Episode 21

Posted on Thursday, Feb 21, 2019
Double episode covering the security updates from the last 2 weeks, including snapd (DirtySock), systemd and more, plus we talk responsible disclosure and some open positions on the Ubuntu Security team.

Show Notes

Overview

Double episode covering the security updates from the last 2 weeks, including snapd (DirtySock), systemd and more, plus we talk responsible disclosure and some open positions on the Ubuntu Security team.

This week in Ubuntu Security Updates

15 unique CVEs addressed

[USN-3886-1] poppler vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Two DoS:
    • Out-of-bounds heap buffer read due to missing check for a negative index -> crash -> DoS
    • Crash due to hitting an assertion -> DoS

[USN-3888-1] GVfs vulnerability

  • 1 CVEs addressed in Bionic, Cosmic
  • Possible to allow a local user with admin privileges (eg. sudo group) to read arbitrary files without prompting for authorisation IF no policykit agents running
    • Policykit agents run by default so would require user to be running a difffent DE or to have uninstalled / disabled them
    • Also low impact since user has authority anyway

[USN-3889-1] WebKitGTK+ vulnerabilities

  • 2 CVEs addressed in Bionic, Cosmic
  • Memory corruption and type confusion errors - leading to possible remote code execution

[USN-3890-1] Django vulnerability

  • 1 CVEs addressed in Xenial, Bionic, Cosmic
  • Could cause Django to consume a large amount of memory when formatting a decimal number with a large number of digits or with a large exponent since it would simply print every single provided character
  • Possible DoS although would need a very large number to be input
  • Fix is to format numbers with more than 200 characters in scientific notation

[USN-3887-1] snapd vulnerability

  • 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • ‘DirtySock’ - discovered by Chris Moberly
  • Failed to correctly parse and validate the remote socket address
  • Code had undergone refactoring and introduced this bug
  • Allows to impersonate privileged user and therefore call privileged APIs via the snapd socket

[USN-3850-2] NSS vulnerabilities

[USN-3891-1] systemd vulnerability

  • 1 CVEs addressed in Xenial, Bionic, Cosmic
  • Discovered by Ubuntu Security team member Chris Coulson
  • Stack buffer overflow of DBus path field - declared as VLA, but sender could use a value larger than the stack size and therefore jump the entire stack and the guard pages
  • Segmentation violation -> crash -> DoS
    • systemd does not automatically restart so brings down entire system - reboot
  • Possible code execution but unlikely
  • DBus and systemd need to agree on what the maximum size of various elements are - DBus spec says path could be unlimited - but in practice is less than 32MB! (dbus-daemon limits messages to this size) - systemd now limits path to 64KB AND ensures it keeps running after receiving an invalid sized path

[USN-3892-1] GDM vulnerability

  • 1 CVEs addressed in Bionic, Cosmic
  • Logic error in handing of timed logins (not enabled by default)
  • If screen already locked, select to log in as different user - then select a user which has timed login enabled - after timeout will unlock screen of original user
  • Need administrator privileges to enabled timed login for a given user so low impact

[USN-3866-2] Ghostscript regression

  • Affecting Trusty, Xenial, Bionic, Cosmic
  • Previous update for Ghostscript (USN-3866-1 - Episode 18) caused a regression in printing 4”x6” (v9.26 - upstream bug)

[USN-3893-1] Bind vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Fail to properly apply controls to zone transfers - could allow clients to request and receive a zone transfer to a dynamically loadable zone contrary to the allow-transfer ACL
  • Assertion failure if a trust anchor’s keys are replaced with keys using an unsupported algorithm during a key rollover when using the managed-keys feature for DNSSEC validation
  • Remotely triggerable memory leak when processing particular packets - DoS

Goings on in Ubuntu Security Community

snapd, systemd and handling of embargoed issues

  • 2 updates involving close communication between Ubuntu Security Team and external stakeholders - embargoed
  • Responsible Disclosure - allows to coordinate a fix in a timely manner and then release update once all parties are ready in a coordinated manner
  • Set CRD with stakeholders (reporter, upstream, other distros etc)
  • Coordinate fix with upstream and other distros
  • Plan coordinated updates to be released with other distros / upstream at CRD

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Security Automation Engineer

Get in contact