Episode 2

Posted on Tuesday, Aug 28, 2018
L1TF kernel regressions, WPA2 key recovery, mirror fail and more!

Show Notes


83 unique CVEs addressed across the supported Ubuntu releases.

This week in Ubuntu Security Updates

[USN-3742-3] Linux kernel (Trusty HWE) regressions

  • Security team issues USNs for package updates caused by regressions in previous security updates
  • Fix for regressions caused by the original kernel update for L1TF
  • Could cause Java applications to fail to start and possible kernel panics on boot for some hardware configurations

[USN-3745-1] wpa_supplicant and hostapd vulnerability

  • 1 CVEs addressed in Bionic
  • Researchers analysed WPA2 4-way handshake via symbolic execution to find weaknesses
    • Found a number of issues including a decryption oracle
    • In this case, the would decrypt but not authenticate frame and then could allow recovery of the group key via a timing side-channel
    • In theory, allows an unauthenticated attacker to recover WPA2 group key via frame manipulation when used with TKIP
      • NOTE: is not advised to use TKIP in practice anyway (should use WPA2/CCMP) and so should have limited applicability
    • In practice, due to large number of attempts needed to recover the full key, this is impractical (especially given that the group key is changed periodically)
  • https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
  • https://papers.mathyvanhoef.com/woot2018.pdf

[USN-3746-1] APT vulnerability

  • 1 CVEs addressed in Bionic
  • Dubbed “mirror fail” by the author and even a website - https://mirror.fail/
  • mirror protocol in apt allows to specify a list of mirrors to try rather than just a single mirror in source.list
    • not enabled by default
  • in APT 1.6 this was reworked and a bug introduced
    • on fallback from one mirror to the next, the previous mirrors InRelease file would be used without checking the one from the new mirror
    • hence failing to authenticate the one from the new mirror
    • could potentially allow installation of untrusted packages BUT would need at least two mirrors to be compromised AND for the user to have setup use of multiple mirrors in the first place

[USN-3748-1] base-files vulnerability

  • 1 CVEs addressed in Bionic
  • Vulnerability in the motd update script via insecure use of temporary files
    • Could allow DoS or privelege escalation if user has turned off kernel symlink restrictions

[USN-3751-1] Spice vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic
  • Insufficient bounds checks could allow to crash a server OR client from an authenticated peer
  • Requires authentication

[USN-3747-1] OpenJDK 10 vulnerabilities

[USN-3749-1] Spidermonkey vulnerabilities

  • 1 CVEs addressed in Bionic
  • Regular Spidermonkey update to fix vulnerabilities

[USN-3750-1] Pango vulnerability

Kernel packages updated

[USN-3752-1] Linux kernel vulnerabilities

[USN-3752-2] Linux kernel (HWE) vulnerabilities

[USN-3753-1] Linux kernel vulnerabilities

[USN-3753-2] Linux kernel (Xenial HWE) vulnerabilities

[USN-3754-1] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community


Ubuntu Security Manager

Ubuntu Security Engineer

Get in contact