Episode 40

Posted on Wednesday, Jul 24, 2019
Big roundup of security updates from the past 2 weeks including Docker, ZeroMQ, Squid, Redis and more, plus we talk with Joe McManus about some recent big fines for companies breaching their GDPR responsibilities and it’s EOL for Ubuntu 18.10 Cosmic Cuttlefish.

Show Notes

This week in Ubuntu Security Updates

62 unique CVEs addressed

[USN-4047-1] libvirt vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • All related: in each case various libvirt APIs were accessible to users with read-only permissions and allowed them to perform operations they should not have had access to. In one case this provided the ability to escalate privileges to root on the host, since it allowed arbitrary binaries to be executed with elevated permissions.
  • By default, libvirt is constrained by AppArmor in Ubuntu which provides some isolation to help in these cases

[USN-4048-1] Docker vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • Directory traversal via a crafted symlink exchange (TOCTOU) in the docker cp command. docker cp copies files between the host and a container; to do this safely the path has to be resolved as though from inside the container, so docker resolves symlinks to validate the path and later uses it if it validated. A race exists where a component of the path can be replaced with a symlink after the check but before the copy, so arbitrary files on the host can be overwritten -> privilege escalation
  • The runc component in Docker could allow a container to overwrite the runc binary on the host -> privilege escalation (and container escape) to the runc context on the host

[USN-4049-1, USN-4049-2] GLib vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic
  • Similar to CVE-2019-12450 (Episode 36): in this case, directories and files were created with default permissions rather than restrictive permissions when using the keyfile GSettings backend, which could expose settings to other users or allow them to modify settings

[USN-4050-1] ZeroMQ vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  • Stack buffer overflow when using CURVE encryption/authentication -> RCE

[USN-4051-1, USN-4051-2] Apport vulnerability

  • 1 CVE addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
  • Reported by Kevin Backhouse of Semmle Security Research Team
  • TOCTOU when processing a user's own ignore configuration file
  • Apport runs as root, but checked permission to the file via the access() system call, which uses the process's real UID / GID, so on its own this is a safe permission check. BUT it would then go and open the file, and in the meantime the file could be replaced by a symlink to, say, a root-owned file, which would then get included in the resulting crash report
  • The fix is to seteuid() to the desired user (setting the effective UID) and then actually open the file, before restoring the effective UID to root. This does the equivalent of the access() and the open() in a single call, avoiding the TOCTOU
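The pattern above, as an added C model rather than Apport's own code (Apport is written in Python): `racy_open()` does the access()-then-open() sequence with a hook that simulates the attacker winning the race by swapping the checked file for a symlink, and `open_as_user()` does the seteuid()-style fix, where the open itself runs with the user's effective UID/GID so the kernel performs check and open together. The scratch directory, file contents and every function name here are constructed for the illustration.

```c
/* Added example, not Apport's own code (Apport is written in Python): a C
 * model of the access()/open() race described above and of the seteuid()
 * fix. Paths, file contents and function names are constructed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char secret_file[256]; /* stands in for a root-only file */
static char user_file[256];   /* the user's own ignore file */

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Fresh scratch directory holding both files (constructed data). */
static int setup_files(void)
{
    char tmpl[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    snprintf(secret_file, sizeof secret_file, "%s/secret", tmpl);
    snprintf(user_file, sizeof user_file, "%s/ignore.conf", tmpl);
    return write_file(secret_file, "root-only") || write_file(user_file, "user-data");
}

/* Read fd into buf and close it; 0 on success, -1 on any failure. */
static int read_all(int fd, char *buf, size_t cap)
{
    ssize_t n = fd < 0 ? -1 : read(fd, buf, cap - 1);
    if (fd >= 0) close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Vulnerable pattern: access() checks against the REAL uid/gid (correct on
 * its own), but open() then runs with the EFFECTIVE uid (root) on whatever
 * the path resolves to at that moment. `between` models the attacker. */
int racy_open(const char *path, void (*between)(const char *))
{
    if (access(path, R_OK) != 0)
        return -1;               /* user may not read it: refuse */
    if (between)
        between(path);           /* file swapped for a symlink here */
    return open(path, O_RDONLY); /* root opens the symlink's target */
}

/* Attacker's move: replace the just-checked file with a symlink. */
static void attacker_swap(const char *path)
{
    if (unlink(path) != 0 || symlink(secret_file, path) != 0)
        perror("attacker_swap");
}

/* Fixed pattern: take on the user's effective uid/gid so the kernel does
 * the permission check and the open as one operation. Drop gid before uid
 * and restore uid before gid. (A complete implementation also switches
 * supplementary groups, which the kernel consults for permission too.) */
int open_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd = -1, saved_errno = EPERM;

    if (setegid(gid) == 0 && seteuid(uid) == 0) {
        fd = open(path, O_RDONLY);
        saved_errno = errno;
    }
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();                 /* never carry on with wrong privileges */
    errno = saved_errno;
    return fd;
}

/* 1 if the racy version handed us the secret file, 0 if not, -1 on error. */
int demo_race(void)
{
    char buf[64];
    if (setup_files() != 0) return -1;
    if (read_all(racy_open(user_file, attacker_swap), buf, sizeof buf) != 0) return -1;
    return strcmp(buf, "root-only") == 0;
}

/* 1 if the fixed version opens the user's own file while running as that user. */
int demo_fixed(void)
{
    char buf[64];
    if (setup_files() != 0) return -1;
    if (read_all(open_as_user(user_file, getuid(), getgid()), buf, sizeof buf) != 0) return -1;
    return strcmp(buf, "user-data") == 0;
}
```

Run unprivileged, `demo_race()` still shows the mechanism (the open follows the swapped-in symlink), while `open_as_user()` only changes behaviour when the caller is root: that is exactly the case Apport is in. Note that O_NOFOLLOW on the open would only protect the final path component, whereas opening with the user's effective identity covers the whole path walk.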

[USN-4052-1] Whoopsie vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  • Reported by Kevin Backhouse of Semmle Security Research Team
  • Integer overflow when processing a crash dump: if the dump file contained an artificially large value, the length calculation would overflow, resulting in a heap buffer out-of-bounds write -> crash / DoS, or code execution as the whoopsie process
  • Coupled with the previous Apport bug, this could allow an arbitrary user to read any file on the system: first embed it in a crash dump via Apport, then trigger Whoopsie to process the dump and expose it via arbitrary code execution
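How a length calculation overflow of this kind turns into a heap out-of-bounds write, and the check that stops it, as an added example that is not Whoopsie's code: the record format (a 4-byte little-endian length followed by that many payload bytes), the `len + 1` expression and the sample dumps are all a constructed model of the bug class, not the actual whoopsie dump format or code.

```c
/* Added example, not Whoopsie's own code: a minimal model of the length
 * calculation overflow described above, next to a parser that checks it.
 * The record format (a 4-byte little-endian length followed by that many
 * payload bytes) and all sample dumps are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable arithmetic: allocation size is "len + 1" (room for a NUL)
 * computed in 32 bits. An attacker-controlled len of 0xFFFFFFFF wraps to 0,
 * so malloc() returns a tiny block and the memcpy() of len bytes that would
 * follow writes far past it: the heap OOB write. Only the arithmetic is
 * modelled here; the write itself is never performed. */
uint32_t vuln_alloc_size(uint32_t len)
{
    return len + 1u;
}

/* Hardened parse: reject the wrap explicitly, then bound len by the bytes
 * actually present, before touching the heap. Returns a NUL-terminated
 * copy of the field, or NULL on any inconsistency. */
char *parse_field(const unsigned char *dump, size_t dump_len)
{
    uint32_t len, need;
    char *out;

    if (dump_len < 4)
        return NULL;                     /* no complete length field */
    len = rd32le(dump);
    if (__builtin_add_overflow(len, 1u, &need))
        return NULL;                     /* len + 1 would wrap */
    if (len > dump_len - 4)
        return NULL;                     /* claims more data than exists */
    out = malloc(need);
    if (!out)
        return NULL;
    memcpy(out, dump + 4, len);
    out[len] = '\0';
    return out;
}

/* Constructed samples: a well-formed record, and a crafted one whose
 * length field is 0xFFFFFFFF with only four payload bytes behind it. */
static const unsigned char good_dump[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char evil_dump[] = {0xff, 0xff, 0xff, 0xff, 'A', 'A', 'A', 'A'};

/* 1 if the well-formed record parses to "hello". */
int demo_good(void)
{
    char *s = parse_field(good_dump, sizeof good_dump);
    int ok = s != NULL && strcmp(s, "hello") == 0;
    free(s);
    return ok;
}

/* 1 if the crafted record is rejected instead of being allocated for. */
int demo_evil(void)
{
    return parse_field(evil_dump, sizeof evil_dump) == NULL;
}

int main(void)
{
    printf("vuln_alloc_size(0xFFFFFFFF) = %u\n",
           (unsigned)vuln_alloc_size(0xFFFFFFFFu));
    printf("good parses: %d, crafted rejected: %d\n", demo_good(), demo_evil());
    return 0;
}
```

For this crafted record the bound against the input size alone would already reject it; the explicit overflow check is there for parsers that compute a size from a field before they know how much input follows, which is where a wrapped `len + 1` ends up as a too-small allocation.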

[USN-4053-1] GVfs vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
  • The gvfs private server socket did not configure any authorisation, so any user could potentially connect to it and issue API calls -> possible code execution as another user
  • Files created / moved by the admin backend could end up with the wrong file ownership. The admin backend allows a normal user (after admin authorisation) to access root's files, so a user could copy files into root's home that remained owned by the original user

[USN-4054-1] Firefox vulnerabilities

[USN-4064-1] Thunderbird vulnerabilities

[USN-4055-1] flightcrew vulnerabilities

[USN-4056-1] Exiv2 vulnerabilities

[USN-4057-1] Zipios vulnerability

  • 1 CVE addressed in Xenial, Bionic, Cosmic, Disco
  • Same infinite loop issue as the flightcrew update, since flightcrew contains an embedded copy of zipios

[USN-4058-1] Bash vulnerability

  • 1 CVE addressed in Xenial
  • rbash did not prevent modifying BASH_CMDS, so a user could execute arbitrary commands via the shell, defeating the purpose of rbash

[USN-4059-1, USN-4059-2] Squid vulnerabilities

  • 2 CVEs addressed in Precise ESM, Xenial, Bionic, Disco
  • XSS in cachemgr CGI web module, and memory leak in SNMP module

[USN-4060-1, USN-4060-2] NSS vulnerabilities

  • 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • The 3 CVEs come from the Firefox update (since Firefox contains libnss)
    • Empty public keys could trigger a segfault
    • Possible to force to sign with wrong signature type with TLS 1.3
    • OOB read when importing a private key with leading NUL bytes -> info disclosure / crash

[USN-4061-1] Redis vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Disco
  • One stack-based and one heap-based buffer overflow when handling a deliberately corrupted HyperLogLog data structure

[USN-4062-1] WavPack vulnerabilities

[USN-4063-1] LibreOffice vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Disco
  • RCE via a malicious document: documents can contain Python, and the built-in LibreLogo turtle graphics script can be used to execute that bundled Python code, so RCE can be obtained via a mouse-over event that invokes LibreLogo with the embedded Python
  • Stealth mode: documents can only fetch resources from 'trusted' locations
    • Allows the normal remote resource handling in documents to be disabled, for a more private mode
    • BUT bullet graphics were not included, so a document could specify a remote bullet graphic from a non-trusted location and it would still be fetched

[USN-4065-1] Squid vulnerabilities

  • 3 CVEs addressed in Xenial, Bionic, Disco
  • 3 different crash bugs via memory corruption -> DoS, but possibly RCE as well…
    • 1 when using Digest auth and 2 for Basic auth

[USN-4066-1] libmspack vulnerability

  • 1 CVE addressed in Xenial, Bionic
  • Buffer over-read with malicious chm file -> crash, DoS

Goings on in Ubuntu Security Community

Discussion with Joe McManus on recent large GDPR fines for Marriott and British Airways

Ubuntu 18.10 (Cosmic Cuttlefish) End-of-Life

Get in contact