Canonical Publishes New Ubuntu Linux Kernel Updates to Fix 20 Vulnerabilities

Kernel Security Vulnerability Ubuntu

Canonical published today new Linux kernel updates for all supported Ubuntu releases to address up to 20 security vulnerabilities affecting all supported kernel flavors.

The new kernel updates are available for Ubuntu 20.10 (Groovy Gorilla), Ubuntu 20.04 LTS (Focal Fossa), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 ESM systems.

For Ubuntu 20.10 and Ubuntu 20.04 LTS systems running Linux kernel 5.8, the new kernel update fixes CVE-2021-20239, a flaw discovered by Ryota Shiga in Linux kernel’s sockopt BPF hooks that could allow a local attacker to exploit another kernel vulnerability, CVE-2021-20268, a flaw discovered in the BPF verifier, which could allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code, and CVE-2021-3178, a flaw discovered in the NFS implementation, which could allow an attacker to bypass NFS access restrictions.

For Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4 LTS, the new kernel update fixes CVE-2021-20194, a flaw discovered by Loris Reiff in the BPF implementation that could allow a local attacker to cause a denial of service (system crash), as well as CVE-2021-26930 and CVE-2021-26931, two flaws discovered in the Xen paravirtualization backend, which could allow an attacker in a guest VM to crash the host domain. These last two flaws were also fixed in Ubuntu 16.04 LTS and Ubuntu 14.04 ESM systems running Linux kernel 4.4 LTS.

For Ubuntu 20.04 LTS systems running Linux kernel 5.10 OEM, the new kernel update addresses CVE-2020-25639, a flaw discovered in the Nouveau GPU driver that could allow a local attacker to crash the system (denial of service), CVE-2021-28375, a vulnerability discovered in the fastrpc driver that could allow a local attacker to gain elevated privileges, CVE-2021-28950, a flaw discovered in the FUSE user space file system implementation, which could allow a local attacker to cause a denial of service, and CVE-2021-28038, a flaw discovered by Jan Beulich in the Xen netback backend that could allow an attacker in a guest VM to crash the host domain, which also affected Ubuntu 16.04 LTS and Ubuntu 14.04 ESM systems running Linux kernel 4.4 LTS.

For Ubuntu 16.04 LTS and Ubuntu 14.04 ESM systems running Linux kernel 4.4 LTS, the new kernel update fixes seven other flaws, including CVE-2015-1350, an issue discovered by Ben Harris in Linux kernel and which could allow a local attacker to cause a denial of service, CVE-2017-16644, a vulnerability discovered by Andrey Konovalov in the video4linux driver for Hauppauge HD PVR USB devices that could allow a physically proximate attacker to crash the system or possibly execute arbitrary code, and CVE-2017-5967, a flaw discovered in the timer stats implementation, which could allow a local attacker could use this to expose sensitive information.

Also fixed were CVE-2019-16231 and CVE-2019-16232, two flaws discovered in the Fujitsu ES network device driver and Marvell 8xxx Libertas WLAN device driver, respectively, which could allow a local attacker to cause a denial of service, CVE-2019-19061, a flaw discovered in the ADIS16400 IIO IMU driver that could allow a local attacker to cause a denial of service (memory exhaustion), as well as CVE-2021-20261, a race condition discovered in the floppy device driver, which could allow an attacker with access to the floppy device to crash the system or execute arbitrary code.

The new kernel updates also fix CVE-2021-3347 and CVE-2021-3348, two flaws discovered in Linux kernel’s priority inheritance futex implementation and network block device (nbd) driver, respectively. These could allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code, and affect several Ubuntu releases, including Ubuntu 20.10 and Ubuntu 20.04 LTS systems running Linux kernel 5.8, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems running Linux kernel 5.4, as well as Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 ESM systems running Linux kernel 4.15.

Last but not least, the new Ubuntu Linux kernel updates fix CVE-2018-13095, a vulnerability discovered by Wen Xu in the XFS file system implementation and affecting Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 ESM systems running Linux kernel 4.15, as well as Ubuntu 16.04 LTS and Ubuntu 14.04 ESM systems running Linux kernel 4.4 LTS. This flaw could allow an attacker to crash the system (denial of service) by creating and mounting a malicious XFS image.

Canonical urges all users to update their installations as soon as possible to the new kernel versions available in the software repositories. To update your system, run the sudo apt update && sudo apt full-upgrade command in the Terminal app or use the Software Updater utility. Please note that after a new kernel update, you’ll have to reboot your computer to make all the necessary changes.

Update 16/04/21: Three more vulnerabilities were fixed in a new kernel update for all supported Ubuntu releases. These include CVE-2021-3493, a flaw discovered in the OverlayFS implementation that could allow a local attacker to gain elevated privileges, CVE-2021-3492, a flaw discovered in the shiftfs file system that could allow a local attacker to cause a denial of service (memory exhaustion) or execute arbitrary code and CVE-2021-29154, a flaw discovered by Piotr Krysiuk in the BPF JIT compiler for x86 that could allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code.

Last updated 3 years ago

Buy Me a Coffee at ko-fi.com