Episode 70
Posted on Friday, Apr 10, 2020
This week we have a great interview between Joe McManus and Emilia Torino from the Ubuntu
Security team, plus we cover security updates for Apport, Firefox, GnuTLS,
the Linux kernel and more.
Show Notes
Overview
This week we have a great interview between Joe McManus and Emilia Torino from the Ubuntu Security team, plus we cover security updates for Apport, Firefox, GnuTLS, the Linux kernel and more.
This week in Ubuntu Security Updates
18 unique CVEs addressed
[USN-4315-1] Apport vulnerabilities [00:32]
- 2 CVEs addressed in Xenial, Bionic, Eoan
- Apport creates it’s lock file as world writable in a world-writable location - so a local attacker could create a symlink in it’s place to a non-existant file in a root-owned location and Apport would end up creating that file but with world-writable permissions - so could be used to possibly escalate privileges say by dropping a new cron file or similar.
- Apport runs as root but drops privileges when creating crash reports - and then changes permissions on crash report to be owned by the user - again using a symlink attack it could be possible to get Apport to change the permissions on an arbitrary file to be readable by a regular user and hence disclose sensitive information. Is generally mitigated by protected_symlinks setting.
[USN-4316-1, USN-4316-2] GD Graphics Library vulnerabilities [02:46]
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan
- Used by php for image handling
- Use of an uninitialized variable during image creation -> info leak or possible memory corruption
- NULL ptr deref in certain circumstances
[USN-4317-1] Firefox vulnerabilities [03:10]
- 2 CVEs addressed in Xenial, Bionic, Eoan
- 74.0.1 - reports of two issues being used to exploit Firefox in the wild - https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
- 2 use-after-free -> remote code execution
[USN-4321-1] HAProxy vulnerability [03:56]
- 1 CVEs addressed in Bionic, Eoan
- Arbitrary heap memory write in HPACK decoder (HTTP/2 header compression) -> crash, DoS or possible RCE
[USN-4322-1] GnuTLS vulnerability [04:35]
- 1 CVEs addressed in Eoan
- Used all zeros instead of a random 32-byte value for key negotiation as a DTLS client - so breaks the security guarantees of DTLS (datagram-TLS). Introduced in a code change which changed a boolean OR to and AND without inverting the logic (ie De Morgan)
[USN-4323-1] Firefox vulnerabilities [05:28]
- 6 CVEs addressed in Xenial, Bionic, Eoan
- 75.0
- Malicious extension could possibly steal auth codes from OAuth login sequences
- Memory corruption -> DoS, info leak or RCE via malicious website
[USN-4318-1] Linux kernel vulnerabilities [06:18]
- 3 CVEs addressed in Xenial, Bionic
- 4.15 bionic kernel (xenial hwe)
- 3 DoS issues:
- Use-after-free in VFS layer -> crash / info-leak
- PowerPC KVM guest to host state memory corruption -> crash
- Soft-lockup via malicious ext4 image due to failure to properly validate the journal size
[USN-4319-1, USN-4325-1] Linux kernel vulnerabilities [07:22]
- 2 CVEs addressed in Bionic, Eoan
- 5.3 eoan kernel (bionic hwe), 5.0 bionic clouds kernel
- VFS UAF from above
- Memory leak in IPMI handler -> DoS via memory exhaustion
[USN-4320-1] Linux kernel vulnerability [08:08]
- 1 CVEs addressed in Trusty ESM, Xenial
- 4.4 xenial kernel (trusty hwe)
- VFS UAF
[USN-4324-1] Linux kernel vulnerabilities [08:33]
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic
- 4.15 rapsi, snapdragon, gke, aws etc - bionic, xenial hwe, trusty esm hwe
- VFS UAF
- Ext4 soft-lockup issue
Goings on in Ubuntu Security Community
Joe talks with Ubuntu Security Team member Emilia Torino [09:06]
Uncompressed OVAL data being discontinued on 1st May [24:25]
- Will still have bzip2 compressed form just removing uncompressed since is redundant and too large to be useful in general
- https://discourse.ubuntu.com/t/uncompressed-oval-data-going-away/14981