnuPG, PolicyKit and more, and discuss a recent cache-side channel attack using the mincore() system call.

This week in Ubuntu Security Updates

51 unique CVEs addressed across the supported Ubuntu releases.

[USN-3846-1, USN-3847-1, USN-3847-2, USN-3847-3] Linux kernel vulnerabilities

  • Kernel updates as part of normal 3-weekly SRU cycle - includes various fixes across the supported releases
  • Info leak in CDROM driver, XFS DoS via writing of extended attributes causing an error condition that leaves the fs in an error state until next mount
  • Bounds check bypass in BPF verifier (mentioned in Episode 15)
  • Incorrect bounds checking in Yurex USB driver (Episode 7)
  • UAF in infiniband -> Crash -> DoS
  • Integer overflow in POSIX timers overrun accounting due to type confusion (int vs 64-bit signed)
  • Double free in AMD GPIO pinctrl driver - DoS / privilege escalation
  • Race condition in midi driver - double free -> privilege escalation
  • NULL pointer dereference in kernel keyring -> crash -> DoS

[LSN-0046-1] Linux kernel livepatch for vulnerabilities

[USN-3850-1] NSS vulnerabilities

[USN-3851-1] Django vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Attacker could craft a malicious URL to make spoofed content appear on the generated 404 page

[USN-3852-1] Exiv2 vulnerabilities

[USN-3853-1] GnuPG vulnerability

  • 1 CVEs addressed in Bionic, Cosmic
  • GnuPG includes support for Web Key Directories (WKD) to allow easy discovery of public keys via HTTPS
  • Allows a key to be imported from a webserver -> first need to lookup hostname via DNS SRV
  • Fails to sanitize response - so performs an attacker controlled, arbitrary HTTPS GET request
    • Attacker needs to construct a malicious SRV record for the domain in question
  • Possible CSRF, content injection etc
  • Thunderbird will automatically use WKD via GnuPG to lookup missing keys so allows easy exploitation

[USN-3854-1] WebKitGTK+ vulnerabilities

  • 1 CVEs addressed in Bionic, Cosmic
  • Possible RCE via invalid processing of crafted web content (as usual limited details on WebKitGTK vulnerabilities…)

[USN-3855-1] systemd vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Cosmic
  • “System Down” systemd vulnerabilities
  • Chris Coulson put in a heroic effort and patched quickly - Ubuntu first affected distro to release patched systemd
  • Due to use of variable length arrays on the stack, allows various fields which are attacker controlled to be overflowed
  • If overflow far enough can bypass kernel stack guard pages, and hence corrupt the heap
  • Possible code execution as a result (original advisory contained a PoC for i386 which gained control of the instruction pointer)
  • Can be mitigated via use of the gcc flag -fstack-clash-protection - this is now under review to be used by default in forthcoming Ubuntu releases

[USN-3856-1] GNOME Bluetooth vulnerability

  • 1 CVEs addressed in Bionic
  • BlueZ doesn't necessarily make bluetooth device undiscoverable automatically after timeout
  • Hence after enabling discovery would then still be discoverable even though user expectation is that is not anymore
  • Actual bug then is really in BlueZ but now added a workaround in GNOME bluetooth to manually disable discovery

[USN-3857-1] PEAR vulnerability

  • 1 CVEs addressed in Xenial, Bionic, Cosmic
  • PHP Extension and Application Repository - possible RCE when deserialising via PHP object injection
  • Triggered when unpacking a PHAR (PHP ARchive) - also possible to sneak one into a JPEG so easy to exploit - just need image upload (Wordpress etc)

[USN-3858-1] HAProxy vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Cosmic
  • Popular load balancing reverse proxy (used in OpenStack etc.)
  • Infinite recursion from a pointer referencing itself or from long chains of pointers -> stack exhaustion -> crash -> DoS
  • Out-of-bounds read when validating DNS responses - information disclosure of 16 bytes
  • Fail to ensure valid length of H2 HEADERS when decoding - out-of-bounds read -> crash -> DoS

[USN-3859-1] libarchive vulnerabilities

  • 4 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Out-of-bounds read for UTF-16 names in RAR archives
  • UAF and double free in RAR decoder - crash -> DoS, possible RCE
  • Quasi-infinite runtime and disk usage from a tiny crafted WARC file (Web Archive format for storing results of crawling websites)

[USN-3860-1, USN-3860-2] libcaca vulnerabilities

[USN-3861-1, USN-3861-2] PolicyKit vulnerability

  • 1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Invalid handling of UID > INT_MAX - would allow a user to bypass policy and execute any systemctl command

[USN-3862-1] Irssi vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • UAF when expiring hidden lines from the scroll buffer

Goings on in Ubuntu and Linux Security Community

New page cache side-channel attack via mincore()

  • Discovered by a team of researchers including some of those who found Spectre / Meltdown
  • Uses mincore() system call on Linux to determine if pages exist in the page cache or not
  • mincore() returns a bitmask of which pages are mapped in the cache for the requested range
  • Can use this side-channel to either:
    • determine when a process calls a given function in a shared library (since the library will be mapped at the same address in both the attack and victim process)
      • need to first evict the given page from the cache which is difficult but authors propose a new efficient mechanism to do this
      • can then do things like UI redressing etc in response
    • Or can use this is a covert channel to leak information from one process to another
    • Can even use over the network to leak information via an innocent webserver etc
  • Paper also describes an efficient cache eviction strategy
  • Linus directly applied a fix (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e)
    • This changes the behaviour of mincore() to only report pages which have been faulted into the cache by the calling process
      • So at best can now observe when a page is evicted from the cache but can't see when another process faults in a page
    • Breaks user-space API of mincore() and hence some existing programs (as noted in the commit)
      • Linus’ primary rule is to never break userspace BUT in this case as is a security vulnerability this is okay
      • This might also likely affect other programs that use mincore in Ubuntu etc (fincore, e4defrag, qemu etc)
  • Fix is not in the stable upstream kernel yet as waiting to see what fallout there is and so also has not been applied to Ubuntu kernels yet
  • Also good discussion on LWN https://lwn.net/Articles/776801/ which highlights other avenues for inferring the contents of the page cache and other possible changes to mincore to protect against this attack
  • Will be interesting to see where this all ends up

Get in contact