Episode 4

Posted on Monday, Sep 10, 2018

Show Notes

Overview

A quieter week in package updates - this week we look at some details of the 9 unique CVEs addressed across the supported Ubuntu releases and talk about various hardening guides for Ubuntu.

This week in Ubuntu Security Updates

9 unique CVEs addressed

[USN-3759-1] libtirpc vulnerabilities

  • 3 CVEs addressed in Trusty, Xenial, Bionic
  • Transport Independent RPC Library, used by NFS
  • 1 medium priority issue:
    • Crash from NULL pointer dereference when the process runs out of file descriptors (failure to check return value) - a remote attacker could cause a crash by flooding with new connections
  • 2 low priority issues:
    • “rpcbomb” - allows an unauthenticated attacker to DoS via memory exhaustion
    • Stack-based buffer overflow could cause a crash when flooded by ICMP and UDP packets in the sunrpc implementation - fixed by replacing stack-based memory allocation with heap-based allocation
    • Common pattern to fix this type of issue - similar work in Linux kernel recently by KSPP to replace VLAs
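
The stack-to-heap fix pattern described above, as an added C example that is not libtirpc or kernel code: `handle_msg_stack`, `handle_msg_heap`, `fold` and the `MAX_MSG` cap are hypothetical names and values chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG 65507u  /* assumed cap: largest UDP payload over IPv4 */
enum { MSG_OK = 0, MSG_TOO_BIG = -1, MSG_NO_MEM = -2 };

/* Fold the scratch copy into a 32-bit value; stands in for real decoding. */
static uint32_t fold(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++)
        s = s * 31u + p[i];
    return s;
}

/* Before: scratch space sized by the input lives on the stack. There is no
 * failure path to check, so this is only safe for small, trusted lengths. */
int handle_msg_stack(const uint8_t *msg, size_t len, uint32_t *out)
{
    uint8_t scratch[len ? len : 1];   /* VLA, same hazard as alloca() */
    memcpy(scratch, msg, len);
    *out = fold(scratch, len);
    return MSG_OK;
}

/* After: bound the length, allocate on the heap, check the return value. */
int handle_msg_heap(const uint8_t *msg, size_t len, uint32_t *out)
{
    if (len > MAX_MSG)
        return MSG_TOO_BIG;
    uint8_t *scratch = malloc(len ? len : 1);
    if (scratch == NULL)              /* unchecked returns lead to NULL derefs */
        return MSG_NO_MEM;
    memcpy(scratch, msg, len);
    *out = fold(scratch, len);
    free(scratch);
    return MSG_OK;
}

int main(void)
{
    const uint8_t msg[4] = {1, 2, 3, 4};   /* constructed sample input */
    uint32_t v = 0;
    int rc = handle_msg_heap(msg, sizeof msg, &v);
    printf("rc=%d value=%u\n", rc, (unsigned)v);
    return rc == MSG_OK ? 0 : 1;
}
```

The heap version turns both failure modes (oversized input and allocation failure) into return codes the caller can handle, which the stack version cannot express.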

[USN-3759-2] libtirpc vulnerabilities

[USN-3760-1] transfig vulnerability

  • 1 CVE addressed in Trusty, Xenial
  • transfig / fig2dev - utilities for converting XFig files
  • Fixes an error which allows memory corruption when handling specially crafted files

[USN-3761-1] Firefox vulnerabilities

  • 5 CVEs addressed in Trusty, Xenial, Bionic
  • Latest Firefox release (62) fixing a number of issues including DoS and RCE
  • One interesting one is CVE-2018-12383 - in Firefox 58 the password storage format was changed (was SQLite, then was changed to JSON). When a user sets a master password, it is used to encrypt all stored passwords. However, this was only done for the copy stored in the new format - the old copy would still be stored unencrypted since it never had a master password set on it. This is now fixed by simply deleting the old copy of the password DB.

Goings on in Ubuntu Security Community

Discussions around hardening guides for Ubuntu

  • A number of ‘best practices’ guides exist for hardening Ubuntu installations from reputable organisations
  • In general these have similar recommendations:
    • Use UEFI Secure Boot
    • Disable unnecessary services
    • Use a known and fixed networking configuration (disable DHCP / use VPN etc)
    • Enable Mandatory Access Control frameworks (i.e. AppArmor)
    • Use a specific password policy
    • Enable auditing
  • Differ in level of detail and technical knowledge needed to deploy
  • Typically aimed at computer and network administrators (not end-users)
  • Ubuntu already includes a number of these recommendations out of the box:
  • Ubuntu strives to strike a balance between security and usability out-of-the-box

Hiring

Ubuntu Security Manager

Ubuntu Security Engineer

Get in contact