Episode 56

Posted on Friday, Dec 13, 2019
In the second to last episode for 2019, we look at security updates for Samba, Squid, Git, HAProxy and more, plus Alex and Joe discuss Evil Corp hacker indictments, unsecured AWS S3 buckets and more.

Show Notes


This week in Ubuntu Security Updates

43 unique CVEs addressed

[USN-4212-1] HAProxy vulnerability [00:50]

  • 1 CVE addressed in Bionic, Disco, Eoan
  • Failed to treat malformed headers as invalid - HTTP/2 allows headers to be encoded as binary, and these can then contain characters which would be invalid when converted to HTTP/1.1 - as such these should be treated as invalid, otherwise invalid headers can be forwarded on to HTTP/1.1 servers and could be used to launch attacks against them - so test for and reject invalid chars (CR, LF and NUL)
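As an added example (not HAProxy's code), this is the shape of the check the advisory describes: a header coming from an HTTP/2 binary encoding is scanned for CR, LF and NUL before it is re-serialised as an HTTP/1.1 header line, and the whole header is rejected if any is present. The buffer layout and function names are assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not HAProxy code. CR and LF would terminate an HTTP/1.1
 * header line early (letting a second line ride along), and a NUL would
 * truncate any C-string handling further down the chain, so none of the
 * three may survive the HTTP/2 -> HTTP/1.1 conversion. */
static bool h1_header_bytes_valid(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\r' || c == '\n' || c == '\0')
            return false;
    }
    return true;
}

/* Serialise one header as "Name: value\r\n" only after both parts pass the
 * check. Lengths are explicit because the offending byte may be a NUL, so
 * strlen() on the HTTP/2 input would hide exactly the case we care about.
 * Returns the number of bytes written, or -1 if the header is rejected or
 * does not fit in the output buffer. */
static int h1_emit_header(char *out, size_t out_sz,
                          const char *name, size_t name_len,
                          const char *value, size_t value_len)
{
    if (!h1_header_bytes_valid(name, name_len) ||
        !h1_header_bytes_valid(value, value_len))
        return -1;

    size_t need = name_len + 2 + value_len + 2;   /* ": " and "\r\n" */
    if (need > out_sz)
        return -1;

    memcpy(out, name, name_len);
    memcpy(out + name_len, ": ", 2);
    memcpy(out + name_len + 2, value, value_len);
    memcpy(out + name_len + 2 + value_len, "\r\n", 2);
    return (int)need;
}
```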

[USN-4213-1] Squid vulnerabilities [01:37]

  • 7 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • 2 issues in URN handling (uniform resource name, globally unique identifier within a particular namespace - e.g. urn:ietf:rfc:2648):
    • When handling URN requests Squid makes a corresponding HTTP request, but the various access control checks that are normally done for HTTP weren't done, so it could end up accessing restricted HTTP resources (such as servers that listen on localhost etc)
    • Heap buffer overflow if response received from a server that is handling a URN request does not fit within the buffer
    • Failure to NUL-terminate strings - buffer overflow on read -> crash in the cachemgr cgi process - DoS to all clients using the cachemgr
  • Able to redirect traffic to origins that should be disallowed, due to use of the append_domain setting
  • HTTP request smuggling (see Episode 52 for the same class of issue in HAProxy)
  • Nonces used for HTTP digest authentication were generated from a raw byte value of a pointer from a heap memory allocation - this allows attackers to deduce this pointer value and therefore help to defeat ASLR

[USN-4214-1] RabbitMQ vulnerability [03:54]

  • 1 CVE addressed in Trusty ESM, Disco, Eoan
  • Integer overflow if a client sent a frame of size close to UINT32_MAX - the resulting size calculation could overflow, memory was then allocated with this overflowed (and hence small) size, resulting in a heap buffer overflow when the frame was copied into that buffer - so instead just reject frames greater than INT32_MAX

[USN-4215-1] NSS vulnerability [04:38]

  • 1 CVE addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • NULL pointer dereference -> crash -> DoS when NSS handles Netscape Certificate Sequences (a type of encoded certificate)

[USN-4216-1] Firefox vulnerabilities [05:07]

[USN-4217-1] Samba vulnerabilities [05:45]

  • 2 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • Kerberos allows delegation to be configured as non-forwardable - but this would not be honored properly by the Samba AD DC - so could allow delegation to be forwarded by clients even when this was disabled by config
  • Able to read invalid memory and so crash the AD DC if a DNS record was created that matched the name of a DNS zone, due to type confusion

[USN-4218-1] GNU C vulnerability [06:43]

  • 1 CVE addressed in Precise ESM, Trusty ESM
  • eglibc was used as the standard libc in older Ubuntu releases like Trusty/Precise - posix_memalign integer overflow - allocates memory of a given size aligned to a certain boundary - could return a smaller area than requested -> heap overflow as a result
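The RabbitMQ frame-size issue above and this posix_memalign issue share one bug shape: a size taken from untrusted input has a small constant added (frame overhead in one case, alignment padding in the other), the 32-bit or size_t sum wraps to a small value, and the too-small buffer is then filled with the original, large length. The added example below (not RabbitMQ or glibc code; FRAME_OVERHEAD is an assumed value) shows the wrapping calculation beside the checked version, including the INT32_MAX cap the RabbitMQ fix applied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed for the example: bytes added around a frame payload. */
#define FRAME_OVERHEAD 8u

/* Vulnerable pattern: unsigned addition wraps silently, so a payload length
 * near UINT32_MAX yields a tiny allocation while the copy that follows still
 * uses the original payload length. */
static uint32_t frame_alloc_size_unchecked(uint32_t payload_len)
{
    return payload_len + FRAME_OVERHEAD;   /* wraps once payload_len > UINT32_MAX - 8 */
}

/* Would copying payload_len bytes into the unchecked allocation overrun it? */
static bool frame_copy_overruns(uint32_t payload_len)
{
    return frame_alloc_size_unchecked(payload_len) < payload_len;
}

/* Hardened pattern: cap what is accepted (the advisory's fix rejects frames
 * larger than INT32_MAX), then make the overflow check explicit so the
 * function stays safe even if the cap is later loosened. */
static bool frame_alloc_size_checked(uint32_t payload_len, uint32_t *total)
{
    if (payload_len > (uint32_t)INT32_MAX)
        return false;
    if (payload_len > UINT32_MAX - FRAME_OVERHEAD)
        return false;
    *total = payload_len + FRAME_OVERHEAD;
    return true;
}

/* Same idea for an aligned allocation: rounding size up to a multiple of
 * alignment must not wrap, or the caller gets less memory than it asked for.
 * Returns 0 on overflow or if alignment is not a power of two. */
static size_t aligned_size_checked(size_t size, size_t alignment)
{
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return 0;
    if (size > SIZE_MAX - (alignment - 1))
        return 0;                          /* size + padding would wrap */
    return (size + alignment - 1) & ~(alignment - 1);
}
```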

[USN-4219-1] libssh vulnerability [07:30]

  • 1 CVE addressed in Xenial, Bionic, Disco, Eoan
  • The libssh ssh_scp_new() function takes a 3rd argument - if this could be attacker influenced then it could possibly be used to inject arbitrary commands which would then be run on the server - so requires the API to be used in a particular way - but could then allow users to execute commands on the server even if they should only have been able to copy files

[USN-4220-1] Git vulnerabilities [08:16]

  • 9 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • RCE when cloning a malicious repo with a crafted .gitmodules file (used to specify git submodules for the parent repo)
  • Mishandling of CLI arguments during cloning of repos via SSH URLs allowed possible RCE
  • Arbitrary path overwrite during a fast-import due to incorrect handling of the export-marks option
  • WSL relevant issues:
    • On Windows, would write out filenames that contained backslashes even though these then act as directory separators on Windows
    • Wouldn’t enforce NTFS protections in the working directory
    • Didn't take into account NTFS Alternate Data Streams, allowing files inside the .git dir to be overwritten during clone (ADS is a file attribute specific to NTFS, allowing data to be stored for a file alongside the actual file itself)
    • Second attack via NTFS ADS via name squatting on the git~2 short-name
    • Didn't handle Windows virtual drives, which can be named not just as say A: but with a full name - git would handle these as relative paths, allowing writing outside the worktree during a clone

[USN-4202-2] Thunderbird regression [10:15]

[USN-4221-1] libpcap vulnerability [10:37]

  • 1 CVE addressed in Trusty ESM, Xenial, Bionic, Disco
  • Possible buffer overflow when handling PHB headers - confusion upstream about which commit fixes which part, but have included all the various commits from upstream - thanks Steve for taking the time to dig into this issue

Goings on in Ubuntu Security Community

Alex and Joe discuss Evil Corp hackers and unsecured S3 buckets [11:06]

Get in contact