Episode 41

Posted on Monday, Aug 5, 2019
With Alex and Joe having been away at a Canonical sprint last week, we look back at the past fortnight’s security updates including new Linux kernel releases, MySQL, VLC, Django and more plus we discuss a recent Citrix password spraying attack.

Show Notes

This week in Ubuntu Security Updates

90 unique CVEs addressed

[USN-4066-2] ClamAV vulnerability

  • 1 CVE addressed in Precise ESM, Trusty ESM
  • Episode 40 - libmspack buffer overflow - older ClamAV releases ship their own embedded copy of libmspack, so are affected

[USN-4065-2] Squid vulnerabilities

Episode 40 (memory corruption issues)

[USN-4067-1] Evince vulnerability

  • 1 CVE addressed in Xenial
  • Integer overflow -> buffer overflow when handling embedded TIFF content in PDF documents
  • DoS -> possible RCE

[USN-4068-1, USN-4068-2] Linux kernel vulnerabilities

  • 4 CVEs addressed in Bionic and Xenial (HWE)
  • 2 information disclosure vulnerabilities:
    • Exposes kernel memory to user-space, which could leak sensitive information (keys, pointers that help defeat ASLR, etc.)
    • Bluetooth Human Interface Device Protocol (HIDP) socket ioctl() failed to NUL-terminate the name field
    • Ext4 file-system did not zero out unused regions in extents tree blocks which are returned to user-space
  • Use-after-free due to a race condition in the Reliable Datagram Sockets (RDS) protocol module -> crash / code execution
    • Module is blacklisted by default in Ubuntu and, contrary to the original CVE description, this is unlikely to be remotely exploitable since the use-after-free only occurs on namespace cleanup
  • Intel i915 graphics driver failed to validate ranges for mmap() in some places
    • A local attacker who already has access to the device could use this to crash the system or execute code -> privilege escalation

[USN-4076-1] Linux kernel vulnerabilities

  • 6 CVEs addressed in Xenial
  • Freescale Hypervisor Manager (HVM) for PowerPC used an invalid size parameter from ioctl() for page size calculations - a local attacker could use this to cause various memory corruption issues, possibly resulting in privilege escalation or code execution (only enabled in the Xenial 4.4 kernel)
  • Broadcom wifi driver could pass firmware events received over the air through to the local USB wifi device - allows a remote attacker to send firmware events to the device, with unspecified impact
  • Possible seccomp bypass on ARM for policies that use ptrace - a tracing process could modify a syscall parameter after the seccomp decision for that syscall had been made, so could violate the policy
  • Bluetooth HIDP + Ext4 extents information disclosure vulns covered earlier
  • Race condition in the Serial Attached SCSI (SAS) driver could result in a UAF -> crash or code execution

[LSN-0053-1] Linux kernel vulnerability

[USN-4069-1, USN-4069-2] Linux kernel vulnerabilities

  • 4 CVEs addressed in Disco and Bionic (HWE)
  • The same 2 information disclosure issues as the Bionic/Xenial HWE (4.15) kernel above - Bluetooth HIDP + Ext4 extents, covered earlier
  • Race condition in coredump generation - a local user can trigger a coredump for a process which can race with other memory management handling and so could result in access to invalid memory regions -> crash (DoS) or information disclosure
  • Integer overflow of page reference counts -> UAF
    • Requires at least 140GB of RAM to be affected

[USN-4070-1] MySQL vulnerabilities

[USN-4071-1, USN-4071-2] Patch vulnerabilities

  • 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco
  • OS shell command injection via a crafted patch file that uses shell metacharacters to take control of patch
  • Mishandles symlinks, allowing a crafted patch file to overwrite arbitrary files
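Both of these come down to what a patch file is allowed to make patch(1) do before anyone reads it, so here is an added pre-apply screening script (constructed for these notes, not GNU patch's own code). It flags ed-style hunks (the format in which a "!" line hands the remainder to a shell), git-style hunks that create a symlink, and header paths that are absolute or contain "..". The regexes are heuristics about how such patches look, not a full diff parser, and the four sample patches are constructed inputs.

```python
"""Screen a patch file before handing it to patch(1).

Added example for the two issue classes above (ed-style scripts that can carry
shell commands, and hunks that create symlinks or name paths outside the
tree); not GNU patch's code. The matching rules are heuristic assumptions
about how such patches look, not a complete diff parser."""
import re
from typing import List

# An ed script is a sequence of "<line>[,<line>]<a|c|d>" commands. GNU patch
# autodetects the format, so a file that starts like this is fed to ed.
ED_CMD_RE = re.compile(r'^\d+(,\d+)?[acd]$')
# Inside an ed script, a line beginning with "!" runs the remainder via sh(1).
ED_SHELL_RE = re.compile(r'^!')
# git-style extended header for a newly created symbolic link.
SYMLINK_MODE_RE = re.compile(r'^new file mode 120000$')
# Headers that name the file a hunk will write (unified and git formats).
PATH_HDR_RE = re.compile(r'^(?:\+\+\+|---|rename to|copy to) (\S+)')


def unsafe_path(path: str) -> bool:
    """True for absolute paths or any '..' component: either lets the hunk
    write outside the directory patch is run in."""
    if path == '/dev/null':
        return False
    return path.startswith('/') or '..' in path.split('/')


def screen_patch(text: str) -> List[str]:
    """Return human-readable findings, one per suspicious line (empty = clean)."""
    findings = []
    in_ed_script = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if ED_CMD_RE.match(line):
            in_ed_script = True
            findings.append(f'line {lineno}: ed-style command {line!r}')
        elif in_ed_script and ED_SHELL_RE.match(line):
            findings.append(f'line {lineno}: shell escape in ed script {line!r}')
        elif SYMLINK_MODE_RE.match(line):
            findings.append(f'line {lineno}: hunk creates a symlink')
        else:
            m = PATH_HDR_RE.match(line)
            if m and unsafe_path(m.group(1)):
                findings.append(f'line {lineno}: path leaves the tree {m.group(1)!r}')
    return findings


# Constructed samples: one clean unified diff and three that should be refused.
SAMPLE_UNIFIED = """\
--- a/src/util.c
+++ b/src/util.c
@@ -1,3 +1,3 @@
 int x;
-int y = 1;
+int y = 2;
 int z;
"""

SAMPLE_ED = """\
5a
!echo injected
.
"""

SAMPLE_SYMLINK = """\
diff --git a/link b/link
new file mode 120000
--- /dev/null
+++ b/link
@@ -0,0 +1 @@
+/etc/cron.d
"""

SAMPLE_TRAVERSAL = """\
--- a/jobs/placeholder
+++ b/../../../etc/cron.d/job
@@ -0,0 +1 @@
+# constructed content
"""

if __name__ == '__main__':
    for label, sample in (('unified', SAMPLE_UNIFIED), ('ed', SAMPLE_ED),
                          ('symlink', SAMPLE_SYMLINK), ('traversal', SAMPLE_TRAVERSAL)):
        print(f'{label}: {screen_patch(sample) or "clean"}')
```

The symlink case is the one the checker can only partially cover: it reports the hunk that creates the link, but a later hunk writing through `link/...` looks like an ordinary relative path, which is exactly why patch itself needed fixing rather than the caller.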

[USN-4072-1] Ansible vulnerabilities

  • 8 CVEs addressed in Xenial, Bionic, Disco
  • Path traversal vulnerability in the fetch module - allows an attacker to overwrite files outside of the specified destination
  • Configuration or inventory variables read from the current working directory - a local attacker could point these at an arbitrary module / plugin under their control and so gain code execution as the user running ansible
  • Various issues with variable substitution which could result in arbitrary variables being substituted, leading to information disclosure

[USN-4073-1] libEBML vulnerability

  • 1 CVE addressed in Xenial, Bionic
  • VLC-related issue that got a lot of media attention ("uninstall VLC now" etc.) - overblown
  • Heap-based buffer over-read in the Matroska (EBML) parser -> crash / DoS, not code execution
  • However, VLC itself did have a number of outstanding vulnerabilities

[USN-4074-1] VLC vulnerabilities

  • 4 CVEs addressed in Bionic, Disco
  • 2 different heap-based buffer overflows - possible RCE, but likely mitigated by ASLR (according to upstream)
  • Double free -> crash / DoS (glibc's heap protection detects it and aborts rather than allowing heap corruption)
  • Invalid (uninitialized) pointer dereference -> crash or info leak

[USN-4075-1] Exim vulnerability

  • 1 CVE addressed in Xenial, Bionic, Disco
  • Possible RCE as root if the configuration uses the ${sort } expansion on items that can be controlled by an attacker, e.g. $domain

[USN-4054-2] Firefox regressions

[USN-3990-2] urllib3 vulnerability

[USN-4077-1] tmpreaper vulnerability

  • 1 CVE addressed in Xenial, Bionic
  • Race condition between tmpreaper's bind mount and a rename() by a local attacker - can result in a file being placed elsewhere in the filesystem hierarchy, e.g. dropping a file into /etc/cron.d to get code execution as root -> local privilege escalation

[USN-4078-1] OpenLDAP vulnerabilities

  • 2 CVEs addressed in Xenial, Bionic, Disco
  • Confused the authorisation of one user with another in the SASL authentication code paths - the other user could then perform operations they were not entitled to

[USN-4079-1, USN-4079-2] SoX vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic and Disco
  • CLI audio converter - the usual sorts of issues for a C application handling complex input file formats:
    • NULL ptr dereference
    • Stack-based buffer overflow
    • 2 separate integer overflows -> heap overflow

[USN-4080-1] OpenJDK 8 vulnerabilities

[USN-4083-1] OpenJDK 11 vulnerabilities

[USN-4081-1] Pango vulnerability

  • 1 CVE addressed in Disco
  • Heap-based buffer overflow -> possible code execution in applications that pass invalid UTF-8 to Pango APIs such as pango_itemize()

[USN-4082-1] Subversion vulnerabilities

[USN-4084-1] Django vulnerabilities

  • 4 CVEs addressed in Xenial, Bionic, Disco
  • DoS via memory exhaustion when encoding an attacker-controlled URI
  • SQL injection in key and index lookups in JSON field handling
  • 2 different CPU-based DoS - one in strip_tags() if the input contains a large sequence of nested, incomplete HTML entities, the other in text truncation due to a regex that backtracks
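The truncation issue is an instance of a general failure mode, catastrophic regex backtracking, so here is an added illustration (constructed for these notes; the patterns are not Django's and this is not Django code). A comma-separated tag validator written with a nested quantifier takes time exponential in the input length when the match is forced to fail, while an unambiguous rewrite of the same language stays linear; a length cap before any regex runs is the second layer.

```python
"""Regex backtracking DoS: a tag-list validator with a nested quantifier
versus an unambiguous rewrite, plus an input length cap. Constructed
illustration of the failure class; neither pattern is Django's."""
import re
import time

# Vulnerable shape: (\w+,?)+ can split a run of n word characters in 2^(n-1)
# ways, and the engine tries every split once '$' fails on the trailing '!'.
TAGS_UNSAFE = re.compile(r'^(\w+,?)+$')

# Same language, no ambiguity: each character can be consumed in exactly one
# way, so a failing match is abandoned after O(n) steps.
TAGS_SAFE = re.compile(r'^\w+(,\w+)*,?$')

MAX_LEN = 256  # cap attacker-controlled input before any regex sees it


def valid_tags(text: str, pattern=TAGS_SAFE) -> bool:
    """Accept 'a,b,c' (optionally trailing comma); reject empty items."""
    if len(text) > MAX_LEN:
        return False
    return pattern.fullmatch(text) is not None


def timed(pattern, text: str) -> float:
    """Seconds spent deciding whether `text` matches `pattern`."""
    t0 = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - t0


def evil(n: int) -> str:
    """n word characters followed by one that neither pattern accepts."""
    return 'a' * n + '!'


if __name__ == '__main__':
    # Unsafe time roughly doubles per extra character; safe stays flat.
    for n in (14, 16, 18, 20):
        print(f'n={n:2d}  unsafe={timed(TAGS_UNSAFE, evil(n)):.3f}s  '
              f'safe={timed(TAGS_SAFE, evil(n)):.6f}s')
    print(valid_tags('kernel,ubuntu,usn'), valid_tags('a,,b'), valid_tags(evil(10_000)))
```

Run it to watch the unsafe column grow; do not point `TAGS_UNSAFE` at `evil(30)` or more unless you are prepared to wait. The cap matters independently of the pattern because even a linear regex on a multi-megabyte request body is a cheap way for a client to burn a worker.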

[USN-4085-1] Sigil vulnerability

  • 1 CVE addressed in Xenial, Bionic, Disco
  • Zip slip vulnerability discovered by Mike Salvatore (see Episode 40)
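Sigil's zip slip and the Ansible fetch module traversal covered above share one missing check: the destination path built from an attacker-supplied name is never confirmed to lie under the intended directory. Here is an added containment check and a zip extractor built on it (constructed for these notes, not Sigil's or Ansible's code; `contained`, `safe_extract` and the two in-memory EPUB-like archives are my own). Everything is verified before the first byte is written, so a hostile entry rejects the whole archive rather than leaving a half-extracted tree.

```python
"""Destination containment for archive extraction (zip slip) and fetched
files. Added example, not Sigil's or Ansible's code; the function names and
the two archives below are constructed for the demonstration."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def contained(base: str, member: str) -> bool:
    """True if `member`, joined onto `base`, still resolves to a path under
    `base` after '..' normalisation and symlink resolution of existing parents."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, member))
    return os.path.commonpath([base_real, target]) == base_real


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract every member into `dest`, refusing the whole archive if any
    member name would land outside it. Returns the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate all names first so a bad entry never leaves partial output.
        for info in zf.infolist():
            name = info.filename
            if name.startswith('/') or not contained(dest, name):
                raise ValueError(f'refusing {name!r}: resolves outside {dest}')
        for info in zf.infolist():
            out = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(out, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, 'wb') as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: Dict[str, bytes]) -> bytes:
    """Constructed in-memory zip; writestr() stores names verbatim, so a
    '../' entry survives exactly as it would in a hostile EPUB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


BENIGN = build_archive({'mimetype': b'application/epub+zip',
                        'OEBPS/content.opf': b'<package/>'})
SLIP = build_archive({'mimetype': b'application/epub+zip',
                      '../../escaped.txt': b'constructed payload'})


def demo() -> Dict[str, object]:
    """Run both archives against a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as dest:
        result = {'benign': safe_extract(BENIGN, dest)}
        try:
            safe_extract(SLIP, dest)
            result['slip'] = 'extracted'
        except ValueError as exc:
            result['slip'] = 'refused'
            result['reason'] = str(exc)
        # Still only the benign archive's two top-level entries: nothing from
        # SLIP was written, because validation runs before any write.
        result['top_level_entries'] = sum(1 for _ in os.scandir(dest))
    return result


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

`realpath` is what makes this more than a string-prefix check: `a/../../x` and a name routed through an existing symlinked directory both collapse to their real target before the comparison. Tar archives can additionally carry symlink members, which a zip-only extractor like this never creates and so does not need to handle.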

Goings on in Ubuntu Security Community

Alex and Joe discuss the recent Citrix password spraying attack

Get in contact