Episode 50

Ubuntu Security Podcast

Content provided by Alex Murray and Ubuntu Security Team. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Alex Murray and Ubuntu Security Team or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

4+ y ago 23:48

MP3•Episode home

Overview

Alex and Joe discuss the big news of this week - the release of Ubuntu 19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt, UW IMAP and more.

This week in Ubuntu Security Updates

51 unique CVEs addressed

[USN-4156-2] SDL vulnerabilities [00:37]

11 CVEs addressed in Precise ESM, Trusty ESM
Covered in Episode 49 and Episode 48

[USN-4160-1] UW IMAP vulnerability [01:04]

1 CVEs addressed in Xenial, Bionic, Disco
- CVE-2018-19518
University of Washington IMAP toolkit (used by PHP for it’s IMAP implementation)
Used rsh to implement various operations - wouldn’t try and sanitize the provided hostname - so if attacker could provide a hostname/mailbox to php’s IMAP without any validation could execute arbitrary commands on the host
- Fixed by turning off the rsh based functionality by default in PHP - if you still want this you can set imap.enable_insecure_rsh but this is not advised…

[USN-4158-1] LibTIFF vulnerabilities [02:17]

2 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-17546
- CVE-2019-14973
Integer overflow -> heap based buffer overflow -> crash, DoS or code execution
(Low) Integer overflow due to undefined behaviour in existing overflow checking code when multiplying various elements -> no known way to exploit

[USN-4155-2] Aspell vulnerability [03:13]

1 CVEs addressed in Eoan
- CVE-2019-17544
Episode 49 covered for older releases - Eoan is now out so updated there too

[USN-4159-1] Exiv2 vulnerability [03:31]

1 CVEs addressed in Xenial, Bionic, Disco, Eoan
- CVE-2019-17402
OOB read -> crash, DoS

[USN-4164-1] Libxslt vulnerabilities [03:44]

3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
OSS-Fuzz found 3 issues
- possible heap buffer overflow as a result of a dangling pointer - so same memory area could be reused for future memory operations -> fixed to reset the pointer when done
- 2 low priority issues - both stack memory info disclosures

[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]

9 CVEs addressed in Bionic (HWE) and Disco
Integer overflow -> buffer overflow -> root privesc in binder
Reintroduction of Spectre v1 vulnerability in ptrace subsystem - Brad Spengler - fixed properly in Linus’ tree but not when it got backported to the stable tree - two lines of code got reordered - so load of possible speculative value occurred _after_it had been used - so the speculative load barrier had no effect - Ubuntu regularly backports fixes from the latest stable tree so we ended up affected as well
- https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
Possible DoS (kernel crash) if users can write to /dev/kvm - by default on Ubuntu users don’t have this privilege so generally not affected
2 different heap based buffer overflows in Marvell Wifi driver -> occurred when setting parameters for the driver so could be triggered by a local users -> crash, DoS or possible code execution

[USN-4161-1] Linux kernel vulnerability [07:40]

1 CVEs addressed in Eoan
- CVE-2019-18198
Eoan kernel “0-day” - will discuss with Joe later

[USN-4162-1] Linux kernel vulnerabilities [07:58]

10 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
SMB based buffer overread if try mounting a share with version specified as 3.0 but the share itself is version 2.10 -> parameter size mismatch -> read of too much memory -> info disclosure
UAF in RSI 91x Wi-Fi driver -> able to be triggered by a remote network peer -> crash, DoS or possible RCE
ptrace spectrev1 reissue, KVM crash, Marvell Wifi Driver issues from above
USB audio issues from Episode 48 (Disco kernel -> now fixed in Bionic kernel as well)

[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]

10 CVEs addressed in Xenial and Trusty ESM (HWE)
Spectrev1 reissue, USB Audio, KVM crash, Marvell and RSI 91x WiFi Driver issues all covered earlier
Serial attached SCSI implementation mishandled error condition leading to deadlock -> local user could possibly trigger this leading to a DoS

[LSN-0058-1] Linux kernel vulnerability [10:09]

22 CVEs addressed in Bionic and Xenial + Xenial (HWE)
Most all covered in previous episodes or previously in this episode
2 high priority issues
- vhost_net issue from Episode 47
- SACKPanic from Episode 37

Goings on in Ubuntu Security Community

Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]

https://twitter.com/sylvia_ritter
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-19.10-Kernel-Bug
- Mitigate by installing the latest eoan kernel update or by disabling user namspaces: sysctl user.max_user_namespaces=0

Get in contact

230 episodes

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

Episode 50

Ubuntu Security Podcast

138 subscribers

published 4+ y ago

MP3•Episode home

Overview

Alex and Joe discuss the big news of this week - the release of Ubuntu 19.10 Eoan Ermine - plus we look at updates for the Linux kernel, libxslt, UW IMAP and more.

This week in Ubuntu Security Updates

51 unique CVEs addressed

[USN-4156-2] SDL vulnerabilities [00:37]

11 CVEs addressed in Precise ESM, Trusty ESM
Covered in Episode 49 and Episode 48

[USN-4160-1] UW IMAP vulnerability [01:04]

1 CVEs addressed in Xenial, Bionic, Disco
- CVE-2018-19518
University of Washington IMAP toolkit (used by PHP for it’s IMAP implementation)
Used rsh to implement various operations - wouldn’t try and sanitize the provided hostname - so if attacker could provide a hostname/mailbox to php’s IMAP without any validation could execute arbitrary commands on the host
- Fixed by turning off the rsh based functionality by default in PHP - if you still want this you can set imap.enable_insecure_rsh but this is not advised…

[USN-4158-1] LibTIFF vulnerabilities [02:17]

