Episode 91
Posted on Friday, Sep 18, 2020
This week we look at security updates for GUPnP, OpenJPEG, bsdiff and more.
Show Notes
Overview
This week we look at security updates for GUPnP, OpenJPEG, bsdiff and more.
This week in Ubuntu Security Updates
24 unique CVEs addressed
[USN-4488-2] X.Org X Server vulnerabilities [00:31]
- 5 CVEs addressed in Trusty ESM (14.04 ESM)
- Episode 90
[LSN-0071-1] Linux kernel vulnerability [00:50]
- 1 CVEs addressed in Bionic (18.04 LTS)
- Episode 90 (AF_PACKET OOB write - crash / code exec)
- Also affects Focal (20.04 LTS) but livepatch is still being prepared
[USN-4494-1] GUPnP vulnerability [01:29]
- 1 CVEs addressed in Focal (20.04 LTS)
- GNOME UPnP impl, used by Rygel for media sharing on GNOME (standard Ubuntu) desktop and many other applications
- Callstranger Vulnerability - vuln in UPnP protocol - callback header in UPnP SUBSCRIBE can contain arbitrary delivery URL - so this could be on a different network segment than the event subscription URL - so you can SUBSCRIBE to events and supply one or more URLs for delivery of the messages. Can then make this point anywhere and so can get the device to send HTTP traffic to any arbitrary destination - and so can be used for data exfil or DDoS attacks etc. Fixed to check the destination host is either a link-local address or the address mask matches - either way, check is on the same network segment.
[USN-4495-1] Apache Log4j vulnerability [03:21]
- 1 CVEs addressed in Bionic (18.04 LTS)
- Failed to properly deserialise data - so if is listening to untrusted log data from the network could be exploited to run arbitrary code
[USN-4496-1] Apache XML-RPC vulnerability [03:42]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- Similarly failed to properly deserialize data - a malicious XML-RPC server could cause code execution on the client as a result
[USN-4497-1] OpenJPEG vulnerabilities [03:58]
- 7 CVEs addressed in Xenial (16.04 LTS)
- Usual mix of memory safety issues in image handling libraries written in C - DoS, RCE etc via crafted image data
[USN-4499-1] MilkyTracker vulnerabilities [04:27]
- 3 CVEs addressed in Xenial (16.04 LTS)
- Failed to properly validate files - 2 different heap and 1 stack based buffer overflows - RCE if loading untrusted files
[USN-4498-1] Loofah vulnerability [04:52]
- 1 CVEs addressed in Xenial (16.04 LTS)
- ruby module for manipulation and transformation of HTML/XML etc
- Possible XSS - failed to sanitize JS when handling crafted SVG
[USN-4500-1] bsdiff vulnerabilities [05:16]
- 1 CVEs addressed in Xenial (16.04 LTS)
- (Oldest CVE of the week!)
- Failed to properly validate input patch file -> integer overflow -> heap based buffer overflow -> code exec / DoS
[USN-4501-1] LuaJIT vulnerability [05:40]
- 1 CVEs addressed in Xenial (16.04 LTS)
- OOB read -> crash / info leak
[USN-4502-1] websocket-extensions vulnerability [05:49]
- 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)
- ruby websockets extension - used regex with backtracking to properly parse headers, could be sent crafted input which is very computationally intensive to parse as a result -> CPU based DoS
[USN-4503-1] Perl DBI module vulnerability [06:21]
- 1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
- Perl DB interface - underlying code would potentially allocate the stack and hence result in invalid pointers to object that were previously on the stack - could be manipulated by a remote user to result in memory corruption etc -> crash