
Patches to fix critical vulnerabilities on Linux systems are released; update ASAP

Canonical, the company behind Ubuntu, has announced a set of important security updates for the Linux kernel. According to the report, the updates cover all supported Ubuntu Linux releases and address 28 security vulnerabilities.

Among the reported vulnerabilities, the most dangerous one, tracked as CVE-2019-10638, was discovered by researchers Amit Klein and Benny Pinkas. It allows threat actors to track Linux devices through the IP ID values the kernel generates for connectionless network protocols, which were not sufficiently randomized. The affected kernels are the Linux 5.0, 4.15 and 4.4 kernels shipped with Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus).

The same team of researchers also discovered the critical CVE-2019-10639 flaw, which affects the Linux 4.15 kernel used in Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus). Through the same IP ID generation for connectionless protocols, the kernel could expose kernel addresses to a remote threat actor, weakening kernel address space layout randomization and making it easier to exploit a second vulnerability in the Linux kernel.
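To make the tracking mechanism behind CVE-2019-10638 concrete, here is an added example (not code from Canonical, Ubuntu or the researchers) that models it in Python at reduced scale. In the affected kernels the IP ID of each connectionless-protocol datagram is taken from one of 2048 counters, chosen by hashing the source address, destination address and protocol with a secret drawn once per boot. Two destinations whose hashes collide share a counter, so an attacker who can make the host send datagrams to addresses under their control can detect collisions from the ID sequence, and the set of collisions depends only on the per-boot secret, which therefore becomes a device identifier that survives a change of IP address. The toy below shrinks the table to 256 counters and the secret to 16 bits so the brute force finishes in about a second, uses a keyed BLAKE2b in place of the kernel's jhash_3words, and uses unit counter increments where the real kernel adds a time-dependent random step; the class and function names, the seed and the sample addresses are assumptions made for the example.

```python
"""Toy model of the IP ID tracking flaw (CVE-2019-10638). Added example, not
kernel or researcher code: table, secret and hash are scaled down."""
import hashlib
import ipaddress
import itertools
import random

BUCKETS = 256   # assumption: the real ip_idents[] table has 2048 counters
KEY_BITS = 16   # assumption: the real per-boot secret (ip_idents_hashrnd) has 32 bits
UDP = 17        # connectionless protocol: every datagram consumes a fresh IP ID


def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def bucket_index(key: int, saddr: int, daddr: int, proto: int = UDP) -> int:
    """Counter chosen for a (src, dst, proto) tuple. Keyed BLAKE2b stands in
    for the kernel's jhash_3words(daddr, saddr, proto ^ net_hash_mix, hashrnd)."""
    data = daddr.to_bytes(4, "big") + saddr.to_bytes(4, "big") + bytes([proto])
    digest = hashlib.blake2b(data, key=key.to_bytes(2, "big"), digest_size=2).digest()
    return int.from_bytes(digest, "big") % BUCKETS


class ToyLinuxHost:
    """The victim: one secret per boot plus a table of shared IP ID counters."""

    def __init__(self, seed: int) -> None:
        rng = random.Random(seed)
        self.key = rng.getrandbits(KEY_BITS)          # never leaves the host
        self.idents = [rng.getrandbits(16) for _ in range(BUCKETS)]

    def send_datagram(self, saddr: int, daddr: int) -> int:
        """IP ID placed in the next datagram from saddr to daddr (unit step here;
        the real kernel adds a time-dependent random step on top)."""
        b = bucket_index(self.key, saddr, daddr)
        ip_id = self.idents[b]
        self.idents[b] = (ip_id + 1) & 0xFFFF
        return ip_id


def attacker_destinations(n: int) -> list:
    """Constructed sample: n attacker-controlled addresses in TEST-NET-3."""
    return [ip("203.0.113.0") + i for i in range(1, n + 1)]


def true_collisions(key: int, saddr: int, dsts: list) -> set:
    """Ground truth (needs the secret): destination pairs sharing a counter."""
    return {(a, b) for a, b in itertools.combinations(sorted(dsts), 2)
            if bucket_index(key, saddr, a) == bucket_index(key, saddr, b)}


def find_collisions(host: ToyLinuxHost, saddr: int, dsts: list) -> set:
    """Attacker side: make the host send to a, then b, then a again. If a and b
    share a counter the second ID for a is the first plus 2, otherwise plus 1."""
    shared = set()
    for a, b in itertools.combinations(sorted(dsts), 2):
        first = host.send_datagram(saddr, a)
        host.send_datagram(saddr, b)
        second = host.send_datagram(saddr, a)
        if (second - first) & 0xFFFF == 2:
            shared.add((a, b))
    return shared


def recover_key(saddr: int, dsts: list, collisions: set) -> set:
    """Brute-force every secret reproducing the observed pattern (collisions and
    non-collisions alike). Colliding pairs are tested first for early rejection."""
    ordered = []
    for d in [d for pair in sorted(collisions) for d in pair] + sorted(dsts):
        if d not in ordered:
            ordered.append(d)
    candidates = set()
    for key in range(1 << KEY_BITS):
        seen = {}                                  # dst -> bucket under this key
        consistent = True
        for d in ordered:
            b = bucket_index(key, saddr, d)
            for other, ob in seen.items():
                if (b == ob) != ((min(d, other), max(d, other)) in collisions):
                    consistent = False
                    break
            if not consistent:
                break
            seen[d] = b
        if consistent:
            candidates.add(key)
    return candidates


def device_id(host: ToyLinuxHost, saddr: int, dsts: list) -> set:
    """Whole attack from one vantage point: probe the host, then recover the secret."""
    return recover_key(saddr, dsts, find_collisions(host, saddr, dsts))


if __name__ == "__main__":
    victim = ToyLinuxHost(seed=2019)
    dsts = attacker_destinations(96)
    at_home = device_id(victim, ip("192.0.2.10"), dsts)     # victim on one network
    at_cafe = device_id(victim, ip("198.51.100.77"), dsts)  # same boot, new address
    print("same device identified on both networks:", at_home & at_cafe == {victim.key})
```

Run stand-alone, the block probes the toy host from two different source addresses and recovers the same 16-bit secret from both, which is exactly what makes the secret usable as a device identifier across networks until the next reboot. Against the real kernel the same idea required a much larger brute force over the 32-bit secret, and the upstream fix replaced the hash used to pick the counter with a keyed SipHash so that observed collisions no longer relate to a recoverable fixed secret.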

In addition to these critical flaws, Canonical released fixes for two other significant bugs. The first, tracked as CVE-2018-19985, is a flaw in the Linux kernel's Option USB High Speed (hso) driver. The second, CVE-2019-0136, is an error in the Intel Wi-Fi driver that occurs when a particular Tunneled Direct Link Setup (TDLS) configuration is validated, allowing an attacker within wireless range of the vulnerable device to trigger a denial of service (DoS) condition, disconnect the device from the Wi-Fi network, or even crash the system.

However, the updates don't end there. Besides the critical errors, the company also released fixes for other Linux kernel security issues considered less serious. For example, two issues were fixed in the floppy driver that allow buffer overflows leading to denial-of-service conditions, along with infinite loops in the virtio net driver and in the Completely Fair Scheduler (CFS), the Linux kernel's process scheduler.

The vulnerability testing experts also reported a race condition in the DesignWare USB3 DRD driver, an out-of-bounds read in the QLogic QEDI iSCSI Initiator driver, two race conditions in the Advanced Linux Sound Architecture (ALSA) subsystem, a flaw in the YUREX USB device driver, and other less serious security flaws.

This update also addresses other issues, such as a flaw in the Linux kernel's AppleTalk implementation, errors in the Siano MDTV USB receiver driver, and a weakness in the Bluetooth BR/EDR protocol specification.

As we can see, although not all of the corrected issues are rated critical, exploiting at least two of them can lead to serious compromise, so the vulnerability testing specialists from the International Institute of Cyber Security (IICS) recommend that all Ubuntu users update their systems to the latest kernel versions as soon as possible. Note that a kernel update only takes effect once the system has been rebooted into the new kernel.
