This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Similar to Ubuntu Security Podcast
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
This feed includes all episodes of Paul's Security Weekly, Enterprise Security Weekly, Business Security Weekly, Application Security Weekly, and Security Weekly News! Your one-stop shop for all things Security Weekly!
…
continue reading
Daily update on current cyber security threats
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Hungry for Technology Talk? Get All You Can Eat at the Android Buffet
…
continue reading
We head to the Lone Star State to connect with fellow Linux enthusiasts and immerse ourselves in the vibrant scene of Austin, Texas. Live chat: https:/jblive.tv
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
))
Episode 32
Manage episode 234081086 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Overview
This week we look at updates to cover the latest Intel CPU vulnerabilities (MDS - aka RIDL, Fallout, ZombieLoad), plus other vulnerabilies in PostgreSQL, ISC DHCP, Samba and more, whilst special guest this week is Seth Arnold from the Ubuntu Security Team to talk Main Inclusion Review code audits.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-3972-1] PostgreSQL vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Stores statistics for columns by sampling values from that column
- Security policy allows to restrict users from viewing particular rows
- But sampling would not take into account security policy
- User could craft a leaky operator which would return the sampled data and effectively bypass the security policy
- Fixed to only allow non-leakproof operators to use sampled data when no relevant row security policies in place
- Arbitrary server memory able to be read by executing a crafted INSERT statement on a partitioned table (only affects PostgreSQL 11 so only Disco)
[USN-3973-1] DHCP vulnerability
- 1 CVEs addressed in Bionic, Cosmic
- DHCP server could crash due to mismatch in BIND internal memory management and DHCP server code
- BIND in Bionic + Cosmic contained a change which zeroed out an internal index to indicate it was unused - however 0 is still a valid index in the DHCP server codebase - and so this could cause a use-after free (since would be free’d, index set to 0 by BIND lib but then still used later since 0 is valid). Instead changed to track indexes correctly to account for this behaviour.
[USN-3974-1] VCFtools vulnerabilities
- 3 CVEs addressed in Xenial
- Tools for working with VCF files (1000 Genomes Project)
- Fuzzed in conjunction with AddressSanitizer in clang using crafted VCF files
- Read-based heap buffer overflow - crash, DoS
- 2 * use after free -> crash, DoS / code execution
[USN-3975-1] OpenJDK vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- 2 affecting both openjdk-11 and openjdk-8
- CPU DoS via BigDecimal implementation operating on particular values
- Sandbox escape due to incorrect skeleton class selection in the RMI registry
- 2 sandbox escapes affecting only openjdk-8 via the 2D graphics component
[USN-3976-1, USN-3976-2] Samba vulnerability
- 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Kerberos (as used in AD) contains an extension to allow a service to request a Kerberos ticket to itself on behalf of a non-Kerberos authenticated user (allows to use Kerberos for all internal code-paths)
- Can be proxied over the network so that a privileged server can proxy on behalf of the non-Kerberos authenticated user
- This proxied request contains a checksum (which can be keyed to prevent spoofing) - BUT this is not enforced - so an attacker can intercept the proxied request and rewrite the user name to any other one in the KDC AND replace the checksum with a simple CRC32 - as this can be computed without any prior knowledge
[USN-3986-1] Wireshark vulnerabilities
- 9 CVEs addressed in Xenial, Bionic, Cosmic
- Updated to latest 2.6.8 release to fix many issues in various packet dissectors that would cause wireshark to crash
[USN-3988-1] MediaInfo vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic, Disco
- CLI tool for reading metadata from various audio/video files
- 2* OOB read -> crash, DoS
[LSN-0051-1] Linux kernel vulnerability
- 4 CVEs for Microarchitectural Data Sampling (MDS) vulnerabilities
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
- https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
- https://www.redhat.com/en/blog/deeper-look-mds-vulnerability
- Too invasive to be addressed by Livepatch - requires updates to the kernel and new microcode to fix
- Intel CPUs contain various microarchitectural elements - store buffers, load ports, fill buffers - which get used to complete architectural operations (read from an address etc)
- 4 CVEs due to the different use of these different buffers in the various techniques
- RIDL (Rogue in-flight data load) - fill buffers and load ports
- Fallout - store buffers
- ZombieLoad - independent discovery of fill-buffer variant of RIDL
- These get reused across operations, and in particular get reused across hyperthreads executing on the same CPU core
