Affects Ubuntu 19.10, 19.04, 18.04 LTS, and 16.04 LTS

Nov 13, 2019 15:00 GMT  ·  By

Canonical released today a new batch of Linux kernel security updates for all of its supported Ubuntu Linux releases to address the latest Intel CPU vulnerabilities, as well as other important flaws.

As announced the other day, Canonical was quick to respond to the latest security vulnerabilities affecting Intel CPU microarchitectures, so they now published Linux kernel updates to mitigate them. These are CVE-2019-11135, CVE-2018-12207, CVE-2019-0154, and CVE-2019-0155, which could allow local attackers to either expose sensitive information or possibly elevate privileges or cause a denial of service.

On top of these security issues affecting Intel CPUs, the new Linux kernel security updates also address three vulnerabilities (CVE-2019-15791, CVE-2019-15792, and CVE-2019-15793) discovered by Google Project Zero's Jann Horn in the shiftfs implementation, which could allow a local attacker to either execute arbitrary code, cause a denial of service (system crash), or bypass DAC permissions.

Users are urged to update their systems immediately

Also fixed are a buffer overflow (CVE-2019-16746) discovered in Linux kernel's 802.11 Wi-Fi configuration interface, which could allow a local attacker to cause a denial of service (system crash) or execute arbitrary code, and another buffer overflow (CVE-2019-17666) found by Nico Waisman in the Realtek Wi-Fi driver, which could allow a physically proximate attacker to crash the system or execute arbitrary code.

The security update also fixes several vulnerabilities affecting only Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS systems, namely CVE-2019-17052, CVE-2019-17053, CVE-2019-17054, CVE-2019-17055, and CVE-2019-17056, which were discovered by Ori Nimron in Linux kernel's Appletalk, AX25, NFC, ISDN, and IEEE 802.15.4 Low-Rate Wireless network protocol implementations, All these flaws could allow a local attacker to create a raw socket.

Additionally, it fixes a vulnerability (CVE-2019-15098) discovered by Hui Peng in Linux kernel's Atheros AR6004 USB Wi-Fi device driver, which could allow a physically proximate attacker to cause a denial of service (system crash), and another vulnerability (CVE-2019-2215) discovered by Maddie Stone in the Binder IPC Driver implementation, which could let a local attacker cause a denial of service (system crash) or execute arbitrary code, the latter only affecting Ubuntu 16.04 LTS systems.

Users are urged to update their Ubuntu systems to the new kernel versions available in the main software repositories as soon as possible. These are linux-image 5.3.0-23.27 for Ubuntu 19.10, linux-image 5.0.0-36.38 for Ubuntu 19.04, linux-image 5.0.0-36.39~18.04.1 for Ubuntu 18.04.3 LTS, linux-image 4.15.0-70.79 for Ubuntu 18.04 LTS, linux-image 4.15.0-70.79~16.04.1 for Ubuntu 16.04.6 LTS, and linux-image 4.4.0-169.198 for Ubuntu 16.04 LTS. Please reboot your systems after installing the new kernel versions.

Update: Canonical released new Linux kernel versions for all supported Ubuntu Linux versions to address a regression introduced by the previous kernel versions, which broke KVM guests on systems where extended page tables (EPT) were disabled or not supported. Also they discovered that the fix for CVE-2019-0155 (i915 missing Blitter Command Streamer check) was incomplete on 64-bit Intel x86 systems. Users are urged to update their systems again to the new Linux kernel versions mentioned above, which address these issues.