Here we are again at the end of the month, and it’s been an interesting one on the IT security front. After the WannaCry ransomware attack in May, June brought another major world-wide malware infestation that may have originated in Ukraine and spread to dozens of countries. At the time of this writing, several large pharmaceutical, shipping, energy and food companies had been hit, along with others, and not much information is available about who’s behind it and what the ramifications will be, or even exactly what it is (some say it’s a variation of Petya and others say it’s brand new).
Many of the latest high profile attacks target Microsoft Windows and its components, but that doesn’t mean third party software isn’t vulnerable to serious attacks as well. A Linux Systemd vulnerability that enables DNS attacks made the news near the end of the month, and then there is the “feature” in Chrome, which Google says isn’t a security flaw, that could allow hackers to record audio and video with your camera and mic without your knowledge.
Software vendors are working overtime these days to stay ahead of the attackers. Many of today’s attacks are perpetrated via the web. I’m reminded of the old “Why do you rob banks? Because that’s where the money is” story; the web is where the victims are, and many people who are careful about not opening email attachments are far less hesitant about clicking links on web sites. The good news is that both Google and Mozilla fixed a large number of security issues in the June updates for their respective web browsers.
Now let’s take a look at the details of some of this month’s patches from major third party security vendors.
Apple
Apple seems to be following a one on/one off schedule, with no security updates issued in April, then seven large updates last month, and now (as of June 28), no updates for June. If the pattern holds, look out for a heavy slate of patches from them in July.
For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222
Adobe
Adobe came out with four new security bulletins this month, providing updates for four different products. All four of them were originally issued on Adobe’s traditional Patch Tuesday and one was updated later in the month. Along with the almost obligatory Flash Player update, we got patches for Shockwave, Captivate, and Digital Editions.
On June 13 (Patch Tuesday), Adobe issued the following:
- APSB17-17 is an update for Flash Player running on Windows, Linux, Mac and Chrome OS. It addresses four use-after-free vulnerabilities and five memory corruption issues that could be exploited to accomplish remote code execution. It is rated critical and assigned priority level 1 for all platforms except the Flash Player Desktop Runtime for Linux.
- APSB17-18 is an update for Shockwave Player running on Windows. It addresses a single memory corruption issue that could be exploited to accomplish remote code execution. It is rated critical and assigned priority level 2.
- APSB17-19 is an update for Adobe Captivate, running on Windows and Mac. It addresses one critical and one important vulnerability that could be exploited to accomplish information disclosure and remote code execution. It is rated critical and assigned priority level 3 for both platforms. This bulletin was updated on June 19.
- APSB17-20 is an update for Adobe Digital Editions running on Windows, Mac, iOS and Android. It addresses four critical memory corruption vulnerabilities, an important escalation of privilege vulnerability and two important memory address disclosure issues. It is rated critical with a priority rating of 3 on all platforms.
For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories web site at https://helpx.adobe.com/security.html
Google
Google Chrome web browser stable channel update v59.0.3071.104 for Windows, Mac and Linux was announced on June 15 and contains five security fixes, including a high severity sandbox escape vulnerability and a high severity out of bounds read vulnerability, along with a medium severity domain spoofing fix and various fixes from internal audits and other initiatives.
For more information, see the Google Chrome Releases blog at https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop_15.html
The Android security bulletin for June was published by Google on June 5. Patches were issued addressing one critical vulnerability in the Media Framework that could enable an attacker to exploit a memory corruption condition to accomplish remote code execution. Additional vulnerabilities addressed include:
- Six additional Media Framework vulnerabilities rated high severity that could be used for DoS attacks
- Three Bluetooth issues of high and moderate severity that could be used for elevation of privilege
- Ten library vulnerabilities rated high and moderate that could be exploited for remote code execution
- A high severity System UI vulnerability that could result in remote code execution.
For more information, see the bulletin at https://source.android.com/security/bulletin/2017-06-01
Oracle
Oracle normally releases security updates on a quarterly cycle, in January, April, July and October. The next scheduled release is July 18.
For more detailed information, see the Oracle Critical Patch Update Advisory for April 2016 at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Mozilla
On June 13, Mozilla released Firefox 54 and Security Advisory 2017-15, which includes security updates to address three critical vulnerabilities, twelve rated high severity, and nine of moderate impact. These include:
- Use-after-free issues in CSS layout, docshell reloading, track elements, content viewer listeners, IME input, logging XHR header errors, indexed DB
- Memory safety bugs/memory corruption issues
- Out-of-bounds reads in WebGL
- Privilege escalation issues
- Multiple vulnerabilities in the Graphite 2 library
- Violation of same-origin policy related to Android intent URLs
- File manipulation, file execution and file deletion issues, arbitrary file overwrites and arbitrary file reads
- Addressbar spoofing
- Domain name spoofing related to OS X font rendering
- “Mark of the web” bypass
The most serious of these have the potential to enable an attacker to run arbitrary code.
