Episode 26
Posted on Monday, Apr 1, 2019
This week we look security updates for a heap of packages including
Firefox & Thunderbird, PHP & QEMU, plus we discuss Facebook’s recent
password storage incident as well as some listener hardening tips and
more.
Show Notes
Overview
This week we look security updates for a heap of packages including Firefox & Thunderbird, PHP & QEMU, plus we discuss Facebook’s recent password storage incident as well as some listener hardening tips and more.
This week in Ubuntu Security Updates
48 unique CVEs addressed
[USN-3919-1] Firefox vulnerabilities
- 2 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 66.0.1 (mentioned briefly last week) - fixes two vulnerabilities discovered during Pwn2Own
- Both in the IonMonkey JIT compiler
- Incorrect alias information for the Array.prototype.slice method leads to missing bounds check and a buffer overflow - code execution as a result
- Type confusion in handling of ,__proto__ mutations - ,__proto__ is used to modify the Prototype of an object to be mutated - used for object inheritance in JavaScript - allows arbitrary memory read/write and therefore code execution as a result
[USN-3918-2] Firefox vulnerabilities
- 17 CVEs addressed in Trusty
- Firefox 66 & 66.0.1 - Episode 25 covered for Xenial, Bionic and Cosmic
[USN-3918-3] Firefox regression
- 17 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Firefox 66 & 66.0.1 contained a regression - so upstream released 66.0.2
- Broke keyboard handling in Office 365, iCloud and IBM WebMail - Firefox 66 changed the way keycode handling works so these websites and others which use older, deprecated methods to get the keycode have been added to an internal fallback list to use the old method
[USN-3927-1] Thunderbird vulnerabilities
- 10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Thunderbird 60.6.1
- Rolls in security fixes covered previous for Firefox (66.0, 66.0.1)
- Both the Pwn2Own and previous fixes
- As for Firefox, listen back to Episode 25 for details of 66.0 fixes
[USN-3921-1] XMLTooling vulnerability
- 1 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Crash due to uncaught DOMException able to be triggered by a malformed XML document - DoS
- Thanks to Etienne Dysli Metref who provided debdiff’s as well as testing for this update
[USN-3922-1] PHP vulnerabilities
- 5 CVEs addressed in Xenial, Bionic, Cosmic
- Integer overflow on 32-bit archs when processing malformed EXIF image data - crash, DoS
- Failure to check available data length when processing image thumbnails - OOB read -> crash -> DoS
- OOB read of 1 byte when handling EXIF image data - crash -> DoS
- During file rename, if file is moved across file-systems, the new file briefly is world readable allowing anyone to read it - fixed by ensuring umask is used correctly so that the new file always has restrictive permissions from the outset
[USN-3923-1] QEMU vulnerabilities
- 11 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
- Heap-based buffer overflow in TCP emulation
- OOB read in i2c handling allowing a local attacker within a guest who has permission to execute i2c commands could read qemu host process stack memory
- Plan9 FS host-directory sharing race-condition on file rename -> crash -> DoS
- 2 issues in USB MTP handling:
- time-of-check to time-of-use error allows attacker with write access to the shared host filesystem can use this to navigate host FS in context of QEMU host process and read any therefore read any file which QEMU can on the host
- Path traversal flaw due to improper filename sanitisation - allow to read-write arbitrary host files -> Dos or code execution on the host
- Updates for Paravirtualised RDMA subsystem:
- DoS due to infinite loop
- NULL pointer dereference due to missing read method
- Fix various memory leaks
- Various other NULL pointer dereferences plus a failure to check parameters leading to possible extreme memory allocation
- Fix OOB read triggerable by guest
[USN-3924-1] mod_auth_mellon vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic
- Apache module to provide authentication and authorisation via SAML 2.0 IdP
- Possible to bypass authorisation checks when also using mod_proxy
- Fix an open-redirect via the logout endpoint - could encode an absolute URL using backward-slashes (\) in place of forward-slashes (/) and this would be propagated by the endpoint to the client where the browser would convert these and follow the redirect - due to mismatch in how browsers will convert these but apache’s own internal URI parsing does not
[USN-3925-1] FreeImage vulnerability
- 1 CVEs addressed in Trusty, Xenial
- OOB write in XMP image handling - code execution
[USN-3926-1] GPAC vulnerabilities
- 8 CVEs addressed in Xenial, Bionic, Cosmic
- Various memory safety issues, including OOB buffer reads and writes due to missing bounds checks (was using strcpy without checking lengths…)
Goings on in Ubuntu Security Community
Joe McManus on Facebook insecure password storage
- https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
- https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/
Ubuntu Hardening Tips
- Paul Waring got in touch to mention his tips for hardening new Ubuntu installations:
- Install and configure unattended-upgrades
- Install UFW and block all incoming connections except specific services
- Can be done easily via ansible from just a few lines of YAML
- For servers:
- Install SSHGuard to ban IP addresses with too many failed login attempts
- Require TLS for all services via LetsEncrypt + certbot
- Configure SSH to permit only key-based authentication
- For wordpress installations - install wp-cli to auto-update themes and plugins
- Automate as much of this as possible for automatic hardening