Episode 53
Posted on Friday, Nov 15, 2019
This week we look at the details of the latest Intel hardware
vulnerabilities, including security updates for the Linux kernel and Intel
microcode, plus Bash, cpio, FriBidi and more.
Show Notes
Overview
This week we look at the details of the latest Intel hardware vulnerabilities, including security updates for the Linux kernel and Intel microcode, plus Bash, cpio, FriBidi and more.
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4176-1] GNU cpio vulnerability [01:00]
- 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
- cpio wouldn’t validate values written to headers of TAR archives - could use cpio to create a TAR containing another TAR with a big size and will use wrong context values (ie uses inner TAR values in header) - this could allow a TAR to be created which has files with permissions not owned by the original user - when extracted by cpio will overwrite target files - whereas if using tar to extract will avoid this - fixed to check and handle header values correctly
[USN-4177-1] Rygel vulnerability [02:18]
- Affecting Eoan
- Added Rygel in Eoan which is off by default but needed GNOME to handle that - it would disable it dynamically - so if not running GNOME, rygel would be running and sharing your stuff on the local network - fixed to disable automatically on upgrade - and then can use the GNOME settings front-end etc to re-enable if desired
[USN-4178-1] WebKitGTK+ vulnerabilities [03:34]
- 4 CVEs addressed in Bionic, Disco
[USN-4181-1] WebKitGTK+ vulnerabilities [03:34]
- 2 CVEs addressed in Bionic, Disco, Eoan
[USN-4179-1] FriBidi vulnerability [04:00]
- 1 CVEs addressed in Disco, Eoan
- Issue reported about unicode isolated handling in Qt - turns out affected GTK applications as well - entirely different code with very similar flaw - stack buffer overflow since didn’t check bounds of a fixed array used to store details on nested unicode isolate sections - simple fix to just check bounds before trying to store next element
[USN-4180-1] Bash vulnerability [05:38]
- 1 CVEs addressed in Precise ESM
- Recently announced vuln (heap-based buffer overflow) in bash affecting old versions - so most releases unaffected except Precise - can trigger by printing wide characters via echo -e
[USN-4182-1, USN-4182-2] Intel Microcode update [06:12]
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
- Voltage modulation able to be performed by a local privileged user - disabled via microcode
- TSX Asynchronous Abort (TAA) -
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915
- Another variant of MDS but only affects processsors with Transational Synchronization Extensions (TSX)
- MDS mitigations also can mitigate this - but needs microcode update - associated kernel update too
[USN-4183-1] Linux kernel vulnerabilities [07:58]
- 9 CVEs addressed in Eoan
- MCEPSC - https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/TAA_MCEPSC_i915
- trigger a MCE from a guest by changing page size in a particular way within the guest -> MCE on host kernel -> DoS
- i915 graphics - userspace can modify PTE via writes to MMIO from blitter command streamer or expose kernel memory - privesc
- TAA
- Various other issues:
- Realtek wifi driver buffer overflow - able to be triggered OTA - crash / RCE
- Buffer overflow in nl80211 config interface (local user) - crash / code exec
- Jann Horn - shiftfs issues
- UID/GID confusion when namespace of lower file-system is not init_user_ns - DAC bypass
- type confusion -> buffer overflow
- reference count underflow -> UAF
- local user crash / code exec
- i915 graphics - userspace read on GT MMIO -> hang -> DoS (low power state)
[USN-4184-1] Linux kernel vulnerabilities [11:09]
- 14 CVEs addressed in Bionic (HWE), Disco
- See above plus
- Various network based subsystems failed to enforce CAP_NET_RAW for raw
socket creation
- AF_NFC, AF_ISDN, AF_APPLETALK, AF_IEEE802154 (low-rate wireless network), AF_AX25
- Various network based subsystems failed to enforce CAP_NET_RAW for raw
socket creation
[USN-4185-1, USN-4185-2] Linux kernel vulnerabilities [12:06]
- 11 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
- realtek wifi buffer overflow, AF_XXX CAP_NET_RAW, NULL pointer dereference in Atheros USB Wifi Driver, Intel hardware issues (2xi915 + TAA + MCEPSC)
[USN-4186-1, USN-4186-2] Linux kernel vulnerabilities [12:47]
- 13 CVEs addressed in Trusty ESM (HWE), Xenial
- Binder UAF -> crash, DoS -> code exec (CONFIG_DEBUG_LIST mitigates this - looking to add this in future kernels like 20.04)
- realtek wifi, CAP_NET_RAW, nl80211 config buffer overflow, Intel hardware issues
[USN-4187-1] Linux kernel vulnerability [13:48]
- 1 CVEs addressed in Trusty ESM
- TAA
[USN-4188-1] Linux kernel vulnerability [13:48]
- 1 CVEs addressed in Precise ESM
- TAA
[LSN-0059-1] Linux kernel vulnerability [14:05]
- 4 CVEs addressed in Xenial and Bionic
- Intel hardware issues - CAN’T BE LIVEPATCHED - need to update kernel and reboot