Several patches have been released for Ubuntu, addressing vulnerabilities in the Linux kernel, including a use-after-free and a timing side-channel vulnerability.
Ubuntu patches kernel exploits
Ubuntu has received security updates for several vulnerabilities that could be exploited for denial-of-service (DoS) attacks and arbitrary code execution. Released on Wednesday, the advisory recommends users to patch if they are running 14.04 LTS (long term support) or any derivative builds. Over eight vulnerabilities have been patched in Ubuntu 14 and Ubuntu 15 variants, including Trusty Tahr, Utopic Unicorn, Wily Werewolf, and Raspberry Pi 2, SecurityWeek has reported.
Four of these flaws affect Ubuntu 14.04, one of which is a use-after-free vulnerability (CVE-2015-8812) in the CXGB3 driver, discovered by Venkatesh Pottem of Red Hat Engineering. The latest patch fixes this flaw where a local attacker could exploit the vulnerability to carry out a DoS attack, causing the system to crash, possibly allowing for arbitrary code execution.
Found by David Herrmann, the second vulnerability (CVE-2016-2550) is triggered because the Linux kernel “incorrectly accounted file descriptors to the original opener for in-flight file descriptors sent over a unix domain socket." This flaw could also be exploited to carry out DoS attacks by a local, unauthenticated attacker.
A third issue (CVE-2016-2085) was discovered by Xiaofei Rex Guo where he discovered that an attacker could disrupt the integrity of the system by exploiting a timing side channel vulnerability. This flaw existed in the Linux Extended Verification Module (EVM). EVM prevents tampering in the Linux kernel and helps validating extended attributes before allowing operations on the files.
The fourth resource exhaustion issue (CVE-2016-2847) was discovered, where the kernel failed to enforce limits on the amount of data allocated to buffer pipes. This flaw also would have exhausted the resources.
A few other security issues were also fixed in other versions of Ubuntu, including in Debian. Some of these exploits also affect Red hat products, however, they are being termed of low or medium severity. While Red Hat is yet to release the patch, users on Ubuntu 12.04 LTS and 15.10 are recommended to update to get the patch for the vulnerabilities affecting their systems.