Important Kernel Updates Patch 7 Vulnerabilities in All Supported Ubuntu OSes

Share this…

Canonical announced a few hours ago the availability of new kernel updates for all supported Ubuntu Linux operating systems, patching a total of seven security issues across all of them.

In the new Ubuntu Security Notices, the company notes the fact that the Ubuntu 12.04 LTS (Precise Pangolin), Ubuntu 14.04 LTS (Trusty Tahr), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 16.10 (Yakkety Yak) distributions, as well as all of their officially supported derivatives, such as Kubuntu, Xubuntu, Lubuntu, Ubuntu MATE, Ubuntu GNOME, Ubuntu Kylin, Ubuntu Studio, Edubuntu, or Mythbuntu, are affected by the following issue.

Affecting only the Ubuntu 12.04 LTS and Ubuntu 14.04 LTS releases, there’s a security flaw documented as CVE-2016-9555 and discovered by Andrey Konovalov in Linux kernel’s SCTP implementation, which made it to improperly handle validation of incoming data, allowing a remote attacker to crash the affected system via a denial of service.

Additionally, Ubuntu 12.04 LTS is affected by multiple memory leaks (CVE-2016-9685) in the XFS file system support, which could allow a local attacker to cause a denial of service. Users are urged to update their systems as soon as possible to linux-image-3.2.0-121.164 for Ubuntu 12.04 LTS or linux-image-3.13.0-108.155~precise1 for Ubuntu 12.04.5 LTS, as well as linux-image-3.13.0-108.155 for Ubuntu 14.04 LTS or linux-image-4.4.0-62.83~14.04.1 for Ubuntu 14.04.5 LTS.

Two security issues affect Ubuntu 16.04 LTS and five Ubuntu 16.10

Two other kernel vulnerabilities (CVE-2016-10147 and CVE-2016-8399) are affecting both Ubuntu 16.04 LTS and Ubuntu 16.10 releases. The first one was discovered by Mikulas Patocka in Linux kernel’s asynchronous multibuffer cryptographic daemon (mcryptd), which made it to incorrectly handle incompatible algorithms, allowing a local attacker to crash the system via a denial of service.

The second security flaw was discovered by Qidan He in Linux kernel’s Internet Control Message Protocol (ICMP) implementation, causing it to incorrectly check the size of an ICMP header. As such, it would appear that a local attacker with CAP_NET_ADMIN privileges could exploit the kernel vulnerability to expose sensitive information.

Three other security issues (CVE-2016-10150, CVE-2016-8632, and CVE-2016-9777) are affecting only Ubuntu 16.10, and the first one is an use-after-free discovered in Linux kernel’s KVM (Kernel-based Virtual Machine) susbsystem when creating devices, which could have allowed a local attacker to crash the affected system via a denial of service.

The second one is a heap-based buffer overflow discovered by Qian Zhang in Linux kernel’s tipc_msg_build() function, which could allow a local attacker to either execute arbitrary code as root (system administrator) or crash the system via a denial of service. The last one was discovered by Dmitry Vyukov in Linux kernel’s KVM implementation, and it could allow an attacker in a guest virtual machine to crash the system or gain administrative privileges in the host operating system.

Users are urged to update their systems as soon as possible to linux-image-4.4.0-62.83 on Ubuntu 16.04 LTS and linux-image- on Ubuntu 16.10. To update, run the Synaptic Package Manager or Ubuntu Software and install all the available updates. Please reboot your computer after installing the new kernel versions.