Ubuntu 21.04 Users Get Major Kernel Security Update, 17 Vulnerabilities Patched

Ubuntu 21.04 Kernel

Canonical released today a new major Linux kernel security update for the Ubuntu 21.04 (Hirsute Hippo) release to address a total of 17 security vulnerabilities.

The new Linux kernel security patch is here about a month and a half after Ubuntu 21.04’s first kernel update and fixes no less than seven security vulnerabilities (CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26141, CVE-2020-26145, CVE-2020-26147) discovered by Mathy Vanhoef in Linux kernel’s Wi-Fi implementation, which could allow a physically proximate attacker to inject packets, decrypt fragments, exfiltrate selected fragments, expose sensitive information or cause a denial of service (system crash).

The new Ubuntu 21.04 kernel update also patches a race condition (CVE-2021-32399) and a use-after-free flaw (CVE-2021-33034) discovered in Linux kernel’s Bluetooth subsystem and Bluetooth HCI driver respectively. These issues could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code.

Another race condition (CVE-2021-3609), discovered by Norbert Slusarek in Linux kernel’s CAN BCM networking, which could lead to multiple use-after-free vulnerabilities, could be used by a local attacker to execute arbitrary
code and was patched in this kernel security update.

Also patched is a use-after-free vulnerability (CVE-2021-23134) discovered by Or Cohen and Nadav Markus in Linux kernel’s NFC implementation, which could allow a privileged local attacker to cause a denial of service (system crash) or execute arbitrary code. Or Cohen also discovered a race condition (CVE-2021-23133) in the SCTP implementation, which could lead to a use-after-free condition and allow a local attacker to crash the system by causing a denial of service or execute arbitrary code.

No less than three flaws were patched in Linux kernel’s extended Berkeley Packet Filter (eBPF) implementation, namely CVE-2021-33200, CVE-2021-31440 and CVE-2021-31829. These were discovered by Piotr Krysiuk and Manfred Paul, and could allow a local attacker to execute arbitrary code, cause a denial of service (system crash) or expose sensitive information (kernel memory).

Lastly, the new Ubuntu 21.04 kernel security update addresses a null pointer dereference (CVE-2021-3543) discovered by Mathias Krause in Linux kernel’s Nitro Enclaves kernel driver, which could allow a local attacker to either cause a denial of service or execute arbitrary code, as well as an out-of-bounds (OOB) memory access flaw (CVE-2021-3506) discovered in Linux kerne’s F2FS module, which could allow a local attacker to cause a denial of service (system crash).

The new kernel update is available right now for Ubuntu 21.04 (Hirsute Hippo) users on 64-bit (x86_64/amd64), ARM64 (Raspberry Pi (V8)), Amazon Web Services (AWS), Google Cloud Platform (GCP), Oracle Cloud, and Microsoft Azure Cloud systems. Canonical urges everyone to update their installations to the new kernel version for their architecture as soon as possible.

To update, run the sudo apt update && sudo apt full-upgrade command in the Terminal app or use the Software Updater graphical utility. Please note that, after a kernel update, you’ll have to reboot your system to make all the necessary changes. Also, you may also have to rebuild and reinstall any third-party kernel modules you might have installed.

Last updated 5 months ago