For more information about all of these vulnerabilities and fixes, see Mozilla’s web site at https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox45
Linux
Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (June 29), Ubuntu has issued 50 security advisories, which is more than usual for recent months (by comparison, last month saw 22 updates). Many of them address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.
- USN-3346-1: bind9 vulnerabilities – 29th June 2017. Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone update requests. An attacker could use this to improperly perform zone updates. (CVE-2017-3143) Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone transfer requests.
- USN-3323-2: GNU C Library vulnerability – 29th June 2017. USN-3323-1 fixed a vulnerability in the GNU C Library. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that the GNU C library did not properly handle memory when processing environment variables for setuid programs.
- USN-3342-2: Linux kernel (HWE) vulnerabilities – 29th June 2017. USN-3342-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. USN-3333-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications.
- USN-3345-1: Linux kernel vulnerabilities – 29th June 2017. USN 3324-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.
- USN-3343-2: Linux kernel (Trusty HWE) vulnerabilities – 29th June 2017. USN 3343-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. USN 3335-2 fixed a vulnerability in the Linux kernel.
- USN-3338-2: Linux kernel regression – 29th June 2017. USN-3338-1 fixed vulnerabilities in the Linux kernel. However, the fix for CVE-2017-1000364 introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. Original advisory details: It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough.
- USN-3342-1: Linux kernel vulnerabilities – 29th June 2017. USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. It was discovered that a use-after-free flaw existed in the filesystem encryption subsystem in the Linux kernel.
- USN-3343-1: Linux kernel vulnerabilities – 29th June 2017. USN 3335-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. It was discovered that a use-after-free vulnerability in the core voltage regulator driver of the Linux kernel.
- USN-3344-1: Linux kernel vulnerabilities – 29th June 2017. USN 3328-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. This update addresses the issue. We apologize for the inconvenience. Roee Hay discovered that the parallel port printer driver in the Linux kernel did not properly bounds check passed arguments.
- USN-3344-2: Linux kernel (Xenial HWE) vulnerabilities – 29th June 2017. USN-3344-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. USN 3334-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications.
- USN-3341-1: Systemd vulnerability – 27th June 2017. An out-of-bounds write was discovered in systemd-resolved when handling specially crafted DNS responses. A remote attacker could potentially exploit this to cause a denial of service (daemon crash) or execute arbitrary code.
- USN-3340-1: Apache HTTP Server vulnerabilities – 26th June 2017. Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw() function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components() function for use by third-party modules. (CVE-2017-3167) Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection()
- USN-3339-1: OpenVPN vulnerabilities – 22nd June 2017. Karthikeyan Bhargavan and Gaëtan Leurent discovered that 64-bit block ciphers are vulnerable to a birthday attack. A remote attacker could possibly use this issue to recover cleartext data. Fixing this issue requires a configuration change to switch to a different cipher. This update adds a warning to the log file.
- USN-3335-1: Linux kernel vulnerability – 22nd June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3334-1: Linux kernel (Xenial HWE) vulnerability – 22nd June 2017. USN-3328-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large.
- USN-3333-1: Linux kernel (HWE) vulnerability – 22nd June 2017. USN-3326-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large.
- USN-3332-1: Linux kernel (Raspberry Pi 2) vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3331-1: Linux kernel (AWS) vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3329-1: Linux kernel (GKE) vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3328-1: Linux kernel vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3327-1: Linux kernel (Raspberry Pi 2) vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3326-1: Linux kernel vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3325-1: Linux kernel (Raspberry Pi 2) vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3324-1: Linux kernel vulnerability – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3335-2: Linux kernel (Trusty HWE) vulnerability – 21st June 2017. USN-3335-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large.
- USN-3338-1: Linux kernel vulnerabilities – 21st June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3337-1: Valgrind vulnerabilities – 21st June 2017. It was discovered that Valgrind incorrectly handled certain string operations. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
- USN-3336-1: NSS vulnerability – 21st June 2017. It was discovered that NSS incorrectly handled certain empty SSLv2 messages. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service.
- USN-3330-1: Linux kernel (Qualcomm Snapdragon) vulnerabilities – 19th June 2017. It was discovered that the stack guard page for processes in the Linux kernel was not sufficiently large enough to prevent overlapping with the heap. An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative privileges.
- USN-3311-2: libnl vulnerability – 19th June 2017. USN-3311-1 fixed a vulnerability in libnl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that libnl incorrectly handled memory when performing certain operations. A local attacker could possibly use this issue to cause libnl to crash, resulting in a denial of service.
