Episode 32

Posted on Monday, May 20, 2019
This week we look at updates to cover the latest Intel CPU vulnerabilities (MDS - aka RIDL, Fallout, ZombieLoad), plus other vulnerabilies in PostgreSQL, ISC DHCP, Samba and more, whilst special guest this week is Seth Arnold from the Ubuntu Security Team to talk Main Inclusion Review code audits.

Show Notes

Overview

This week we look at updates to cover the latest Intel CPU vulnerabilities (MDS - aka RIDL, Fallout, ZombieLoad), plus other vulnerabilies in PostgreSQL, ISC DHCP, Samba and more, whilst special guest this week is Seth Arnold from the Ubuntu Security Team to talk Main Inclusion Review code audits.

This week in Ubuntu Security Updates

37 unique CVEs addressed

[USN-3972-1] PostgreSQL vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Stores statistics for columns by sampling values from that column
    • Security policy allows to restrict users from viewing particular rows
    • But sampling would not take into account security policy
    • User could craft a leaky operator which would return the sampled data and effectively bypass the security policy
    • Fixed to only allow non-leakproof operators to use sampled data when no relevant row security policies in place
  • Arbitrary server memory able to be read by executing a crafted INSERT statement on a partitioned table (only affects PostgreSQL 11 so only Disco)

[USN-3973-1] DHCP vulnerability

  • 1 CVEs addressed in Bionic, Cosmic
  • DHCP server could crash due to mismatch in BIND internal memory management and DHCP server code
  • BIND in Bionic + Cosmic contained a change which zeroed out an internal index to indicate it was unused - however 0 is still a valid index in the DHCP server codebase - and so this could cause a use-after free (since would be free'd, index set to 0 by BIND lib but then still used later since 0 is valid). Instead changed to track indexes correctly to account for this behaviour.

[USN-3974-1] VCFtools vulnerabilities

  • 3 CVEs addressed in Xenial
  • Tools for working with VCF files (1000 Genomes Project)
  • Fuzzed in conjunction with AddressSanitizer in clang using crafted VCF files
    • Read-based heap buffer overflow - crash, DoS
    • 2 * use after free -> crash, DoS / code execution

[USN-3975-1] OpenJDK vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • 2 affecting both openjdk-11 and openjdk-8
    • CPU DoS via BigDecimal implementation operating on particular values
    • Sandbox escape due to incorrect skeleton class selection in the RMI registry
  • 2 sandbox escapes affecting only openjdk-8 via the 2D graphics component

[USN-3976-1, USN-3976-2] Samba vulnerability

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • Kerberos (as used in AD) contains an extension to allow a service to request a Kerberos ticket to itself on behalf of a non-Kerberos authenticated user (allows to use Kerberos for all internal code-paths)
  • Can be proxied over the network so that a privileged server can proxy on behalf of the non-Kerberos authenticated user
  • This proxied request contains a checksum (which can be keyed to prevent spoofing) - BUT this is not enforced - so an attacker can intercept the proxied request and rewrite the user name to any other one in the KDC AND replace the checksum with a simple CRC32 - as this can be computed without any prior knowledge

[USN-3986-1] Wireshark vulnerabilities

[USN-3988-1] MediaInfo vulnerabilities

  • 2 CVEs addressed in Bionic, Cosmic, Disco
  • CLI tool for reading metadata from various audio/video files
  • 2* OOB read -> crash, DoS

[LSN-0051-1] Linux kernel vulnerability

  • 4 CVEs for Microarchitectural Data Sampling (MDS) vulnerabilities
  • https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
  • https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
  • https://www.redhat.com/en/blog/deeper-look-mds-vulnerability
  • Too invasive to be addressed by Livepatch - requires updates to the kernel and new microcode to fix
  • Intel CPUs contain various microarchitectural elements - store buffers, load ports, fill buffers - which get used to complete architectural operations (read from an address etc)
    • 4 CVEs due to the different use of these different buffers in the various techniques
    • RIDL (Rogue in-flight data load) - fill buffers and load ports
    • Fallout - store buffers
    • ZombieLoad - independent discovery of fill-buffer variant of RIDL
  • These get reused across operations, and in particular get reused across hyperthreads executing on the same CPU core
  • A malicious process can use speculative execution sampling techniques to infer the contents of one of these microarchitectural buffers - so could see data from a process that had previously been executing on the same CPU core OR in the case of HT can see data from a process executing concurrently on the same core
  • In the case of a single core can be fixed by first adding new behaviour to the unused VERW instruction to clear these buffers as a microcode update
  • Then updating the Linux kernel to call this new VERW instruction when switching tasks, VMs etc
  • However, does not mitigate in the case of SMT
  • So only way to properly mitigate is to disable SMT as well
  • In the case of virtualisation, the guest does the task switching so it needs to clear these buffers - update to QEMU + libvirt to expose this new CPU capability to the guest so that it can perform the flushing itself
  • Kernel + QEMU updates also contain fixes for other CVEs
  • Kernels updated for all supported releases including the HWE kernels

[USN-3977-1] Intel Microcode update

[USN-3978-1] QEMU update

[USN-3979-1] Linux kernel vulnerabilities

[USN-3980-1, USN-3980-2] Linux kernel vulnerabilities

[USN-3981-1, USN-3981-2] Linux kernel vulnerabilities

[USN-3982-1, USN-3982-2] Linux kernel vulnerabilities

[USN-3983-1, USN-3983-2] Linux kernel vulnerabilities

[USN-3984-1] Linux kernel vulnerabilities

[USN-3985-1, USN-3985-2] libvirt update

Goings on in Ubuntu Security Community

Main inclusion review security code audits discussion with Seth Arnold

Hiring

Robotics Security Engineer

Security Certifications Engineer

Get in contact