- A malicious process can use speculative execution sampling techniques to infer the contents of one of these microarchitectural buffers - so could see data from a process that had previously been executing on the same CPU core OR in the case of HT can see data from a process executing concurrently on the same core
- In the case of a single core can be fixed by first adding new behaviour to the unused VERW instruction to clear these buffers as a microcode update
- Then updating the Linux kernel to call this new VERW instruction when switching tasks, VMs etc
- However, does not mitigate in the case of SMT
- So only way to properly mitigate is to disable SMT as well
- In the case of virtualisation, the guest does the task switching so it needs to clear these buffers - update to QEMU + libvirt to expose this new CPU capability to the guest so that it can perform the flushing itself
- Kernel + QEMU updates also contain fixes for other CVEs
- Kernels updated for all supported releases including the HWE kernels
[USN-3977-1] Intel Microcode update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
[USN-3978-1] QEMU update
- 7 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
[USN-3979-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Disco
[USN-3980-1, USN-3980-2] Linux kernel vulnerabilities
- 10 CVEs addressed in Bionic (HWE), Cosmic
[USN-3981-1, USN-3981-2] Linux kernel vulnerabilities
- 9 CVEs addressed in Trusty ESM (HWE), Xenial (HWE), Bionic
[USN-3982-1, USN-3982-2] Linux kernel vulnerabilities
- 6 CVEs addressed in Trusty ESM (Xenial HWE), Xenial
[USN-3983-1, USN-3983-2] Linux kernel vulnerabilities
- 4 CVEs addressed in Precise ESM (Trusty HWE), Trusty ESM
[USN-3984-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Precise ESM
[USN-3985-1, USN-3985-2] libvirt update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
Goings on in Ubuntu Security Community
Main inclusion review security code audits discussion with Seth Arnold
Hiring
Robotics Security Engineer
Security Certifications Engineer
Get in contact
231 episodes
Share
Manage episode 234081086 series 2423058
Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Overview
This week we look at updates to cover the latest Intel CPU vulnerabilities (MDS - aka RIDL, Fallout, ZombieLoad), plus other vulnerabilies in PostgreSQL, ISC DHCP, Samba and more, whilst special guest this week is Seth Arnold from the Ubuntu Security Team to talk Main Inclusion Review code audits.
This week in Ubuntu Security Updates
37 unique CVEs addressed
[USN-3972-1] PostgreSQL vulnerabilities
- 2 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- Stores statistics for columns by sampling values from that column
- Security policy allows to restrict users from viewing particular rows
- But sampling would not take into account security policy
- User could craft a leaky operator which would return the sampled data and effectively bypass the security policy
- Fixed to only allow non-leakproof operators to use sampled data when no relevant row security policies in place
- Arbitrary server memory able to be read by executing a crafted INSERT statement on a partitioned table (only affects PostgreSQL 11 so only Disco)
[USN-3973-1] DHCP vulnerability
- 1 CVEs addressed in Bionic, Cosmic
- DHCP server could crash due to mismatch in BIND internal memory management and DHCP server code
- BIND in Bionic + Cosmic contained a change which zeroed out an internal index to indicate it was unused - however 0 is still a valid index in the DHCP server codebase - and so this could cause a use-after free (since would be free’d, index set to 0 by BIND lib but then still used later since 0 is valid). Instead changed to track indexes correctly to account for this behaviour.
[USN-3974-1] VCFtools vulnerabilities
- 3 CVEs addressed in Xenial
- Tools for working with VCF files (1000 Genomes Project)
- Fuzzed in conjunction with AddressSanitizer in clang using crafted VCF files
- Read-based heap buffer overflow - crash, DoS
- 2 * use after free -> crash, DoS / code execution
[USN-3975-1] OpenJDK vulnerabilities
- 4 CVEs addressed in Xenial, Bionic, Cosmic, Disco
- 2 affecting both openjdk-11 and openjdk-8
- CPU DoS via BigDecimal implementation operating on particular values
- Sandbox escape due to incorrect skeleton class selection in the RMI registry
- 2 sandbox escapes affecting only openjdk-8 via the 2D graphics component
[USN-3976-1, USN-3976-2] Samba vulnerability
- 1 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Cosmic, Disco
- Kerberos (as used in AD) contains an extension to allow a service to request a Kerberos ticket to itself on behalf of a non-Kerberos authenticated user (allows to use Kerberos for all internal code-paths)
- Can be proxied over the network so that a privileged server can proxy on behalf of the non-Kerberos authenticated user
- This proxied request contains a checksum (which can be keyed to prevent spoofing) - BUT this is not enforced - so an attacker can intercept the proxied request and rewrite the user name to any other one in the KDC AND replace the checksum with a simple CRC32 - as this can be computed without any prior knowledge
[USN-3986-1] Wireshark vulnerabilities
- 9 CVEs addressed in Xenial, Bionic, Cosmic