- USN-3323-1: GNU C Library vulnerability – 19th June 2017. It was discovered that the GNU C library did not properly handle memory when processing environment variables for setuid programs. A local attacker could use this in combination with another vulnerability to gain administrative privileges.
- USN-3322-1: Exim vulnerability – 19th June 2017. It was discovered that Exim did not properly deallocate memory when processing certain command line arguments. A local attacker could use this in conjunction with a vulnerability in the underlying kernel to possibly execute arbitrary code and gain administrative privileges.
- USN-3320-1: zziplib vulnerabilities – 15th June 2017. Agostino Sarubbo discovered that zziplib incorrectly handled certain malformed ZIP files. If a user or automated system were tricked into opening a specially crafted ZIP file, a remote attacker could cause zziplib to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3319-1: libmwaw vulnerability – 15th June 2017. It was discovered that libmwaw incorrectly handled certain malformed document files. If a user or automated system were tricked into opening a specially crafted file, a remote attacker could cause libmwaw to crash, resulting in a denial of service, or possibly execute arbitrary code.
- USN-3315-1: Firefox vulnerabilities – 15th June 2017. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, spoof the addressbar contents, or execute arbitrary code.
- USN-3318-1: GnuTLS vulnerabilities – 13th June 2017. Hubert Kario discovered that GnuTLS incorrectly handled decoding a status response TLS extension. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04.
- USN-3317-1: Irssi vulnerabilities – 12th June 2017. It was discovered that Irssi incorrectly handled certain DCC messages. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-9468) Joseph Bisch discovered that Irssi incorrectly handled receiving incorrectly quoted DCC files.
- USN-3253-2: Nagios regression – 7th June 2017. USN-3253-1 fixed vulnerabilities in Nagios. The update prevented log files from being displayed in the web interface. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Nagios incorrectly handled certain long strings.
- USN-3316-1: FreeRADIUS vulnerability – 7th June 2017. Stefan Winter and Luboš Pavlíček discovered that FreeRADIUS incorrectly handled the TLS session cache. A remote attacker could possibly use this issue to bypass authentication by resuming an unauthenticated session.
- USN-3314-1: Linux kernel vulnerabilities – 7th June 2017. It was discovered that the keyring implementation in the Linux kernel in some situations did not prevent special internal keyrings from being joined by userspace keyrings. A privileged local attacker could use this to bypass module verification. (CVE-2016-9604) It was discovered that a buffer overflow existed in the trace subsystem.
- USN-3313-2: Linux kernel (HWE) vulnerability – 7th June 2017. USN-3313-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS. It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel.
- USN-3312-2: Linux kernel (Xenial HWE) vulnerabilities – 6th June 2017. USN-3312-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages.
- USN-3312-1: Linux kernel vulnerabilities – 6th June 2017. It was discovered that the netfilter netlink implementation in the Linux kernel did not properly validate batch messages. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information or cause a denial of service. (CVE-2016-7917) Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function.
- USN-3313-1: Linux kernel vulnerability – 6th June 2017. It was discovered that a buffer overflow existed in the trace subsystem in the Linux kernel. A privileged local attacker could use this to execute arbitrary code.
- USN-3311-1: libnl vulnerability – 6th June 2017. It was discovered that libnl incorrectly handled memory when performing certain operations. A local attacker could possibly use this issue to cause libnl to crash, resulting in a denial of service, or execute arbitrary code.
- USN-3310-1: lintian vulnerability – 6th June 2017. Jakub Wilk discovered that lintian incorrectly handled deserializing certain YAML files. If a user or automated system were tricked into running lintian on a specially crafted package, a remote attacker could possibly use this issue to execute arbitrary code.
- USN-3309-1: Libtasn1 vulnerability – 5th June 2017. Jakub Jirasek discovered that GnuTLS incorrectly handled certain assignments files. If a user were tricked into processing a specially crafted assignments file, a remote attacker could possibly execute arbitrary code.
- USN-3308-1: Puppet vulnerabilities – 5th June 2017. Dennis Rowe discovered that Puppet incorrectly handled the search path. A local attacker could use this issue to possibly execute arbitrary code. (CVE-2014-3248) It was discovered that Puppet incorrectly handled YAML deserialization. A remote attacker could possibly use this issue to execute arbitrary code on the master.
- USN-3307-1: OpenLDAP vulnerability – 1st June 2017. Karsten Heymann discovered that OpenLDAP incorrectly handled certain search requests. A remote attacker could use this issue to cause slapd to crash, resulting in a denial of service.
- USN-3306-1: libsndfile vulnerabilities – 1st June 2017. Agostino Sarubbo and Jakub Jirasek discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code.