Episode 59

Show Notes

Overview

After a weeks break we are back to look at updates for ClamAV, GnuTLS, nginx, Samba and more, plus we briefly discuss the current 20.04 Mid-Cycle Roadmap Review sprint for the Ubuntu Security Team

This week in Ubuntu Security Updates

73 unique CVEs addressed

[USN-4230-1] ClamAV vulnerability [01:16]

• 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-15961
• Backport latest upstream release (0.102.1) from focal
• CPU based DoS when scanning crafted emails - parsing of MIME components in particular

[USN-4232-1] GraphicsMagick vulnerabilities [01:52]

• 11 CVEs addressed in Xenial
  • CVE-2017-16353
  • CVE-2017-16352
  • CVE-2017-15930
  • CVE-2017-15277
  • CVE-2017-14997
  • CVE-2017-14994
  • CVE-2017-14733
  • CVE-2017-14649
  • CVE-2017-14504
  • CVE-2017-14314
  • CVE-2017-14165
• Episode 57, Episode 55
• Heap based buffer over-reads - info leak or crash -> DoS
• Heap based buffer over-flow - crash -> DoS, RCE
• NULL ptr derefs - crash -> DoS
• Memory overallocation -> memory based remote DoS

[USN-4231-1] NSS vulnerability [03:04]

• 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-17006
• UBSAN found possible buffer overflow due to failure to check lengths of inputs to various functions - so applications using libnss for crypto could be vulnerable to buffer overflow

[USN-4233-1] GnuTLS update [03:54]

• Affecting Xenial, Bionic
• Update marks SHA1 as being untrusted for digital signature operations - SHA1 has been broken in theory for a while and 2017 Google showed the first SHA1 collision - recently the first chosen-prefix attack was demonstrated against SHA1 as well - demonstrated by creating a GPG key which can impersonate another
• As such GnuTLS will not trust SHA1 based digital signatures since these can relatively easily be forged now (but not for an arbitrary input)
• As such libraries / applications which use GnuTLS (libsoup, Epiphany) will not trust SHA1 based digital signatures
• https://sha-mbles.github.io/

[USN-4234-1] Firefox vulnerabilities [06:10]

• 8 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-17026
  • CVE-2019-17025
  • CVE-2019-17024
  • CVE-2019-17023
  • CVE-2019-17022
  • CVE-2019-17020
  • CVE-2019-17017
  • CVE-2019-17016
• Latest upstream Firefox release (72.0.1)
• Usual sorts of issues fixed: DoS, info disclosure, bypass content security policy restrictions, conduct XSS attacks or execute arbitrary code

[USN-4047-2] libvirt update vulnerability [06:48]

• 1 CVEs addressed in Trusty ESM
  • CVE-2019-10161
• Episode 40 libvirt updated for regular releases - various APIs which could cause effects were accessible to read-only users
• Now backported for 14.04 ESM users / customers as well

[USN-4235-1, USN-4235-2] nginx vulnerability [07:18]

• 1 CVEs addressed in Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-20372
• HTTP request smuggling (Episode 52) - allowed attacker to read unauthorized web pages where nginx is being fronted by a load balanced when used with certain error_page configurations

[USN-4236-1, USN-4236-2] Libgcrypt vulnerability [08:03]

• 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-13627
• ECDSA timing side-channel attack (Minerva)
  • observe timing of signature generation on known messages to indicate the bit-length of the random nonce scalar during scalar multiplication on an elliptic curve - full private key is able to be recovered using lattice techniques
• https://minerva.crocs.fi.muni.cz/

[USN-4237-1, USN-4237-2] SpamAssassin vulnerabilities [09:04]

• 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-12420
  • CVE-2018-11805
• DoS via excessive resource usage
• RCE via crafted conf (CF) files - advised should only use trusted conf files

[USN-4238-1] SDL_image vulnerabilities [09:55]

• 12 CVEs addressed in Xenial, Bionic
  • CVE-2019-7635
  • CVE-2019-5052
  • CVE-2019-5051
  • CVE-2019-13616
  • CVE-2019-12222
  • CVE-2019-12221
  • CVE-2019-12220
  • CVE-2019-12219
  • CVE-2019-12218
  • CVE-2019-12217
  • CVE-2019-12216
  • CVE-2018-3977
• Image loading library for SDL1.2 (low level library used for various games etc - provides common access to audio, input devices, graphics etc)
• Large C code-base - usual memory safety issues -> usual effects -> crash, DoS or possible RCE

