Episode 34

Posted on Monday, Jun 3, 2019
This week we look at security updates for Keepalived, Corosync, GnuTLS, libseccomp and more, plus we talk insider threats with Joe McManus.

Show Notes


This week we look at security updates for Keepalived, Corosync, GnuTLS, libseccomp and more, plus we talk insider threats with Joe McManus.

This week in Ubuntu Security Updates

32 unique CVEs addressed

[USN-3976-3, USN-3976-4] Samba regression

  • Affecting Trusty ESM, Xenial, Bionic
  • Episode 32 - discussed privilege escalation vuln and fix for Samba
  • Original update caused a regression where Samba might crash - fixed

[USN-3994-1] gnome-desktop vulnerability

  • 1 CVEs addressed in Bionic, Cosmic, Disco
  • Thumbnailers could possibly escape bubblewrap sandbox by using TIOCSTI ioctl to send characters to the controlling terminals input buffer and hence escape the sandbox
    • Requires to compromise a thumbnailer in the first place so less impact
    • Similar to CVE-2019-10063 for flatpak and CVE-2019-7303 for snapd

[USN-3995-1, USN-3995-2] Keepalived vulnerability

  • 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic
  • Heap based buffer overflow when parsing HTTP response code - would potentially write an unlimited amount of attacker controlled data to the heap for a 10-byte long buffer
  • Crash -> DoS, RCE
  • Fixed to properly parse and expect at most a 3 digit long response code

[USN-3845-2] FreeRDP vulnerabilities

[USN-3997-1] Thunderbird vulnerabilities

[USN-3996-1] GNU Screen vulnerability

  • 1 CVEs addressed in Precise ESM, Trusty ESM
  • Old low priority issue fixed for ESM releases (fixed back in 2015 upstream so screen in Xenial, Bionic etc not affected)
  • Attacker could cause a crash due to stack overrun via recursion due to large number of repeated ANSI escape sequences in output

[USN-3968-2] Sudo vulnerability

[USN-3998-1] Evolution Data Server vulnerability

  • 1 CVEs addressed in Xenial, Bionic
  • Research from Marcus Brinkmann showed it was possible to create an encrypted email with a zero-length encrypted section along with unencrypted contents which Evolution (and other email clients) would show as being encrypted.
  • Mail clients call out to gpg (gnupg) to decrypt the email but are lax in parsing GPGs output and so confuse the whole email as being encrypted
  • Due to SW arch of evolution, part of this fix is done in Evolution itself (to better highlight to the user that the email contains unencrypted portions) and part is done in the backend (Evolution Data Server) to properly parse output of gnupg

[USN-3999-1] GnuTLS vulnerabilities

  • 5 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • 3 CVEs related to “Lucky Thirteen” attack (originally published in 2013)
    • Timing attack against TLS implementations that use CBC
    • One countermeasure was to use “psuedo constant time”
    • New research showed this is not sufficient (incidentally one of the researchers was Adi Shamir, co-inventor of the RSA algorithm - the “S” in RSA)
  • 1 CVE from Tavis Ormandy (double-free when handling X.509 certificates) - crash -> DoS, code execution
  • Last CVE - uninitialized pointer could be dereferenced when handling certain post-handshake messages - likely crash -> DoS

[USN-4000-1] Corosync vulnerability

  • 1 CVEs addressed in Xenial, Bionic
  • Integer overflow leading to a buffer overflow (read), able to be triggered by an unauthenticated user - crash -> DoS

[USN-4001-1, USN-4001-2] libseccomp vulnerability

  • 1 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • Seccomp allows to write policies to act on system calls arguments via BPF - includes comparison operators like less than (LT) etc - Jann Horn discovered that on 64-bit platforms it did not generate correct BPF to perform comparisons correctly
  • In this case, the updates from upstream relied on other upstream changes so we chose to upgrade seccomp entirely rather than try and backport the fixes as they were too involved and so less risk overall in upgrading the version than in backporting

Goings on in Ubuntu Security Community

Alex and Joe talk about insider threats


Robotics Security Engineer

Security Certifications Engineer

Get in contact