Episode 97

Show Notes

Overview

This week we look at vulnerabilities in MoinMoin, OpenLDAP, Kerberos, Raptor (including a discussion of CVE workflows and the oss-security mailing list) and more, whilst in community news we talk about the upcoming AppArmor webinar, migration of Ubuntu CVE information to ubuntu.com and reverse engineering of malware by the Canonical Sustaining Engineering team.

This week in Ubuntu Security Updates

45 unique CVEs addressed

[USN-4629-1] MoinMoin vulnerabilities [00:50]

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2020-15275
  • CVE-2020-25074
• RCE via attachment upload - can upload an attachment which is then cached - a subsequent crafted request can exploit a vulnerability in the cache handling code to achieve directory traversal and a subsequent RCE

[USN-4630-1] Raptor vulnerability [01:40]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2017-18926
• https://www.openwall.com/lists/oss-security/2017/06/07/1
• Old vulnerability, recently rediscovered that triggered various discussions on oss-security mailing list
  • https://www.openwall.com/lists/oss-security/2020/11/13/1
  • Discussion covered value of CVEs, how distros try and stay on top of the constant stream of CVEs etc
• Shows the value of a CVE - many distros use these as essentially work items - if a CVE doesn’t exist, the vulnerability won’t get patched

[USN-4622-2] OpenLDAP vulnerability [03:43]

• 1 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM)
  • CVE-2020-25692
• Episode 96 - NULL ptr deref for a remote unauthenticated user in slapd
• Upstream dispute this as a real CVE - say that only unintended info disclosure is a security issue (what about RCE?)

[USN-4628-2] Intel Microcode regression [04:29]

• 3 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-8698
  • CVE-2020-8696
  • CVE-2020-8695
• Episode 96 - Failed to boot on new Tiger Lake platforms
• We took the decision to remove this MCU once we saw the regression and had updates out within 24h of initial release
• Intel have now reverted this themselves upstream in a fixup release 20201118

[USN-4171-6] Apport regression [05:40]

• 5 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2019-15790
  • CVE-2019-11485
  • CVE-2019-11483
  • CVE-2019-11482
  • CVE-2019-11481
• Previous update could possibly be used to crash Apport itself due to mishandling of dropping permissions when reading the user’s config file (note these don’t normally exist unless you manually create one so in general is not an issue) - this fixes that and introduces some more hardening measures to try and ensure permissions are always dropped correctly and this is more robust overall

[USN-4631-1] libmaxminddb vulnerability [06:50]

• 1 CVEs addressed in Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-28241
• Heap based buffer overread -> DoS

[USN-4632-1] SLiRP vulnerabilities [07:03]

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • CVE-2020-8608
  • CVE-2020-7039
• 2 different buffer overflows - 1 due to improper use of return value from snprintf() - the other due to mishandling of pointer arithmetic -> DoS, RCE?

[USN-4607-2] OpenJDK regressions

• 8 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-14803
  • CVE-2020-14798
  • CVE-2020-14797
  • CVE-2020-14796
  • CVE-2020-14792
  • CVE-2020-14782
  • CVE-2020-14781
  • CVE-2020-14779

[USN-4633-1] PostgreSQL vulnerabilities [07:42]

• 3 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-25696
  • CVE-2020-25695
  • CVE-2020-25694
• 1 RCE, 1 arbitrary SQL execution but need to be an authenticated user and 1 DoS via dropping of connection

[USN-4634-1] OpenLDAP vulnerabilities [08:03]

• 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-25710
  • CVE-2020-25709
• 2 more DoS bugs against OpenLDAP - both assertion failures able to be triggered by a remote attacker

[USN-4635-1] Kerberos vulnerability [08:29]

• 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-28196
• DoS via unbounded recursion in parsing of ASN.1 encoded message - BER can specify an indefinite length - so this was parsed recursively but since it never placed any limit on this if the nesting was deep enough, could overrun the stack an trigger an abort.

[USN-4636-1] LibVNCServer, Vino vulnerability [09:05]

• 1 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-25708
• Divide by zero -> DoS

[USN-4637-1] Firefox vulnerabilities [09:18]

• 15 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Groovy (20.10)
  • CVE-2020-26969
  • CVE-2020-26968
  • CVE-2020-26967
  • CVE-2020-26965
  • CVE-2020-26963
  • CVE-2020-26962
  • CVE-2020-26961
  • CVE-2020-26960
  • CVE-2020-26959
  • CVE-2020-26958
  • CVE-2020-26956
  • CVE-2020-26953
  • CVE-2020-26952
  • CVE-2020-26951
  • CVE-2020-16012
• 83.0

Goings on in Ubuntu Security Community

Migration of Ubuntu CVE information from people.canonical.com to ubuntu.com [09:37]

• Long time in the making - worked with the design team at Canonical to design and prototype display of CVEs in a more human friendly format (for machine friendly we have OVAL etc)
• ubuntu.com/security/CVE-XXXX-XXXX
• Still includes CVE description, priority, status per-release and other details - but focusses on the most salient ones rather than the more engineering style of the old ones
• Redirects in place for old people.canonical.com URLs

Securing Linux Machines with AppArmor Webinar [11:18]

• https://www.brighttalk.com/webcast/6793/440491/securing-linux-machines-with-apparmor
• 2020-11-24 16:00 UTC
• Presented by Mike Salvatore - who also wrote the Introduction to AppArmor whitepaper
• Will cover:
  • Why a ‘defence in depth’ strategy should be employed to mitigate the potential damage caused by a breach
  • An explanation of AppArmor, its key features and why the principle of least privilege is recommended
  • The use of AppArmor in Ubuntu and snaps
• Good overview of why and how to apply AppArmor as well as a demo of how to generate a profile to confine an application with `aa-genprof`

Analysis of the dovecat and hy4 Linux Malware [12:36]

• https://ruffell.nz/reverse-engineering/writeups/2020/10/27/analysis-of-the-dovecat-and-hy4-linux-malware.html
• By Matthew Ruffell from the Sustaining Engineering team at Canonical
• Previously maintained his own Linux distro (Dapper Linux) where he manually forward-ported the grsecurity patch set - topic of his LCA 2019 talk Maintaining the Unmaintainable: Picking up the Baton of a Secure Kernel Patchset
• Walks through how he root-caused strange behaviour on a system down to some suspicious processes, and then reverse engineering those to demonstrate they were malware, and explaining what the malware did, how it operated etc - great teardown

Get in contact

• security@ubuntu.com
• #ubuntu-security on the Libera.Chat IRC network
• ubuntu-hardened mailing list
• Security section on discourse.ubuntu.com
• @ubuntu_sec on twitter