[USN-4239-1] PHP vulnerabilities [10:32]

• 4 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
  • CVE-2019-11050
  • CVE-2019-11047
  • CVE-2019-11046
  • CVE-2019-11045
• 2 heap buffer over-reads in parsing EXIF information, 1 over-read in bcmath extension, and 1 issue with handling filenames with embedded NUL bytes

[USN-4221-2] libpcap vulnerability [11:28]

• 1 CVEs addressed in Precise ESM
  • CVE-2019-15165
• Episode 56

[USN-4240-1] Kamailio vulnerability [11:42]

• 1 CVEs addressed in Xenial
  • CVE-2018-8828
• SIP server written in C
• Heap based buffer overflow when receiving a specially crafted REGISTER message

[USN-4241-1] Thunderbird vulnerabilities [11:59]

• 11 CVEs addressed in Bionic, Eoan
  • CVE-2019-11745
  • CVE-2019-17026
  • CVE-2019-17024
  • CVE-2019-17022
  • CVE-2019-17017
  • CVE-2019-17016
  • CVE-2019-17012
  • CVE-2019-17011
  • CVE-2019-17010
  • CVE-2019-17008
  • CVE-2019-17005
• Latest upstream release (68.4.1)
• Derived from Firefox code-base so contains fixes for lots issues which also affected Firefox above

[USN-4225-2] Linux kernel (HWE) vulnerabilities [12:21]

• 15 CVEs addressed in Bionic
  • CVE-2019-18813
  • CVE-2019-19534
  • CVE-2019-19529
  • CVE-2019-19524
  • CVE-2019-19072
  • CVE-2019-19055
  • CVE-2019-19052
  • CVE-2019-19051
  • CVE-2019-19045
  • CVE-2019-18660
  • CVE-2019-16231
  • CVE-2019-14897
  • CVE-2019-14896
  • CVE-2019-14901
  • CVE-2019-14895
• Episode 58 - eoan (19.10) 5.3 kernel is now used as the HWE kernel for bionic (18.04 LTS)

[USN-4242-1] Sysstat vulnerabilities [13:07]

• 2 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-19725
  • CVE-2019-16167
• Both issues occur when reading a crafted input file using the sadf utility - likely the original reported is fuzzing this
• Double free - heap corruption but on Ubuntu we enable the glibc heap-protector so this is just a crash -> DoS
• Integer overflow -> heap buffer overflow when reading crafted input file

[USN-4243-1] libbsd vulnerabilities [14:12]

• 2 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco
  • CVE-2019-20367
  • CVE-2016-2090
• Library providing common BSD C functions which are not available on Linux (strlcpy() etc)
  • OOB read (crash -> DoS)
  • Off-by-one in fgetwln() (get line of wide characters from a stream) -> heap buffer overflow -> crash / RCE (doesn’t appear to be used by any software in Ubuntu)

[USN-4244-1] Samba vulnerabilities [15:15]

• 3 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2019-19344
  • CVE-2019-14907
  • CVE-2019-14902
• UAF in DNS zone scavenging in AD DC
• Crash if fail to convert characters at log level 3
• Does not automatically replicate ACLs which are set to inherit down a subtree (unable to be easily backported to Xenial so only fixed on Bionic, Disco and Eoan - instead can workaround by manually replication ACLs from one DC to another for a given naming context)

[USN-4245-1] PySAML2 vulnerability [16:32]

• 1 CVEs addressed in Xenial, Bionic, Disco, Eoan
  • CVE-2020-5390
• May fail to properly validate signatures in a particularly crafted SAML document by using the wrong data - so could assert a document has been fully signed when only a part of it has

Goings on in Ubuntu Security Community

Mid cycle product roadmap sprint [17:18]

• Security team presents progress on plans for Ubuntu 20.04 Focal Fossa - ie. ESM offerings, AppArmor features, snapd security features, Ubuntu Core security features, MIR security reviews progress etc
• Represented by Joe McManus, Mark Morlino, Chris Coulson and John Johansen

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter