Episode 63
Posted on Thursday, Feb 20, 2020
Security updates for Firefox, QEMU, Linux kernel, ClamAV and more, plus we
discuss our recommended reading list for getting into infosec and farewell
long-time member of the Ubuntu Security Team / community Tyler Hicks.
Show Notes
Overview
Security updates for Firefox, QEMU, Linux kernel, ClamAV and more, plus we discuss our recommended reading list for getting into infosec and farewell long-time member of the Ubuntu Security Team / community Tyler Hicks.
This week in Ubuntu Security Updates
54 unique CVEs addressed
[USN-4278-1] Firefox vulnerabilities [00:55]
- 4 CVEs addressed in Bionic, Eoan
- Firefox 73.0
- Various memory safety issues
- Possible XSS if a site used a <template> tag within a <select> tag since could allow subsequent JavaScript parsing and execution
[USN-4279-1] PHP vulnerabilities [01:26]
- 3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
- Buffer overread when converting multibyte characters via mbstring functions and when reading data whilst stripping tags via fgetss() - crash / info disc
- Fix for a CPU and disk-based DoS when PHP FPM (FastCGI Process Manager) would endlessly restart a child process - busy CPU loop and large error logs -> DoS
[USN-4280-1, USN-4280-2] ClamAV vulnerability [02:27]
- 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Eoan
- OOB read in Data-Loss-Prevention (DLP) module (scans for CC or social security numbers) - crafted email would cause OOB read -> crash -> DoS
[USN-4281-1] WebKitGTK+ vulnerabilities [03:04]
- 5 CVEs addressed in Bionic, Eoan
- Various issues able to be triggered by malicious websites
- DoS via poor memory handling
- Wrong secrity origin for particular DOM objects
- Top-level DOM object incorrectly considered secure
- Logic issue leading to a universal XSS flaw
- Poor memory handling leading to RCE
[USN-4282-1] PostgreSQL vulnerability [03:50]
- 1 CVEs addressed in Bionic, Eoan
- Missing authorization checks on ALTER … DEPENDS ON EXTENSION sub-commands - could allow unprivileged users to drop any function, procedure, index etc under certain conditions
[USN-4283-1] QEMU vulnerabilities [04:10]
- 3 CVEs addressed in Xenial, Bionic, Eoan
- Buffer overflow in libslirp tcp emulation due to misuse of snprintf() return value - assumed snprintf() returns the number of bytes written - BUT returns the number of bytes which would have been written if the dest buffer was big enough - so if buffer is too small then returns a value larger than the buffer - so if that returned size is used later in a memcpy() or similar would overflow the buffer - so instead need to carefully track the return value if it is larger than the dest buffer
- Separate buffer overflow in libslirp tcp emulation code due to missing size checks
- Heap buffer OOB write in iSCSI block driver - malicious iSCSI server could trigger this and crash or possibly get code execution on QEMU host
[USN-4284-1] Linux kernel vulnerabilities [05:21]
- 23 CVEs addressed in Bionic, Eoan
- CVE-2019-15291
- CVE-2019-19965
- CVE-2019-19947
- CVE-2019-19767
- CVE-2019-19602
- CVE-2019-19332
- CVE-2019-19252
- CVE-2019-19241
- CVE-2019-19082
- CVE-2019-19078
- CVE-2019-19077
- CVE-2019-19071
- CVE-2019-19063
- CVE-2019-19057
- CVE-2019-19062
- CVE-2019-19050
- CVE-2019-18811
- CVE-2019-18786
- CVE-2019-18683
- CVE-2019-16232
- CVE-2019-16229
- CVE-2019-15099
- CVE-2019-14615
- 5.3 kernel (eoan, bionic hwe)
- Fix for Intel GPU state leak
- Atheros Wifi NULL pointer dereference
- 2x Crypto subsystem memory leak
- io_uring operations missing credentials checks - unprivileged user could say add an address to the loopback interface as a result
- Virtual console drivers missing checks on writes
- OOB write in KVM (need access to /dev/kvm)
- Memory corruption on x86 platforms due to a race in caching of floating point registers between processors
- NULL pointer dererefence in SCSI SAS Class driver due to a PHY down race-condition during discovery
[USN-4285-1] Linux kernel vulnerabilities [07:58]
- 12 CVEs addressed in Bionic
- 5.0 kernel (orace, aws, gke, gcp, azure etc)
- UAF in Intel i915 driver - crash / code exec
- Wifi-based DoS when used in AP mode - could get AP to send location updates to clients before a new client had finished authentication - so then as an unauthenticated station could DoS other connected stations
- Memory leak in Datagram Congestion Control Protocol (DCCP) - DoS
- 2 from above:
- NULL ptr deref in SCSI SAS
- Intel GPU info leak
[USN-4287-1, USN-4287-2] Linux kernel vulnerabilities [08:46]
- 22 CVEs addressed in Xenial, Bionic, Trusty ESM (Azure)
- CVE-2019-15291
- CVE-2020-7053
- CVE-2019-5108
- CVE-2019-20096
- CVE-2019-19965
- CVE-2019-19767
- CVE-2019-19332
- CVE-2019-19227
- CVE-2019-19082
- CVE-2019-19078
- CVE-2019-19071
- CVE-2019-19063
- CVE-2019-19062
- CVE-2019-19057
- CVE-2019-18885
- CVE-2019-18809
- CVE-2019-18786
- CVE-2019-18683
- CVE-2019-16232
- CVE-2019-16229
- CVE-2019-15099
- CVE-2019-14615
- 4.15 (bionic, xenial hwe)
- i915 UAF, wifi AP DoS, DCCP memory leak, SCSI SAS NULL ptr deref, KVM OOB write via /dev/kvm, crypto subsystem memory leak, atheros wifi NULL ptr deref, i915 info leak
[USN-4286-1, USN-4286-2] Linux kernel vulnerabilities [09:44]
- 12 CVEs addressed in Xenial, Trusty ESM (HWE)
- 4.4 kernel
- Intel GPU info leak, SCSI SAS NULL ptr deref, DCCP memory leak, wifi AP DoS
Goings on in Ubuntu Security Community
Joe and Alex discuss their recommended reading list for infosec beginners [10:17]
- Red Team Field Manual | Ben Clark
- Head First Programming
- Linux System Administrators Handbook | Nemeth, et al
- Robert Seacord’s Secure Coding in C/C++
- CERT Resilience Management Model (CERT-RMM)
- The Code Book | Simon Singh
- The Tao of Network Security Monitoring: Beyond Intrusion Detection | Richard Bejtlich
- The Cuckoos Egg | Cliff Stoll
- Linux Pro Magazine
- Black Hat Python | Justin Seitz
- Hacking: The Art Of Exploitation | Jon Erickson