Episode 97

Posted on Saturday, Nov 21, 2020
Show Notes

Overview

This week we look at vulnerabilities in MoinMoin, OpenLDAP, Kerberos, Raptor (including a discussion of CVE workflows and the oss-security mailing list) and more, whilst in community news we talk about the upcoming AppArmor webinar, migration of Ubuntu CVE information to ubuntu.com and reverse engineering of malware by the Canonical Sustaining Engineering team.

This week in Ubuntu Security Updates

45 unique CVEs addressed

[USN-4629-1] MoinMoin vulnerabilities [00:50]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • RCE via attachment upload - an attacker can upload an attachment which is then cached; a subsequent crafted request exploits a vulnerability in the cache handling code to achieve directory traversal and, from there, RCE

[USN-4630-1] Raptor vulnerability [01:40]

[USN-4622-2] OpenLDAP vulnerability [03:43]

  • 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
  • Episode 96 - NULL ptr deref for a remote unauthenticated user in slapd
  • Upstream disputes this as a real CVE - they say that only unintended info disclosure is a security issue (what about RCE?)

[USN-4628-2] Intel Microcode regression [04:29]

  • 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Episode 96 - Failed to boot on new Tiger Lake platforms
  • We took the decision to remove this MCU once we saw the regression and had updates out within 24h of initial release
  • Intel have now reverted this themselves upstream in a fixup release 20201118

[USN-4171-6] Apport regression [05:40]

  • 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • The previous update could itself possibly be used to crash Apport, due to mishandling of permission dropping when reading the user's config file (note these don't normally exist unless you manually create one, so in general this is not an issue) - this fixes that and introduces some more hardening measures to ensure permissions are always dropped correctly and the handling is more robust overall

[USN-4631-1] libmaxminddb vulnerability [06:50]

  • 1 CVE addressed in Focal (20.04 LTS), Groovy (20.10)
  • Heap-based buffer over-read -> DoS

[USN-4632-1] SLiRP vulnerabilities [07:03]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • 2 different buffer overflows - 1 due to improper use of the return value from snprintf(), the other due to mishandling of pointer arithmetic -> DoS, RCE?

[USN-4607-2] OpenJDK regressions

[USN-4633-1] PostgreSQL vulnerabilities [07:42]

  • 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • 1 RCE, 1 arbitrary SQL execution (but requires an authenticated user) and 1 DoS via dropping of a connection

[USN-4634-1] OpenLDAP vulnerabilities [08:03]

  • 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • 2 more DoS bugs against OpenLDAP - both assertion failures able to be triggered by a remote attacker

[USN-4635-1] Kerberos vulnerability [08:29]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • DoS via unbounded recursion when parsing ASN.1 encoded messages - BER can specify an indefinite length, so this was parsed recursively, but since no limit was placed on the nesting depth, a deeply enough nested message could overrun the stack and trigger an abort.
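
As an added illustration of the Kerberos bug described above (example code written for these notes, not from the podcast or from MIT Kerberos): a minimal BER reader that handles indefinite-length constructed encodings and enforces an assumed nesting limit (MAX_DEPTH) instead of recursing without bound; nested_indefinite() builds a constructed test message of arbitrary depth.

```python
# Added example, not MIT Kerberos code. Single-byte tags only; MAX_DEPTH is an
# assumed value chosen for this demonstration.
MAX_DEPTH = 32

class BerError(ValueError):
    pass

def parse_ber(data: bytes, pos: int = 0, depth: int = 0):
    """Parse one TLV at data[pos:] and return (node, next_pos).
    node is (tag, bytes) for primitive or (tag, [children]) for constructed."""
    if depth > MAX_DEPTH:          # the check the unbounded parser lacked
        raise BerError(f"nesting deeper than {MAX_DEPTH}")
    if pos + 2 > len(data):
        raise BerError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    constructed = bool(tag & 0x20)
    if first == 0x80:              # indefinite length: ends with 00 00
        if not constructed:
            raise BerError("indefinite length on primitive")
        children = []
        while True:
            if data[pos:pos + 2] == b"\x00\x00":
                return (tag, children), pos + 2
            child, pos = parse_ber(data, pos, depth + 1)
            children.append(child)
    if first & 0x80:               # long-form definite length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise BerError("bad length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:                          # short-form definite length
        length = first
    end = pos + length
    if end > len(data):
        raise BerError("truncated content")
    if not constructed:
        return (tag, data[pos:end]), end
    children = []
    while pos < end:
        child, pos = parse_ber(data, pos, depth + 1)
        children.append(child)
    return (tag, children), end

def nested_indefinite(depth: int) -> bytes:
    """Constructed input: `depth` indefinite-length SEQUENCEs around INTEGER 1."""
    return b"\x30\x80" * depth + b"\x02\x01\x01" + b"\x00\x00" * depth

def parse_depth(depth: int) -> str:
    """'accepted' if the message parses within MAX_DEPTH, else 'rejected'."""
    try:
        parse_ber(nested_indefinite(depth))
        return "accepted"
    except BerError:
        return "rejected"
```

Without the depth check, parse_depth(1000) recurses until Python raises RecursionError, the interpreted analogue of the stack overrun the C parser hit.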

[USN-4636-1] LibVNCServer, Vino vulnerability [09:05]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • Divide by zero -> DoS

[USN-4637-1] Firefox vulnerabilities [09:18]

Goings on in Ubuntu Security Community

Migration of Ubuntu CVE information from people.canonical.com to ubuntu.com [09:37]

  • Long time in the making - worked with the design team at Canonical to design and prototype display of CVEs in a more human friendly format (for machine friendly we have OVAL etc)
  • ubuntu.com/security/CVE-XXXX-XXXX
  • Still includes CVE description, priority, status per-release and other details - but focusses on the most salient ones rather than the more engineering style of the old ones
  • Redirects in place for old people.canonical.com URLs

Securing Linux Machines with AppArmor Webinar [11:18]

Analysis of the dovecat and hy4 Linux Malware [12:36]

Get in contact