Episode 27

Posted on Monday, Apr 8, 2019
Carpe Diem for Apache HTTP Server, plus updates for Dovecot, PolicyKit and the Linux kernel, and we talk to Joe McManus about the recent Asus ShadowHammer supply chain attack and more.

Show Notes

This week in Ubuntu Security Updates

52 unique CVEs addressed

[USN-3928-1] Dovecot vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • Local user root privilege escalation
    • Stack buffer overflow - the indexer-worker process is missing a bounds check when copying from the index
    • If a local user can modify the Dovecot index, they could leverage this for code execution in the context of the indexer process
    • Mitigated by the usual hardening techniques (ASLR, stack protector, read-only GOT via RELRO and BIND_NOW)

[USN-3929-1] Firebird vulnerabilities

  • 2 CVEs addressed in Trusty
  • Remote authenticated users could execute code
  • Remote unauthenticated user DoS via an op_response action with a non-empty status

[USN-3934-1] PolicyKit vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • Episode 23 covered the kernel fix that makes a process's start_time, as seen after fork(), more atomic
  • PolicyKit is now updated to also check that the UIDs match (so it checks start_time, PID and UID, and a user can't use another user's authorisations)
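To make the PID / start_time / UID triple concrete, here is an added example (not PolicyKit's code) that builds a process identity from the two /proc files the kernel exposes and compares it against a recorded one. The start time is field 22 of /proc/<pid>/stat and the real UID is the first value on the "Uid:" line of /proc/<pid>/status; the stat and status texts below are constructed strings, so nothing is read from the live system. A recycled PID shows up as a different start_time, and another user's process with the same PID and start_time (which the kernel fix alone would not distinguish in every case) is caught by the UID comparison.

```c
#include <stdio.h>
#include <string.h>

/* Identity triple, as in the updated PolicyKit check described above:
 * a PID alone is reusable, so start time and UID are checked as well. */
struct proc_identity {
    long pid;
    unsigned long long start_time; /* /proc/<pid>/stat field 22, clock ticks since boot */
    long uid;                      /* real UID: first value on the "Uid:" line of /proc/<pid>/status */
};

/* Parse a /proc/<pid>/stat line. The comm field sits in parentheses and may
 * itself contain spaces or ')', so fields are counted from the LAST ')':
 * the token right after it is field 3 (state), so starttime (field 22) is
 * the 20th token after the parenthesis. Returns 0 on success, -1 if malformed. */
static int parse_stat(const char *stat, long *pid, unsigned long long *start_time)
{
    const char *close = strrchr(stat, ')');
    if (close == NULL || sscanf(stat, "%ld", pid) != 1)
        return -1;
    const char *p = close + 1;
    for (int field = 3; field < 22; field++) {   /* skip fields 3..21 */
        while (*p == ' ') p++;
        if (*p == '\0') return -1;
        while (*p != ' ' && *p != '\0') p++;
    }
    return sscanf(p, " %llu", start_time) == 1 ? 0 : -1;
}

/* Parse the real UID from /proc/<pid>/status; only a "Uid:" at line start counts. */
static int parse_status_uid(const char *status, long *uid)
{
    const char *line = strstr(status, "Uid:");
    while (line != NULL && line != status && line[-1] != '\n')
        line = strstr(line + 1, "Uid:");
    if (line == NULL)
        return -1;
    return sscanf(line, "Uid: %ld", uid) == 1 ? 0 : -1;
}

static int build_identity(const char *stat, const char *status, struct proc_identity *id)
{
    if (parse_stat(stat, &id->pid, &id->start_time) != 0)
        return -1;
    return parse_status_uid(status, &id->uid);
}

/* An authorisation recorded for `recorded` is usable by `now` only if all three
 * fields match: same PID, same start time (not a recycled PID), same UID
 * (not another user's process). */
static int identity_matches(const struct proc_identity *recorded, const struct proc_identity *now)
{
    return recorded->pid == now->pid &&
           recorded->start_time == now->start_time &&
           recorded->uid == now->uid;
}

/* Constructed sample /proc text (not captured from a real system). */
static const char SAMPLE_STAT[] =
    "4242 (my app) S 1 4242 4242 0 -1 4194560 120 0 0 0 3 1 0 0 20 0 1 0 987654 10240000 300\n";
static const char RECYCLED_STAT[] =   /* same PID reused by a later process */
    "4242 (other) S 1 4242 4242 0 -1 4194560 120 0 0 0 3 1 0 0 20 0 1 0 2000000 10240000 300\n";
static const char SAMPLE_STATUS[] =
    "Name:\tmy app\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n";
static const char OTHER_UID_STATUS[] =
    "Name:\tother\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n";

/* Parsed start time of a stat line, 0 if the line is malformed. */
static unsigned long long stat_start_time(const char *stat)
{
    long pid;
    unsigned long long st;
    return parse_stat(stat, &pid, &st) == 0 ? st : 0;
}

/* Compare the process described by (stat, status) against the identity recorded
 * from SAMPLE_STAT/SAMPLE_STATUS: 1 match, 0 mismatch, -1 parse error. */
static int check_authorisation(const char *stat, const char *status)
{
    struct proc_identity recorded, now;
    if (build_identity(SAMPLE_STAT, SAMPLE_STATUS, &recorded) != 0 ||
        build_identity(stat, status, &now) != 0)
        return -1;
    return identity_matches(&recorded, &now);
}

int main(void)
{
    printf("same process:   %d\n", check_authorisation(SAMPLE_STAT, SAMPLE_STATUS));
    printf("recycled PID:   %d\n", check_authorisation(RECYCLED_STAT, SAMPLE_STATUS));
    printf("other user:     %d\n", check_authorisation(SAMPLE_STAT, OTHER_UID_STATUS));
    printf("malformed stat: %d\n", check_authorisation("garbage", SAMPLE_STATUS));
    return 0;
}
```

Counting tokens from the last ')' rather than splitting the whole line on spaces is the detail that matters in practice: a process can name itself with spaces or parentheses, and a parser that splits naively picks the wrong field and compares the wrong start time.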

[USN-3935-1] BusyBox vulnerabilities

  • 10 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • Mix of issues across various components in BusyBox
    • udhcpc:
      • Information disclosure of stack memory in the DHCP client / server (shared component) due to a failure to check that DHCP options are the correct size - the original fix was incomplete, so this got 2 CVEs
      • Heap buffer overflow via DHCP option parsing of OPTION_6RD (IPv6 rapid deployment on IPv4 infrastructure)
      • Integer overflow -> heap-based OOB write -> crash -> DoS / code execution
    • wget:
      • Heap buffer overflow in wget
    • shell:
      • Failure to sanitize filenames during tab completion - could allow code execution etc. as the user who is running the shell
    • archive handling:
      • Integer overflow in bzip2 decompression - OOB write - crash -> DoS / code execution?
      • Pointer misuse in zip decompression - OOB read - crash -> DoS
      • Directory traversal due to symlinks which point outside the current working directory when decompressing tar archives (tyhicks)
    • module loading:
      • Allows users to load modules which are otherwise restricted - the code assumes the module name could carry a path and so calls basename() on it, meaning a / in the module name is enough to circumvent the other checks
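The DHCP option bugs above (and the Dovecot indexer overflow earlier on this page) share one root cause: a length read from untrusted data is used to copy into a fixed-size buffer without checking it against either the remaining input or the destination size. The following added example, written for this page rather than taken from BusyBox or Dovecot, is a DHCP option-area parser that performs both checks before any copy. The option codes are the standard ones (1 subnet mask, 53 message type, 54 server identifier, 0 pad, 255 end); the four option areas are constructed byte strings, not captured packets.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD        0
#define DHCP_OPT_SUBNET     1
#define DHCP_OPT_MSG_TYPE   53
#define DHCP_OPT_SERVER_ID  54
#define DHCP_OPT_END        255

struct dhcp_opts {
    int have_subnet, have_msg_type, have_server_id;
    uint8_t subnet[4];     /* fixed-size destinations: the packet's length */
    uint8_t server_id[4];  /* byte must be validated before copying into them */
    uint8_t msg_type;
};

/* Size each interpreted option must have; 0 means variable-length / ignored. */
static size_t expected_len(uint8_t code)
{
    switch (code) {
    case DHCP_OPT_SUBNET:    return 4;
    case DHCP_OPT_SERVER_ID: return 4;
    case DHCP_OPT_MSG_TYPE:  return 1;
    default:                 return 0;
    }
}

/* Walk the option area (code, length, data). The unsafe pattern is
 *   memcpy(out->subnet, buf + pos, len)
 * with len taken straight from the packet: a large len overruns the 4-byte
 * destination, and a len past the end of the packet reads adjacent memory
 * (the stack disclosure above). Both are rejected before any copy.
 * Returns the number of options parsed, or -1 on a malformed option area. */
static int parse_dhcp_options(const uint8_t *buf, size_t buflen, struct dhcp_opts *out)
{
    size_t pos = 0;
    int count = 0;
    memset(out, 0, sizeof(*out));
    while (pos < buflen) {
        uint8_t code = buf[pos++];
        if (code == DHCP_OPT_PAD)
            continue;
        if (code == DHCP_OPT_END)
            return count;
        if (pos >= buflen)
            return -1;                       /* length byte missing */
        size_t len = buf[pos++];
        if (len > buflen - pos)
            return -1;                       /* data runs past the packet */
        size_t want = expected_len(code);
        if (want != 0 && len != want)
            return -1;                       /* wrong size for a fixed-size option */
        switch (code) {
        case DHCP_OPT_SUBNET:
            memcpy(out->subnet, buf + pos, sizeof(out->subnet));
            out->have_subnet = 1;
            break;
        case DHCP_OPT_SERVER_ID:
            memcpy(out->server_id, buf + pos, sizeof(out->server_id));
            out->have_server_id = 1;
            break;
        case DHCP_OPT_MSG_TYPE:
            out->msg_type = buf[pos];
            out->have_msg_type = 1;
            break;
        default:
            break;                           /* unknown option: skipped by its length */
        }
        pos += len;
        count++;
    }
    return count;                            /* no END byte: accept what was parsed */
}

/* Constructed option areas (not captured packets). */
static const uint8_t GOOD_OPTS[] = {
    53, 1, 2,                      /* message type: DHCPOFFER */
    1, 4, 255, 255, 255, 0,        /* subnet mask */
    0,                             /* pad */
    54, 4, 192, 168, 1, 1,         /* server identifier */
    255 };
static const uint8_t TRUNCATED_OPTS[] = { 54, 4, 192, 168 };              /* claims 4 bytes, has 2 */
static const uint8_t OVERSIZED_OPTS[] = { 1, 6, 1, 2, 3, 4, 5, 6, 255 };  /* 6-byte "subnet mask" */
static const uint8_t NO_LENGTH_OPTS[] = { 53 };                           /* code without a length */

static struct dhcp_opts scratch;   /* shared output for the checks below */

/* 1 if GOOD_OPTS parses to the expected fields, 0 otherwise. */
static int good_opts_ok(void)
{
    struct dhcp_opts o;
    if (parse_dhcp_options(GOOD_OPTS, sizeof GOOD_OPTS, &o) != 3)
        return 0;
    return o.have_msg_type && o.msg_type == 2 &&
           o.have_subnet && o.subnet[0] == 255 && o.subnet[3] == 0 &&
           o.have_server_id && o.server_id[0] == 192 && o.server_id[3] == 1;
}

int main(void)
{
    printf("good: %d  truncated: %d  oversized: %d  no-length: %d\n",
           good_opts_ok(),
           parse_dhcp_options(TRUNCATED_OPTS, sizeof TRUNCATED_OPTS, &scratch),
           parse_dhcp_options(OVERSIZED_OPTS, sizeof OVERSIZED_OPTS, &scratch),
           parse_dhcp_options(NO_LENGTH_OPTS, sizeof NO_LENGTH_OPTS, &scratch));
    return 0;
}
```

The oversized case is the one that a "does it fit in the packet?" check alone misses: six bytes are present in the input, so only the per-option expected size stops them from overrunning the four-byte destination.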

[USN-3937-1] Apache HTTP Server vulnerabilities

  • 6 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • “Carpe Diem” and others
    • Local root privilege escalation due to an OOB array access resulting in an arbitrary function call when Apache gracefully restarts - done daily via logrotate at 6:25am
      • Affects mod_prefork, mod_worker and mod_event
      • The main server (running as root) shares a memory segment (the scoreboard) with the low-privileged worker processes
      • PID, last request handled etc. - maintained by the worker
      • The worker stores an index into the global buckets array held in the privileged parent
      • This gets used on restart to restart the worker, but no check is done to ensure it is valid
      • Since the index lives in shm, the child can change it so that it points back into the shm segment, where the child has write access
      • The bucket contains a function pointer used to restart the worker - since the bucket is now indexed from within the shm segment, the child can make this point to any function of its choice - AND it gets executed as root by the parent
      • Requires some other bug to turn this into a remote exploit, since an attacker would first need R/W access to a worker process remotely
    • Failure to normalize URLs in a consistent manner - LocationMatch and RewriteRule might not get applied correctly
    • Race condition in mod_auth_digest could allow a user with valid credentials to impersonate another and bypass access controls
    • Read-after-free on string comparison in mod_http2 - crash, DoS
    • Failure to respect the session expiry time in mod_session_cookie
    • DoS via a slowloris-type attack to occupy server threads
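The core of the Carpe Diem bug is a privileged process trusting an array index that lives in memory a less-privileged process can write. The added example below (written for these notes, not Apache's code) models that with a stand-in scoreboard slot and bucket array: the unchecked lookup uses the shared index directly, while the hardened lookup validates it against the parent's own bounds before dereferencing the function pointer. The bucket names, slot values and return codes are all constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* A bucket in the privileged parent: the function pointer used to restart a
 * worker. Stand-in for the real structure, not Apache's code. */
struct bucket {
    const char *name;
    int (*restart)(const struct bucket *self);
};

static int restart_worker_http(const struct bucket *self)
{
    printf("parent restarting worker for bucket %s\n", self->name);
    return 10;
}

static int restart_worker_https(const struct bucket *self)
{
    printf("parent restarting worker for bucket %s\n", self->name);
    return 20;
}

#define NUM_BUCKETS 2
static const struct bucket buckets[NUM_BUCKETS] = {
    { "http",  restart_worker_http },
    { "https", restart_worker_https },
};

/* Scoreboard slot living in memory shared with the unprivileged worker:
 * from the parent's point of view every field here is worker-controlled. */
struct scoreboard_slot {
    long pid;
    size_t bucket_idx;   /* index into the parent's buckets[] */
};

/* Unchecked pattern: the index is used straight from shared memory. With an
 * out-of-range value the parent reads a "bucket" from wherever the index
 * points and calls whatever function pointer it finds there, as root. */
static int restart_unchecked(const struct scoreboard_slot *slot)
{
    const struct bucket *b = &buckets[slot->bucket_idx];
    return b->restart(b);
}

/* Hardened form: validate the shared value against the parent's own bounds
 * before dereferencing. Returns -1 and touches nothing if it is out of range. */
static int restart_checked(const struct scoreboard_slot *slot)
{
    if (slot->bucket_idx >= NUM_BUCKETS)
        return -1;
    const struct bucket *b = &buckets[slot->bucket_idx];
    return b->restart(b);
}

/* Constructed slots: one as a worker would legitimately fill it, one with the
 * index pushed outside buckets[]. */
static const struct scoreboard_slot VALID_SLOT    = { 1234, 1 };
static const struct scoreboard_slot TAMPERED_SLOT = { 1234, 100000 };

int main(void)
{
    printf("unchecked, valid index:  %d\n", restart_unchecked(&VALID_SLOT));
    printf("checked, valid index:    %d\n", restart_checked(&VALID_SLOT));
    printf("checked, tampered index: %d\n", restart_checked(&TAMPERED_SLOT));
    /* restart_unchecked(&TAMPERED_SLOT) is exactly the bug: never call it. */
    return 0;
}
```

The general rule this illustrates: anything read back from a segment that a lower-privileged process can write (an index, a length, a pointer, a PID) has the same trust level as network input and must be validated against state the privileged side owns itself.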

[USN-3936-1] AdvanceCOMP vulnerability

  • 1 CVE addressed in Trusty, Xenial, Bionic, Cosmic
  • Integer overflow when decompressing invalid PNG images - OOB write and heap OOB read

[USN-3930-1, USN-3930-2] Linux kernel vulnerabilities

  • 13 CVEs addressed in Cosmic and Bionic (HWE)
  • Jann Horn (GPZ):
    • mmap minimum address bypass - could allow an attacker to turn a kernel NULL pointer dereference into code execution
    • ASN.1 decoding for SNMP NAT missing length checks - OOB R/W possible
    • Side-channel attack due to speculation on pointer arithmetic in eBPF programs (Spectre V1)
      • Mitigated under Secure Boot, as the lockdown patches block BPF program loading
    • Reference counting race condition in KVM -> UAF -> guest VM crash
  • UAF + OOPS in IPMI due to a race condition on restart
  • Memory leak on the error path of vfs read operations -> DoS
  • UAF in SCTP sendmsg - crash / code execution
  • UAF in AF_ALG due to a failure to NULL out structure members
    • Originally misclassified by NVD as remotely exploitable, confusion over socket() use by the crypto API?
  • Info leak and a UAF in KVM when using nested virtualisation - not enabled by default in Ubuntu kernels, but installing QEMU enables it automatically
  • 2 different information leaks of heap memory in the bluetooth subsystem, triggerable by an unauthenticated remote attacker
  • UAF in ALSA USB sound device handling mentioned in Episode 20

[USN-3931-1, USN-3931-2] Linux kernel vulnerabilities

[USN-3932-1, USN-3932-2] Linux kernel vulnerabilities

[USN-3933-1, USN-3933-2] Linux kernel vulnerabilities

Goings on in Ubuntu Security Community

Supply chain attacks and Ubuntu

Ubuntu Security Generalist

Robotics Security Engineer

Get in contact