Several Linux Kernel Azure Vulnerabilities Fixed in Ubuntu

Canonical has released security updates (USN-6866-2) addressing several vulnerabilities in the Linux kernel for Microsoft Azure Cloud systems on Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. An attacker could use these issues to cause a denial of service, expose sensitive information, or execute arbitrary code.

Vulnerabilities in Linux Kernel (Azure)

The following vulnerabilities are patched by this round of Ubuntu security updates for Microsoft Azure Cloud systems:

CVE-2021-33631 (CVSS v3 Severity Score: 7.8 High)

The ext4 filesystem implementation in the Linux kernel did not properly validate data state during write operations. An attacker could construct a malicious ext4 filesystem image that, when mounted, crashes the system, resulting in a denial of service. Exploitation requires the crafted image to be mounted, so hosts that mount untrusted images (automounted disks, user-supplied disk images) are the ones most exposed.

CVE-2023-6270 (CVSS v3 Severity Score: 7.0 High)

A race condition in the ATA over Ethernet (AoE) driver in the Linux kernel leads to a use-after-free. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

CVE-2024-2201

Security researchers determined that the Linux kernel's mitigations for the original Branch History Injection vulnerability (CVE-2022-0001) were insufficient on Intel processors. A local attacker could use this to expose sensitive information. Because this is a speculative-execution issue, the fix is an additional kernel mitigation rather than a code bug fix; kernels carrying it report a "BHI:" field in /sys/devices/system/cpu/vulnerabilities/spectre_v2, which is the place to confirm the mitigation is active after updating.

CVE-2024-23307 (CVSS v3 Severity Score: 7.8 High)

Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition leading to an integer overflow. A privileged attacker could use this to cause a denial of service.

CVE-2024-24861 (CVSS v3 Severity Score: 6.3 Medium)

Bai Jiaju discovered that the Xceive XC4000 silicon tuner device driver in the Linux kernel contained a race condition leading to an integer overflow. An attacker could use this to cause a denial of service.

Several further issues were fixed in other Linux kernel subsystems, including:

  • Block layer subsystem
  • Hardware random number generator core
  • GPU drivers
  • AFS file system
  • Memory management
  • Netfilter

The CVEs covered by these additional fixes are CVE-2024-26642, CVE-2024-26922, CVE-2024-26720, CVE-2024-26736, CVE-2024-26898, CVE-2021-47063, and CVE-2023-52615.

Addressing Linux Kernel Vulnerabilities in EOL Ubuntu

Since Ubuntu 16.04 and Ubuntu 18.04 have reached end of life (EOL), security updates for them are available only through Extended Security Maintenance (ESM) on Ubuntu Pro, which extends support beyond the five years of standard LTS maintenance. ESM is not the only option: TuxCare offers an affordable alternative, Extended Lifecycle Support (ELS), which continues to deliver security patches for an additional five years after the EOL date. ELS is available for both Ubuntu 16.04 and Ubuntu 18.04 and covers the Linux kernel, common shared libraries such as glibc, OpenSSL and OpenSSH, and several other packages.

TuxCare has already released patches for the above vulnerabilities for Ubuntu 16.04 ELS and Ubuntu 18.04 ELS. You can track the release status of vulnerabilities on the CVE tracker page.

TuxCare also offers KernelCare Enterprise, a live kernel patching solution, which allows you to apply security updates to a running kernel without rebooting the system. The KernelCare team is working on deploying live patches for these Linux kernel vulnerabilities to Microsoft Azure Cloud users.
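Whichever channel the fixes arrive through, an administrator still has to confirm that the running kernel actually carries them. The following shell script is an added example for this post (it is not code from TuxCare, Canonical or the USN) and also serves the CVE-2024-2201 entry above. It does two things: it checks a kernel package changelog for every CVE ID listed in this advisory, and it interprets the BHI field of the spectre_v2 status that a fixed kernel exposes. It assumes two things the post does not state: that Ubuntu kernel image packages ship /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz listing fixed CVEs as CVE-YYYY-NNNN tokens (Canonical's packaging; ELS-built kernels may differ), and that kernels with the CVE-2024-2201 fix append a "BHI:" field to /sys/devices/system/cpu/vulnerabilities/spectre_v2 while older kernels omit it. The changelog excerpt embedded in the script is constructed so that the checks run offline.

```shell
#!/bin/sh
# Added example for this post (not code from TuxCare, Canonical or the USN):
# two checks an administrator can run on an Ubuntu Azure host after the update.
#
# Assumptions (not stated in the post):
#  - Ubuntu kernel image packages ship a changelog at
#    /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz that lists
#    fixed CVEs as "CVE-YYYY-NNNN" tokens.
#  - Kernels carrying the CVE-2024-2201 fix append a "BHI: ..." field to
#    /sys/devices/system/cpu/vulnerabilities/spectre_v2; older kernels omit it.

# CVE IDs named in the advisory summary above (USN-6866-2).
USN_6866_2_CVES="CVE-2021-33631 CVE-2023-6270 CVE-2024-2201 CVE-2024-23307 CVE-2024-24861 \
CVE-2024-26642 CVE-2024-26922 CVE-2024-26720 CVE-2024-26736 CVE-2024-26898 CVE-2021-47063 CVE-2023-52615"

# classify_bhi STATUS_TEXT
# Interprets one spectre_v2 status line and prints one of:
#   not_affected - the CPU is not affected by Spectre v2 at all
#   vulnerable   - the kernel knows about BHI and reports "BHI: Vulnerable"
#   mitigated    - a BHI field is present and is not "Vulnerable"
#   unknown      - no BHI field: the kernel predates the CVE-2024-2201 fix,
#                  so silence here is NOT evidence of safety
classify_bhi() {
    case $1 in
        "Not affected"*)      echo not_affected ;;
        *"BHI: Vulnerable"*)  echo vulnerable ;;
        *"BHI: "*)            echo mitigated ;;
        *)                    echo unknown ;;
    esac
}

# missing_cves CHANGELOG_FILE
# Prints every advisory CVE that the (uncompressed) changelog does not mention.
# -w stops a short ID such as CVE-2024-2201 from matching a longer one that
# merely starts with the same digits.
missing_cves() {
    for cve in $USN_6866_2_CVES; do
        grep -qw -- "$cve" "$1" || echo "$cve"
    done
}

# count_missing CHANGELOG_FILE: number of advisory CVEs absent from the file.
count_missing() {
    missing_cves "$1" | wc -l | tr -d ' '
}

# --- Constructed sample changelog so the checks run offline ---
SAMPLE_CHANGELOG=$(mktemp)
cat >"$SAMPLE_CHANGELOG" <<'EOF'
linux-azure (0.0.0-0.0) constructed; urgency=medium

  * constructed entry, not a real Ubuntu changelog
    - CVE-2024-26642
    - CVE-2023-6270
EOF

echo "Sample changelog lacks $(count_missing "$SAMPLE_CHANGELOG") of the 12 advisory CVEs:"
missing_cves "$SAMPLE_CHANGELOG"

# --- Live checks, run only where the files actually exist ---
SPECTRE_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SPECTRE_V2" ]; then
    echo "BHI status on this host: $(classify_bhi "$(cat "$SPECTRE_V2")")"
fi

REAL_CHANGELOG="/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz"
if [ -r "$REAL_CHANGELOG" ]; then
    tmp=$(mktemp)
    zcat "$REAL_CHANGELOG" >"$tmp"
    echo "Advisory CVEs not mentioned by the running kernel's changelog:"
    missing_cves "$tmp"
    rm -f "$tmp"
fi
```

Run it with sh on the host after rebooting into the updated kernel. Two caveats: an "unknown" BHI result means the kernel is too old to report on BHI at all, not that the host is safe; and live patches applied by KernelCare change neither the installed package nor its changelog, so on live-patched hosts the changelog check reports only the package on disk and the vendor's own status tooling is the authority.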

Source: USN-6866-2

The post Multiple Linux Kernel Azure Vulnerabilities Fixed in Ubuntu appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare written by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/several-linux-kernel-azure-vulnerabilities-fixed-in-ubuntu/