Ubuntu 18.04 LTS, 17.10, 16.04 LTS & 14.04 LTS are affected

Jun 12, 2018 10:13 GMT

Canonical released new kernel security updates for all supported Ubuntu Linux releases to address several security vulnerabilities discovered by various security researchers in the upstream Linux kernel.

The new kernel updates are available for Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 17.10 (Artful Aardvark), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 LTS (Trusty Tahr) operating system series and address a total of nine security vulnerabilities affecting the kernels for 64-bit, 32-bit, Raspberry Pi 2, AWS, and GCP systems, as well as cloud environments.

They address two issues (CVE-2018-1092 and CVE-2018-1093) discovered by Wen Xu in the Linux kernel's EXT4 file system implementation, which did not properly handle corrupted metadata; both affect Ubuntu 18.04 LTS, Ubuntu 17.10, and Ubuntu 16.04 LTS. An attacker could craft an EXT4 file system image that causes a denial of service (system crash) when it is mounted, so systems that automatically mount removable media or untrusted disk images are the ones most exposed.

Also affecting Ubuntu 18.04 LTS, Ubuntu 17.10, and Ubuntu 16.04 LTS, the update addresses a memory leak (CVE-2018-8087) in the Linux kernel's 802.11 software simulator (mac80211_hwsim) implementation, which a local attacker could use to cause a denial of service (memory exhaustion).

Affecting Ubuntu 17.10 and Ubuntu 14.04 LTS, the update patches an issue (CVE-2018-8781) discovered by Eyal Itkin in the Linux kernel's USB DisplayLink video adapter driver (udl), which did not properly validate mmap offsets sent from userspace. A local attacker could use it to expose sensitive information from kernel memory or possibly execute arbitrary code.

Also affecting Ubuntu 17.10 and Ubuntu 14.04 LTS, the update fixes a vulnerability (CVE-2018-1068) in the Linux kernel's netfilter subsystem, which did not properly validate ebtables offsets. A local attacker could use it to cause a denial of service (system crash) or possibly execute arbitrary code. Configuring ebtables normally requires CAP_NET_ADMIN, but on Ubuntu, where unprivileged user namespaces are enabled by default, an ordinary user can obtain that capability inside a namespace of their own, which is why the issue is treated as locally exploitable.

Furthermore, the update addresses a NULL pointer dereference (CVE-2018-7492) in the Linux kernel's RDS (Reliable Datagram Sockets) protocol implementation, affecting both Ubuntu 17.10 and Ubuntu 14.04 LTS, which a local attacker could use to cause a denial of service (system crash).

Issues affecting only one release each: Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, or Ubuntu 14.04 LTS

In addition to the patches mentioned above, today's Ubuntu kernel security update fixes a memory leak (CVE-2018-10021) in the Linux kernel's Serial Attached SCSI (SAS) implementation, which affects only Ubuntu 18.04 LTS (Bionic Beaver). A physically proximate attacker could use it to cause a denial of service (memory exhaustion).

Lastly, the security update addresses an out-of-bounds read (CVE-2017-0627) in the Linux kernel's USB Video Class (UVC) driver, discovered by Xingyuan Lin and affecting only Ubuntu 14.04 LTS, as well as an incorrect bounds check (CVE-2018-10940) in the cdrom driver, affecting only Ubuntu 16.04 LTS. Either issue could allow a local attacker to expose sensitive information (kernel memory).

All users are urged to update their Ubuntu installations as soon as possible to the new kernel versions. Note that a kernel update only takes effect after a reboot: until the system is restarted it keeps running the old, vulnerable kernel even though apt reports everything as up to date. Canonical also published new HWE Linux kernel versions for users of the Ubuntu 16.04.4 LTS (Xenial Xerus), Ubuntu 14.04.5 LTS (Trusty Tahr), and Ubuntu 12.04 ESM (Precise Pangolin) releases. To update your Ubuntu systems, please follow the instructions provided by Canonical at https://wiki.ubuntu.com/Security/Upgrades.
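Canonical's instructions cover the apt side of the procedure; the step that is easy to skip is confirming afterwards that the patched kernel is the one actually running. The following script is an added example, not Canonical's or the article's own tooling: it optionally applies the pending updates, then compares the running release from `uname -r` against the newest image under /boot to report whether a reboot is still pending. The script name kernel-check.sh and the release strings used in the comments are assumptions and constructed samples, not values taken from the advisories.

```shell
#!/bin/sh
# Added example, not Canonical's tooling: apply the pending kernel update with
# apt, then confirm that the kernel actually running is the newest one
# installed, because a kernel package upgrade only takes effect after a reboot.
# Assumes the Debian/Ubuntu layout: installed kernel images are named
# /boot/vmlinuz-<release> and `uname -r` reports the running release.

# Reduce a release string ("4.15.0-23-generic", "4.4.0-128-generic",
# "4.15.0-1009-aws"; constructed samples) to its numeric fields, e.g.
# "4 15 0 23": the flavour suffix is dropped and dot/dash separators become
# spaces.
kernel_fields() {
    numeric=${1%%-[a-zA-Z]*}
    printf '%s\n' "$numeric" | sed 's/[.-]/ /g'
}

# Compare two release strings field by field. Prints 1 if $1 is newer than
# $2, -1 if it is older and 0 if they are the same version; a field that is
# missing on one side counts as 0.
kernel_cmp() {
    a=$(kernel_fields "$1")
    b=$(kernel_fields "$2")
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        i=$((i + 1))
    done
}

# Newest kernel image found under a boot directory (default /boot); prints
# nothing if there are no images.
newest_installed_kernel() {
    bootdir=${1:-/boot}
    newest=""
    for img in "$bootdir"/vmlinuz-*; do
        [ -e "$img" ] || continue          # an unmatched glob stays literal
        rel=${img##*/vmlinuz-}
        if [ -z "$newest" ] || [ "$(kernel_cmp "$rel" "$newest")" = 1 ]; then
            newest=$rel
        fi
    done
    printf '%s\n' "$newest"
}

# Prints "reboot" when the installed release ($2) is newer than the running
# one ($1), "ok" otherwise.
reboot_status() {
    if [ "$(kernel_cmp "$2" "$1")" = 1 ]; then
        printf 'reboot\n'
    else
        printf 'ok\n'
    fi
}

# Install pending updates, including the new kernel package (needs root).
apply_updates() {
    apt-get update && apt-get dist-upgrade -y
}

main() {
    if [ "$1" = apply ]; then
        apply_updates || return 1
    fi
    running=$(uname -r)
    installed=$(newest_installed_kernel /boot)
    if [ -z "$installed" ]; then
        printf 'no kernel images found in /boot\n' >&2
        return 2
    fi
    printf 'running:   %s\ninstalled: %s\n' "$running" "$installed"
    if [ "$(reboot_status "$running" "$installed")" = reboot ]; then
        printf 'a newer kernel is installed; reboot to run it\n'
        return 1
    fi
    printf 'the running kernel is the newest installed\n'
}

# Usage: sh kernel-check.sh check        (verify only)
#        sudo sh kernel-check.sh apply   (upgrade, then verify)
case ${1:-} in
    check|apply) main "$1" ;;
esac
```

The comparison is done on the numeric fields of the release string rather than with a plain string compare so that 4.15.0-23 sorts after 4.15.0-9, and the flavour suffix (generic, aws, gcp, lowlatency) is ignored so that the check also works on the cloud and HWE kernels mentioned above. A non-zero exit when a reboot is pending makes the script usable from a fleet check or a cron job.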