Episode 22

Posted on Monday, Mar 4, 2019
This week we cover security updates including Firefox, Thunderbird, OpenSSL and another Ghostscript regression, plus we look at a recent report from Capsule8 comparing Linux hardening features across various distributions and we answer some listener questions.

Show Notes

This week in Ubuntu Security Updates

16 unique CVEs addressed

[USN-3893-2] Bind vulnerabilities

[USN-3866-3] Ghostscript regression

  • Affecting Trusty, Xenial, Bionic, Cosmic
  • Mentioned last week briefly
  • Previous update to Ghostscript introduced a regression (blue background)
    • See later for information

[USN-3894-1] GNOME Keyring vulnerability

  • 1 CVE addressed in Trusty, Xenial
  • Already fixed upstream (hence doesn’t apply to Bionic / Cosmic etc.)
  • User’s login password kept in the memory of the child process after the PAM session is opened
  • Could be dumped by the root user or captured in a crash dump etc. and possibly exposed
    • Other tools exist to try and extract it from memory as well (mimipenguin etc.)
  • Fix is to simply reset this after the PAM session is opened

[USN-3895-1] LDB vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • LDAP-like embedded database (used by Samba and others)
  • Authenticated user can cause OOB read when searching LDAP backend of AD DC with a search string containing multiple wildcards - crash -> DoS

[USN-3896-1] Firefox vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Firefox 65
  • Use-after-free and integer overflow in Skia library (vector graphics library, similar to cairo)
  • Cross-origin image theft - able to read from canvas element in violation of same-origin policy using transferFromImageBitmap() method

[USN-3897-1] Thunderbird vulnerabilities

[USN-3898-1, USN-3898-2] NSS vulnerability

  • 1 CVE addressed in Precise ESM, Trusty, Xenial, Bionic, Cosmic
  • Several NULL pointer dereferences -> crash -> DoS

[USN-3899-1] OpenSSL vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic
  • Possible padding oracle (an application which uses OpenSSL could behave differently based on whether a record contained valid padding or not)
    • Attacker can learn plaintext by modifying ciphertext and observing different behaviour

[USN-3900-1] GD vulnerabilities

  • 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Double free when an image file fails to be extracted properly - crash -> DoS
  • Heap-based buffer overflow in color matching (able to be triggered by a specially crafted image) - crash -> DoS, possible code execution

Goings on in Ubuntu Security Community

Comparison of Linux Hardening across distributions

  • https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/
  • Analyses binaries from various Linux distributions (OpenSUSE, Debian, CentOS, RHEL & Ubuntu) looking for hardening features
  • Compares kernel configuration against KSPP (Kernel Self Protection Project) recommendations
  • Ubuntu 18.04 ranks highest, due to proactive hardening features baked into toolchain and newer kernel taking advantage of KSPP upstream features
    • gcc is patched so anyone building on Ubuntu gets these features
    • build.snapcraft.io too
    • however it is missing stack clash mitigation
  • Plan to add more hardening features for 19.10 (stack clash and control-flow integrity support via gcc) and review kernel options cf. KSPP
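As an added illustration (not code from the Capsule8 report or the podcast), the following Python checker reads the hardening properties that are visible in ELF headers alone, as a binary survey like the one described above would: PIE (ET_DYN file type), non-executable stack (PT_GNU_STACK without the execute flag) and RELRO (PT_GNU_RELRO segment). Stack canaries and FORTIFY need symbol inspection and are out of scope; the two sample images are constructed inline and carry no code.

```python
import struct

# ELF constants from the ELF specification / Linux ABI
ET_DYN = 3                 # position-independent (PIE or shared object)
PT_GNU_STACK = 0x6474E551  # stack permissions segment
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation
PF_X = 0x1                 # segment flag: executable


def elf_hardening(data: bytes) -> dict:
    """Return header-visible hardening flags for a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # No PT_GNU_STACK header means the loader falls back to an executable stack,
    # so NX is only reported when the header is present without PF_X.
    flags = {"pie": e_type == ET_DYN, "nx": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            flags["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            flags["relro"] = True
    return flags


def build_elf(e_type: int, phdrs) -> bytes:
    """Constructed sample input: a minimal ELF64 header plus program headers, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1, SysV ABI
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
                    for p_type, p_flags in phdrs)
    return header + body


# Constructed samples: a hardened PIE with RW stack and RELRO, and a legacy
# fixed-address executable with an RWX stack and no RELRO segment.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = build_elf(2, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # optional: check real binaries given on the command line
        with open(path, "rb") as f:
            print(path, elf_hardening(f.read()))
    print("hardened sample:", elf_hardening(HARDENED))
    print("legacy sample:  ", elf_hardening(LEGACY))
```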

Q&A

Do the numerous bugs and regressions in Ghostscript indicate it is reaching its EOL?

  • doc-E-brown via twitter
  • Lots of recent focus -> finds bugs
  • Ghostscript codebase is old and gnarly and some fixes have been quite invasive
  • Any new code could introduce new bugs - particularly complicated fixes -> creates more bugs (regressions)
    • (as doc-E-brown suggests, regressions indicate old code-base)
  • Tavis (and others) seem to be looking elsewhere but likely still more bugs to be found
  • Would be great if GS could either be made safer or a safer alternative found, but no one is stepping up
  • Sadly no good viable alternative currently

Hiring

Ubuntu Security Generalist

Robotics Security Engineer

Security Automation Engineer

Get in contact