Canonical published today new Linux kernel updates for all of its supported Ubuntu releases to address several security vulnerabilities discovered by various researchers in the upstream Linux kernels.
The new Ubuntu kernel security updates are available for Ubuntu 21.04 (Hirsute Hippo), Ubuntu 20.10 (Groovy Gorilla), Ubuntu 20.04 LTS (Focal Fossa), Ubuntu 18.04 LTS (Bionic Beaver), as well as as for the ESM (Extended Security Maintenance) branches of Ubuntu 16.04 and Ubuntu 14.04.
Patched in these kernel updates is CVE-2021-33909, a 7-years-old privilege escalation flaw discovered by Qualys Research Labs in Linux kernel’s file system layer, which could allow an unprivileged user to create, mount, and then delete a large directory structure of over 1GB in size. This flaw affected all supported Ubuntu releases.
Only for Ubuntu 20.10, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS systems, the new kernel updates address CVE-2021-32399, a race condition discovered in Linux kernel’s Bluetooth subsystem that could lead to a use-after-free of slab objects, allowing an attacker to execute arbitrary code, and CVE-2021-23134, a use-after-free vulnerability discovered by Nadav Markus in the NFC implementation, which could allow a privileged local attacker to crash the system or execute arbitrary code.
Also fixed for Ubuntu 20.10, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS systems is CVE-2021-33034, a use-after-free vulnerability discovered in Linux kernel’s Bluetooth HCI driver that could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.
Only for Ubuntu 20.10 and Ubuntu 20.04 LTS systems, there’s a fix for CVE-2021-3506, an out-of-bounds (OOB) memory access flaw discovered in the F2FS module, which could allow a local attacker to cause a denial of service (system crash).
Only for Ubuntu 20.04 LTS and Ubuntu 18.04 LTS systems, the new kernel updates patch CVE-2020-26558 and CVE-2021-0129, two flaws discovered in Linux kernel’s Bluetooth subsystem that could allow an authenticated attacker to expose sensitive information.
And lastly, affecting only Ubuntu 18.04 LTS systems, the kernel updates fix CVE-2021-33200 and CVE-2021-31829, two flaws discovered by Piotr Krysiuk in the eBPF implementation that could allow a local attacker to cause a denial of service (system crash), execute arbitrary code, or expose sensitive information (kernel memory).
Also fixed are several nastly flaws discovered by Mathy Vanhoef in Linux kernel’s Wi-Fi implementation, namely CVE-2020-24586, which could let a physically proximate attacker to inject packets or expose sensitive information, CVE-2020-24587, which could allow a physically proximate attacker to decrypt fragments, CVE-2020-26139, which could allow a physically proximate attacker to inject malicious packets to crash the system, and CVE-2020-26147, which could allow a physically proximate attacker to inject packets or exfiltrate selected fragments.
Canonical urges all Ubuntu users to update their systems as soon as possible to the new kernel versions available in the stable software repositories of Ubuntu 21.04, Ubuntu 20.10, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 ESM, and Ubuntu 14.04 ESM. To update your installations, simply run the
sudo apt update && sudo apt full-upgrade command in the Terminal app, or use the Software Updater utility. Please keep in mind to reboot your systems after installing the new kernel versions!
Last updated 3 months ago