Episode 45

Posted on Wednesday, Sep 4, 2019
This week we look at security updates for Dovecot, Ghostscript, a livepatch update for the Linux kernel, Ceph and Apache, plus Alex and Joe discuss recent WordPress plugin vulnerabilities and the Hostinger breach, and more.

Show Notes

This week in Ubuntu Security Updates

22 unique CVEs addressed

[USN-4110-1, USN-4110-2] Dovecot vulnerability [00:52]

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • IMAP and ManageSieve protocol parsers did not check for embedded NUL bytes in quoted strings
    • While scanning such a string, the parser could compute an index for the first character needing unescaping that lay outside the bounds of the string it had actually stored
    • Unescaping then started from that index, rewriting the string in place, and so wrote outside the bounds of the string
    • Fixed to reject embedded NUL bytes AND to unescape the whole string from its start rather than skipping ahead to the first character needing unescaping
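
As an added example (not Dovecot's code), the C program below models the bug class described in these notes: a length-delimited quoted string that may contain NUL bytes, a parser that notes the offset of the first escape while scanning the raw bytes, a strdup-style copy that is truncated at the first NUL, and in-place unescaping that starts at the noted offset. The truncated-copy detail is the mechanism assumed here to explain how the index ends up outside the stored string; the function names, the constructed inputs and the reporting of the would-be out-of-bounds write (instead of performing it) are all this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*parse_fn)(const unsigned char *, size_t, char **);

/* Index of the first backslash in the raw, length-delimited input, or -1. */
static long first_escape_index(const unsigned char *data, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (data[i] == '\\')
            return (long)i;
    return -1;
}

/* Copy the bytes the way a strdup-style helper would: stop at the first NUL,
 * so the stored copy can be shorter than 'size' (the assumed root cause). */
static char *copy_as_cstring(const unsigned char *data, size_t size)
{
    size_t n = 0;
    while (n < size && data[n] != '\0')
        n++;
    char *out = malloc(n + 1);
    if (out == NULL)
        abort();
    memcpy(out, data, n);
    out[n] = '\0';
    return out;
}

/* Remove backslash escapes in place starting at p: "\x" becomes "x". */
static void unescape_from(char *p)
{
    char *dest = p;
    for (; *p != '\0'; p++) {
        if (*p == '\\') {
            p++;
            if (*p == '\0')
                break;
        }
        *dest++ = *p;
    }
    *dest = '\0';
}

/* Vulnerable flow: returns 0 and sets *out on success, or 1 where the original
 * would have unescaped past the end of the stored string (reported, not done). */
static int vulnerable_parse(const unsigned char *data, size_t size, char **out)
{
    long first = first_escape_index(data, size);
    char *copy = copy_as_cstring(data, size);
    *out = NULL;
    if (first >= 0) {
        if ((size_t)first > strlen(copy)) {
            free(copy);          /* copy + first lies outside the allocation */
            return 1;
        }
        unescape_from(copy + first);
    }
    *out = copy;
    return 0;
}

/* Hardened flow, mirroring both parts of the fix: reject embedded NUL bytes
 * (-1), and unescape the whole string from its start, not from an offset. */
static int hardened_parse(const unsigned char *data, size_t size, char **out)
{
    *out = NULL;
    if (memchr(data, '\0', size) != NULL)
        return -1;
    char *copy = copy_as_cstring(data, size);
    unescape_from(copy);
    *out = copy;
    return 0;
}

/* Check helpers: a flow's return code, and whether it produced 'expected'. */
static int status_of(parse_fn fn, const unsigned char *data, size_t size)
{
    char *out;
    int rc = fn(data, size, &out);
    free(out);                   /* NULL on the error paths; free(NULL) is fine */
    return rc;
}

static int parses_to(parse_fn fn, const unsigned char *data, size_t size,
                     const char *expected)
{
    char *out;
    if (fn(data, size, &out) != 0)
        return 0;
    int ok = strcmp(out, expected) == 0;
    free(out);
    return ok;
}

/* Constructed inputs (not captured traffic): bytes of an IMAP quoted string
 * with the surrounding double quotes already stripped. */
static const unsigned char BENIGN[] = "say \\\"hi\\\"";
static const unsigned char WITH_NUL[] = {'a', 'b', '\0', 'c', '\\', '"', 'd'};

int main(void)
{
    printf("benign  : vulnerable=%d hardened=%d (1 = unescaped to say \"hi\")\n",
           parses_to(vulnerable_parse, BENIGN, sizeof BENIGN - 1, "say \"hi\""),
           parses_to(hardened_parse, BENIGN, sizeof BENIGN - 1, "say \"hi\""));
    printf("with NUL: vulnerable=%d (1 = would write out of bounds) hardened=%d (-1 = rejected)\n",
           status_of(vulnerable_parse, WITH_NUL, sizeof WITH_NUL),
           status_of(hardened_parse, WITH_NUL, sizeof WITH_NUL));
    return 0;
}
```

Running it shows the benign string unescaping identically in both flows, while the input with an embedded NUL makes the vulnerable flow land at offset 4 of a 2-byte stored string and the hardened flow reject it before copying. The second half of the fix matters on its own: even with NULs rejected, unescaping from the start of the stored copy removes any dependency on an offset computed over a different buffer.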

[USN-4110-3, USN-4110-4] Dovecot regression [02:08]

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • The original patch used a pre-release version of the fix from upstream which contained an error such that the check for NUL bytes was skipped - re-released with the correct final upstream fix

[LSN-0054-1] Linux kernel vulnerability [02:38]

[USN-4111-1] Ghostscript vulnerabilities [03:20]

[USN-4112-1] Ceph vulnerability [04:01]

  • 1 CVE addressed in Bionic, Disco
  • DoS - unauthenticated clients can crash the RADOS gateway (RGW) by disconnecting at a particular moment, triggering a NULL pointer dereference when the server looks up the remote address of the connected client
    • Older versions are not affected since this is in the Beast RGW frontend, which is not present in the Trusty / Xenial versions and is only an experimental feature in the Bionic version

[USN-4113-1] Apache HTTP Server vulnerabilities [04:41]

  • 7 CVEs addressed in Xenial, Bionic, Disco

  • HTTP/2 DoS issue (Internal Data Buffering) - see Episode 43, where the same issue was covered for nginx

  • Open redirect in mod_rewrite where self-referential redirects are configured - encoded newlines in the request URL could cause the redirect to point at an unexpected URL taken from the request instead

  • Stack buffer overflow + NULL pointer dereference in mod_remoteip when it is configured to accept the PROXY protocol from a trusted intermediary - only triggerable by that trusted proxy, not by untrusted HTTP clients

  • Possible XSS in mod_proxy where the link shown on error pages could be controlled by an attacker - but only where proxying is enabled and the server is misconfigured so that the Proxy Error page is shown

  • UAF (read) during HTTP/2 connection shutdown

  • HTTP/2 push - allows the server to send resources to a client before it requests them - very early pushes could overwrite memory in the pushing request's pool; the data copied is the configured push link header values, not client-supplied data, so this is not under the client's control but could still cause a crash

  • HTTP/2 upgrade - the server can be configured to automatically upgrade HTTP/1.1 requests to HTTP/2 - but if the upgrade request was not the first request on the connection this could lead to a crash

Goings on in Ubuntu Security Community

Alex and Joe talk WordPress plugin vulnerabilities and the Hostinger password breach [07:03]

OpenSSL 1.1.1 with TLS 1.3 support complete for Ubuntu 18.04 LTS (Bionic) [17:29]

  • OpenSSL upgraded to version 1.1.1 in Ubuntu 18.04 LTS - supports TLS 1.3 - now published via -updates and -security

Get in contact