Ubuntu update for linux

Published: 2021-03-23

Risk	Low
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2021-3444 CVE-2021-27365 CVE-2020-27171 CVE-2020-27170 CVE-2021-27363 CVE-2021-27364
CWE-ID	CWE-125 CWE-119 CWE-193 CWE-203 CWE-200 CWE-264
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Ubuntu Operating systems & Components / Operating system linux-image-raspi (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oem-20.04b (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gkeop (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual-hwe-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-raspi2 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oem-osp1 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oem (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-hwe-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gkeop-5.4 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lpae-hwe-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-hwe-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-64k-hwe-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.6.0-1052-oem (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-70-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-70-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-70-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1043-azure (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1041-oracle (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1041-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1040-gcp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1036-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1032-raspi (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1012-gkeop (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.10.0-1019-oem (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-raspi-nolpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oracle (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oem-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gke (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-64k (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gcp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-azure (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-48-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-48-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-48-generic-64k (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-48-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1027-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1026-gcp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1026-azure (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1024-oracle (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1022-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1019-raspi-nolpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.8.0-1019-raspi (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-snapdragon-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-raspi2-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-raspi-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gkeop-5.3 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gke-5.4 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gke-5.3 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lpae-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1039-gke (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.3.0-72-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.3.0-72-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.3.0-1041-gke (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.3.0-1038-raspi2 (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU90368

