Users are urged to update their system immediately

Feb 22, 2017 22:01 GMT

Canonical published today, February 22, 2017, multiple security advisories to inform Ubuntu users about the availability of new kernel updates for their Linux-based operating systems.

All supported Ubuntu releases are affected by multiple kernel vulnerabilities discovered recently by various developers and hackers, including Ubuntu 16.04 LTS (Xenial Xerus), which received its second point release, versioned 16.04.2, last week with the Linux kernel 4.8 packages from Ubuntu 16.10 (Yakkety Yak).

We usually publish a single article with all the common kernel vulnerabilities fixed by the new updates, but this time we separated Ubuntu 16.04 LTS from the rest because it appears to have the most patches. A total of seven security issues were documented by Canonical in Ubuntu Security Notice USN-3208-1.

Here are the security issues affecting Ubuntu 16.04 LTS

The first security issue (CVE-2016-10088) affecting Ubuntu 16.04 LTS was discovered in the Linux kernel's generic SCSI block layer, which did not correctly restrict write operations, allowing a local attacker to either gain root access or crash the vulnerable system (a denial of service).

The second kernel vulnerability (CVE-2016-9191) was discovered by CAI Qian in Linux kernel's sysctl implementation, which incorrectly performed reference counting, allowing an unprivileged attacker to cause a denial of service.

The third (CVE-2016-9588) and fourth (CVE-2017-2584) security flaws were discovered by Jim Mattson and Dmitry Vyukov in Linux kernel's KVM implementation, which failed to correctly handle #OF and #BP exceptions or improperly emulate various instructions, allowing a local attacker in a guest VM to crash the guest operating system, as well as to acquire sensitive information.

Discovered by Willy Tarreau and Andy Lutomirski, the fifth security issue (CVE-2017-2583) could allow a local attacker in a guest VM to crash the guest operating system or gain root access because Linux kernel's KVM implementation incorrectly emulated instructions on the SS segment register.

The sixth kernel vulnerability (CVE-2017-5549) was discovered in Linux kernel's KLSI KL5KUSB105 serial-to-USB device driver, which incorrectly initialized logging-related memory, thus allowing a local attacker to disclose sensitive information from kernel memory.

Lastly, the seventh security issue (CVE-2017-6074) patched in Ubuntu 16.04 LTS is a use-after-free vulnerability discovered by Andrey Konovalov in the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation, which could allow a local attacker to either gain root access or crash the affected system (a denial of service).

Users are urged to update their systems as soon as possible

If you're using either Ubuntu 16.04 LTS or Ubuntu 16.04.1 LTS with the Linux 4.4 LTS kernel, you need to update the kernel packages right away. The updated kernels are live in the stable repositories for 64-bit and 32-bit (linux-image-4.4.0-64-generic 4.4.0-64.85), as well as Snapdragon (linux-image-4.4.0-1048-snapdragon 4.4.0-1048.52), and PPC64 (linux-image-4.4.0-64-powerpc64-emb 4.4.0-64.85).

Low-latency (linux-image-4.4.0-64-lowlatency 4.4.0-64.85) and LPAE Generic (linux-image-4.4.0-64-generic-lpae 4.4.0-64.85) kernels are also available. To update, simply open the Software Update utility and install all available updates. Don't forget to reboot your PC after installing the new kernel packages, as the running kernel is not replaced until the system boots into the new one. More details are provided by Canonical at https://wiki.ubuntu.com/Security/Upgrades.
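One way to confirm the outcome of that update on a 16.04 host, as an added example that is not part of the original article or of Canonical's tooling: a POSIX shell script that compares the ABI revision of the kernel actually running with the fixed revisions named above (4.4.0-64 for the generic, lowlatency, LPAE and PPC64 flavours, 4.4.0-1048 for Snapdragon). The threshold values are taken from the package names in the advisory; treating kernels outside the 4.4 series as out of scope is an assumption, since the 4.8 HWE kernels on 16.04.2 are covered by separate notices.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the kernel an Ubuntu
# 16.04 host is *running* is at or above the fixed ABI from USN-3208-1.
FIXED_GENERIC_ABI="4.4.0-64"       # generic, lowlatency, generic-lpae, powerpc64-emb
FIXED_SNAPDRAGON_ABI="4.4.0-1048"  # snapdragon flavour

# Extract "4.4.0-64" from a `uname -r` string such as "4.4.0-64-generic";
# prints nothing if the string is not in that shape.
kernel_abi() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*-[0-9][0-9]*\).*/\1/p'
}

# Return 0 if ABI $1 >= ABI $2, comparing the four numeric fields in order.
abi_ge() {
    set -- $(printf '%s %s' "$1" "$2" | sed 's/[.-]/ /g')
    # $1..$4 are the fields of the first ABI, $5..$8 those of the second.
    while [ $# -gt 4 ]; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift
    done
    return 0
}

# Print "patched", "vulnerable" or "unknown" for a `uname -r` style string.
# Only the 4.4 series covered by USN-3208-1 is assessed (assumption: the 4.8
# HWE kernels shipped with 16.04.2 have their own advisory).
kernel_status() {
    abi=$(kernel_abi "$1")
    case "$abi" in
        4.4.0-*) ;;
        *) echo unknown; return 0 ;;
    esac
    case "$1" in
        *-snapdragon) fixed=$FIXED_SNAPDRAGON_ABI ;;
        *) fixed=$FIXED_GENERIC_ABI ;;
    esac
    if abi_ge "$abi" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Live check: an updated linux-image package that is installed but not yet
# booted still leaves the old kernel running, so the running kernel is what counts.
live_check() {
    running=$(uname -r)
    printf 'running kernel %s: %s\n' "$running" "$(kernel_status "$running")"
    [ -f /var/run/reboot-required ] && echo 'reboot pending: new kernel not yet running'
    return 0
}
live_check
```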