Patches to fix critical vulnerabilities on Linux systems are released; update ASAP

According to vulnerability testing specialists, the software developer Canonical has just announced the release of a set of important security updates for the Linux kernel. According to the report, the updates cover all supported Ubuntu Linux releases and address 28 security vulnerabilities.

Ubuntu plugs code exec, DoS Linux kernel holes

Among all the reported vulnerabilities, the most dangerous one, tracked as CVE-2019-10638, was discovered by researchers Amit Klein and Benny Pinkas and allows threat actors to track Linux devices using the IP ID values generated for offline network protocols. The flaw affects the Linux 5.0, 4.15 and 4.4 kernels used in Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus).

The same team of vulnerability testing specialists also discovered the critical CVE-2019-10639 security flaw, which affects the Linux 4.15 kernel used in Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus). If exploited, this vulnerability could help a remote threat actor exploit a second vulnerability in the Linux kernel, since the kernel's implementation of offline network protocols could expose kernel addresses.

In addition to these critical flaws, Canonical released fixes for two other significant bugs. The first, tracked as CVE-2018-19985, is a flaw in the high-speed USB driver of the Linux kernel. The second, CVE-2019-0136, is an error in the Intel WiFi controller that occurs when a particular Tunneled Direct Link Setup (TDLS) configuration is validated, allowing an attacker within range of the vulnerable device to trigger a denial of service (DoS) condition, disconnect the device from the WiFi network, or even crash the system.

However, the updates don't end there. In addition to fixing critical errors, the company released fixes for other Linux kernel security issues considered less serious. For example, two issues were fixed in the floppy driver that allow buffer overflows, leading to denial-of-service conditions, and infinite loops were fixed in the virtio net driver and in the CFS process scheduler of the Linux kernel.

Vulnerability testing experts also reported a race condition in the DesignWare USB3 DRD driver of the Linux kernel, an out-of-bounds read flaw in the QLogic QEDI iSCSI Initiator driver, as well as two race conditions in the Advanced Linux Sound Architecture (ALSA) subsystem and in the YUREX USB device driver, among other less serious security flaws.

This update also addresses other issues, such as a flaw in the Linux kernel's AppleTalk implementation, errors in the Siano MDTV USB receiver device driver, and another flaw in the Bluetooth BR/EDR protocol specification.

As we can see, although not all of the corrected issues are considered critical, the exploitation of at least two of these vulnerabilities can trigger catastrophic scenarios, so the vulnerability testing specialists from the International Institute of Cyber Security (IICS) recommend that all Ubuntu users update their systems to the latest versions as soon as possible.