Episode 37
Posted on Friday, Jun 28, 2019
The big new this week is SackPANIC! updates for the Linux kernel, plus we look at vulnerabilities in, and updates for, Samba, SQLite, Bind, Thunderbird and more, and we are hiring!
Show Notes
Overview
The big new this week is SackPANIC! updates for the Linux kernel, plus we look at vulnerabilities in, and updates for, Samba, SQLite, Bind, Thunderbird and more, and we are hiring!
This week in Ubuntu Security Updates
36 unique CVEs addressed
[USN-4017-1, USN-4017-2] Linux kernel vulnerabilities
- 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- SACK Panic - will be discussed in more detail with Joe later in the show
- Livepatch (LSN-0052-1) also available for Xenial and Bionic
[USN-4018-1] Samba vulnerabilities
- 2 CVEs addressed in Disco
- Two DoS issues (both NULL ptr dereferences) only affecting most recent Samba versions
- One in AD DC DNS mgmt server RPC process
- Only an authenticated user could trigger this
- Other in LDAP server - user with read access to the directory could trigger NULL ptr dereference via the paged search control
- One in AD DC DNS mgmt server RPC process
[USN-4019-1, USN-4019-2] SQLite vulnerabilities
- 12 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- 7 CVEs addressed in Precise ESM, Trusty ESM
- Mix of various issues, most involving various memory corruption problems
- UAFs, DoS (crash), heap-based buffer over-reads (crash -> DoS or possible information disclosure), incorrect use of temporary directories, race-condition leading to NULL pointer dereference, integer overflow -> buffer overflow -> crash / code execution
[USN-4021-1] libvirt vulnerabilities
- 2 CVEs addressed in Cosmic, Disco
- DoS where some APIs in the guest agents could be accessed by read-only users - this would cause libvirt to block and cause a DoS
- Privilege escalation due to insecure permissions on the virt-lockd and virt-logd UNIX domain sockets - these are created by systemd unit files but were created as world writable - and the daemons don’t try and authenticate the user - so anyone could use these sockets to potentially elevate privileges - so fixed by ensuring the systemd socket definitions specify the right mode.
[USN-4020-1] Firefox vulnerability
- 1 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Firefox 67.0.3 which fixes a remotely exploitable crash or possible code execution problem due to type confusion in the Javascript engine - reports this was used to target various cryptocurrency exchanges by delivering Windows and Mac malware to them
[USN-4024-1] Evince update
- Affecting Xenial, Bionic
- Updated the AppArmor profile for evince to ensure it restricts access to various private file directories, and to address various issues raised by Jann Horn of GPZ - in particular limiting access to various DBus services
[USN-4026-1] Bind vulnerability
- 1 CVEs addressed in Bionic, Cosmic, Disco
- DoS (crash due to assertion failure) caused by a race condition when handling malformed packets
[USN-4028-1] Thunderbird vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Various issues in handling of iCal data - all remotely triggerable by crafted emails:
- Crash due to type-confusion
- Both a stack and 2 separate heap buffer overflows - either could potentially be exploitable to execute arbitrary code
[USN-4027-1] PostgreSQL vulnerability
- 1 CVEs addressed in Bionic, Cosmic, Disco
- “Stack buffer overflow by setting a password” - authenticated user could set their password to a specially constructed value which when processed by PostgreSQL would cause it to crash, or possible execute arbitrary code in the context of the PostgreSQL server
[USN-4023-1] Mosquitto vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic
- Remotely triggerable memory leak (by unauthenticated users) could be used to crash the Mosquitto Broker -> DoS
- Different DoS where one client could cause others to be disconnected by sending invalid an UTF-8 topic string - which would cause other clients which do reject invalid UTF-8 to disconnect themselves
[USN-3977-3] Intel Microcode update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Episode 32 covered most recent Intel CPU vulnerabilities (MDS) - mitigated by a combination of microcode and kernel updates - this provides microcode updates for the Sandy Bridge family of Intel processors
[USN-4030-1] web2py vulnerabilities
- 5 CVEs addressed in Xenial
- Various issues including:
- Possible RCE (was serializing encryption key info into a session cookie) which could then be read by an attacker since it also made session cookie accessible via an API endpoint
- Sample web application used a hard-coded encryption key which could also allow attackers to do RCE as they could easily interpose on the session
- Environment variables were exposed by an example API endpoint which exposed host info and so remote attackers could then possibly gain admin access
- Lacked brute-force password protection as wouldn’t reject already denied hosts from repeatedly trying
Goings on in Ubuntu Security Community
Alex and Joe talk about the SACK Panic issues discovered by Netflix
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md