Episode 48

Show Notes

Overview

This week we look at security updates for the Linux kernel, SDL 2, ClamAV and more, plus Alex and Joe talk security and performance trade-offs, snaps and OWASP Top 10 Cloud Security recommendations, and finally Alex covers some recent concerns about the security of the Snap Store.

This week in Ubuntu Security Updates

31 unique CVEs addressed

[USN-4142-1, USN-4142-2] e2fsprogs vulnerability [00:37]

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • CVE-2019-5094
• Cisco TALOS - possible code execution via OOB write to the heap for code which handles quota support in ext4 - so possible to trigger via a specially crafted ext4 partition - could be triggered during an fsck on the partition etc.

[USN-4143-1] SDL 2.0 vulnerabilities [01:37]

• 5 CVEs addressed in Xenial, Bionic, Disco
  • CVE-2019-7638
  • CVE-2019-7637
  • CVE-2019-7636
  • CVE-2019-7635
  • CVE-2017-2888
• 3 different heap based buffer over-reads -> crash, DoS
• Heap based buffer over-write -> possible code execution or at least crash -> DoS
• Integer overflow -> small alloc -> heap based buffer overflow -> possible code execution

[USN-4147-1] Linux kernel vulnerabilities [02:23]

• 18 CVEs addressed in Bionic (HWE), Disco
  • CVE-2019-15223
  • CVE-2019-15221
  • CVE-2019-15218
  • CVE-2019-15217
  • CVE-2019-9506
  • CVE-2019-15926
  • CVE-2019-15925
  • CVE-2019-15538
  • CVE-2019-15220
  • CVE-2019-15215
  • CVE-2019-15212
  • CVE-2019-15211
  • CVE-2019-15118
  • CVE-2019-15117
  • CVE-2019-15090
  • CVE-2019-13631
  • CVE-2019-10207
  • CVE-2019-0136
• OOB read in ath6kl driver - possible to trigger remotely from the network - crash, DoS
• Bluetooth KNOB attack
• Crashes from malicious USB audio devices:
  • Infinite recursion when parsing device descriptors (if had multiple identical device descriptors could be triggered)
  • OOB read if specified an invalid input pin
• OOB read in QLogic QEDI iSCSI driver
• 2 covered in Episode 46
  • Possible code execution via a NULL pointer dereference in bluetooth UART driver - so if an attacker can map executable code at address zero can achieve code execution - in Ubuntu we have mmap_min_addr set to a non-zero value so this is mitigated by default
  • DoS in Intel wifi driver - allows a malicious client to knock a peer of the network

[USN-4144-1] Linux kernel vulnerabilities [05:02]

• 2 CVEs addressed in Xenial (HWE), Bionic
  • CVE-2019-15538
  • CVE-2018-20976
• 2 different XFS issues
  • UAF triggered from a malicious XFS image -> code exection? -> crash, DoS
  • CPU based DoS if can trigger a chgrp() error due to out-of-quota

[USN-4145-1] Linux kernel vulnerabilities [05:46]

• 11 CVEs addressed in Xenial
  • CVE-2019-15926
  • CVE-2019-15215
  • CVE-2019-15211
  • CVE-2019-13631
  • CVE-2019-11487
  • CVE-2019-10207
  • CVE-2019-0136
  • CVE-2018-20976
  • CVE-2018-20961
  • CVE-2017-18509
  • CVE-2016-10905
• Most covered above

[USN-4146-1, USN-4146-2] ClamAV vulnerabilities [06:00]

• 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • CVE-2019-12900
  • CVE-2019-12625
• Update to latest upstream version (0.101.4)
• OOB read when handling crafted BZIP2 and ZIP files - was covered for bzip2 itself in Ubuntu in Episode 38 - vendored in clamav

Goings on in Ubuntu Security Community

Alex and Joe talk security and performance trade-offs, snaps and OWASP Top 10 Cloud Security recommendations [07:01]

• https://snapcraft.io/teamtime
• https://threatpost.com/intimate-details-healthcare-workers-exposed-cloud-security/149007/
• https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project

Alex addresses some concerns with the perceived security of the Snap Store [20:44]

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter