Canonical Released New Ubuntu Kernel Security Update to Fix over 20 Vulnerabilities

Kernel Security Vulnerability Ubuntu


Canonical published today major Linux kernel security updates for all supported Ubuntu releases to address up to 20 security vulnerabilities, urging all users to update their installations.

The most important vulnerabilities patched in this new major Linux kernel update for Ubuntu are a flaw (CVE-2020-25704) discovered in the perf subsystem that could allow a privileged attacker to cause a denial of service (kernel memory exhaustion), and a security issue (CVE-2020-27777) in the PowerPC RTAS implementation, which could allow a privileged local attacker to arbitrarily modify kernel memory and bypass kernel lockdown restrictions.

Also patched in this new Ubuntu kernel security update is a race condition (CVE-2020-25656) in the console keyboard driver, race conditions (CVE-2020-25668) and a read-after-free vulnerability (CVE-2020-29660) in the TTY driver/subsystem, an information leak (CVE-2020-28588) found in the syscall implementation on 32-bit systems, and a flaw (CVE-2020-28974) in the framebuffer console driver. All these flaws could allow a local attacker to expose sensitive information (kernel memory).

Other vulnerabilities could allow a local attacker to cause a denial of service or possibly execute arbitrary code. These include a use-after-free in the Sun keyboard driver (CVE-2020-25669), an out-of-bounds read vulnerability (CVE-2020-27815) in the JFS file system implementation, two flaws (CVE-2020-27830 and CVE-2020-28941) in the Speakup screen reader driver, a use-after-free vulnerability (CVE-2020-27835) in the InfiniBand HFI1 device driver, and another race condition in the TTY subsystem (CVE-2020-29661).

Four other vulnerabilities patched in the new Ubuntu kernel security update affect cloud users. These are CVE-2020-27673, CVE-2020-29568, and CVE-2020-29569, three flaws discovered in Xen’s dom0 event handler, event processing backend, and paravirt block backend that could allow an attacker in a guest VM to cause a denial of service in the host OS, as well as CVE-2020-27675, a race condition discovered that the Xen event channel infrastructure, which could allow an attacker in guest to cause a denial of service (dom0 crash).

Affecting only Ubuntu 20.10 and 20.04.2 LTS users running Linux kernel 5.8, the new kernel security update addresses a race condition (CVE-2020-35508) that could allow a local attacker to send signals to arbitrary processes. Also patched is a vulnerability (CVE-2021-20177) found in the netfilter subsystem that affected only Ubuntu 20.04 LTS and Ubuntu 18.04.5 LTS users running Linux kernel 5.4 and could allow a local attacker with the
CAP_NET_ADMIN capability to cause a denial of service.

Last but not least, the new Ubuntu kernel security update addresses a vulnerability (CVE-2020-29374) discovered in Linux kernel’s memory management subsystem, which could allow a local attacker to gain unintended write access to read-only memory pages. This flaw only affected Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 ESM users running either Linux kernel 4.15 or 4.4 LTS.

In addition to these security fixes, Canonical also released today new OEM kernel updates for Ubuntu 20.04 LTS systems running Linux kernel 5.10 OEM to fix CVE-2020-28374, a flaw discovered in the LIO SCSI target implementation that could allow an attacker with access to at least one LUN in a multiple backstore environment to expose sensitive information or modify data, and Ubuntu 20.04 LTS system running Linux kernel 5.6 to fix 20 vulnerabilities detailed in this security advisory.

Canonical urges all Ubuntu users to update their installations as soon as possible. To update your Ubuntu system to the new kernel versions, you must run the sudo apt update && sudo apt full-upgrade command in the Terminal app or use the Software Updater utility. Don’t forget to reboot your computer after the new kernel versions were successfully installed.

Last updated 5 months ago