Episode 20

Posted on Monday, Feb 11, 2019
This week we look at Linux kernel updates for all releases, OpenSSH, dovecot, curl and more. Plus we answer some frequently asked questions for Ubuntu security, in particular the perennial favourite of why we choose to just backport security fixes instead of doing rolling package version updates to resolve outstanding CVEs.

Show Notes

Overview

This week we look at Linux kernel updates for all releases, OpenSSH, dovecot, curl and more. Plus we answer some frequently asked questions for Ubuntu security, in particular the perennial favourite of why we choose to just backport security fixes instead of doing rolling package version updates to resolve outstanding CVEs.

This week in Ubuntu Security Updates

33 unique CVEs addressed

[USN-3871-3, USN-3871-4, USN-3871-5] Linux kernel vulnerabilities

[USN-3878-1, USN-3878-2] Linux kernel vulnerabilities

[USN-3879-1, USN-3879-2] Linux kernel vulnerabilities

  • 5 CVEs addressed in Xenial and Trusty (Xenial HWE)
  • OOB read on reading USB device descriptor - need local physical access to connect a malicious device - crash -> DoS
  • UAF in ALSA via a malicious USB sound device that expose zero interfaces - crash -> DoS, possible code execution
  • Uninitialised ioapics (Episode 19)
  • Cleancache subsystem - after file truncation (removal), wouldn’t properly clear inode so if a new file was created with the same inode might contain leftover pages from cleancache and hence the data from the old file
    • Only affects Ubuntu kernels under Xen with tmem driver
  • ext4 - OOB write via malicious crafted image

[USN-3880-1, USN-3880-2] Linux kernel vulnerabilities

  • 4 CVEs addressed in Trusty and Precise ESM (Trusty HWE)
  • Possible memory corruption via type confusion when cloning a socket - privilege escalation
  • mremap() issue (covered in Episode 15)
  • procfs stack unwinding to leak kernel stack from other task (covered in Episode 12)
  • NULL pointer dereference in CIFS client in kernel triggered by a malicious server (crash -> DoS)

[USN-3881-1, USN-3881-2] Dovecot vulnerability

  • 1 CVEs addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Interaction of username / password authentication with trusted SSL cert - can configure for user/pass but can also configure for client to present a trusted cert
  • Can configure to take username from cert instead of from explicit username AND also to configure no password if using cert
  • BUT if no username in cert, will use specified username - so could log in as any user

[USN-3882-1] curl vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • OOB read when parsing end of response for SMTP
  • Stack buffer overflow when creating an NTLMv2 type-3 header based on previous received data (size checks were not sufficient since they suffered from an integer overflow)
  • OOB read for NTLM type-2 handling via an integer overflow

[USN-3883-1] LibreOffice vulnerabilities

  • 5 CVEs addressed in Trusty, Xenial
  • 3 CVEs for mishandling various elements in different document types - UAF, heap-based buffer overflow (write) etc) - crash -> DoS, possible code execution
  • Information disclosure (leak of NTLM hashes) via an embedded link to a remote SMB resource within a document
  • Directory traversal flaw leading to code execution
    • document can links which like HTML, can have attributes such as a script which will get executed without prompting - so onMouseOver() etc
    • and this can refer to a file on the local filesystem outside the document structure itself
    • libreoffice ships with it’s own Python interpreter that contains functions which can be abused to run arbitrary commands
    • so can specify both the path to one of these files AND arguments to pass to it to run

[USN-3884-1] libarchive vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Infinite loop when parsing a specially crafted ISO9660 CD/DVD iso file -> DoS
  • OOB read when decompressing a specially crafted 7z file -> crash -> DoS

[USN-3885-1] OpenSSH vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Three vulnerabilities in scp able to be triggered via a malicious server (low probability)
    • Fails to validate file names from the remote server match the requested ones - server can overwrite arbitrary files on local side in the target directory
    • Fails to use proper character encoding in progress display, allows server to manipulate output of client to hide output of additional files being sent
    • Fails to check if target filename is . or empty - allows remote server to change permissions of the client local directory
  • Together allow a server to easily overwrite local files on the client side without the client user being aware

Goings on in Ubuntu Security Community

FAQs about Ubuntu Security

What packages are supported?

  • main only (~2.3k source packages in Bionic - cf. universe ~26k source packages)

What timeframe?

Why do we backport patches instead of just updating to the lastest versions?

  • Users expect high degree of stability
    • changes need caution and good rationale
    • lots of previous regressions from innocent looking changes
    • no change is completely free of risk
  • Only changes which have high impact (security fixes, severe regressions, loss of data etc)
  • More details see SRU page on Ubuntu wiki
  • So security updates must follow suit

Get in contact