Episode 46

Posted on Thursday, Sep 12, 2019
A massive 85 CVEs addressed this week, including updates for Exim, the Linux Kernel, Samba, systemd and more, plus we discuss hacking BMCs via remote USB devices and password stashes.

Show Notes

Overview

A massive 85 CVEs addressed this week, including updates for Exim, the Linux Kernel, Samba, systemd and more, plus we discuss hacking BMCs via remote USB devices and password stashes.

This week in Ubuntu Security Updates

85 unique CVEs addressed

[USN-4124-1] Exim vulnerability [00:49]

[USN-4114-1] Linux kernel vulnerabilities [03:49]

  • 5 CVEs addressed in Bionic (HWE), Disco
    • CVE-2019-3900 # medium
      • Infinite loop in virtio network driver - guest VM cause host DoS by stalling vhost_net kernel thread
    • CVE-2019-14284 # medium
      • Divide by zero in floppy driver ioctl() handler (created by default by qemu)
    • CVE-2019-14283 # medium
      • Integer overflow and OOB read in floppy driver
    • CVE-2019-13648 # medium
      • DoS for PowerPC if user calls sigreturn() with crafted signal stack frame - exception and system crash (requires transactional memory to be disabled)
    • CVE-2019-10638 # medium
      • Kernel tries to randomise IP ID values (used for de-fragmentation of IP packets) for connection-less protocols to avoid tracking
      • Is meant to be random across source + dest address + protocol
      • But if an attacker can observe traffic to multiple hosts, can infer the hashing key used to generate the ID values
      • And then can associate different streams of packets back to the same source host and hence can track devices
      • Fixed to used an actual random value for the base of the hash and use a better hashing algorithm (siphash) for ID generation

[USN-4115-1] Linux kernel vulnerabilities [06:42]

[USN-4116-1] Linux kernel vulnerabilities [09:12]

  • 6 CVEs addressed in Xenial
    • CVE-2019-3900 # medium
      • Infinite loop in virtio net driver (guest VM cause host DoS)
    • CVE-2019-14284 # medium
      • See above (Divide by zero in floppy driver)
    • CVE-2019-14283 # medium
      • See above (Integer overflow and OOB read in floppy driver)
    • CVE-2019-13648 # medium
      • See above (PowerPC DoS on sigreturn())
    • CVE-2019-10638 # medium
      • See above (IP ID randomisation)
    • CVE-2018-20856 # medium
      • UAF in block-layer under particular failure conditions

[USN-4117-1] Linux kernel (AWS) vulnerabilities [09:43]

[USN-4118-1] Linux kernel (AWS) vulnerabilities [10:17]

[USN-3934-2] PolicyKit vulnerability [10:36]

  • 1 CVEs addressed in Precise ESM
  • Episode 27 - PolicyKit could get confused via PID reuse - fix was 2 parts - 1 kernel to ensure can’t race kernel on PID assignment, and second was in PolicyKit itself to check on PID, UID and start time.

[USN-4119-1] Irssi vulnerability [11:23]

  • 1 CVEs addressed in Disco
    • CVE-2019-15717 # medium
      • UAF if server sends two CAP commands (used by client and server to negotiate capabilities - ie sasl support etc)

[USN-4121-1] Samba vulnerability [11:52]

  • 1 CVEs addressed in Disco
    • CVE-2019-10197 # medium
      • Possible directory share escape by unauthenticated users - allows attackers to gain access to the host filesystem outside the share root (limited as per underlying file-system permissions)
      • Needs the server to have explicitly enabled ‘wide links’ and not be using ‘unix extensions’ OR to have also set ‘allow insecure wide links’

[USN-4120-1] systemd vulnerability [12:40]

  • 1 CVEs addressed in Bionic, Disco
    • CVE-2019-15718 # medium
      • systemd-resolved failed to properly setup access controls on its DBus server socket, whic allows unprivileged users to execute DBus methods that should only be executable by privileged users - such as changing the systems DNS resolver settings

[USN-4122-1] Firefox vulnerabilities [13:10]

[USN-4123-1] npm/fstream vulnerability [13:29]

Goings on in Ubuntu Security Community

Joe and Alex discuss hacking BMCs via a remote USN attack [13:53]

Joe and Alex also discuss password stashes [20:33]

Get in contact