
Episode 75
In episode 75 we look at security updates for APT, json-c, Bind, the Linux kernel and more, plus Joe and Alex discuss recent phishing attacks and the Wired biopic of Marcus Hutchins.
Ubuntu Security Podcast · Ubuntu Security Team
May 22, 2020 · 29m 40s
Show Notes
This week in Ubuntu Security Updates
26 unique CVEs addressed
[USN-4358-1] libexif vulnerabilities [00:44]
- 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Divide by zero and an infinite CPU loop (DoS) when handling crafted EXIF content
[USN-4359-1] APT vulnerability [01:19]
- 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- APT has its own ar archive handling code
- Stack buffer OOB read for ar archive members with specially crafted names: the code tried to handle spaces etc. in member names, but if a name was entirely spaces it would overrun the name field and read past the end of it
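To make the failure mode concrete, here is a small ar member-header parser added for these notes (example code, not APT's own). The ar header layout (16-byte space-padded name, then mtime, uid, gid, mode, size and a two-byte magic, 60 bytes in all) is the standard one; the header contents and the `make_header` helper are constructed for the example. The point is the name trim loop: it counts down with a bounds check on every step, so a name that is all spaces simply becomes an empty string instead of a scan that walks off the field.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example ar member-header parser written for these notes; it is not APT's
 * code. Field layout is the classic ar format (60-byte header). */
#define AR_HDR_SIZE 60
#define AR_NAME_LEN 16

struct ar_member {
    char name[AR_NAME_LEN + 1];
    unsigned long size;
};

/* Build a constructed header for testing: name (space padded to 16),
 * mtime, uid, gid, mode, size, then the "`\n" magic. `out` needs 61 bytes. */
void make_header(const char *name, unsigned long size, char out[AR_HDR_SIZE + 1])
{
    snprintf(out, AR_HDR_SIZE + 1, "%-16.16s%-12lu%-6d%-6d%-8o%-10lu`\n",
             name, 1590000000UL, 0, 0, 0100644, size);
}

/* Strip trailing spaces from the 16-byte name field with a counter that is
 * checked before every step. A scan such as `while (p[-1] == ' ') p--;` has
 * no such check and, for a name that is all spaces, leaves the field; that
 * is the class of out-of-bounds read the advisory describes. */
static void copy_trimmed_name(const char *field, char *out)
{
    size_t n = AR_NAME_LEN;
    while (n > 0 && field[n - 1] == ' ')
        n--;                               /* stops at n == 0, never before */
    memcpy(out, field, n);
    out[n] = '\0';                         /* all-space name becomes "" */
}

/* Parse one header. Returns false for a short buffer, bad magic, or a size
 * field that is not decimal digits followed by padding spaces. */
bool parse_ar_header(const char *hdr, size_t hdr_len, struct ar_member *m)
{
    if (hdr_len < AR_HDR_SIZE) return false;
    if (hdr[58] != '`' || hdr[59] != '\n') return false;

    copy_trimmed_name(hdr, m->name);

    char sizebuf[11];                          /* size field: bytes 48..57 */
    memcpy(sizebuf, hdr + 48, 10);
    sizebuf[10] = '\0';
    if (sizebuf[0] < '0' || sizebuf[0] > '9') return false;
    char *end;
    unsigned long sz = strtoul(sizebuf, &end, 10);
    for (; *end; end++)
        if (*end != ' ') return false;         /* junk after the number */
    m->size = sz;
    return true;
}

int main(void)
{
    char hdr[AR_HDR_SIZE + 1];
    struct ar_member m;

    make_header("control.tar.gz", 1234, hdr);  /* constructed member */
    if (parse_ar_header(hdr, AR_HDR_SIZE, &m))
        printf("name=\"%s\" size=%lu\n", m.name, m.size);

    make_header("", 7, hdr);                   /* constructed: all-space name */
    if (parse_ar_header(hdr, AR_HDR_SIZE, &m))
        printf("name=\"%s\" size=%lu\n", m.name, m.size);
    return 0;
}
```

The same counter-based pattern applies to any fixed-width, space-padded field: trim by length, not by pointer, and the degenerate input is handled by the loop condition rather than by luck.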
[USN-4360-1] json-c vulnerability [02:04]
- 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Integer overflow -> OOB write from a large JSON file
[USN-4360-2, USN-4360-3] json-c regression [02:27]
- Affecting Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- The upstream fix had a bug where the logic for handling integer overflow was inverted, so it would cause INT_MAX (2GB) of memory to be allocated
- On machines with a small amount of memory this could exhaust all of it and trigger the OOM killer
- Part of the logic of the package is to trigger a re-exec of upstart (which serialises itself via libjson), so this could cause upstart to consume all memory, get killed by the OOM killer and cause a failure to boot etc.
- upstart is not used as the default init on xenial+ and the initial update was delayed for ESM, so only a small number of users would be affected (those running 16.04 LTS/xenial who had manually configured upstart as init)
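The regression described above is a classic shape: an overflow guard whose condition points the wrong way. The following example is written for these notes and is not json-c's code; it models a growable buffer with `int` sizes (the type the 2GB/INT_MAX figure implies) and shows the inverted guard beside the checked one, so the difference in what gets handed to `malloc` for an ordinary small append is visible. The sizes in `main` are constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical growable-buffer sizing written for this example; it is not
 * json-c's code, only the pattern the regression notes describe: a guard
 * meant to catch integer overflow written the wrong way round. */

/* Bytes required to hold `len` existing bytes plus `add` new ones,
 * or -1 if that sum does not fit in an int. */
int required_size(int len, int add)
{
    if (len < 0 || add < 0) return -1;
    if (add > INT_MAX - len) return -1;     /* len + add would overflow */
    return len + add;
}

/* The inverted guard: the branch that should run only when doubling `size`
 * would overflow runs for every ordinary size instead, so the caller asks
 * malloc for INT_MAX (~2 GiB) on a small append. */
int next_size_inverted(int size, int min_size)
{
    if (size < 0 || min_size < 0) return -1;
    if (min_size <= size) return size;      /* already fits */
    if (size <= INT_MAX / 2)                /* wrong direction */
        return INT_MAX;
    return min_size;
}

/* The guard the right way round: double while that is safe, otherwise
 * allocate exactly what is needed; never more than INT_MAX. */
int next_size_checked(int size, int min_size)
{
    if (size < 0 || min_size < 0) return -1;
    if (min_size <= size) return size;      /* already fits */
    if (size > INT_MAX / 2)                 /* doubling would overflow */
        return min_size;
    int doubled = size * 2;
    return doubled > min_size ? doubled : min_size;
}

int main(void)
{
    int need = required_size(64, 36);       /* constructed: 64-byte buffer, append 36 */
    printf("inverted guard allocates %d bytes\n", next_size_inverted(64, need));
    printf("checked guard allocates  %d bytes\n", next_size_checked(64, need));
    printf("required_size(INT_MAX - 5, 10) = %d\n", required_size(INT_MAX - 5, 10));
    return 0;
}
```

A unit test that appends a handful of bytes and asserts on the resulting capacity would have caught the inverted branch immediately, which is the practical lesson: overflow guards need a test for the common path as well as for the overflow path.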
[USN-4361-1] Dovecot vulnerabilities [04:13]
- 3 CVEs addressed in Eoan (19.10), Focal (20.04 LTS)
- 3 issues discovered by Philippe Antoine
- UAF when a command is followed by a sufficient number of newlines -> crash
- Sending an empty quoted localpart or malformed NOOP commands -> crash
[USN-4362-1] DPDK vulnerabilities [04:47]
- 5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- Data Plane Development Kit (provides TCP offloading to userspace to accelerate packet processing workloads)
- Used by openvswitch for OpenStack software defined networking
- Memory leak and file-descriptor leak -> DoS
- Guest to host crash via a missing check on an address in an io descriptor
- Failure to validate key lengths
- Integer overflow on host from guest -> crash
[USN-4367-1] Linux kernel vulnerabilities [05:51]
- 3 CVEs addressed in Focal (20.04 LTS)
- 5.4 kernel
- UAF due to a race-condition in bfq block io scheduler in block subsystem
- Bug in parsing of mount options for tmpfs -> stack overflow (root privileges etc. are needed to specify mount options)
- UAF in btrfs when handling a specially crafted file-system image
[USN-4363-1] Linux kernel vulnerabilities [06:42]
- 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
- 4.15 kernel
- block io scheduler UAF
- PowerPC specific guest -> host VM crash on save / restore of authority mask registers
- tmpfs mount option parsing
- Serial CAN driver did not initialise stack data, so could leak stack memory to userspace etc.
[USN-4364-1] Linux kernel vulnerabilities [07:30]
- 7 CVEs addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS)
- 4.4 kernel
- USB camera drivers fail to validate device metadata -> NULL ptr deref etc (crash)
- tmpfs & serial CAN above
[USN-4368-1] Linux kernel vulnerabilities [07:59]
- 8 CVEs addressed in Bionic (18.04 LTS)
- 5.0 gke/oem (based on the Ubuntu 19.04 disco kernel)
- block io scheduler UAF
- ppc specific guest -> host VM crash on save / restore of authority mask registers
- USB camera drivers fail to validate device metadata
- tmpfs & serial CAN above
[USN-4365-1] Bind vulnerabilities [08:31]
- 2 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- DNS reflection attack via recursive resolution - http://www.nxnsattack.com/
[USN-4366-1] Exim vulnerability [09:14]
- 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
- OOB read in Secure Password Authentication (SPA, also known as NTLM) authenticator, could result in SPA/NTLM auth bypass