Episode 73
Posted on Friday, May 8, 2020
After the recent release of Ubuntu 20.04 LTS, we look at security fixes for
OpenJDK, CUPS, the Linux kernel, Samba and more, plus Joe and Alex discuss
robot kits and the Kaiji botnet.
Show Notes
Overview
After the recent release of Ubuntu 20.04 LTS, we look at security fixes for OpenJDK, CUPS, the Linux kernel, Samba and more, plus Joe and Alex discuss robot kits and the Kaiji botnet.
This week in Ubuntu Security Updates
86 unique CVEs addressed
[USN-4337-1] OpenJDK vulnerabilities [01:21]
- 13 CVEs addressed in Xenial, Bionic, Eoan
- openjdk 11.0.7 and 8u252b09-1
- Errors in regex handling and XML handling -> DoS
- Various issues in TLS handshake handling -> bypass certification verification or allow to compromise secure connections
- Insecure handling of CRLF in HTTP headers -> info disclosure via bypassing access controls
- Possible sandbox bypass
[USN-4338-1, USN-4338-2] re2c vulnerability [02:26]
- 1 CVEs addressed in Eoan, Focal
- Used to generate fast C code for parsing regular expressions
- Heap buffer overflow if parsing a very long input due to incorrect length checks
[USN-4339-1] OpenEXR vulnerabilities [02:59]
- 12 CVEs addressed in Xenial, Bionic, Eoan, Focal
- Last mentioned back in Episode 49 - handles image format developed by ILM with a high definition range for computer imaging applications - used by opencv, gimp and others
- Project Zero fuzzing OpenEXR - usual types of issues in large C++ code base - OOB reads / writes - usual effects -> crashes, info leaks, RCE
[USN-4340-1] CUPS vulnerabilities [04:09]
- 2 CVEs addressed in Xenial, Bionic, Eoan, Focal
- Heap buffer overflow when parsing ppd files - so if added a printer with a crafted ppd file could crash / RCE - since cupsd runs as root could be possible RCE as root
- OOB read -> info leak / crash
[USN-4341-1, USN-4341-2, USN-4341-3] Samba vulnerabilities [05:11]
- 2 CVEs addressed in Trusty ESM, Xenial, Bionic, Eoan, Focal
- Stack overflow able to be triggered by an unauthenticated user when Samba is acting as an AD DC -> crash, code exec?
- UAF in Samba AD DC LDAP server
[USN-4342-1] Linux kernel vulnerabilities [06:02]
- 7 CVEs addressed in Bionic, Eoan
- 5.3 kernel for eoan + bionic hwe
- s390 specific race-condition in page table handling -> local attacker arbitrary code exec
- race-condition -> UAF in block io tracing -> OOB read -> info leak / crash
- stack buffer overflow in vhost-net driver -> able to be triggered by a local attacker via ioctl() on /dev/vhost-net
- race-condition -> UAF in tty (virtual terminal) subsystem
- low priority (DoS etc via crafted file-systems)
[USN-4344-1] Linux kernel vulnerabilities [07:58]
- 7 CVEs addressed in Bionic
- 5.0 gke / oem kernel
- Same issues reported earlier
[USN-4343-1] Linux kernel vulnerability [08:13]
- 1 CVEs addressed in Focal
- 5.4 kernel
- s390 page-table issue
[USN-4345-1] Linux kernel vulnerabilities [08:25]
- 9 CVEs addressed in Xenial, Bionic
- 4.15 kernel - xenial hwe + bionic
- Same as above plus a few OOBs read when handing invalid USB camera device descriptors in various drivers - so a local attacker could cause a crash etc
[USN-4346-1] Linux kernel vulnerabilities [09:00]
- 5 CVEs addressed in Trusty ESM, Xenial
- 4.4 kernel - trusty hwe + xenial
- tty and blk io subsystem race-conditions -> UAFs
[USN-4347-1] WebKitGTK vulnerability [09:26]
- 1 CVEs addressed in Bionic, Eoan, Focal
[USN-4348-1] Mailman vulnerabilities [09:47]
- 3 CVEs addressed in Xenial, Bionic
- Possible XSS when viewing list archives since mailman does not track the mime-type of attachments -> so HTTP reply may lack a MIME type and so the receiving browser may assume that content-type is text/html and so execute contained Javascript code
[USN-4349-1] EDK II vulnerabilities [10:36]
- 9 CVEs addressed in Xenial, Bionic, Eoan
- UEFI firmware stack for x86-64 virtual machines - huge amount of code with a large attack surface -> network stack, disk device and file-system handling, cryptographic signature parsing etc
- Buffer overflow in network stack and block io system
- stack overflow, fail to clear memory containing passwords, memory leaks, failure to properly check EFI signatures, memory corruption via a double free etc
[USN-4350-1] MySQL vulnerabilities [12:05]
- 25 CVEs addressed in Xenial, Bionic, Eoan, Focal
- CVE-2020-2930
- CVE-2020-2928
- CVE-2020-2926
- CVE-2020-2925
- CVE-2020-2924
- CVE-2020-2923
- CVE-2020-2922
- CVE-2020-2921
- CVE-2020-2904
- CVE-2020-2903
- CVE-2020-2901
- CVE-2020-2898
- CVE-2020-2897
- CVE-2020-2896
- CVE-2020-2895
- CVE-2020-2893
- CVE-2020-2892
- CVE-2020-2812
- CVE-2020-2804
- CVE-2020-2780
- CVE-2020-2765
- CVE-2020-2763
- CVE-2020-2762
- CVE-2020-2760
- CVE-2020-2759
- Latest upstream point releases - 8.0.80 for eoan + focal, 5.7.30 for xenial and bionic
- https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-30.html
- https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-20.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
[USN-4330-2] PHP vulnerabilities [12:46]
- 3 CVEs addressed in Focal
- See Episode 72
[USN-4332-2] File Roller vulnerability [13:05]
- 1 CVEs addressed in Focal
- See Episode 72
[USN-4333-2] Python vulnerabilities [13:06]
- 2 CVEs addressed in Focal
- See Episode 72
Goings on in Ubuntu Security Community
Release of Ubuntu 20.04 LTS (Focal Fossa) [13:16]
- Supported as LTS for 5 years and as ESM for 5 years -> 10 years of security support
- Kernel changes -> based on upstream 5.4 LTS kernel, includes Lockdown LSM, Wireguard as built-in to the kernel
- SSH client / server supports hardware based 2 factor auth (like Yubikeys) OOTB
- More stringent TLS default parameters to blacklist insecure ciphers / key-lengths etc