Episode 38

Posted on Tuesday, Jul 2, 2019
This week we look at the latest security updates for the Linux kernel, Firefox, ImageMagick, OpenStack and more, plus we have a special guest, the maintainer and lead developer of the AppArmor project, John Johansen, to talk about the project and some of the upcoming features.

Show Notes

This week in Ubuntu Security Updates

55 unique CVEs addressed

[USN-4031-1] Linux kernel vulnerability

  • 1 CVE addressed in Bionic, Cosmic, Disco
  • 64-bit PowerPC (ppc64el) memory management issue, introduced in the 4.17 kernel, so it only affects Cosmic/Disco, or Bionic when using the HWE kernel
  • Different processes might be able to read / write to each other's virtual memory
    • Requirements:
      • Must be using the hash page table (HPT) MMU - eg. PowerPC 970 (G5), PA6T, Power5/6/7/8/9
        • By default, Power9 bare-metal systems use the Radix MMU, so they are not affected unless this has been explicitly disabled via the kernel command-line
        • KVM guests would also be affected in this case, or if they are explicitly configured to use the HPT MMU
        • Logical partitions (LPARs) under PowerVM on Power9 would be affected as they always use the HPT MMU
      • Need to allocate memory above 512TB - only possible via mmap()
      • Any child process (fork()) receives the same context-id for the memory mapping, so it can just read/write to the mappings above 512TB
      • If the child exits, the same context-id could be reallocated to a 3rd process, which could then also read/write
  • Only a subset of PowerPC systems will be affected, and they would need to be running applications which allocate above 512TB, so whilst this is high impact, there is a low probability of being at risk

[USN-4032-1] Firefox vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  • Firefox 67.0.4 - latest upstream release
  • Possible for a sandboxed child process to escape the sandbox by using IPC to send a Prompt:Open message to the parent, which would then process web content on behalf of the child
  • Since the parent is not sandboxed, it could then be exploited (say by leveraging another vulnerability such as the one discussed last week for Firefox) for arbitrary code execution

[USN-4033-1] libmysofa vulnerability

  • 1 CVE addressed in Bionic, Cosmic, Disco
  • C library to read SOFA (Spatially Oriented Format for Acoustics) files
    • Used by lots of different applications that handle audio, like gstreamer, ffmpeg, smplayer, blender etc
  • Integer overflow leading to buffer overflow - crash -> DoS or possible code-execution

[USN-4034-1] ImageMagick vulnerabilities

[USN-4035-1] Ceph vulnerabilities

  • 4 CVEs addressed in Xenial, Cosmic, Disco
  • 2 CVEs affect ceph in Xenial
    • dm-crypt disk encryption keys could be read by users with read-only permissions - fixed so that an explicit permission is needed to read keys
    • DoS from authenticated RGW users
  • 2 CVEs affect ceph in Cosmic and Disco
    • Does not properly sanitize encryption keys when outputting debug log information for v4 auth - so encryption keys would be output in plaintext to debug logs
      • Fixed to sanitize before output
      • Won’t be fixed for Xenial since upstream hasn’t backported this and there are many instances of other sensitive info being logged there as well
    • DoS by unauthenticated remote users via the civetweb frontend - they could create connections to a RADOS gateway to exhaust file descriptors for the gateway service, causing it to run out and fail to create new connections
      • Fixed to close the fd on the error path

[USN-4036-1] OpenStack Neutron vulnerability

  • 1 CVE addressed in Xenial, Cosmic
  • Networking abstraction layer of OpenStack
  • Allows security groups to be defined with rules, which then get executed by a driver using a particular underlying technology
  • Rules can specify protocols and source / destination ports
  • The iptables driver would execute rules, but if it encountered an error (such as a protocol being specified along with a port when the protocol doesn’t support ports - like VRRP) then it would error out and not apply further rules from the security group
    • So it could block other rules from being applied
  • Fixed to ensure port arguments are only applied to protocols which support them
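
The failure mode described above, as a simplified Python model added here (not Neutron's code): one rule that pairs a port with VRRP stops the rules after it from being applied, and the fixed translation only emits port arguments for protocols that support them. The function names, the fake_iptables stand-in and the PORT_PROTOCOLS set are assumptions of the example.

```python
# Simplified model of the security-group -> iptables translation described above.
# All names are hypothetical; fake_iptables stands in for the real command.

# Assumption: protocols whose iptables match accepts --dport.
PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}

class RuleError(Exception):
    pass

def build_args(rule, port_aware):
    """Translate one rule; port_aware=True models the fixed driver."""
    args = ["-p", rule["protocol"]]
    port = rule.get("dport")
    if port is not None and (not port_aware or rule["protocol"] in PORT_PROTOCOLS):
        args += ["--dport", str(port)]
    return args + ["-j", "RETURN"]

def fake_iptables(args):
    """Reject --dport on a protocol without ports, as the real tool would."""
    proto = args[args.index("-p") + 1]
    if "--dport" in args and proto not in PORT_PROTOCOLS:
        raise RuleError(f"--dport is not valid for protocol {proto}")
    return " ".join(args)

def apply_group(rules, port_aware):
    """Return the rules that actually got applied, in order."""
    applied = []
    try:
        for rule in rules:
            applied.append(fake_iptables(build_args(rule, port_aware)))
    except RuleError:
        pass  # behaviour before the fix: the error stops the remaining rules
    return applied

def audit_group(rules):
    """Defender's check: rules that pair a port with a port-less protocol."""
    return [r for r in rules
            if r.get("dport") is not None and r["protocol"] not in PORT_PROTOCOLS]

# Constructed sample group: the VRRP rule carries a port it cannot use.
SAMPLE_GROUP = [
    {"protocol": "tcp", "dport": 22},
    {"protocol": "vrrp", "dport": 80},
    {"protocol": "tcp", "dport": 443},
]

if __name__ == "__main__":
    print(apply_group(SAMPLE_GROUP, port_aware=False))
    print(apply_group(SAMPLE_GROUP, port_aware=True))
    print(audit_group(SAMPLE_GROUP))
```

audit_group is the check to run over existing security groups on an unpatched deployment: any rule it returns is one that would have stopped later rules in the same group from being applied.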

[USN-4037-1] policykit-desktop-privileges update

  • Affecting Xenial, Bionic, Cosmic, Disco
  • PolicyKit policy update for USB Creator
    • Previously would allow a user with admin privileges (ie. in the admin/sudo group) to overwrite disks (ie create bootable USB images) without prompting for authentication
    • Now updated to require the user to authenticate as well

[USN-4038-1, USN-4038-2] bzip2 vulnerabilities

  • 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • UAF via crafted bzip2 file - crash, DoS
  • OOB write from crafted bzip2 which contains too many selectors - possible RCE

[USN-4040-1, USN-4040-2] Expat vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • CPU DoS if XML names contained a large number of colons (used to specify namespace prefix)

[USN-4042-1] poppler vulnerabilities

[USN-4041-1, USN-4041-2] Linux kernel update

  • 1 CVE addressed in Trusty ESM (HWE), Xenial, Bionic, Cosmic, Disco
  • Final SACK Panic issue (Episode 37) - added a sysctl to easily set the MSS (which is usually hard-coded to 48) so that it can be increased to avoid this DoS issue

Goings on in Ubuntu Security Community

AppArmor interview with John Johansen

Hiring

Robotics Security Engineer

Ubuntu Security Engineer

Get in contact