Episode 24
Posted on Tuesday, Mar 19, 2019
A look at recent fixes for vulnerabilities in poppler, WALinuxAgent, the
Linux kernel and more. We also talk about some listener feedback on
Ubuntu hardening and the launch of Ubuntu 14.04 ESM.
Show Notes
Overview
A look at recent fixes for vulnerabilities in poppler, WALinuxAgent, the Linux kernel and more. We also talk about some listener feedback on Ubuntu hardening and the launch of Ubuntu 14.04 ESM.
This week in Ubuntu Security Updates
18 unique CVEs addressed
[USN-3905-1] poppler vulnerability
- 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Heap-based buffer underwrite (index into array using negative index) - write into heap memory which preceeds the intended buffer - heap corruption - crash -> DoS, possible code execution
- Found by fuzzing and AddressSanitizer in clang
[USN-3906-1] LibTIFF vulnerabilities
- 6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- All DoS, one possible code-execution:
- Dereference of an invalid address (read from invalid memory location)
- Heap buffer overread
- 2x NULL pointer dereferences
- Memory leak
- Heap buffer overflow - possible code execution
[USN-3907-1] WALinuxAgent vulnerability
- 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- WALinuxAgent used to manage instances of Ubuntu (and other Linux distributions) running on Azure
- Can be used to configure swap space for a given image
- would then create a swap file (/mnt/swapfile) BUT would make it world-readable
- so any local user could read it - if keys or other sensitive items were in memory that got swapped to disk could be read by all
- Fixed to make this readable only by root and to also correct the permissions on any existing swapfile as well
[USN-3902-2] PHP vulnerabilities
- 4 CVEs addressed in Precise ESM
- See last week’s Episode 23 - discussed for Xenial and Trusty - fixed now for Precise ESM as well
[USN-3910-1, USN-3910-2] Linux kernel vulnerabilities
- 5 CVEs addressed in Xenial and Trusty (Xenial HWE)
- 2 of these discussed in previous episodes Episode 23 (PolicyKit start time, DoS via mmaping a FUSE-backed file into processes memory containing command-line args)
- Trigger of BUG_ON() in kernel (like assert() for kernel code) due to integer overflow from large pgoff parameter to remap_file_pages() when used in conjuction with an existing mmap() -> crash -> DoS
- OOB read in USB driver for Option High Speed mobile devices - would read a descriptor from the USB device as a u8 and then index into an array with this without checking whether it fell within the array
- NULL pointer dereference in f2fs driver via use of noflush_merge mount option
[USN-3908-1, USN-3908-2] Linux kernel vulnerability
- 1 CVEs addressed in Trusty and Precise ESM (Trusty HWE)
- See last week’s Episode 23 - discussed for Bionic kernel - now for
Trusty kernel (and the Trusty HWE kernel backported to Precise ESM)
- PolicyKit start time issue, fixed in kernel
[USN-3909-1] libvirt vulnerability
- 1 CVEs addressed in Xenial, Bionic, Cosmic
- NULL pointer dereference in libvirt if agent does not reply in time (say guest is being shutdown) - crash host libvirt -> DoS
Goings on in Ubuntu Security Community
Ubuntu Hardening Response
- Alexander Popov
- Responsible for getting STACKLEAK into the mainline kernel
- Pointed out his Linux Kernel Defence Map and kconfig hardened check
- We use kconfig hardened check internall and tyhicks has contributed various improvements which allow this to be used to check the various Ubuntu kernel configurations
Extended Security Maintenance for Ubuntu 14.04 (Trusty Tahr) begins April 25 2019
- https://lists.ubuntu.com/archives/ubuntu-security-announce/2019-March/004800.html
- Ubuntu 14.04 LTS will transition to Extended Security Maintenance on Tuesday 25th April
- Encourage users to upgrade to Xenial (and then Bionic)
- ESM for 14.04 provided to customers via Ubuntu Advantage
- Further details regarding ESM