Canonical published new Ubuntu kernels for all supported Ubuntu releases to address Secure Boot bypass flaws and other security vulnerabilities.
Available for Ubuntu 20.04 LTS (Focal Fossa), Ubuntu 18.04 LTS (Bionic Beaver), and Ubuntu 16.04 LTS (Xenial Xerus), the new Linux kernel updates are here to address two vulnerabilities (CVE-2019-20908 and CVE-2020-15780) discovered by Jason A. Donenfeld in the ACPI implementation, which could allow a privileged attacker to bypass Secure Boot lockdown restrictions and execute arbitrary code in the kernel.
CVE-2019-20908 affects the Linux 4.15 kernels in Ubuntu 18.04 LTS and Ubuntu 16.04.6 LTS systems, as well as the Linux 4.4 kernel of Ubuntu 16.04 LTS and Ubuntu 14.04 ESM systems. On the other hand, CVE-2020-15780 affects the Linux 5.4 kernels in Ubuntu 20.04 LTS and Ubuntu 18.04.4 LTS systems, as well as the Linux 4.15 kernel in Ubuntu 18.04 LTS and Ubuntu 16.04.6 LTS systems.
Another vulnerability patched in this security update, CVE-2020-11935, affects all supported Ubuntu releases and kernels, and could allow a local attacker to cause a denial of service. The issue was discovered by Mauricio Faria de Oliveira in the Linux kernel’s AUFS implementation.
On Ubuntu 20.04 LTS and Ubuntu 18.04.4 LTS systems running Linux kernel 5.4, the security patch also fixes CVE-2019-16089 and CVE-2019-19462, two issues discovered in the network block device (nbd) implementation and the kernel->user space relay implementation respectively, which could allow an attacker to cause a denial of service (system crash).
An important security vulnerability (CVE-2020-10757) was also patched on Ubuntu 18.04 LTS and Ubuntu 16.04.6 LTS systems running Linux kernel 4.15. The flaw was discovered by Fan Yang in the Linux kernel’s mremap implementation, which failed to handle DAX Huge Pages, thus allowing a local attacker with access to DAX storage to gain administrative privileges.
Last but not least, Ubuntu 16.04 LTS systems running Linux kernel 4.4 were affected by several other vulnerabilities, including CVE-2020-10766, CVE-2020-10767 and CVE-2020-10768, which caused the Linux kernel to incorrectly apply the Speculative Store Bypass Disable (SSBD), Indirect Branch Predictor Barrier (IBPB) and Indirect Branch Restricted Speculation (IBRS) mitigations. These security issues could allow a local attacker to expose sensitive information.
Also fixed are flaws discovered in the Kvaser CAN/USB driver (CVE-2019-19947), go7007 USB audio device driver (CVE-2019-20810), ELF handling code (CVE-2020-10732), Virtual Terminal keyboard driver (CVE-2020-13974), and EFI subsystem (CVE-2019-12380). These could allow local attackers to either cause a denial of service (system crash) or possibly expose sensitive information (kernel memory).
All Ubuntu users are urged to update their systems as soon as possible to the new Linux kernel versions, linux-image 5.4.0-42.46 for Ubuntu 20.04 LTS, linux-image 5.4.0-42.46~18.04.1 for Ubuntu 18.04.4 LTS, linux-image 4.15.0-112.113 for Ubuntu 18.04 LTS, linux-image 4.15.0-112.113~16.04.1 for Ubuntu 16.04.6 LTS, and linux-image 4.4.0-186.216 for Ubuntu 16.04 LTS.
To update, simply run the Software Updater utility and apply all available updates or use the command below in a terminal window. Please remember to reboot your computers after installing the new Linux kernel versions, as well as to recompile and reinstall any third-party kernel modules you might have installed.
sudo apt-get update && sudo apt-get full-upgrade
After restart, you can check the kernel version you’re running with the following command.
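As an added example (not part of the original article), the script below takes the release string printed by uname -r and compares it against the fixed kernel versions listed above. The function names are hypothetical, and it assumes that only the generic and lowlatency flavours share these ABI numbers; uname -r omits the upload number (the ".46" in 5.4.0-42.46), so only the ABI number is compared.

```shell
#!/bin/sh
# Added example: compare a `uname -r` string against the fixed kernel
# versions listed in this article (5.4.0-42, 4.15.0-112, 4.4.0-186).

# Minimum fixed ABI number for each kernel series named in the article.
fixed_abi() {
    case "$1" in
        5.4.0)  echo 42 ;;
        4.15.0) echo 112 ;;
        4.4.0)  echo 186 ;;
        *)      return 1 ;;
    esac
}

# kernel_status RELEASE -> prints "patched", "outdated" or "unknown".
# RELEASE looks like "5.4.0-42-generic" (base version, ABI, flavour).
kernel_status() {
    base=${1%%-*}        # e.g. "5.4.0"
    rest=${1#*-}         # e.g. "42-generic"
    abi=${rest%%-*}      # e.g. "42"
    flavour=${rest#*-}   # e.g. "generic"

    # Assumption: other flavours (cloud, OEM, ...) use different ABI numbers,
    # which the article does not list, so they are reported as unknown.
    case "$flavour" in
        generic|lowlatency) ;;
        *) echo unknown; return 0 ;;
    esac

    # Reject a missing or non-numeric ABI field.
    case "$abi" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    min=$(fixed_abi "$base") || { echo unknown; return 0; }
    if [ "$abi" -ge "$min" ]; then
        echo patched
    else
        echo outdated
    fi
}

# Report on the kernel that is actually running (after the reboot).
echo "$(uname -r): $(kernel_status "$(uname -r)")"
```

An "outdated" result after installing the update usually means the machine has not been rebooted into the new kernel yet.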