Episode 35

Posted on Tuesday, Jun 11, 2019
We look at vulnerabilities and updates for Exim, the Linux kernel, Berkeley DB, Qt and more, plus Joe and Alex discuss some recent malware campaigns including Hiddenwasp, and we cover some open positions too.

Show Notes

This week in Ubuntu Security Updates

34 unique CVEs addressed

[USN-4002-1] Doxygen vulnerability

  • 1 CVE addressed in Xenial
  • Generates HTML code documentation from code comments
  • Includes a field to search across the documentation
  • Doesn’t treat the search term as untrusted input and echoes it unmodified into the resulting pages
    • Allows possible XSS or iframe injection
  • Fix is simple - whitelist the allowed characters in the search term to avoid injection etc
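As an added illustration of the Doxygen issue (this is not Doxygen's code, and the whitelist regex is a hypothetical one), the vulnerable pattern is a search page that echoes the query straight into its HTML; the hardened version keeps only whitelisted characters and then HTML-escapes whatever is left, so neither a stray tag nor an attribute break-out survives:

```python
import html
import re

# Hypothetical whitelist: the characters a code-identifier search plausibly
# needs (names, scopes like Foo::bar, operator+, ~Dtor). Everything else,
# including < > " ' = & is dropped before the term ever reaches the page.
_DISALLOWED = re.compile(r"[^A-Za-z0-9_:.~+ \-]")


def sanitize_query(query: str) -> str:
    """Whitelist filter: strip every character not explicitly allowed."""
    return _DISALLOWED.sub("", query)


def render_results_unsafe(query: str) -> str:
    """The vulnerable pattern: untrusted input is interpolated verbatim."""
    return f"<div class='header'>Search results for: {query}</div>"


def render_results_safe(query: str) -> str:
    """Hardened: whitelist first, then escape as defence in depth."""
    cleaned = sanitize_query(query)
    return f"<div class='header'>Search results for: {html.escape(cleaned)}</div>"


def is_injected(page_html: str) -> bool:
    """Crude detector used for checking: did a script/iframe tag get into the page?"""
    return bool(re.search(r"<(script|iframe)\b", page_html, re.I))


if __name__ == "__main__":
    probe = "foo<iframe src='x'>"  # constructed test input
    print(render_results_unsafe(probe))  # contains a live <iframe ...> tag
    print(render_results_safe(probe))    # "Search results for: fooiframe srcx"
```

Whitelisting alone would already have been enough here; the escaping step is kept because a whitelist is easy to widen later (someone adds `<` so templates can be searched) without anyone remembering why it was there.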

[USN-4003-1] Qt vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Cosmic
  • 3 likely DoS issues:
    • Buffer overflow when handling invalid BMP images - didn’t check for valid / sensible width or height parameters
    • NULL pointer dereference on malformed GIF images
    • Double free when parsing a specially crafted (illegal format) XML document

[USN-4004-1, USN-4004-2] Berkeley DB vulnerability

  • 1 CVE addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • Contains an embedded copy of SQLite which was vulnerable to a heap-based out-of-bounds read when handling invalid rtree tables

[USN-4005-1] Linux kernel vulnerabilities

  • 2 CVEs addressed in Disco
  • Reliable Datagram Sockets (RDS) module was vulnerable to a race-condition during network namespace cleanup that could lead to a UAF.
    • RDS is blacklisted by default in Ubuntu, and this can only be exploited by a local attacker
  • NULL pointer dereference in LSI Logic MegaRAID driver

[USN-4006-1, USN-4006-2] Linux kernel vulnerability

  • 1 CVE addressed in Cosmic & Bionic HWE
  • Old a.out binary format for 32-bit platforms - so only affects i386 kernel users, and only affects setuid a.out binaries (none in archive)
  • Kernel would not set up permissions early enough and so could allow ASLR to be bypassed, weakening system protections and making it easier to exploit some other existing vulnerability in the given setuid a.out binary
  • Have also disabled a.out support in general going forward as this is a relic of the past

[USN-4007-1, USN-4007-2] Linux kernel vulnerability

  • 1 CVE addressed in Bionic & Xenial HWE
  • Same a.out issue

[USN-4008-1, USN-4008-3] Linux kernel vulnerabilities

  • 4 CVEs addressed in Xenial, Trusty ESM (HWE)
  • a.out issue, plus RDS and MegaRAID NULL ptr dereference
  • Similar to the a.out issue, ASLR could in general be bypassed on setuid binaries due to a similar race condition
  • This fix also requires some AppArmor profile changes

[USN-4008-2] AppArmor update

  • 4 CVEs addressed in Xenial
  • Updated AppArmor profiles to handle new kernel behaviour as a result of the fix for CVE-2019-11190 (ASLR bypass on setuid executables).
  • When a confined process executes a binary, the kernel now appears to require mmap privileges on the resulting binary, so ensure all current profiles are updated to add this permission on the appropriate rules

[USN-4009-1, USN-4009-2] PHP vulnerabilities

  • 2 CVEs addressed in Precise ESM, Trusty ESM
  • 3 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Heap buffer overflow in handling crafted JPEG files
  • Integer overflow, leading to possible OOB read when handling crafted mime encoded data
  • (Xenial, Bionic, Cosmic and Disco only) - OOB read when handling crafted EXIF data -> crash, DoS or possible information disclosure from other memory

[USN-4010-1] Exim vulnerability

  • 1 CVE addressed in Bionic, Cosmic
  • Possible remote exploit of popular MTA
  • Embargo broke early - was expected to be public 11th June - as a consequence, we released our update once the details were publicly known
    • It was possible to include shell directives in the recipient’s email address which would be evaluated by the Exim process (and hence as root) - but this would require the attacker to keep a connection open to the server for 7 days by transmitting 1 byte every few minutes.

[USN-3957-3] MariaDB vulnerabilities

  • 2 CVEs addressed in Bionic
  • Corresponding fixes for flaws originally reported in MySQL - fixed in MariaDB (community maintained fork of MySQL) - Episode 30

[USN-4011-1, USN-4011-2] Jinja2 vulnerabilities

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • Sandbox is used when rendering user-provided (i.e. untrusted) templates
  • Possible to escape the sandbox by reading arbitrary Python objects via Python’s internal string format method (by referencing the globals array)
  • Was originally fixed in 2016 for the str.format method - but at the time the similar str.format_map method was missed - so both are fixed in this update
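The Jinja2 bullets describe two things worth seeing in code: why a format string is a sandbox escape (each `.attr` step is a `getattr` the sandbox never sees), and why the 2016 fix was incomplete (`str.format` and `str.format_map` are separate entry points, so patching one left the other open). The following is an added example, modelled loosely on the approach Jinja2's sandbox takes but not Jinja2's own code; the attribute policy, the `User` class and the sample data are constructed for illustration. It subclasses `string.Formatter` so that every traversal step is policy-checked, and routes both `format` and `format_map` through the same chokepoint:

```python
import re
import string


class SandboxViolation(Exception):
    """Raised when a format field tries to reach something the policy denies."""


def is_safe_attribute(name: str) -> bool:
    # Hypothetical policy: any underscore-prefixed attribute (so every dunder,
    # including __class__ and __globals__) is off limits to templates.
    return not name.startswith("_")


# One traversal step after the leading field name: ".attr" or "[item]".
_STEP_RE = re.compile(r"\.(\w+)|\[([^\]]+)\]")


class SandboxedFormatter(string.Formatter):
    """Re-implements field traversal so attribute access is policy-checked
    instead of being delegated blindly to getattr by the stock Formatter."""

    def get_field(self, field_name, args, kwargs):
        head = re.match(r"\w*", field_name)
        first = head.group(0)
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        for attr, item in _STEP_RE.findall(field_name[head.end():]):
            if attr:
                if not is_safe_attribute(attr):
                    raise SandboxViolation(f"attribute {attr!r} is not allowed")
                obj = getattr(obj, attr)
            else:
                obj = obj[int(item) if item.isdigit() else item]
        return obj, first


_FORMATTER = SandboxedFormatter()


def safe_format(template: str, *args, **kwargs) -> str:
    """Sandboxed replacement for str.format."""
    return _FORMATTER.vformat(template, args, kwargs)


def safe_format_map(template: str, mapping) -> str:
    """Sandboxed replacement for str.format_map. It goes through the same
    vformat chokepoint as safe_format, so it cannot be left out the way the
    original 2016 fix left out str.format_map."""
    return _FORMATTER.vformat(template, (), mapping)


def blocks(fn) -> bool:
    """True if calling fn raises SandboxViolation (used to check the policy)."""
    try:
        fn()
    except SandboxViolation:
        return True
    return False


class User:
    """Constructed sample object a template might legitimately format."""

    def __init__(self, name: str):
        self.name = name


SAMPLE_USER = User("alice")

if __name__ == "__main__":
    print(safe_format("Hello {0.name}", SAMPLE_USER))                 # Hello alice
    print(blocks(lambda: safe_format("{0.__class__}", SAMPLE_USER)))  # True
    print(blocks(lambda: safe_format_map("{u.__class__}", {"u": SAMPLE_USER})))  # True
```

The design point is the single chokepoint: whichever public entry point a template reaches (`format`, `format_map`, or anything added later), the policy is enforced in `get_field`, so a new wrapper cannot silently bypass it. Plain `str.format` has no such hook, which is why the sandbox has to substitute its own formatter rather than filter the template text.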

[USN-3991-2] Firefox regression

Goings on in Ubuntu Security Community

Alex and Joe talk about recent malware campaigns

Hiring

Robotics Security Engineer

Security Certifications Engineer

Get in contact