- Updated to latest 2.6.8 release to fix many issues in various packet dissectors that would cause wireshark to crash
[USN-3988-1] MediaInfo vulnerabilities
- 2 CVEs addressed in Bionic, Cosmic, Disco
- CLI tool for reading metadata from various audio/video files
- 2* OOB read -> crash, DoS
[LSN-0051-1] Linux kernel vulnerability
- 4 CVEs for Microarchitectural Data Sampling (MDS) vulnerabilities
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
- https://www.redhat.com/en/blog/understanding-mds-vulnerability-what-it-why-it-works-and-how-mitigate-it
- https://www.redhat.com/en/blog/deeper-look-mds-vulnerability
- Too invasive to be addressed by Livepatch - requires updates to the kernel and new microcode to fix
- Intel CPUs contain various microarchitectural elements - store buffers, load ports, fill buffers - which get used to complete architectural operations (read from an address etc)
- 4 CVEs due to the different use of these different buffers in the various techniques
- RIDL (Rogue in-flight data load) - fill buffers and load ports
- Fallout - store buffers
- ZombieLoad - independent discovery of fill-buffer variant of RIDL
- These get reused across operations, and in particular get reused across hyperthreads executing on the same CPU core
- A malicious process can use speculative execution sampling techniques to infer the contents of one of these microarchitectural buffers - so could see data from a process that had previously been executing on the same CPU core OR in the case of HT can see data from a process executing concurrently on the same core
- In the case of a single core can be fixed by first adding new behaviour to the unused VERW instruction to clear these buffers as a microcode update
- Then updating the Linux kernel to call this new VERW instruction when switching tasks, VMs etc
- However, does not mitigate in the case of SMT
- So only way to properly mitigate is to disable SMT as well
- In the case of virtualisation, the guest does the task switching so it needs to clear these buffers - update to QEMU + libvirt to expose this new CPU capability to the guest so that it can perform the flushing itself
- Kernel + QEMU updates also contain fixes for other CVEs
- Kernels updated for all supported releases including the HWE kernels
[USN-3977-1] Intel Microcode update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
[USN-3978-1] QEMU update
- 7 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
[USN-3979-1] Linux kernel vulnerabilities
- 11 CVEs addressed in Disco
[USN-3980-1, USN-3980-2] Linux kernel vulnerabilities
- 10 CVEs addressed in Bionic (HWE), Cosmic
[USN-3981-1, USN-3981-2] Linux kernel vulnerabilities
- 9 CVEs addressed in Trusty ESM (HWE), Xenial (HWE), Bionic
[USN-3982-1, USN-3982-2] Linux kernel vulnerabilities
- 6 CVEs addressed in Trusty ESM (Xenial HWE), Xenial
[USN-3983-1, USN-3983-2] Linux kernel vulnerabilities
- 4 CVEs addressed in Precise ESM (Trusty HWE), Trusty ESM
[USN-3984-1] Linux kernel vulnerabilities
- 4 CVEs addressed in Precise ESM
[USN-3985-1, USN-3985-2] libvirt update
- 4 CVEs addressed in Trusty ESM, Xenial, Bionic, Cosmic, Disco
Goings on in Ubuntu Security Community
Main inclusion review security code audits discussion with Seth Arnold
Hiring
Robotics Security Engineer
Security Certifications Engineer
Get in contact
231 episodes
All episodes
×
Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.
Similar to Ubuntu Security Podcast
This is the audio podcast version of Troy Hunt's weekly update video published here: https://www.troyhunt.com/tag/weekly-update/
…
continue reading
The award-winning WIRED UK Podcast with James Temperton and the rest of the team. Listen every week for the an informed and entertaining rundown of latest technology, science, business and culture news. New episodes every Friday.
…
continue reading
The director’s commentary track for Daring Fireball. Long digressions on Apple, technology, design, movies, and more.
…
continue reading
Android Backstage, a podcast by and for Android developers. Hosted by developers from the Android engineering team, this show covers topics of interest to Android programmers, with in-depth discussions and interviews with engineers on the Android team at Google. Subscribe to Android Developers YouTube → https://goo.gle/AndroidDevs
…
continue reading
Show notes are at https://stevelitchfield.com/sshow/chat.html
…
continue reading
This feed includes all episodes of Paul's Security Weekly, Enterprise Security Weekly, Business Security Weekly, Application Security Weekly, and Security Weekly News! Your one-stop shop for all things Security Weekly!
…
continue reading
Daily update on current cyber security threats
…
continue reading
A podcast featuring panelists of engineers from Netflix, Twitch, & Atlassian talking over drinks about all things software engineering.
…
continue reading
Hungry for Technology Talk? Get All You Can Eat at the Android Buffet
…
continue reading
We head to the Lone Star State to connect with fellow Linux enthusiasts and immerse ourselves in the vibrant scene of Austin, Texas. Live chat: https:/jblive.tv
…
continue reading
Player FM - Podcast App
Go offline with the Player FM app!
Go offline with the Player FM app!
