Episode 83
Posted on Friday, Jul 24, 2020
This week Joe talks Linux Security Modules stacking with John Johansen and
Steve Beattie plus Alex looks at security updates for snapd, the Linux
kernel and more.
Show Notes
Overview
This week Joe talks Linux Security Modules stacking with John Johansen and Steve Beattie plus Alex looks at security updates for snapd, the Linux kernel and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4199-2] libvpx vulnerabilities [01:05]
- 3 CVEs addressed in Trusty ESM (14.04 ESM)
- VP8/VP9 video code (webm)
- Various OOB read on crafted input
[USN-4424-1] snapd vulnerabilities [01:38]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- James Henstridge from Ubuntu Desktop team
- snapd sandbox for strict mode snaps - within sandbox provides xdg-open implementation which can forward to the real xdg-open outside the sandbox - but would use XDG_DATA_DIRS env from the snap when launching xdg-open outside of the snap - XDG_DATA_DIRS could then contain a directory which the snap itself controls - allows to launch arbitrary binaries from the snap outside of confinement
- Fixed to not incorporate XDG_DATA_DIRS from the snap
- cloud-init would run on every boot without restriction - supports the
concept of loading meta-data from an external disk - so a local attacker
with physical access could alter the boot sequence - would be an issue
with FDE since could intercept the disk encryption key etc - fixed via
snapd to disable cloud-init after the first boot since cloud-init is
managed by snapd
- Is only an issue for Ubuntu Core 16/18 devices which employed FDE
- Doesn’t affect UC20
[USN-4425-1] Linux kernel vulnerabilities [06:20]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
- 5.4 kernel (focal / bionic hwe)
- Possible bypass of Secure Boot lockdown protections via loading of ACPI tables via configs - provides a means of arbitrary memory write - allows root user to bypass lockdown
- aufs inode reference count issue - BUG() -> DoS
- relay subsystem crash (Episode 81)
[USN-4426-1] Linux kernel vulnerabilities [7:32]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- 4.15 kernel (bionic / xenial hwe)
- ACPI lockdown bypass / aufs inode above
- Second lockdown bypass via loading of ACPI tables via the SSDT EFI variable similar to above
- DAX (direct access to files in persistent memory arrays) huge pages support - abuse mremap() to gain root privileges - requires the system to make use of DAX storage to be able to exploit
[USN-4427-1] Linux kernel vulnerabilities [08:30]
- 10 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
- 4.4 kernel (xenial / trusty hwe)
- aufs
- Various means to bypass spectre related mitigations
- SSDT ACPI lockdown bypass
[USN-4429-1] Evolution Data Server vulnerability [09:12]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- Very similar to recent mutt & Thunderbird vuln from Episode 81 / Episode 82
- Would read extra data after clear-text “begin TLS” when initiating STARTTLS - would allow an untrusted attacker who could intercept and modify traffic to inject arbitrary responses that then get processed later as though they had come from the trusted, encrypted connection to the server - fixed in same way as mutt by clearing buffered content when starting TLS
[USN-4430-1] Pillow vulnerabilities [10:24]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- Python Imaging Library - used for image handling by lots of Python GUIs
- All OOB reads on crafted input -> crash, DoS