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3444

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 18.04 - 20.10

linux-image-raspi (Ubuntu package): before 5.4.0.1032.67

linux-image-oem-20.04b (Ubuntu package): before 5.10.0.1019.20

linux-image-gkeop (Ubuntu package): before 5.4.0.1012.15

linux-image-virtual-hwe-20.04 (Ubuntu package): before 5.8.0.48.54~20.04.32

linux-image-raspi2 (Ubuntu package): before 5.4.0.1032.67

linux-image-oem-osp1 (Ubuntu package): before 5.4.0.70.73

linux-image-oem (Ubuntu package): before 5.4.0.70.73

linux-image-lowlatency-hwe-20.04 (Ubuntu package): before 5.8.0.48.54~20.04.32

linux-image-gkeop-5.4 (Ubuntu package): before 5.4.0.1012.13~18.04.13

linux-image-generic-lpae-hwe-20.04 (Ubuntu package): before 5.8.0.48.54~20.04.32

linux-image-generic-hwe-20.04 (Ubuntu package): before 5.8.0.48.54~20.04.32

linux-image-generic-64k-hwe-20.04 (Ubuntu package): before 5.8.0.48.54~20.04.32

linux-image-5.6.0-1052-oem (Ubuntu package): before 5.6.0-1052.56

linux-image-5.4.0-70-lowlatency (Ubuntu package): before 5.4.0-70.78~18.04.1

linux-image-5.4.0-70-generic-lpae (Ubuntu package): before 5.4.0-70.78~18.04.1

linux-image-5.4.0-70-generic (Ubuntu package): before 5.4.0-70.78~18.04.1

linux-image-5.4.0-1043-azure (Ubuntu package): before 5.4.0-1043.45~18.04.1

linux-image-5.4.0-1041-oracle (Ubuntu package): before 5.4.0-1041.44~18.04.1

linux-image-5.4.0-1041-aws (Ubuntu package): before 5.4.0-1041.43~18.04.1

linux-image-5.4.0-1040-gcp (Ubuntu package): before 5.4.0-1040.43~18.04.1

linux-image-5.4.0-1036-kvm (Ubuntu package): before 5.4.0-1036.37

linux-image-5.4.0-1032-raspi (Ubuntu package): before 5.4.0-1032.35~18.04.1

linux-image-5.4.0-1012-gkeop (Ubuntu package): before 5.4.0-1012.13~18.04.1

linux-image-5.10.0-1019-oem (Ubuntu package): before 5.10.0-1019.20

linux-image-virtual (Ubuntu package): before 5.4.0.70.73

linux-image-raspi-nolpae (Ubuntu package): before 5.8.0.1019.22

linux-image-oracle (Ubuntu package): before 5.4.0.1041.38

linux-image-oem-20.04 (Ubuntu package): before 5.6.0.1052.48

linux-image-lowlatency (Ubuntu package): before 5.4.0.70.73

linux-image-kvm (Ubuntu package): before 5.4.0.1036.34

linux-image-gke (Ubuntu package): before 5.8.0.1026.26

linux-image-generic-lpae (Ubuntu package): before 5.4.0.70.73

linux-image-generic-64k (Ubuntu package): before 5.8.0.48.53

linux-image-generic (Ubuntu package): before 5.4.0.70.73

linux-image-gcp (Ubuntu package): before 5.4.0.1040.27

linux-image-azure (Ubuntu package): before 5.4.0.1043.23

linux-image-aws (Ubuntu package): before 5.4.0.1041.24

linux-image-5.8.0-48-lowlatency (Ubuntu package): before 5.8.0-48.54~20.04.1

linux-image-5.8.0-48-generic-lpae (Ubuntu package): before 5.8.0-48.54~20.04.1

linux-image-5.8.0-48-generic-64k (Ubuntu package): before 5.8.0-48.54~20.04.1

linux-image-5.8.0-48-generic (Ubuntu package): before 5.8.0-48.54~20.04.1

linux-image-5.8.0-1027-aws (Ubuntu package): before 5.8.0-1027.29

linux-image-5.8.0-1026-gcp (Ubuntu package): before 5.8.0-1026.27

linux-image-5.8.0-1026-azure (Ubuntu package): before 5.8.0-1026.28

linux-image-5.8.0-1024-oracle (Ubuntu package): before 5.8.0-1024.25

linux-image-5.8.0-1022-kvm (Ubuntu package): before 5.8.0-1022.24

linux-image-5.8.0-1019-raspi-nolpae (Ubuntu package): before 5.8.0-1019.22

linux-image-5.8.0-1019-raspi (Ubuntu package): before 5.8.0-1019.22

linux-image-virtual-hwe-18.04 (Ubuntu package): before 5.4.0.70.78~18.04.63

linux-image-snapdragon-hwe-18.04 (Ubuntu package): before 5.4.0.70.78~18.04.63

linux-image-raspi2-hwe-18.04 (Ubuntu package): before 5.3.0.1038.27

linux-image-raspi-hwe-18.04 (Ubuntu package): before 5.4.0.1032.34

linux-image-lowlatency-hwe-18.04 (Ubuntu package): before 5.4.0.70.78~18.04.63

linux-image-gkeop-5.3 (Ubuntu package): before 5.3.0.72.129

linux-image-gke-5.4 (Ubuntu package): before 5.4.0.1039.41~18.04.6

linux-image-gke-5.3 (Ubuntu package): before 5.3.0.1041.24

linux-image-generic-lpae-hwe-18.04 (Ubuntu package): before 5.4.0.70.78~18.04.63

linux-image-generic-hwe-18.04 (Ubuntu package): before 5.4.0.70.78~18.04.63

linux-image-5.4.0-1039-gke (Ubuntu package): before 5.4.0-1039.41~18.04.1

linux-image-5.3.0-72-lowlatency (Ubuntu package): before 5.3.0-72.68

linux-image-5.3.0-72-generic (Ubuntu package): before 5.3.0-72.68

linux-image-5.3.0-1041-gke (Ubuntu package): before 5.3.0-1041.44

linux-image-5.3.0-1038-raspi2 (Ubuntu package): before 5.3.0-1038.40

CPE2.3

External links

https://ubuntu.com/security/notices/USN-4887-1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU51451

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-27365

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing Netlink messages in Linux kernel through 5.11.3, as certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. A local unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message, trigger memory corruption and execute arbitrary code on the system with elevated privileges.