Ubuntu update for linux

Published: 2021-03-16

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2020-29569 CVE-2020-36158
CWE-ID	CWE-252 CWE-120
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Ubuntu Operating systems & Components / Operating system linux-image-virtual-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc64-smp-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc64-emb-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc-smp-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc-e500mc-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lpae-lts-xenial (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1087-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-powerpc64-smp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-powerpc64-emb (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-powerpc-smp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-powerpc-e500mc (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-204-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-snapdragon (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-raspi2 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc64-smp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc64-emb (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc-smp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-powerpc-e500mc (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1151-snapdragon (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1147-raspi2 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1123-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-4.4.0-1089-kvm (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Unchecked Return Value

EUVDB-ID: #VU56816

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-29569

CWE-ID: CWE-252 - Unchecked Return Value

Exploit availability: No

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to an unchecked return value. A local user can cause a denial of service (DoS) condition, leading to privilege escalation and information leaks.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 16.04

linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-powerpc64-smp-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-powerpc64-emb-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-powerpc-smp-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-powerpc-e500mc-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-generic-lpae-lts-xenial (Ubuntu package): before 4.4.0.204.178

linux-image-4.4.0-1087-aws (Ubuntu package): before 4.4.0-1087.91

linux-image-aws (Ubuntu package): before 4.4.0.1087.84

linux-image-4.4.0-204-powerpc64-smp (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-4.4.0-204-powerpc64-emb (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-4.4.0-204-powerpc-smp (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-4.4.0-204-powerpc-e500mc (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-4.4.0-204-lowlatency (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-4.4.0-204-generic-lpae (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-4.4.0-204-generic (Ubuntu package): before 4.4.0-204.236~14.04.1

linux-image-virtual (Ubuntu package): before 4.4.0.204.210

linux-image-snapdragon (Ubuntu package): before 4.4.0.1151.143

linux-image-raspi2 (Ubuntu package): before 4.4.0.1147.147

linux-image-powerpc64-smp (Ubuntu package): before 4.4.0.204.210

linux-image-powerpc64-emb (Ubuntu package): before 4.4.0.204.210

linux-image-powerpc-smp (Ubuntu package): before 4.4.0.204.210

linux-image-powerpc-e500mc (Ubuntu package): before 4.4.0.204.210

linux-image-lowlatency (Ubuntu package): before 4.4.0.204.210

linux-image-kvm (Ubuntu package): before 4.4.0.1089.87

linux-image-generic-lpae (Ubuntu package): before 4.4.0.204.210

linux-image-generic (Ubuntu package): before 4.4.0.204.210

linux-image-4.4.0-1151-snapdragon (Ubuntu package): before 4.4.0-1151.161

linux-image-4.4.0-1147-raspi2 (Ubuntu package): before 4.4.0-1147.157

linux-image-4.4.0-1123-aws (Ubuntu package): before 4.4.0-1123.137

linux-image-4.4.0-1089-kvm (Ubuntu package): before 4.4.0-1089.98

CPE2.3

External links

https://ubuntu.com/security/notices/USN-4876-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU92419

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-36158

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to buffer overflow error within the mwifiex_cmd_802_11_ad_hoc_start() function in drivers/net/wireless/marvell/mwifiex/join.c. A local privileged user can execute arbitrary code.