What an actual assessment of Ubuntu kernel security updates looks like
Ubuntu recently released some of their usual not particularly helpful kernel security update announcements and I tweeted:
Another day, another tedious grind through Ubuntu kernel security announcements to do the assessment that Ubuntu should be doing already.
I have written about the general sorts of things we want to know about kernel security updates, but there's nothing like a specific example (and @YoloPerdiem asked). So here is essentially the assessment email that I sent to my co-workers.
First, the background. We currently have Ubuntu 16.04 LTS, 14.04 LTS, and 12.04 LTS systems, so we care about security updates for the mainline kernels for all of those (we aren't using any of the special ones). The specific security notices I was assessing are USN-3206-1 (12.04), USN-3207-1 (14.04), and USN-3208-1 (16.04). I didn't bother looking at CVEs that require hardware or subsytems that we don't have or use, such as serial-to-USB hardware (CVE-2017-5549) or KVM (several CVEs here). We also don't update kernels just for pure denial of service issues (eg CVE-2016-9191, which turns out to require containers anyway), because our users already have plenty of ways to make our systems crash if they want to.
So here is a slightly edited and cleaned up version of my assessment email:
Subject: Linux kernel CVEs and my assessment of them
16.04 is only affected by CVE-2017-6074, which we've mitigated, and
CVE-2016-10088, which doesn't apply to us because we don't have
people who can access
12.04 and 14.04 are both affected by additional CVEs that are use-after-frees. They are not explicitly exploitable so far, but CVE-2017-6074 is also a use-after-free and is said to be exploitable with an exploit released soon, so I think they are probably equally dangerous.
[Local what-to-do discussion elided.]
Andrey Konovalov discovered a use-after-free vulnerability in the DCCP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
Dmitry Vyukov discovered a use-after-free vulnerability in the sys_ioprio_get() function in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
The latter URL has a program that reproduces it, but it's not clear if this can be exploited to do more than crash. But CVE-2017-6074's use-after-free is apparently exploitable, so...
It was discovered that a use-after-free vulnerability existed in the block device layer of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
Oh look, another use-after-free issue. Ubuntu's own link for the issue says 'allows local users to gain privileges by leveraging the execution of [...]' although their official release text is less alarming.
It was discovered that the generic SCSI block layer in the Linux kernel did not properly restrict write operations in certain situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges.
Finally some good news! As far as I can tell from Ubuntu's actual
this is only exploitable if you have access to a
and on our machines people don't.
(The actual email was plain text, so the various links were just URLs dumped into the text.)
As you can maybe see from this, doing a proper assessment requires
reading at least the detailed Ubuntu CVE information in order to
work out under what circumstances the issue can be triggered, for
instance to know that CVE-2016-10088 requires access to a
device. Not infrequently you have to go chasing further; for
example, only Andrey Konovalov's initial notice mentions that he will
release an exploit in a few days. In this case we could mitigate
the issue anyways by blacklisting the DCCP modules, but in other
cases 'an exploit will soon be released' drastically raises the
importance of a security exposure (at least for us).
The online USN pages usually link to Ubuntu's pages on the CVEs they include, but the email announcements that Ubuntu sends out don't. Ubuntu's CVE pages usually have additional links, but not a full set; often I wind up finding Debian's page on a CVE because they generally have a full set of search links for elsewhere (eg Debian's CVE-2016-9191 page). I find that sometimes the Red Hat or SuSE bug pages will have the most technical detail and thus help me most in understanding the impact of a bug and how exposed we are.
The amount of text that I wind up writing in these emails is generally
way out of proportion to the amount of reading and searching I have
to do to figure out what to write. Everything here is a sentence
or two, but getting to the point where I could write those is the
slog. And with CVE-2017-6074, I had to jump in to set up and test
an entire mitigation of blacklisting all the DCCP modules via a new
/etc/modprobe.d file and then propagating that file around to all
of our Ubuntu machines.