2 CVEs addressed in Xenial, Bionic, Disco
- CVE-2019-17546
- CVE-2019-14973
Integer overflow -> heap based buffer overflow -> crash, DoS or code execution
(Low) Integer overflow due to undefined behaviour in existing overflow checking code when multiplying various elements -> no known way to exploit

[USN-4155-2] Aspell vulnerability [03:13]

1 CVEs addressed in Eoan
- CVE-2019-17544
Episode 49 covered for older releases - Eoan is now out so updated there too

[USN-4159-1] Exiv2 vulnerability [03:31]

1 CVEs addressed in Xenial, Bionic, Disco, Eoan
- CVE-2019-17402
OOB read -> crash, DoS

[USN-4164-1] Libxslt vulnerabilities [03:44]

3 CVEs addressed in Precise ESM, Trusty ESM, Xenial, Bionic, Disco, Eoan
OSS-Fuzz found 3 issues
- possible heap buffer overflow as a result of a dangling pointer - so same memory area could be reused for future memory operations -> fixed to reset the pointer when done
- 2 low priority issues - both stack memory info disclosures

[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]

9 CVEs addressed in Bionic (HWE) and Disco
Integer overflow -> buffer overflow -> root privesc in binder
Reintroduction of Spectre v1 vulnerability in ptrace subsystem - Brad Spengler - fixed properly in Linus’ tree but not when it got backported to the stable tree - two lines of code got reordered - so load of possible speculative value occurred _after_it had been used - so the speculative load barrier had no effect - Ubuntu regularly backports fixes from the latest stable tree so we ended up affected as well
- https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
Possible DoS (kernel crash) if users can write to /dev/kvm - by default on Ubuntu users don’t have this privilege so generally not affected
2 different heap based buffer overflows in Marvell Wifi driver -> occurred when setting parameters for the driver so could be triggered by a local users -> crash, DoS or possible code execution

[USN-4161-1] Linux kernel vulnerability [07:40]

1 CVEs addressed in Eoan
- CVE-2019-18198
Eoan kernel “0-day” - will discuss with Joe later

[USN-4162-1] Linux kernel vulnerabilities [07:58]

10 CVEs addressed in Trusty ESM (Azure), Xenial (HWE), Bionic
SMB based buffer overread if try mounting a share with version specified as 3.0 but the share itself is version 2.10 -> parameter size mismatch -> read of too much memory -> info disclosure
UAF in RSI 91x Wi-Fi driver -> able to be triggered by a remote network peer -> crash, DoS or possible RCE
ptrace spectrev1 reissue, KVM crash, Marvell Wifi Driver issues from above
USB audio issues from Episode 48 (Disco kernel -> now fixed in Bionic kernel as well)

[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]

10 CVEs addressed in Xenial and Trusty ESM (HWE)
Spectrev1 reissue, USB Audio, KVM crash, Marvell and RSI 91x WiFi Driver issues all covered earlier
Serial attached SCSI implementation mishandled error condition leading to deadlock -> local user could possibly trigger this leading to a DoS

[LSN-0058-1] Linux kernel vulnerability [10:09]

22 CVEs addressed in Bionic and Xenial + Xenial (HWE)
Most all covered in previous episodes or previously in this episode
2 high priority issues
- vhost_net issue from Episode 47
- SACKPanic from Episode 37

Goings on in Ubuntu Security Community

Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]

https://twitter.com/sylvia_ritter
https://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-19.10-Kernel-Bug
- Mitigate by installing the latest eoan kernel update or by disabling user namspaces: sysctl user.max_user_namespaces=0

Get in contact

230 episodes

#Alex Murray #Ubuntu Security Team #Linux #Tech #Operating Systems #Alex and Joe #Security #Software Development

All episodes

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

Listen to 500+ topics

Similar to Ubuntu Security Podcast

Podcasts Worth a Listen

Ubuntu Security Podcast « » Episode 50

Overview

This week in Ubuntu Security Updates

[USN-4156-2] SDL vulnerabilities [00:37]

[USN-4160-1] UW IMAP vulnerability [01:04]

[USN-4158-1] LibTIFF vulnerabilities [02:17]

[USN-4155-2] Aspell vulnerability [03:13]

[USN-4159-1] Exiv2 vulnerability [03:31]

[USN-4164-1] Libxslt vulnerabilities [03:44]

[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]

[USN-4161-1] Linux kernel vulnerability [07:40]

[USN-4162-1] Linux kernel vulnerabilities [07:58]

[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]

[LSN-0058-1] Linux kernel vulnerability [10:09]

Goings on in Ubuntu Security Community

Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]

Get in contact

Episode 50

Overview

This week in Ubuntu Security Updates

[USN-4156-2] SDL vulnerabilities [00:37]

[USN-4160-1] UW IMAP vulnerability [01:04]

[USN-4158-1] LibTIFF vulnerabilities [02:17]

[USN-4155-2] Aspell vulnerability [03:13]

[USN-4159-1] Exiv2 vulnerability [03:31]

[USN-4164-1] Libxslt vulnerabilities [03:44]

[USN-4157-1, USN-4157-2] Linux kernel vulnerabilities [04:59]

[USN-4161-1] Linux kernel vulnerability [07:40]

[USN-4162-1] Linux kernel vulnerabilities [07:58]

[USN-4163-1, USN-4163-2] Linux kernel vulnerabilities [09:29]

[LSN-0058-1] Linux kernel vulnerability [10:09]

Goings on in Ubuntu Security Community

Joe and Alex on Ubuntu 19.10 (Eoan Ermine) released but with possible local user kernel DoS bug [11:02]

Get in contact

Podcasts Worth a Listen

Welcome to Player FM!

Similar to Ubuntu Security Podcast

Quick Reference Guide

Ubuntu Security Podcast « »
Episode 50