Episode 83

Posted on Friday, Jul 24, 2020
This week Joe talks Linux Security Modules stacking with John Johansen and Steve Beattie plus Alex looks at security updates for snapd, the Linux kernel and more.

Show Notes

Overview

This week Joe talks Linux Security Modules stacking with John Johansen and Steve Beattie plus Alex looks at security updates for snapd, the Linux kernel and more.

This week in Ubuntu Security Updates

24 unique CVEs addressed

[USN-4199-2] libvpx vulnerabilities [01:05]

[USN-4424-1] snapd vulnerabilities [01:38]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • James Henstridge from Ubuntu Desktop team
  • snapd sandbox for strict mode snaps - within sandbox provides xdg-open implementation which can forward to the real xdg-open outside the sandbox - but would use XDG_DATA_DIRS env from the snap when launching xdg-open outside of the snap - XDG_DATA_DIRS could then contain a directory which the snap itself controls - allows to launch arbitrary binaries from the snap outside of confinement
  • Fixed to not incorporate XDG_DATA_DIRS from the snap
  • cloud-init would run on every boot without restriction - supports the concept of loading meta-data from an external disk - so a local attacker with physical access could alter the boot sequence - would be an issue with FDE since could intercept the disk encryption key etc - fixed via snapd to disable cloud-init after the first boot since cloud-init is managed by snapd
    • Is only an issue for Ubuntu Core 16/18 devices which employed FDE
    • Doesn’t affect UC20

[USN-4425-1] Linux kernel vulnerabilities [06:20]

  • 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS)
  • 5.4 kernel (focal / bionic hwe)
  • Possible bypass of Secure Boot lockdown protections via loading of ACPI tables via configs - provides a means of arbitrary memory write - allows root user to bypass lockdown
  • aufs inode reference count issue - BUG() -> DoS
  • relay subsystem crash (Episode 81)

[USN-4426-1] Linux kernel vulnerabilities [7:32]

  • 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • 4.15 kernel (bionic / xenial hwe)
  • ACPI lockdown bypass / aufs inode above
  • Second lockdown bypass via loading of ACPI tables via the SSDT EFI variable similar to above
  • DAX (direct access to files in persistent memory arrays) huge pages support - abuse mremap() to gain root privileges - requires the system to make use of DAX storage to be able to exploit

[USN-4427-1] Linux kernel vulnerabilities [08:30]

[USN-4429-1] Evolution Data Server vulnerability [09:12]

  • 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
  • Very similar to recent mutt & Thunderbird vuln from Episode 81 / Episode 82
  • Would read extra data after clear-text “begin TLS” when initiating STARTTLS - would allow an untrusted attacker who could intercept and modify traffic to inject arbitrary responses that then get processed later as though they had come from the trusted, encrypted connection to the server - fixed in same way as mutt by clearing buffered content when starting TLS

[USN-4430-1] Pillow vulnerabilities [10:24]

Goings on in Ubuntu Security Community

John Johansen and Steve Beattie talk Linux Security Modules with Joe [10:51]

Get in contact