Episode 9

Show Notes

Overview

This week we look at some details of the 61 unique CVEs addressed across the supported Ubuntu releases, with a particular focus on the recent Xorg vulnerability (CVE-2018-14665), plus Cosmic is now officially supported by the Security Team.

This week in Ubuntu Security Updates

61 unique CVEs addressed

[USN-3790-2] Requests vulnerability

• 1 CVEs addressed in Cosmic
  • CVE-2018-18074
• Cosmic is now officially released and so is officially supported by the Security Team
• This is the same vulnerability which we covered in Episode 8 for Trusty, Xenial, Bionic now fixed for Cosmic

[USN-3795-2] libssh vulnerability

• 1 CVEs addressed in Cosmic
  • CVE-2018-10933
• This is the same vulnerability which we covered in Episode 8 for Trusty, Xenial, Bionic now fixed for Cosmic

[USN-3792-3] Net-SNMP vulnerability

• 1 CVEs addressed in Cosmic
  • CVE-2018-18065
• This is the same vulnerability which we covered in Episode 8 for Trusty, Xenial & Bionic now fixed for Cosmic

[USN-3796-3] Paramiko vulnerability

• 1 CVEs addressed in Cosmic
  • CVE-2018-1000805
• This is the same vulnerability which we covered in Episode 8 for Trusty, Xenial & Bionic now fixed for Cosmic

[USN-3788-2] Tex Live-bin vulnerability

• 1 CVEs addressed in Cosmic
  • CVE-2018-17407
• This is the same vulnerability which we covered in Episode 7 for Trusty, Xenial & Bionic now fixed for Cosmic

[USN-3797-1, USN-3797-2] Linux kernel vulnerabilities

• 4 CVEs addressed in Xenial and Trusty for the Xenial HWE kernel for Trusty
  • CVE-2018-10938
  • CVE-2018-9363
  • CVE-2018-16658
  • CVE-2018-14734
• Includes:
  • UAF in Infiniband -> DoS via crash
  • Integer overflow in CDROM -> info disclosure of kernel memory
  • Integer overflow in bluetooth HID -> buffer overflow -> DoS / possible arbitrary code execution
  • Remotely triggerable infinite loop in labelled network handler (CIPSO)
    • CIPSO used by SELinux / SMACK not AppArmor so unlikely Ubuntu users affected

[USN-3798-1] Linux kernel vulnerabilities

• 8 CVEs addressed in Trusty and Precise ESM (for the Trusty HWE kernel for Precise ESM)
  • CVE-2018-9518
  • CVE-2018-7566
  • CVE-2018-1000004
  • CVE-2017-18216
  • CVE-2017-15299
  • CVE-2017-0794
  • CVE-2016-7913
  • CVE-2015-8539
• Includes:
  • Local DoS / code exec via insertion of an already existing key into kernel keyring
  • UAF in XCeive driver, local DoS / code exec (crash)
  • Race condition in generic SCSI -> Local DoS (crash) / code exec
  • NULL ptr dereference in ocfs2 -> Local DoS (crash)
  • Race condition in ALSA handling of ioctls -> Local DoS via deadlock
  • Race condition in ALSA -> UAF / out of bounds read -> Local DoS (crash) / code exec
  • Buffer overflow in NFC LLCP impl -> remote DoS / code exec

[USN-3777-3] Linux kernel (Azure) vulnerabilities

• 8 CVEs addressed in Xenial, Bionic
  • CVE-2018-6555
  • CVE-2018-6554
  • CVE-2018-3639
  • CVE-2018-14633
  • CVE-2017-5715
  • CVE-2018-15572
  • CVE-2018-15594
  • CVE-2018-17182
• Corresponding fixes for Azure Cloud specific kernel as covered in Episode 7 for standard Bionic kernel

[USN-3799-1] MySQL vulnerabilities

• 21 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-3284
  • CVE-2018-3283
  • CVE-2018-3282
  • CVE-2018-3278
  • CVE-2018-3277
  • CVE-2018-3276
  • CVE-2018-3251
  • CVE-2018-3247
  • CVE-2018-3200
  • CVE-2018-3187
  • CVE-2018-3185
  • CVE-2018-3174
  • CVE-2018-3173
  • CVE-2018-3171
  • CVE-2018-3162
  • CVE-2018-3161
  • CVE-2018-3156
  • CVE-2018-3155
  • CVE-2018-3144
  • CVE-2018-3143
  • CVE-2018-3133
• New upstream versions of MySQL for all supported releases to fix multiple vulnerabilities, add features and possible incompatible changes
• Trusty: 5.5.62
• Xenial, Bionic & Cosmic: 5.7.24

[USN-3800-1] audiofile vulnerabilities

• 2 CVEs addressed in Trusty
  • CVE-2018-17095
  • CVE-2018-13440
• DoS (crash) and possible code execution via specially crafted audio files

[USN-3801-1] Firefox vulnerabilities

• 12 CVEs addressed in Trusty, Xenial, Bionic, Cosmic
  • CVE-2018-12397
  • CVE-2018-12396
  • CVE-2018-12395
  • CVE-2018-12403
  • CVE-2018-12402
  • CVE-2018-12401
  • CVE-2018-12399
  • CVE-2018-12398
  • CVE-2018-12393
  • CVE-2018-12392
  • CVE-2018-12390
  • CVE-2018-12388
• Firefox 63
• Includes fixes for a range of issues, most severe is possible RCE
• Also fixes for WebExtensions in Firefox - to exploit need to install a malicious extension - then could privilege escalation or local code execution

[USN-3802-1] X.Org X server vulnerability

• 1 CVEs addressed in Xenial, Bionic, Cosmic
  • CVE-2018-14665
• Incorrect permissions check for 2 command-line arguments (-modulepath and -logfile)
• On some platforms (not Ubuntu) Xorg itself is setuid
• Can then use these command-line options to overwrite arbitrary files etc -> privilege escalation to root via say overwrite of /etc/shadow
• Generated a lot of press - BUT missed the distinction that Xorg is not really setuid on Ubuntu
• We use Xorg.wrap as setuid to first run and drop permissions if using KMS driver
  • This is the case for the vast majority of drivers, and for almost all free drivers
  • So most Ubuntu users unaffected by this vulnerability
• Special Friday release :)

Goings on in Ubuntu Security Community

Hiring

Ubuntu Security Engineer

• https://boards.greenhouse.io/canonical/jobs/1158266

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• @ubuntu_sec on twitter