Episode 95

Posted on Friday, Nov 6, 2020
This week we look at vulnerabilities in Samba, GDM, AccountsService, GOsa and more, plus we cover some AppArmor related Ubuntu Security community updates as well.

Show Notes

This week in Ubuntu Security Updates

26 unique CVEs addressed

[USN-4552-3] Pam-python regression [00:40]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • The original update (Episode 92 - bionic, Episode 94 - xenial) was too restrictive and would disallow PAM modules written in Python from importing Python modules from site-specific directories

[USN-4609-1] GOsa vulnerabilities [01:18]

  • 3 CVEs addressed in Xenial (16.04 LTS)
  • PHP based LDAP user admin frontend
  • XSS attacks via the change password form
  • Could log in to any account with a username containing “success” using any arbitrary password
  • Cookie mishandling allowed an authenticated user to delete files on the web server in the context of the user account running the web server

[USN-4610-1] fastd vulnerability [02:11]

  • 1 CVE addressed in Focal (20.04 LTS)
  • Fast & secure tunnelling daemon
  • Failed to free rx buffers in certain circumstances - memory leak -> DoS

[USN-4611-1] Samba vulnerabilities [02:29]

  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • 2 different DoS issues - remote attacker could cause DNS server to crash by supplying invalid DNS records, or could cause winbind to crash via crafted winbind requests
  • Failed to check permissions on ChangeNotify - so an attacker could subscribe to get notifications on files they did not have permission to read - and so leaks file info

[USN-4605-2] Blueman update [03:22]

  • 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
  • Episode 94 - this includes an additional fix so that on focal and groovy policykit is used to authenticate privileged actions

[USN-4614-1] GDM vulnerability [03:55]

  • 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Kevin Backhouse - discovered 3 vulnerabilities - one in GDM, 2 in AccountsService
  • GDM incorrectly launched the initial setup tool if it could not reach the accountsservice daemon
  • If an attacker could cause accountsservice to be unresponsive, they could get GDM to launch the initial setup tool, which then allows a local user to create a privileged user account
  • But requires accountsservice to be unresponsive…

[USN-4616-1] AccountsService vulnerabilities [05:00]

  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Drops privileges for certain operations, but does so in a way that lets a local unprivileged user send it a SIGSTOP signal - the daemon is then unresponsive - so could allow the GDM attack above - or could cause it to crash (send SIGSEGV etc)
  • Also would exhaust all memory when reading .pam_environment if it was really large (i.e. symlink to /dev/zero) - again could cause it to hang / crash -> DoS
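
One defensive pattern against the .pam_environment memory exhaustion described above, as an added C example (not the AccountsService patch or code from the show): a privileged reader that refuses symlinks and non-regular files and caps how much it reads. The function name `read_user_file_bounded` and the 64 KiB limit are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define MAX_USER_FILE (64 * 1024) /* assumed cap, chosen for this example */

/* Read a file controlled by an untrusted user into a NUL-terminated buffer.
 * Returns 0 and sets *out / *out_len, or -1 with errno set on refusal. */
int read_user_file_bounded(const char *path, char **out, size_t *out_len)
{
    struct stat st;
    char *buf = NULL;
    size_t len = 0;
    int err;

    /* O_NOFOLLOW refuses a symlink as the last path component;
     * O_NONBLOCK keeps open() from hanging on a FIFO before fstat(). */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) { err = errno; goto fail; }
    /* Only regular files: /dev/zero and other device nodes never hit EOF. */
    if (!S_ISREG(st.st_mode)) { err = EINVAL; goto fail; }
    if (st.st_size > MAX_USER_FILE) { err = EFBIG; goto fail; }
    buf = malloc(MAX_USER_FILE + 1);
    if (buf == NULL) { err = ENOMEM; goto fail; }
    /* Enforce the cap while reading too: the file may grow after fstat(). */
    for (;;) {
        ssize_t n = read(fd, buf + len, MAX_USER_FILE + 1 - len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { err = errno; goto fail; }
        if (n == 0) break;
        len += (size_t)n;
        if (len > MAX_USER_FILE) { err = EFBIG; goto fail; }
    }
    buf[len] = '\0';
    close(fd);
    *out = buf;
    *out_len = len;
    return 0;

fail:
    free(buf);
    close(fd);
    errno = err;
    return -1;
}
```

The caller owns the returned buffer and must `free()` it; a refusal should be treated as "no per-user environment" rather than retried.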

[USN-4613-1] python-cryptography vulnerability [06:34]

[USN-4615-1] Yerase’s TNEF vulnerabilities [07:23]

Goings on in Ubuntu Security Community

AppArmor 3.0.1 being prepared [08:22]

  • Includes fixes for various application profiles as well as a fix to stop aa-notify from exiting after 100s of no activity

Securing Linux Machines with AppArmor Webinar [08:57]

  • https://www.brighttalk.com/webcast/6793/440491
  • Currently scheduled for Mon 16th Nov at 16:00 UTC
  • Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper
  • Will cover:
    • Why a ‘defence in depth’ strategy should be employed to mitigate the potential damage caused by a breach
    • An explanation of AppArmor, its key features and why the principle of least privilege is recommended
    • The use of AppArmor in Ubuntu and snaps

Get in contact