Episode 19

Posted on Monday, Feb 4, 2019
This week we look at updates to the Linux kernel in preparation for the 18.04.2 release, plus updates for Open vSwitch, Firefox, Avahi, LibVNCServer and more. We also revisit and discuss upstream changes to the mincore() system call to thwart page-cache side-channel attacks first discussed in Episode 17.

Show Notes

This week in Ubuntu Security Updates

40 unique CVEs addressed

[USN-3870-1] Spice vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • Out-of-bounds read (off-by-one) - likely a crash on segmentation violation, but code execution is possible

[USN-3871-1] Linux kernel vulnerabilities

  • 13 CVEs addressed in Bionic
  • NULL pointer dereference in KVM able to be triggered by a local user (crash -> DoS)
  • mremap() TLB flush leaving stale entries in page cache - covered previously in Episode 15
  • Episode 15 covered CVE-2018-17972 (procfs kernel stack disclosure)
  • UAF in KVM when using nested virtualisation (not enabled by default for Ubuntu kernels) able to be triggered by a guest VM to crash the host (DoS) or possibly elevate privileges etc.
  • Race condition between connect() and close() in AF_VSOCK (used for communication between guest and host machines) could allow 4 bytes of host kernel memory to be read (UAF) or possibly corrupt other AF_VSOCK messages to other guests - information leak
  • 7 ext4 issues discovered by Wen Xu (fuzzing ext4 with KASAN enabled):
    • OOB write during update of journal metadata when mounting specially crafted ext4 image - crash -> DoS (privilege esc?)
    • OOB write to stack when processing xattrs of specially crafted ext4 image - crash -> DoS
    • OOB write when mounting
    • OOB write when unmounting a specially crafted ext4 image
    • OOB read when mounting
    • UAF when processing xattrs of renamed file in specially crafted image
    • General UAF when mounting a specially crafted image
    • Reproducers provided in upstream kernel bug reports

[USN-3872-1] Linux kernel (HWE) vulnerabilities

  • 4 CVEs addressed in Bionic
  • Info leak from crypto subsystem - regression of CVE-2013-2547 - failure to fully initialise structure members copied to userspace - unlike CVE-2013-2547, exploitable by a standard user without any capabilities
  • Failure to ensure IOAPICs were initialised - possible NULL pointer dereference -> crash -> DoS
  • KVM UAF w/ nested virtualisation and AF_VSOCK race condition UAF

[USN-3873-1] Open vSwitch vulnerabilities

[USN-3874-1] Firefox vulnerabilities

  • 7 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Firefox 65 for all supported platforms
    • Proxy autoconfig (PAC) file could allow proxy requests to localhost to go via a remote proxy - if proxy autodetection is enabled, a remote attacker could conduct attacks against local services etc
    • Various memory safety issues - crash -> DoS, UAF, code execution
    • Sandbox escape via IPC channels due to failure to properly apply authentication to IPC channels in some situations
      • IPC channels used in new multiprocess architecture etc

[USN-3875-1] OpenJDK vulnerability

  • 1 CVE addressed in Xenial, Cosmic
  • Info leak from the Java SE VM in the OpenJDK library subsystem able to be triggered by a remote attacker - possible sandbox bypass as well

[USN-3876-1, USN-3876-2] Avahi vulnerabilities

  • 2 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Both the same vulnerability - duplicate CVEs
  • Traffic reflection and amplification - could be leveraged for a DDoS attack since avahi-daemon would inadvertently respond to unicast IPv6 queries whose source addresses were not on the local link

[USN-3877-1] LibVNCServer vulnerabilities

Goings on in Ubuntu Security Community

An update on mincore()

  • In Episode 17 we discussed changes to mincore() to mitigate the page-cache side-channel attack
  • Linus Torvalds committed a change to the behaviour of mincore() to mitigate the vulnerability
  • That change was recently reverted, citing too much breakage for existing users:
    • In particular, Netflix have a use case where they dump the page cache across processes to aid migration of Cassandra workloads across machines
  • Instead, an alternative approach limits cache-residency reporting to processes which have write access to the particular file in question
    • i.e. if a process has write access to a file which it has open for writing, it will still be able to read back from mincore() which pages are mapped in the cache and which are not - so the Netflix case, and that of other databases wanting to know which pages are mapped from disk, keeps working
    • it stops a process learning which pages of shared system libraries etc. are mapped, and hence stops the original side-channel attack
    • patches not yet submitted to the mm tree or elsewhere, but should be soon
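The behaviour under discussion can be observed from userspace. As an added example (not from the podcast or the kernel patches being discussed), this C program maps a file read-only and reports how many of its pages mincore() says are in the page cache; probe a file you can write and one you cannot to see whether your kernel limits residency reporting as described above. Function names are mine and the default target is the program's own executable.

```c
#define _GNU_SOURCE            /* declares mincore(2) in <sys/mman.h> */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pages mincore() flagged resident: bit 0 of each per-page status byte. */
size_t count_resident(const unsigned char *vec, size_t npages)
{
    size_t n = 0;
    for (size_t i = 0; i < npages; i++) n += vec[i] & 1;
    return n;
}

/* Map `path` read-only and ask the kernel which of its pages are in the page
 * cache. Returns the resident count (total pages in *npages), or -1 on error.
 * Under the mitigation the show notes describe, the answer is informative only
 * for files the caller could open for writing. */
long probe_residency(const char *path, size_t *npages)
{
    struct stat st;
    void *map = MAP_FAILED;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && st.st_size > 0)
        map = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);                          /* the mapping outlives the descriptor */
    if (map == MAP_FAILED) return -1;
    size_t len = (size_t)st.st_size, pagesz = (size_t)sysconf(_SC_PAGESIZE);
    *npages = (len + pagesz - 1) / pagesz;
    unsigned char *vec = calloc(*npages, 1);    /* one status byte per page */
    long resident = (vec && mincore(map, len, vec) == 0)
                        ? (long)count_resident(vec, *npages) : -1;
    free(vec);
    munmap(map, len);
    return resident;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe"; /* default: our own binary */
    size_t pages = 0;
    long resident = probe_residency(path, &pages);
    if (resident < 0) { perror(path); return 1; }
    printf("%s: %ld of %zu pages reported resident%s\n", path, resident, pages,
           access(path, W_OK) == 0 ? "" : " (not writable by us: may be masked)");
    return 0;
}
```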

Get in contact