Urgent: Ubuntu update! Kernel vulnerabilities discovered that could lead to denial of service or arbitrary code execution
Ubuntu is a Linux distribution aimed primarily at desktop use. It is free, open-source software that provides a robust, feature-rich computing environment suitable for both home and business use, and commercial support for it is provided to hundreds of companies around the world.
On December 2, 2020, Ubuntu released a security update (USN-4658-1) that fixes several important Linux kernel vulnerabilities, including ones that allow denial of service and possibly arbitrary code execution. The vulnerability details follow.
Vulnerability details
Source: https://ubuntu.com/security/notices/USN-4658-1
1.CVE-2020-0423 CVSS score: 7.8 High
A race condition exists in the binder IPC implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could exploit this vulnerability to cause a denial of service (system crash) or possibly execute arbitrary code.
2.CVE-2020-25645 CVSS score: 7.5 High
The GENEVE tunnel implementation in the Linux kernel, when combined with IPsec, did not properly select IP routes in some situations. An attacker could exploit this to expose sensitive information (unencrypted network traffic).
3.CVE-2020-25643 CVSS score: 7.2 High
The HDLC PPP implementation in the Linux kernel did not properly validate input in some situations. A local attacker could exploit this to cause a denial of service (system crash) or possibly execute arbitrary code.
4.CVE-2020-25211 CVSS score: 6.0 Medium
The netfilter connection tracker for netlink in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could exploit this to cause a denial of service (system crash).
5.CVE-2020-14390 CVSS score: 5.6 Medium
The framebuffer implementation in the Linux kernel did not properly handle some edge cases in software scrollback. A local attacker could exploit this to cause a denial of service (system crash) or possibly execute arbitrary code.
6.CVE-2020-28915 CVSS score: 5.5 Medium
The framebuffer implementation in the Linux kernel did not properly perform range checks in some situations. A local attacker could exploit this to expose sensitive information (kernel memory).
7.CVE-2020-10135 CVSS score: 5.4 Medium
Legacy pairing and Secure Connections pairing authentication in the Bluetooth protocol could allow an unauthenticated user with adjacent access to complete authentication without pairing credentials. A physically proximate attacker could exploit this to impersonate a previously paired Bluetooth device.
8.CVE-2020-25284 CVSS score: 4.1 Low
The Rados block device (rbd) driver in the Linux kernel did not properly perform privilege checks on rbd devices in some situations. A local attacker could exploit this to map or unmap rbd block devices.
9.CVE-2020-4788 CVSS score: 2.9 Low
Under certain conditions, Power9 processors could be made to expose information from the L1 cache. A local attacker could exploit this to expose sensitive information.
Affected products and versions
These vulnerabilities affect the 5.4 kernels of Ubuntu 20.04 LTS and Ubuntu 18.04 LTS (on 18.04, the HWE kernel).
Solution
These issues can be resolved by updating the system to the following package versions. A kernel update only takes effect after the system has been rebooted into the new kernel.
Ubuntu 20.04:
linux-image-5.4.0-1028-kvm - 5.4.0-1028.29
linux-image-5.4.0-1030-aws - 5.4.0-1030.31
linux-image-5.4.0-1030-gcp - 5.4.0-1030.32
linux-image-5.4.0-1030-oracle - 5.4.0-1030.32
linux-image-5.4.0-1032-azure - 5.4.0-1032.33
linux-image-5.4.0-56-generic - 5.4.0-56.62
linux-image-5.4.0-56-generic-lpae - 5.4.0-56.62
linux-image-5.4.0-56-lowlatency - 5.4.0-56.62
linux-image-aws - 5.4.0.1030.31
linux-image-azure - 5.4.0.1032.30
linux-image-gcp - 5.4.0.1030.38
linux-image-generic - 5.4.0.56.59
linux-image-generic-hwe-20.04 - 5.4.0.56.59
linux-image-generic-lpae - 5.4.0.56.59
linux-image-generic-lpae-hwe-20.04 - 5.4.0.56.59
linux-image-gke - 5.4.0.1030.38
linux-image-kvm - 5.4.0.1028.26
linux-image-lowlatency - 5.4.0.56.59
linux-image-lowlatency-hwe-20.04 - 5.4.0.56.59
linux-image-oem - 5.4.0.56.59
linux-image-oem-osp1 - 5.4.0.56.59
linux-image-oracle - 5.4.0.1030.27
linux-image-virtual - 5.4.0.56.59
linux-image-virtual-hwe-20.04 - 5.4.0.56.59
Ubuntu 18.04:
linux-image-5.4.0-1030-aws - 5.4.0-1030.31~18.04.1
linux-image-5.4.0-1030-gcp - 5.4.0-1030.32~18.04.1
linux-image-5.4.0-1030-oracle - 5.4.0-1030.32~18.04.1
linux-image-5.4.0-1032-azure - 5.4.0-1032.33~18.04.1
linux-image-5.4.0-56-generic - 5.4.0-56.62~18.04.1
linux-image-5.4.0-56-generic-lpae - 5.4.0-56.62~18.04.1
linux-image-5.4.0-56-lowlatency - 5.4.0-56.62~18.04.1
linux-image-aws - 5.4.0.1030.15
linux-image-azure - 5.4.0.1032.14
linux-image-gcp - 5.4.0.1030.18
linux-image-generic-hwe-18.04 - 5.4.0.56.62~18.04.50
linux-image-generic-lpae-hwe-18.04 - 5.4.0.56.62~18.04.50
linux-image-lowlatency-hwe-18.04 - 5.4.0.56.62~18.04.50
linux-image-oem-osp1 - 5.4.0.56.62~18.04.50
linux-image-oracle - 5.4.0.1030.14
linux-image-snapdragon-hwe-18.04 - 5.4.0.56.62~18.04.50
linux-image-virtual-hwe-18.04 - 5.4.0.56.62~18.04.50
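To confirm that a host is actually running a fixed kernel rather than merely having one installed, the following shell script (an added example, not part of the Ubuntu notice) compares the running kernel release string, as printed by uname -r, with the minimum fixed ABI numbers transcribed from the package list above. The function names kernel_status and fixed_abi are my own. The script only judges 5.4.0 kernels of the flavours that appear in the list; any other kernel is reported as not covered by this notice rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the Ubuntu advisory): decide whether a running
# 5.4.0 kernel on Ubuntu 20.04 / 18.04 is at or above the ABI fixed by
# USN-4658-1. Minimum patched ABI numbers are taken from the package list:
#   generic / generic-lpae / lowlatency  -> 5.4.0-56
#   kvm                                  -> 5.4.0-1028
#   aws / gcp / oracle                   -> 5.4.0-1030
#   azure                                -> 5.4.0-1032
# To remediate:  sudo apt update && sudo apt upgrade && sudo reboot

# fixed_abi FLAVOUR -> prints the minimum patched ABI number for that
# flavour; returns 1 for a flavour this notice does not list.
fixed_abi() {
    case "$1" in
        generic|generic-lpae|lowlatency) echo 56 ;;
        kvm)                             echo 1028 ;;
        aws|gcp|oracle)                  echo 1030 ;;
        azure)                           echo 1032 ;;
        *)                               return 1 ;;
    esac
}

# kernel_status RELEASE -> prints one of: patched | vulnerable | not-covered
# RELEASE is the uname -r string, e.g. 5.4.0-55-generic or 5.4.0-1030-aws.
kernel_status() {
    rel=$1
    case "$rel" in
        5.4.0-*-*) ;;                                # the only series in this USN
        *) echo not-covered; return 0 ;;
    esac
    rest=${rel#5.4.0-}                               # 55-generic-lpae
    abi=${rest%%-*}                                  # 55
    flavour=${rest#*-}                               # generic-lpae
    case "$abi" in
        ''|*[!0-9]*) echo not-covered; return 0 ;;   # ABI must be a plain number
    esac
    min=$(fixed_abi "$flavour") || { echo not-covered; return 0; }
    if [ "$abi" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Report on the kernel this host has actually booted.
echo "running kernel $(uname -r): $(kernel_status "$(uname -r)")"
```

uname -r reports the booted kernel, not the newest installed one, so a host that has run apt upgrade but not yet rebooted still reports vulnerable, which is the correct answer. Meta-packages such as linux-image-gke or linux-image-oem have no kernel image of their own in the list above; they pull in one of the listed flavours, so it is the running kernel's name, not the meta-package name, that the check compares.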
For the full list of affected packages and the official update instructions, see the Ubuntu Security Notice:
https://ubuntu.com/security/notices/USN-4658-1